
[perl #123847]

From: Hugo van der Sanden
Date: February 16, 2015 12:38
Subject: [perl #123847]
Message ID: rt-4.0.18-5686-1424090271-213.123847-75-0@perl.org
# New Ticket Created by  Hugo van der Sanden 
# Please include the string:  [perl #123847]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=123847 >


AFL (<http://lcamtuf.coredump.cx/afl/>) finds this:

% ./miniperl -e '%0=*:=*::::=0'
Segmentation fault (core dumped)
% 

The code looks similar to the glob overwriting cases in [perl #123710], but the failure mode is quite different:

Program received signal SIGSEGV, Segmentation fault.
0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, name=0xa62460 ":", 
    len=1, flags=0) at hv.c:2342
2342                     (HEK_UTF8(*hekp) || (flags & SVf_UTF8)) 
(gdb) where
#0  0x000000000056afbc in Perl_hv_ename_add (hv=0xa56108, name=0xa62460 ":", 
    len=1, flags=0) at hv.c:2342
#1  0x000000000055a651 in S_mro_gather_and_rename (stashes=0xa557c0, 
    seen_stashes=0xa55790, stash=0xa56108, oldstash=0x0, namesv=0xa61400)
    at mro.c:992
#2  0x000000000055953b in Perl_mro_package_moved (stash=0xa56108, 
    oldstash=0x0, gv=0xa613e8, flags=0) at mro.c:844
#3  0x00000000005a9e33 in S_glob_assign_glob (dstr=0xa613e8, sstr=0xa61418, 
    dtype=9) at sv.c:4005
#4  0x00000000005afa88 in Perl_sv_setsv_flags (dstr=0xa613e8, sstr=0xa61418, 
    flags=1538) at sv.c:4426
#5  0x0000000000574add in Perl_pp_sassign () at pp_hot.c:231
#6  0x000000000052a13d in Perl_runops_debug () at dump.c:2231
#7  0x00000000004098c7 in S_run_body (oldscope=1) at perl.c:2423
#8  0x0000000000408f0b in perl_run (my_perl=0xa40010) at perl.c:2346
#9  0x00000000004508d1 in main (argc=3, argv=0x7fffffffe638, 
    env=0x7fffffffe658) at miniperlmain.c:122
(gdb) p hekp
$1 = (HEK **) 0xa5f820
(gdb) p *hekp
$2 = (HEK *) 0x0
(gdb) p /x *hv
$3 = {sv_any = 0xa47ec0, sv_refcnt = 0x1, sv_flags = 0x3200000c, sv_u = {
    svu_pv = 0xa59150, svu_iv = 0xa59150, svu_uv = 0xa59150, svu_nv = 0x0, 
    svu_rv = 0xa59150, svu_rx = 0xa59150, svu_array = 0xa59150, 
    svu_hash = 0xa59150, svu_gp = 0xa59150, svu_fp = 0xa59150}}
(gdb) p *aux
$4 = {xhv_name_u = {xhvnameu_name = 0xa5f820, xhvnameu_names = 0xa5f820}, 
  xhv_backreferences = 0x0, xhv_eiter = 0x0, xhv_riter = -1, 
  xhv_name_count = -2, xhv_mro_meta = 0xa5f4e0, xhv_rand = 1738015991, 
  xhv_last_rand = 1738015991, xhv_fill_lazy = 0, xhv_aux_flags = 0}
(gdb) p aux->xhv_name_u.xhvnameu_names[0]@2
$5 = {0x0, 0xa4d368}

Not sure what's supposed to be happening here - the else branch (when not aux->xhv_name_count) clearly knows, when it stores existing_name to xhvnameu_names[0], that it might be NULL; that's why our name_count is -2, so how can it be right to loop as far as xhvnameu_names[0] in the if branch?

Hugo
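Added illustration, not code from perl's hv.c: a constructed C model of the bookkeeping the gdb output shows (name_count == -2, names[0] == NULL), with a checker that predicts from the count alone which slot a loop starting at 0 would dereference while NULL, beside a walk that honours the sign of the count. The struct and field names are stand-ins, not perl's.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed model (not perl's hv.h): a negative name_count means
 * slot 0 is the effective-name slot and may be NULL; only slots
 * 1 .. (-name_count - 1) are guaranteed to hold real entries. */
typedef struct { const char *pv; int utf8; } Hek;   /* stand-in for HEK */

typedef struct {
    Hek **names;      /* stand-in for xhv_name_u.xhvnameu_names */
    int   name_count; /* stand-in for xhv_name_count */
} StashAux;

static int abs_count(const StashAux *aux) {
    return aux->name_count < 0 ? -aux->name_count : aux->name_count;
}

/* Slot that a loop running from 0 to |name_count| would dereference
 * while it is NULL, or -1 when every slot is populated. */
static int first_null_slot(const StashAux *aux) {
    for (int i = 0; i < abs_count(aux); i++)
        if (aux->names[i] == NULL) return i;
    return -1;
}

/* Hardened walk: skip slot 0 when the count is negative, and still
 * tolerate a NULL entry anywhere. Counts entries flagged UTF-8. */
static int count_utf8_names(const StashAux *aux) {
    int hits = 0;
    for (int i = aux->name_count < 0 ? 1 : 0; i < abs_count(aux); i++)
        if (aux->names[i] != NULL && aux->names[i]->utf8) hits++;
    return hits;
}

/* Builds the state from the report: name_count == -2, names == {NULL, x}. */
static StashAux *make_reported_state(Hek *x) {
    StashAux *aux = malloc(sizeof *aux + 2 * sizeof(Hek *));
    aux->names = (Hek **)(aux + 1);
    aux->name_count = -2;
    aux->names[0] = NULL;
    aux->names[1] = x;
    return aux;
}

/* Runs the reported state through both walks; utf8 flags the real entry. */
static int reported_null_slot(void) {
    Hek x = { "main", 0 };
    StashAux *aux = make_reported_state(&x);
    int slot = first_null_slot(aux);
    free(aux);
    return slot;                                   /* 0: the crash slot */
}
static int reported_utf8_count(int utf8) {
    Hek x = { "main", utf8 };
    StashAux *aux = make_reported_state(&x);
    int n = count_utf8_names(aux);
    free(aux);
    return n;
}
```

reported_null_slot() returning 0 is the model's counterpart of the `$5 = {0x0, 0xa4d368}` line above: with a negative count, a walk that begins at slot 0 is guaranteed to hit the NULL.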



