several segfaults new in bleedperl #2322

p5pRT · 2000-08-06T15:57:39Z

Migrated from rt.perl.org#3646 (status was 'resolved')

Searchable as RT3646$

p5pRT · 2000-08-06T15:57:39Z

From [email protected]

Created by [email protected]

I've been busy today -- what follows are reports on seven mostly-different
situations where perl will either segfault or panic. Some of these are new
in bleedperl (as of Aug 6).

They're all related in that they all use (??{...}).

Problem #1: the following program segfaults with bleedperl, but not 5.6.0:

use strict;
use re 'eval';

$_ = "1";
our $foo = qr{ (\d+)
(?{ warn "foo" })
(?{ warn $undefined }) }x;

m{ (??{ $foo }) }x;

With 5.6.0:
foo at (re_eval 1) line 1.
Use of uninitialized value in warn at (re_eval 2) line 1.
Warning: something's wrong at (re_eval 2) line 1.

With bleedperl:

foo at (re_eval 1) line 1.
Segmentation fault

Here's the backtrace

jfriedl@fummy> gdb ./perl
GNU gdb 4.18
Copyright 1998 Free Software Foundation, Inc.
(gdb) run /tmp/p
Starting program: /home/jfriedl/src/bleadperl/./perl /tmp/p
foo at (re_eval 1) line 1.

Program received signal SIGSEGV, Segmentation fault.
malloc (nbytes=1) at malloc.c:1067
1067 nextf[bucket] = p->ov_next;
(gdb) where
#0 malloc (nbytes=1) at malloc.c:1067
#1 0x809e006 in Perl_sv_grow (sv=0x80f5964, newlen=1) at sv.c:1246
#2 0x80a0ee0 in Perl_sv_setpvn (sv=0x80f5964, ptr=0x80e3338 "", len=0) at sv.c:3006
#3 0x80a3679 in Perl_newSVpvn (s=0x80e3338 "", len=0) at sv.c:4901
#4 0x808c95b in S_mess_alloc () at util.c:1374
#5 0x808ca91 in Perl_vmess (pat=0x80e7ea0 "Use of uninitialized value%s%s", args=0xbfffeccc)
at util.c:1450
#6 0x808d679 in Perl_vwarner (err=41, pat=0x80e7ea0 "Use of uninitialized value%s%s", args=0xbfffeccc)
at util.c:1819
#7 0x808d64e in Perl_warner (err=41, pat=0x80e7ea0 "Use of uninitialized value%s%s") at util.c:1804
#8 0x809d126 in Perl_report_uninit () at sv.c:304
#9 0x809fc0a in Perl_sv_2pv (sv=0x810a338, lp=0xbfffed94) at sv.c:2273
#10 0x80bdeca in Perl_pp_warn () at pp_sys.c:431
#11 0x8096e4d in Perl_runops_standard () at run.c:27
#12 0x80d1d69 in S_regmatch (prog=0x8100af8) at regexec.c:2366
#13 0x80d3668 in S_regmatch (prog=0x8100ae8) at regexec.c:3117
#14 0x80d1f69 in S_regmatch (prog=0x80f615c) at regexec.c:2435
#15 0x80d0669 in S_regtry (prog=0x80f6120, startpos=0x80f5020 "1") at regexec.c:1774
#16 0x80d02ff in Perl_regexec_flags (prog=0x80f6120, stringarg=0x80f5020 "1", strend=0x80f5021 "",
strbeg=0x80f5020 "1", minend=0, sv=0x80f5910, data=0x0, flags=2) at regexec.c:1630
#17 0x80992de in Perl_pp_match () at pp_hot.c:1082
#18 0x8096e4d in Perl_runops_standard () at run.c:27
#19 0x805c12e in S_run_body (oldscope=1) at perl.c:1447
#20 0x805bea8 in perl_run (my_perl=0x80f5004) at perl.c:1367
#21 0x8059c83 in main (argc=2, argv=0xbffff354, env=0xbffff360) at perlmain.c:52
(gdb)

My bleedperl is compiled with Perl's malloc. I had another problem earlier
in which I was getting segfaults in libc, and although I spent a few hours
with gdb, I couldn't even track down where from within Perl the errant libc
function was being called. When I recompiled with Perl's malloc, the
problem went away. I don't know if it's related to this, though.

