
Re: [PATCH?] Re: [perl #23576] valgrind errors for /(?{})/ in t/op/pat.t

From:
Dave Mitchell
Date:
September 17, 2003 15:17
Subject:
Re: [PATCH?] Re: [perl #23576] valgrind errors for /(?{})/ in t/op/pat.t
Message ID:
20030917221719.GC6159@fdgroup.com
On Sun, Sep 14, 2003 at 12:10:24AM +0100, Dave Mitchell wrote:
> On Mon, Aug 25, 2003 at 07:12:42PM -0000, Nicholas Clark wrote:
> > The first 2 valgrind errors on t/op/pat.t boil down to this.
> > They're from the two (? constructions starting at column 8.
> > 
> > #!./perl
> > 
> > @a = 1 .. 2;
> > 
> > m/
> > 	(?{ 0 })
> > 	(?(?{ 0 })
> > 	 )	
> >    /x;
> > 
> > # bug is during compile time
> > BEGIN {exit;}
> > __END__
> > 
> > ==27761== Invalid read of size 2
> > ==27761==    at 0x80FFC29: Perl_sv_compile_2op (pp_ctl.c:2666)
> > ==27761==    by 0x80A24B2: S_reg (regcomp.c:2239)
> > ==27761==    by 0x80A467E: S_regatom (regcomp.c:2845)
> > ==27761==    by 0x80A3AAA: S_regpiece (regcomp.c:2622)
> > ==27761==    Address 0x413A2CE8 is 16 bytes inside a block of size 32 free'd
> > ==27761==    at 0x40026C15: free (vg_replace_malloc.c:220)
> > ==27761==    by 0x80B0628: Perl_safesysfree (util.c:143)
> > ==27761==    by 0x8089B9A: Perl_op_free (op.c:334)
> > ==27761==    by 0x8089B31: Perl_op_free (op.c:321)
> 
> The following patch makes the valgrind errors go away, but I'm not
> sure whether I'm just masking the problem.
> 
> After op_free(), PL_op may be left pointing at the just-freed op.
> Later, Perl_sv_compile_2op () tries to use PL_op, which is no longer
> valid. The patch makes op_free() set PL_op to null if it equals the op
> being freed. However, I don't know whether instead
> 
> * the caller of op_free() should be sorting out PL_op, or
> * that op_free() shouldn't be getting called on PL_op, or
> * that Perl_sv_compile_2op() shouldn't be relying on PL_op to be valid.

I think this last case applies.

Perl_sv_compile_2op() is trying to distinguish between compile-time and
runtime behaviour, ie between

    /(?{1})/
and
    $x = '(?{1})'; /$x/

with the following line (written by me a few months ago):

    /* we get here either during compilation, or via pp_regcomp at runtime */
    runtime = PL_op && (PL_op->op_type == OP_REGCOMP);

But in the compile-time case, PL_op isn't guaranteed to be pointing to
anything sensible (eg in the test code that valgrind is complaining about,
it happens to point to a recently-freed op).

Does anyone know of a safe way that I can distinguish between compile-time
and run-time calls to sv_compile_2op()?

Dave.

-- 
To collect all the latest movies, simply place an unprotected ftp server
on the Internet, and wait for the disk to fill....
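A minimal C model of the dangling-PL_op problem and of the guard proposed in the quoted patch, added here as an illustration and not code from perl itself: the OP struct, op type constants, op_new(), op_free() and is_runtime_compile() are simplified stand-ins for the real definitions.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-ins for perl's OP, op types and PL_op (not the real
 * definitions from op.h / intrpvar.h). */
enum { OP_NULL = 0, OP_REGCOMP = 1, OP_MATCH = 2 };

typedef struct op {
    struct op *op_next;
    int        op_type;
} OP;

/* Interpreter-global "current op": the pointer left dangling in the report. */
static OP *PL_op = NULL;

static OP *op_new(int type) {
    OP *o = calloc(1, sizeof *o);
    if (o) o->op_type = type;
    return o;
}

/* Model of the proposed patch: when the op being freed is the one PL_op
 * refers to, clear PL_op before releasing the memory, so a later reader
 * sees NULL instead of a freed block. Ops chained via op_next are freed
 * too, mirroring a tree being torn down. */
static void op_free(OP *o) {
    while (o) {
        OP *next = o->op_next;
        if (PL_op == o)
            PL_op = NULL;
        free(o);
        o = next;
    }
}

/* Model of the test in Perl_sv_compile_2op(): runtime iff the current op
 * is an OP_REGCOMP. The NULL check only helps once op_free() clears PL_op;
 * without that, the compile-time case reads freed memory, as valgrind saw. */
static int is_runtime_compile(void) {
    return PL_op && PL_op->op_type == OP_REGCOMP;
}

/* Scenario from the report: a tree is freed while PL_op still names one of
 * its ops, then sv_compile_2op-style code consults PL_op. Returns 0 and
 * touches no freed memory. */
static int freed_current_op_is_runtime(void) {
    OP *root = op_new(OP_MATCH);
    root->op_next = op_new(OP_REGCOMP);
    PL_op = root->op_next;       /* current op lives inside the tree */
    op_free(root);               /* frees both ops; PL_op becomes NULL */
    return is_runtime_compile();
}
```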
