develooper Front page | perl.perl5.porters | Postings from February 2015

[perl #123677] 31 byte one liner crashes Perl5.21.9

From:
Father Chrysostomos via RT
Date:
February 9, 2015 17:34
Subject:
[perl #123677] 31 byte one liner crashes Perl5.21.9
Message ID:
rt-4.0.18-6758-1423503240-880.123677-15-0@perl.org
On Mon Feb 09 07:08:38 2015, alh wrote:
> On Sun, Feb 8, 2015 at 5:56 PM, Father Chrysostomos via RT
> <perlbug-followup@perl.org> wrote:
> > Even if it doesn’t crash, the -DT output gets scrambled with lines like:
> >
> > ### 1:LEX_KNOWNEXT/XTERM "@0"
> > ### <== ?? 63008
> >
> > What happens if you bisect with -DT and check for ‘<== ??’ in the output?
> 
> More fun here. I had to compile all versions with -O2 -g to get this
> bug to trigger. It led to this:
> 
>   mhorsfall@dory:~/perl-1$ git show f05d7009fffc72d5b11ea5e553117baa7256a9a7
>   commit f05d7009fffc72d5b11ea5e553117baa7256a9a7
>   Author: Rafael Garcia-Suarez <rgarciasuarez@gmail.com>
>   Date:   Fri May 16 14:13:23 2008 +0200
> 
>       Prevent the tokenizer from segfaulting in debug mode when a FUNC
> token is forced
>          From: "Rafael Garcia-Suarez" <rgarciasuarez@gmail.com>
>          Message-ID:
> <b77c1dce0805160313r78cb1b2bxfeb64460d2e9a7df@mail.gmail.com>
> 
>       p4raw-id: //depot/perl@33833
> 
>   diff --git a/toke.c b/toke.c
>   index abdc54d..2a63a90 100644
>   --- a/toke.c
>   +++ b/toke.c
>   @@ -1359,7 +1359,7 @@ S_force_next(pTHX_ I32 type)
>    #ifdef DEBUGGING
>        if (DEBUG_T_TEST) {
>            PerlIO_printf(Perl_debug_log, "### forced token:\n");
>   -       tokereport(THING, &NEXTVAL_NEXTTOKE);
>   +       tokereport(type, &NEXTVAL_NEXTTOKE);
>        }
>    #endif
>    #ifdef PERL_MAD
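Review bot: passing the real `type` instead of the hard-coded THING fixes what tokereport prints, but the DEBUGGING branch still hands `&NEXTVAL_NEXTTOKE` to tokereport with no check that nexttoke is inside the nextval array, which is the overflow this message goes on to describe; an assert on nexttoke's range inside the `if (DEBUG_T_TEST)` block would make -DT report the overflow rather than print from whatever memory follows the arrays.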
> 
> Attached are the -DT output from before the commit and after the
> commit for comparison if it's of any interest.

Well, it is certainly interesting.  The first one stops abruptly at the buffer overflow.  Presumably it crashed because of the bug that 05d7009fff fixed.  The second one shows definitely buggy output.

When the overflow happens, nextval overflows into nexttype and nexttype overflows into nexttoke.  Since nexttoke is an offset into the nexttype and nextval arrays, it is possible to read ahead into save_curcop, which is a memory address.  That would explain why the bug is intermittent.

I suspect this bug is *old* and predates -DT output.
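The layout described above, as an added illustration that is not perl's toke.c: a constructed model with nextval[], nexttype[] and nexttoke laid out back to back, so an unchecked push past the end of nextval[] would land in nexttype[] and then in nexttoke itself, and a bounds-checked push and pop of the kind that keeps nexttoke from ever indexing past the arrays. NEXT_MAX and the LIFO pop are assumptions of the model, not values from the page.

```c
/* Added model of the tokenizer lookahead buffers from the thread (not perl's code). */
#include <string.h>

#define NEXT_MAX 5   /* constructed size; the real array size is not on this page */

struct lexer_model {
    long  nextval[NEXT_MAX];  /* queued token values (stands in for YYSTYPE) */
    int   nexttype[NEXT_MAX]; /* queued token types */
    int   nexttoke;           /* count of queued tokens; indexes both arrays */
    void *save_curcop;        /* the pointer a runaway nexttoke could read into */
};

static struct lexer_model model;

/* Checked push: returns 1 on success, 0 when the queue is full. An unchecked
 * push here would write nextval[NEXT_MAX] straight into nexttype[0]. */
int force_next_checked(struct lexer_model *lx, int type, long val)
{
    if (lx->nexttoke < 0 || lx->nexttoke >= NEXT_MAX)
        return 0;
    lx->nextval[lx->nexttoke]  = val;
    lx->nexttype[lx->nexttoke] = type;
    lx->nexttoke++;
    return 1;
}

/* Checked pop of the most recently forced token; 0 when nothing is queued
 * or nexttoke is already out of range (a corrupted index is refused). */
int next_token_checked(struct lexer_model *lx, int *type, long *val)
{
    if (lx->nexttoke <= 0 || lx->nexttoke > NEXT_MAX)
        return 0;
    lx->nexttoke--;
    *type = lx->nexttype[lx->nexttoke];
    *val  = lx->nextval[lx->nexttoke];
    return 1;
}

/* Resets the model, forces n tokens, returns how many were accepted. */
int force_many(int n)
{
    int accepted = 0;
    memset(&model, 0, sizeof model);
    model.save_curcop = &model;            /* marker: must survive every push */
    for (int i = 0; i < n; i++)
        accepted += force_next_checked(&model, 100 + i, (long)i);
    return accepted;
}

/* Drains the queue, checking LIFO order; returns the number of tokens popped
 * or -1 if a popped token does not match what was pushed. */
int drain_and_verify(void)
{
    int type, popped = 0;
    long val;
    while (next_token_checked(&model, &type, &val)) {
        if (type != 100 + val) return -1;
        popped++;
    }
    return popped;
}

/* 1 if nexttoke is still in range and save_curcop still holds its marker. */
int model_intact(void)
{
    return model.nexttoke >= 0 && model.nexttoke <= NEXT_MAX
        && model.save_curcop == &model;
}
```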

-- 

Father Chrysostomos


---
via perlbug:  queue: perl5 status: pending release
https://rt.perl.org/Ticket/Display.html?id=123677