-----------------------------------------------------------------

Problem#2:
As I noted before, program execution results in:
foo at (re_eval 1) line 1.
Segmentation fault
However, if you comment out the "use re 'eval'" line, you then get
at (re_eval 1) line 1.
Segmentation fault
which seems odd. Again, this oddness does not occur with 5.6.0.
Using "no re 'eval'" doesn't make the oddness go away.

-----------------------------------------------------------------

Problem#3:
In trying to make a t/op test for problem#2, I ran into yet another
problem. The program:

eval {
$_ = "1";
our $foo = qr{ (\d+)
(?{ die "foo" })
(?{ $undefined }) }x;
m{ (??{ $foo }) }x;
};

print "result is [$@]\n";

Generates:
Modification of a read-only value attempted at t/op/regex-oddness.t line 11.

I don't think there's anything read-only about $foo or $_, the two variables
that are modified.

-----------------------------------------------------------------

Problem#4:

If you then add a print before the result-print line,

eval {
$_ = "1";
our $foo = qr{ (\d+)
(?{ die "foo" })
(?{ $undefined }) }x;
m{ (??{ $foo }) }x;
};

print "before\n"
print "result is [$@]\n";

it then segfaults:

jfriedl@fummy> gdb ./perl
(gdb) run t/op/regex-oddness.t
Starting program: /home/jfriedl/src/bleadperl/./perl t/op/regex-oddness.t
1..2
before

Program received signal SIGSEGV, Segmentation fault.
0x808fa0c in Perl_mg_get (sv=0x80fe050) at mg.c:111
111 if (!(mg->mg_flags & MGf_GSKIP) && vtbl && vtbl->svt_get) {
(gdb) where
#0 0x808fa0c in Perl_mg_get (sv=0x80fe050) at mg.c:111
#1 0x80976be in Perl_pp_concat () at pp_hot.c:210
#2 0x8096e4d in Perl_runops_standard () at run.c:27
#3 0x805c12e in S_run_body (oldscope=1) at perl.c:1447
#4 0x805bea8 in perl_run (my_perl=0x80f5004) at perl.c:1367
#5 0x8059c83 in main (argc=2, argv=0xbffff344, env=0xbffff350) at perlmain.c:52
(gdb)

-----------------------------------------------------------------

Problem#5:

If you take the first program above and inline the $foo regex directly into
the main regex, as with:

use strict;
use re 'eval';

$_ = "1";

m{ (??{ qr{(\d+)
(?{ warn "foo" })
(?{ warn $undefined })} }) }x;

you then get
panic: unknown regstclass 0 at /tmp/p line 9.

-----------------------------------------------------------------

Problem#6:

Making the program even smaller

use re 'eval';
m{ (??{ qr{(\d+)} }) }x;

and you get a segfault (gdb dump below).
Oddly, with 5.6.0, you get the line
80fe468 176
before the segfault. With bleedperl, you don't get it.

Here's the gdb dump:

jfriedl@fummy> gdb ./perl
(gdb) run /tmp/p
Starting program: /home/jfriedl/src/bleadperl/./perl /tmp/p

