Front page | perl.perl5.porters |
Postings from June 2016
On Thu, May 26, 2016 at 05:29:21PM -0700, Dan Collins wrote:
> dcollins@nightshade64:~/perldebug$ ./perl -Ilib -tW -e '{@{*a::ISA}=undef*a::ISA;@a::ISA=0}'
> Use of uninitialized value in list assignment at -e line 1.
> perl: mg.c:1726: Perl_magic_clearisa: Assertion `((((_gvstash)->sv_flags & (0x00004000|0x00008000)) == 0x00008000) && (((svtype)((_gvstash)->sv_flags & 0xff)) == SVt_PVGV || ((svtype)((_gvstash)->sv_flags & 0xff)) == SVt_PVLV))' failed.
> Aborted
It's equivalent to the following:
perl -t run against:
undef *a::ISA;
@{*a::ISA}=();
@a::ISA=0
The problem is in the weak pointer from ISA magic to the GV, i.e. where
the *a::ISA points to the GP which points to @a::ISA which has ISA magic
attached, who's mg_obj field contains a weak pointer back to *a::ISA. It
has to be weak, otherwise there would be a reference loop and leakage.
However, with this: @{*a::ISA}, the *a::ISA expression is executed within
a block scope; when that scope is left, a copy of the scope's return value
is returned (as is done with all rvalue scope exits). This copying creates
an SvTEMP GV whose GP is shared with the original *a::ISA GV.
When the gp_av slot of the temp GV is accessed, it is empty due to the
earlier undef, so is autovivified. The autovivification sees that the GV's
name is 'ISA' so attaches ISA magic, whose mg_obj field is set to point
(weakly) to the temp GV copy of *a::ISA.
At the next statement boundary temps are freed, and @a::ISA's mg_obj
field now points to a freed GV. Crashes etc follow.
I don't know how to fix this.
--
Dave's first rule of Opera:
If something needs saying, say it: don't warble it.
Thread Previous
|
Thread Next