[perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4

# New Ticket Created by  jnarron@cdsinet.net 
# Please include the string:  [perl #36667]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/rt3/Ticket/Display.html?id=36667 >


This is a bug report for perl from jnarron@cdsinet.net,
generated with the help of perlbug 1.35 running under perl v5.8.7.


-----------------------------------------------------------------
I came across this problem when not only myself, but several other
FreeBSD users upgraded to perl 5.8.7 and were noticing that their
amavisd-new installations were not working properly.  After some
testing and digging, it turns out that spamassassin 3.0 was causing
a bus error.  Using the perl debugger, the line causing the bus
error turns out to be:

>   DB<4> v
> 1955    EOT
> 1956 
> 1957      # and run it.
> 1958==>   eval $evalstr;
> 1959:     if ($@) {
> 1960:       warn("Failed to compile URI SpamAssassin tests, skipping:\n".
> 1961              "\t($@)\n");
> 1962:       $self->{rule_errors}++;
> 1963      }
> 1964      else {

eXamining $evalstr produces an incredibly lengthy string full of
many if statements.  Using a debug version of perl 5.8.7, and gdb:

#0  0x280a2144 in Perl_malloc (nbytes=25) at malloc.c:1411
#1  0x281075b5 in S_save_hek_flags (str=0x935b328 "WLS_URI_OPT_377", len=15, hash=1020016264, flags=0) at hv.c:97
#2  0x2810aa51 in S_share_hek_flags (str=0x935b328 "WLS_URI_OPT_377", len=15, hash=1020016264, flags=0) at hv.c:2114
#3  0x2810a940 in Perl_share_hek (str=0x935b328 "WLS_URI_OPT_377", len=15, hash=1020016264) at hv.c:2074
#4  0x28129e29 in Perl_newSVpvn_share (src=0x935b328 "WLS_URI_OPT_377", len=15, hash=1020016264) at sv.c:6876
#5  0x280def33 in Perl_peep (o=0x935f288) at op.c:6699
#6  0x280debcc in Perl_peep (o=0x935ef88) at op.c:6634
... (lots of calls to Perl_peep, o= different numbers each time.. I'm assuming it's a recursive function)
#5432 0x280debcc in Perl_peep (o=0x8081108) at op.c:6634
#5433 0x280debcc in Perl_peep (o=0x8587a48) at op.c:6634
#5434 0x280debcc in Perl_peep (o=0x8062b08) at op.c:6634
#5435 0x280d10d5 in Perl_newPROG (o=0x8062b88) at op.c:1952
#5436 0x280cac39 in Perl_yyparse () at perly.y:140
#5437 0x28155eb7 in S_doeval (gimme=128, startop=0x0, outside=0x805829c, seq=0) at pp_ctl.c:2892
#5438 0x281588ef in Perl_pp_entereval () at pp_ctl.c:3486
#5439 0x280f8ebe in Perl_runops_debug () at dump.c:1452 #5440 0x2809be1f in S_run_body (oldscope=1) at perl.c:2000
#5441 0x2809b8d5 in perl_run (my_perl=0x804e1f0) at perl.c:1919
#5442 0x08049188 in main ()

This happens on line 21720 of the $evalstr, and the following was also noticed:
(5434 (first Perl_peep line) - 4 (line after last Perl_peep) * 4 = 21720

FreeBSD 5.4 seems to have a default stack hardlimit of 64MB.  Increasing
this hardlimit to 128MB (by changing the MAXSSIZ option in the kernel)
allows eval to process more lines of $evalstr, but still not enough to
get all the way through.  Originally, perl 5.8.7 was compiled with CFLAGS
of -O2, but changing CFLAGS to -O0 didn't help either.  Changing CFLAGS to
-Os however did the trick.

This is reproducable on 2 other FreeBSD 5.4 systems.  This bus error
does not occur with perl 5.8.5 or perl 5.8.6 on these same systems.
This bus error also does not appear on a tested Linux 2.6 (with an
unlimited stack), or on an OpenBSD 3.7 (with an 8M stack).  I have
test cases that I'm willing to send, but not attaching due to their
sizes.


-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl v5.8.7:

Configured by root at Mon Jul 25 16:56:21 CDT 2005.

Summary of my perl5 (revision 5 version 8 subversion 7) configuration:
  Platform:
    osname=freebsd, osvers=5.4-release-p4, archname=i386-freebsd-64int
    uname='freebsd freebsd.cdsinet.net 5.4-release-p4 freebsd 5.4-release-p4 #12: wed jul 6 10:39:12 cdt 2005 zeek@freebsd.cdsinet.net:usrobjusrsrcsysnoaa i386 '
    config_args='-sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.8.7/mach -Dprivlib=/usr/local/lib/perl5/5.8.7 -Dman3dir=/usr/local/lib/perl5/5.8.7/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.8.7/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.8.7 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.8.7/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Duseshrplib -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.7/BSDPAN" -Doptimize=-Os -Ud_dosuid -Ui_gdbm -Dusethreads=n -Dusemymalloc=n -Duse64bitint'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.7/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -I/usr/local/include',
    optimize='-Os',
    cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.7/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='3.4.2 [FreeBSD] 20040728', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags ='-pthread -Wl,-E -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib
    libs=-lgdbm -lm -lcrypt -lutil
    perllibs=-lm -lcrypt -lutil
    libc=, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.8.7/mach/CORE'
    cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib'

Locally applied patches:
    defined-or

---
@INC for perl v5.8.7:
    /usr/local/lib/perl5/site_perl/5.8.7
    /usr/local/lib/perl5/site_perl/5.8.7/mach
    /usr/local/lib/perl5/site_perl
    /usr/local/lib/perl5/5.8.7/BSDPAN
    /usr/local/lib/perl5/5.8.7/mach
    /usr/local/lib/perl5/5.8.7
    .

---
Environment for perl v5.8.7:
    HOME=/home/z/zeek
    LANG (unset)
    LANGUAGE (unset)
    LC_ALL=POSIX
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin:/home/z/zeek/bin:/home/z/zeek/bin:.
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/bash

• RE: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by John Narron
• Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Dominic Dunlop
• [perl #36667] Lengthy parameter passed to eval leads to bus error onFreeBSD 5.4 by Tony Cook via RT
• [PATCH] Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Dominic Dunlop
• Re: [PATCH] Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Dave Mitchell
• Re: [PATCH] Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Dominic Dunlop
• Re: [PATCH] Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Yitzchak Scott-Thoennes
• Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Dominic Dunlop
• [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by jnarron @ cdsinet . net
• Re: [perl #36667] Lengthy parameter passed to eval leads to bus error on FreeBSD 5.4 by Dave Mitchell