Program received signal SIGSEGV, Segmentation fault.
0x8083d06 in S_study_chunk (scanp=0xbfffef88, deltap=0xbfffef84, last=0x80f6178, data=0xbffff128,
flags=3072) at regcomp.c:466
466 && off + noff < max)
(gdb) where
#0 0x8083d06 in S_study_chunk (scanp=0xbfffef88, deltap=0xbfffef84, last=0x80f6178, data=0xbffff128,
flags=3072) at regcomp.c:466
#1 0x8084871 in S_study_chunk (scanp=0xbffff0cc, deltap=0xbffff0d0, last=0x80f6178, data=0xbffff128,
flags=3072) at regcomp.c:732
#2 0x80866f9 in Perl_pregcomp (exp=0x8101b98 " (??{ qr{(\\d+)} }) ", xend=0x8101bab "", pm=0x81012c0)
at regcomp.c:1537
#3 0x807c5d3 in Perl_pmruntime (o=0x81012c0, expr=0x80f7aa0, repl=0x0) at op.c:2901
#4 0x8077cb1 in Perl_yyparse () at perly.y:650
#5 0x805bccb in S_parse_body (env=0x0, xsinit=0x8059cb0 <xs_init>) at perl.c:1290
#6 0x805b412 in perl_parse (my_perl=0x80f5004, xsinit=0x8059cb0 <xs_init>, argc=2, argv=0xbffff354,
env=0x0) at perl.c:875
#7 0x8059c6f in main (argc=2, argv=0xbffff354, env=0xbffff360) at perlmain.c:50
(gdb)

-----------------------------------------------------------------

Problem #7: then, removing the "use re 'eval'" from that small one, you
get the panic again:

jfriedl@fummy> ./perl -we 'm{ (??{ qr{(\d+)} }) }x;'
Use of uninitialized value in pattern match (m//) at -e line 1.
panic: unknown regstclass 0 at -e line 1.

I don't know how related these all are.
Jeffrey

Perl Info


Flags:
    category=core
    severity=medium

Site configuration information for perl v5.6.0:

Configured by jfriedl at Sat Aug  5 23:33:33 PDT 2000.

Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.2.16, archname=i686-linux
    uname='linux fummy.dsl.yahoo.com 2.2.16 #6 smp sun jul 23 11:26:16 pdt 2000 i686 unknown '
    config_args=''
    hint=previous, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define 
    use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
  Compiler:
    cc='cc', optimize='-O2 -g', gccversion=pgcc-2.91.66 19990314 (egcs-1.1.2 release), gccosandvers=
    cppflags='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    stdchar='char', d_stdstdio=define, usevfork=false
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, usemymalloc=y, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldb -ldl -lm -lc -lposix -lcrypt -lutil
    libc=/lib/libc-2.1.1.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    devel-6489


@INC for perl v5.6.0:
    /home/jfriedl/lib/perl
    /home/jfriedl/lib/perl/yahoo
    /usr/test/lib/perl5/5.6.0/i686-linux
    /usr/test/lib/perl5/5.6.0
    /usr/test/lib/perl5/site_perl/5.6.0/i686-linux
    /usr/test/lib/perl5/site_perl/5.6.0
    /usr/test/lib/perl5/site_perl
    .


Environment for perl v5.6.0:
    HOME=/home/jfriedl
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH=/usr/local/pgsql/lib:/home/jfriedl/src/rvplayer5.0
    LOGDIR (unset)
    PATH=/home/jfriedl/bin:/home/jfriedl/common/bin:/usr/local/gcc-2.95.2/bin:.:/usr/local/pgsql/bin:/usr/local/bin:/usr/X11R6/bin:/bin:/usr/bin:/usr/sbin:/sbin:/home/jfriedl/src/rvplayer5.0
    PERLLIB=/home/jfriedl/lib/perl:/home/jfriedl/lib/perl/yahoo
    PERL_BADLANG (unset)
    SHELL=/bin/tcsh

p5pRT · 2000-08-07T09:27:22Z

From @jhi

I've been busy today -- what follows are reports on seven mostly-different
situations where perl will either segfault or panic. Some of these are new
in bleedperl (as of Aug 6).

They're all related in that they all use (??{...}).

Sigh. The (?? truly is experimental.

p5pRT · 2000-08-07T10:05:45Z

From @vanstyn

In <20000807112700.A2773@chaos.wustl.edu>, Jarkko Hietaniemi writes:
:> I've been busy today -- what follows are reports on seven mostly-different
:> situations where perl will either segfault or panic. Some of these are new
:> in bleedperl (as of Aug 6).
:>
:> They're all related in that they all use (??{...}).
:
:Sigh. The (?? truly is experimental.

