develooper Front page | perl.perl5.porters | Postings from January 2008

Re: [perl #50256] segfault on perl -e 'split //, unpack "(B)*", "ab"'

From: Ævar Arnfjörð Bjarmason
Date: January 25, 2008 21:27
Subject: Re: [perl #50256] segfault on perl -e 'split //, unpack "(B)*", "ab"'
Message ID: 51dd1af80801252127i4afe3f8dqf6bbf122034a81d9@mail.gmail.com
This looks to my untrained eye like unpack is somehow causing its
return value to be a damaged PMOP.

    $ ./perl -le 'split //, unpack("(B)*", "ab")'
    Segmentation fault
    $ ./perl -le 'my $s = unpack("(B)*", "ab"); split //, $s'
    $ ./perl -le 'my $s = unpack("(B)*", "ab"); unpack "(a)*", $s'
    $ ./perl -le 'unpack "(a)*", unpack("(B)*", "ab");'
    Invalid type '0' in unpack at -e line 1.

This will actually segfault at different times in Perl_pp_split
depending on whether you compile with -DDEBUGGING or not, at least on
my system.

Without debugging, => marks the segfault:

    #ifdef DEBUGGING
        Copy(&LvTARGOFF(POPs), &pm, 1, PMOP*);
    #else
        pm = (PMOP*)POPs;
    #endif
        if (!pm || !s)
    	DIE(aTHX_ "panic: pp_split");
        rx = PM_GETRE(pm);

    =>  TAINT_IF((rx->extflags & RXf_PMf_LOCALE) &&
    	     (rx->extflags & (RXf_WHITE | RXf_SKIPWHITE)));

In gdb:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004ba3aa in Perl_pp_split () at pp.c:4617
    (gdb) bt
    #0  0x00000000004ba3aa in Perl_pp_split () at pp.c:4617
    #1  0x000000000047f9da in Perl_runops_standard () at run.c:38
    #2  0x000000000047a2af in S_run_body (oldscope=1) at perl.c:2384
    #3  0x0000000000479e4f in perl_run (my_perl=0x7fffffeef970) at perl.c:2302
    #4  0x000000000041bfb9 in main (argc=3, argv=0x7fffffeefce8, env=0x7fffffeefd08) at perlmain.c:113
    (gdb) p pm
    $10 = (PMOP *) 0x6a12f0
    (gdb) p rx
    $11 = (REGEXP *) 0x2200000c00000001
    (gdb) p *rx
    Cannot access memory at address 0x2200000c00000001

With debugging:

    #ifdef DEBUGGING
        Copy(&LvTARGOFF(POPs), &pm, 1, PMOP*);
    #else
        pm = (PMOP*)POPs;
    #endif
        if (!pm || !s)
    	DIE(aTHX_ "panic: pp_split");
    =>  rx = PM_GETRE(pm);

in gdb:

    Program received signal SIGSEGV, Segmentation fault.
    0x00000000004d8aca in Perl_pp_split () at pp.c:4615
    (gdb) bt
    #0  0x00000000004d8aca in Perl_pp_split () at pp.c:4615
    #1  0x0000000000468612 in Perl_runops_debug () at dump.c:1931
    #2  0x000000000048cadc in S_run_body (oldscope=1) at perl.c:2384
    #3  0x000000000048c592 in perl_run (my_perl=0x6dd010) at perl.c:2302
    #4  0x000000000041c0c9 in main (argc=3, argv=0x7fffffba5e38, env=0x7fffffba5e58) at perlmain.c:113
    (gdb) p pm
    $1 = (PMOP *) 0x8

So under debugging the pm from the stack is invalid while without
debugging the regex from the regex pad is.

(btw, how does one build perl without -DDEBUGGING properly? I did
`./Configure -Dcc='ccache gcc' -Dld=gcc -Doptimize=-ggdb3 -d -e', which
put -DDEBUGGING in my makefile, presumably because it picked up
-ggdb3; I edited the definition out by hand)

On 1/26/08, via RT l. mai @ web. de <perlbug-followup@perl.org> wrote:
> # New Ticket Created by  l.mai@web.de
> # Please include the string:  [perl #50256]
> # in the subject line of all future correspondence about this issue.
> # <URL: http://rt.perl.org/rt3/Ticket/Display.html?id=50256 >
>
>
>
> This is a bug report for perl from l.mai@web.de,
> generated with the help of perlbug 1.35 running under perl v5.10.0.
>
>
> -----------------------------------------------------------------
> [Please enter your report here]
>
> % perl -e 'split //, unpack "(B)*", "ab"'
> Segmentation fault
>
> Oh, those "locally applied patches" below aren't in this perl; they
> were from v5.8.8. But 5.8.8 also crashes with this code.
>
> [Please do not change anything below this line]
> -----------------------------------------------------------------
> ---
> Flags:
>     category=core
>     severity=medium
> ---
> This perlbug was built using Perl v5.8.8 - Wed Mar 22 20:53:12 CET 2006
> It is being executed now by  Perl v5.10.0 - Wed Dec 19 19:01:35 CET 2007.
>
> Site configuration information for perl v5.10.0:
>
> Configured by mauke at Wed Dec 19 19:01:35 CET 2007.
>
> Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
>   Platform:
>     osname=linux, osvers=2.6.22-gentoo-r9, archname=i686-linux
>     uname='linux nora 2.6.22-gentoo-r9 #3 preempt sat nov 3 22:12:09 cet
> 2007 i686 amd athlon(tm) 64 processor 3200+ authenticamd gnulinux '
>     config_args=''
>     hint=recommended, useposix=true, d_sigaction=define
>     useithreads=undef, usemultiplicity=undef
>     useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
>     use64bitint=undef, use64bitall=undef, uselongdouble=undef
>     usemymalloc=n, bincompat5005=undef
>   Compiler:
>     cc='gcc', ccflags ='-fno-strict-aliasing -pipe -I/usr/local/include
> -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
>     optimize='-O2 -march=native -fomit-frame-pointer',
>     cppflags='-fno-strict-aliasing -pipe -I/usr/local/include
> -I/usr/include/gdbm'
>     ccversion='', gccversion='4.2.2', gccosandvers=''
>     intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
>     d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
>     ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t',
> lseeksize=8
>     alignbytes=4, prototype=define
>   Linker and Libraries:
>     ld='gcc', ldflags =' -L/usr/local/lib'
>     libpth=/usr/local/lib /lib /usr/lib
>     libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
>     perllibs=-lnsl -ldl -lm -lcrypt -lutil -lc
>     libc=/lib/libc-2.6.1.so, so=so, useshrplib=false, libperl=libperl.a
>     gnulibc_version='2.6.1'
>   Dynamic Linking:
>     dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
>     cccdlflags='-fPIC', lddlflags='-shared -O2 -march=native
> -fomit-frame-pointer -L/usr/local/lib'
>
> Locally applied patches:
>     SAFEARGV0 - disable magic open in <ARGV>
>     METHQUAL0 - allow qualified method calls without a valid object
>     UNWARN0 - disable stupid warnings for print and qw
>
> ---
> @INC for perl v5.10.0:
>     /home/mauke/usr/local/lib/perl5/5.10.0/i686-linux
>     /home/mauke/usr/local/lib/perl5/5.10.0
>     /home/mauke/usr/local/lib/perl5/site_perl/5.10.0/i686-linux
>     /home/mauke/usr/local/lib/perl5/site_perl/5.10.0
>     .
>
> ---
> Environment for perl v5.10.0:
>     HOME=/home/mauke
>     LANG=en_US.UTF-8
>     LANGUAGE (unset)
>     LC_COLLATE=POSIX
>     LD_LIBRARY_PATH (unset)
>     LOGDIR (unset)
>
> PATH=/home/mauke/usr/local/bin:/usr/local/bin:/usr/bin:/bin:/opt/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.1.2:/opt/sun-jdk-1.4.2.13/bin:/opt/sun-jdk-1.4.2.13/jre/bin:/opt/sun-jdk-1.4.2.13/jre/javaws:/usr/kde/3.5/bin:/usr/qt/3/bin:/usr/games/bin:/opt/vmware/player/bin
>     PERL_BADLANG (unset)
>     PERL_UNICODE=SAL
>     SHELL=/bin/zsh
>
>

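A small triage harness, added here as an example and not part of Ævar's message or of the perl source: it runs each one-liner from this thread in a child process under the same perl binary and decodes the wait status, so a crashing build reports a signal name instead of taking the session down, and a build that has the fix shows plain exit codes. The case labels record the behaviour reported in the thread; the script assumes only a Unix-style wait status and the core Config module.

```perl
#!/usr/bin/env perl
# Triage harness for the [perl #50256] reproducers (added example,
# not from the original report). Each case is run in a child perl so a
# segfault is observed as a wait status rather than killing this script.
use strict;
use warnings;
use Config;

# The one-liners quoted in the thread; labels note the reported result.
my @cases = (
    [ 'direct list-context unpack into split (reported: SIGSEGV)',
      q{split //, unpack "(B)*", "ab"} ],
    [ 'unpack result stored in a scalar first (reported: fine)',
      q{my $s = unpack("(B)*", "ab"); split //, $s} ],
    [ 'nested unpack via scalar temp (reported: fine)',
      q{my $s = unpack("(B)*", "ab"); unpack "(a)*", $s} ],
    [ 'nested unpack, direct (reported: dies "Invalid type")',
      q{unpack "(a)*", unpack("(B)*", "ab")} ],
);

# Decode a raw wait status: signal number in the low 7 bits, core-dump
# flag in bit 7, exit code in the high byte. Signal names come from
# $Config{sig_name}, which lists them in signal-number order.
sub classify {
    my ($status) = @_;
    return 'could not spawn child' if $status == -1;
    my $sig = $status & 127;
    if ($sig) {
        my @names = split ' ', $Config{sig_name};
        my $name  = defined $names[$sig] ? $names[$sig] : $sig;
        my $core  = ($status & 128) ? ' (core dumped)' : '';
        return "killed by SIG$name$core";
    }
    return 'exit ' . ($status >> 8);
}

for my $case (@cases) {
    my ($label, $code) = @$case;
    # List-form system(): no shell, so the one-liner is passed verbatim.
    # $^X is the perl binary running this script, so a freshly built
    # ./perl can be tested with "./perl triage.pl".
    system($^X, '-e', $code);
    printf "%-60s => %s\n", $label, classify($?);
}
```

Run it with the perl under test, e.g. `./perl triage.pl` from a build tree; the fourth case prints its "Invalid type" message on stderr and shows up as a non-zero exit code, which is the expected, non-crashing outcome.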