I have all of Jeffrey's recent reports filed for checking, but I
suspect that most or all of the (??{...}) problems will require that
the engine become reentrant, and possibly that we also replace the
way we jump out of scopes through JMPENV. ISTR Sarathy had some ideas
about the latter.

Hugo

p5pRT · 2000-08-10T11:13:31Z

From [Unknown Contact. See original ticket]

With problem #6 on NT with 5.6.0, it looks like it all starts with an
invalid pointer read:
S_nextchar [regcomp.c:3575]

for (;;) {
if (PL_regcomp_parse == '(' && PL_regcomp_parse[1] == '?' &&
=> PL_regcomp_parse[2] == '#') {
while (PL_regcomp_parse && PL_regcomp_parse != ')')
PL_regcomp_parse++;
PL_regcomp_parse++;
S_reg [regcomp.c:1791]
FAIL("Eval-group in insecure regular expression");
}

=> nextchar();
if (logical) {
ret = reg_node(LOGICAL);
if (!SIZE_ONLY)
S_regatom [regcomp.c:2297]
break;
case '(':
nextchar();
=> ret = reg(1, &flags);
if (ret == NULL) {
if (flags & TRYAGAIN)
goto tryagain;
S_regpiece [regcomp.c:2096]
I32 min;
I32 max = REG_INFTY;

=> ret = regatom(&flags);
if (ret == NULL) {
if (flags & TRYAGAIN)
flagp |= TRYAGAIN;
S_regbranch [regcomp.c:2044]
nextchar();
while (PL_regcomp_parse < PL_regxend && PL_regcomp_parse != '|'
&& PL_regcomp_parse != ')') {
flags &= ~TRYAGAIN;
=> latest = regpiece(&flags);
if (latest == NULL) {
if (flags & TRYAGAIN)
continue;
S_reg [regcomp.c:1902]
ret = NULL;

/* Pick up the branches, linking them together. /
=> br = regbranch(&flags, 1);
if (br == NULL)
return(NULL);
if (PL_regcomp_parse == '|') {
Perl_pregcomp [regcomp.c:1415]
PL_regcode->next_off = ((PL_seen_evals > U16_MAX) ? U16_MAX :
PL_seen_evals);
REGC((U8)REG_MAGIC, (char) PL_regcode++);
r->data = 0;
=> if (reg(0, &flags) == NULL)
return(NULL);

/ Dig out information for optimizations. */
Perl_pmruntime [op.c:2859]
}
if ((PL_hints & HINT_UTF8) || (SvUTF8(pat) && !(PL_hints &
HINT_BYTE)))
pm->op_pmdynflags |= PMdf_UTF8;
=> pm->op_pmregexp = CALLREGCOMP(aTHX_ p, p + plen, pm);
if (strEQ("\\s+", pm->op_pmregexp->precomp))
pm->op_pmflags |= PMf_WHITE;
op_free(expr);
unknown_function [perly.y:648]
| FUNC1 '(' expr ')'
{ $$ = newUNOP($1, 0, $3); }
| PMFUNC '(' term ')'
=> { $$ = pmruntime($1, $3, Nullop); }
| PMFUNC '(' term ',' term ')'
{ $$ = pmruntime($1, $3, $5); }
| WORD
S_parse_body [perl.c:1249]

SETERRNO(0,SS$_NORMAL);
PL_error_count = 0;
=> if (yyparse() || PL_error_count) {
if (PL_minus_c)
Perl_croak(aTHX_ "%s had compilation errors.\n",
PL_origfilename);
else {

Mark Leighton Fisher Thomson Consumer Electronics
fisherm@tce.com Indianapolis, IN, USA
"Display some adaptability." -- Doug Shaftoe, _Cryptonomicon_

p5pRT · 2001-05-21T10:13:58Z