ASAN segfaults in lib/warnings.t #13813

Closed

p5pRT opened this issue May 9, 2014 · 10 comments

Comments

p5pRT commented May 9, 2014

Migrated from rt.perl.org#121831 (status was 'resolved')

Searchable as RT121831$

p5pRT commented May 9, 2014

From @khwilliamson

This is a bug report for perl from khw@khw.(none),
generated with the help of perlbug 1.40 running under perl 5.19.12.


Our smoke reports lately have been failing tests 425 and 427 in
threaded builds with lib/warnings.t under clang 4.2.1 with ASAN. For
example, http://perl.develop-help.com/raw/?id=161123

I do not get a failure with clang 3.2, nor with valgrind.

Below is the relevant portion of one such log:

ASAN failure in t/lib/warnings/op

PROG:
# op.c
use warnings 'void' ; no warnings 'experimental::smartmatch'; close STDIN ;
#line 2
1 x 3 ; # OP_REPEAT (folded)
(1) x 3 ; # OP_REPEAT
  # OP_GVSV
wantarray ; # OP_WANTARRAY
  # OP_GV
  # OP_PADSV
  # OP_PADAV
  # OP_PADHV
  # OP_PADANY
  # OP_AV2ARYLEN
ref ; # OP_REF
\@a ; # OP_REFGEN
\$a ; # OP_SREFGEN
defined $a ; # OP_DEFINED
hex $a ; # OP_HEX
oct $a ; # OP_OCT
length $a ; # OP_LENGTH
substr $a,1 ; # OP_SUBSTR
vec $a,1,2 ; # OP_VEC
index $a,1,2 ; # OP_INDEX
rindex $a,1,2 ; # OP_RINDEX
sprintf $a ; # OP_SPRINTF
$a[0] ; # OP_AELEM
  # OP_AELEMFAST
@a[0] ; # OP_ASLICE
#values %a ; # OP_VALUES
#keys %a ; # OP_KEYS
$a{0} ; # OP_HELEM
@a{0} ; # OP_HSLICE
unpack "a", "a" ; # OP_UNPACK
pack $a,"" ; # OP_PACK
join "" ; # OP_JOIN
(@a)[0,1] ; # OP_LSLICE
  # OP_ANONLIST
  # OP_ANONHASH
sort(1,2) ; # OP_SORT
reverse(1,2) ; # OP_REVERSE
  # OP_RANGE
  # OP_FLIP
(1 ..2) ; # OP_FLOP
caller ; # OP_CALLER
fileno STDIN ; # OP_FILENO
eof STDIN ; # OP_EOF
tell STDIN ; # OP_TELL
readlink 1; # OP_READLINK
time ; # OP_TIME
localtime ; # OP_LOCALTIME
gmtime ; # OP_GMTIME
eval { getgrnam 1 }; # OP_GGRNAM
eval { getgrgid 1 }; # OP_GGRGID
eval { getpwnam 1 }; # OP_GPWNAM
eval { getpwuid 1 }; # OP_GPWUID
prototype "foo"; # OP_PROTOTYPE
$a ~~ $b; # OP_SMARTMATCH
$a <=> $b; # OP_NCMP
"dsatrewq";
"diatrewq";
"igatrewq";
use 5.015;
__SUB__ # OP_RUNCV
EXPECTED:
Useless use of a constant ("111") in void context at - line 2.
Useless use of repeat (x) in void context at - line 3.
Useless use of wantarray in void context at - line 5.
Useless use of reference-type operator in void context at - line 12.
Useless use of reference constructor in void context at - line 13.
Useless use of single ref constructor in void context at - line 14.
Useless use of defined operator in void context at - line 15.
Useless use of hex in void context at - line 16.
Useless use of oct in void context at - line 17.
Useless use of length in void context at - line 18.
Useless use of substr in void context at - line 19.
Useless use of vec in void context at - line 20.
Useless use of index in void context at - line 21.
Useless use of rindex in void context at - line 22.
Useless use of sprintf in void context at - line 23.
Useless use of array element in void context at - line 24.
Useless use of array slice in void context at - line 26.
Useless use of hash element in void context at - line 29.
Useless use of hash slice in void context at - line 30.
Useless use of unpack in void context at - line 31.
Useless use of pack in void context at - line 32.
Useless use of join or string in void context at - line 33.
Useless use of list slice in void context at - line 34.
Useless use of sort in void context at - line 37.
Useless use of reverse in void context at - line 38.
Useless use of range (or flop) in void context at - line 41.
Useless use of caller in void context at - line 42.
Useless use of fileno in void context at - line 43.
Useless use of eof in void context at - line 44.
Useless use of tell in void context at - line 45.
Useless use of readlink in void context at - line 46.
Useless use of time in void context at - line 47.
Useless use of localtime in void context at - line 48.
Useless use of gmtime in void context at - line 49.
Useless use of getgrnam in void context at - line 50.
Useless use of getgrgid in void context at - line 51.
Useless use of getpwnam in void context at - line 52.
Useless use of getpwuid in void context at - line 53.
Useless use of subroutine prototype in void context at - line 54.
Useless use of smart match in void context at - line 55.
Useless use of numeric comparison (<=>) in void context at - line 56.
Useless use of a constant ("dsatrewq") in void context at - line 57.
Useless use of a constant ("diatrewq") in void context at - line 58.
Useless use of a constant ("igatrewq") in void context at - line 59.
Useless use of __SUB__ in void context at - line 61.
GOT:
Useless use of a constant ("111") in void context at - line 2.
Useless use of repeat (x) in void context at - line 3.
Useless use of wantarray in void context at - line 5.
Useless use of reference-type operator in void context at - line 12.
Useless use of reference constructor in void context at - line 13.
Useless use of single ref constructor in void context at - line 14.
Useless use of defined operator in void context at - line 15.
Useless use of hex in void context at - line 16.
Useless use of oct in void context at - line 17.
Useless use of length in void context at - line 18.
Useless use of substr in void context at - line 19.
Useless use of vec in void context at - line 20.
Useless use of index in void context at - line 21.
Useless use of rindex in void context at - line 22.
Useless use of sprintf in void context at - line 23.
Useless use of array element in void context at - line 24.
Useless use of array slice in void context at - line 26.
Useless use of hash element in void context at - line 29.
Useless use of hash slice in void context at - line 30.
Useless use of unpack in void context at - line 31.
Useless use of pack in void context at - line 32.
Useless use of join or string in void context at - line 33.
Useless use of list slice in void context at - line 34.
Useless use of sort in void context at - line 37.
Useless use of reverse in void context at - line 38.
Useless use of range (or flop) in void context at - line 41.
Useless use of caller in void context at - line 42.
Useless use of fileno in void context at - line 43.
Useless use of eof in void context at - line 44.
Useless use of tell in void context at - line 45.
Useless use of readlink in void context at - line 46.
Useless use of time in void context at - line 47.
Useless use of localtime in void context at - line 48.
Useless use of gmtime in void context at - line 49.
Useless use of getgrnam in void context at - line 50.
Useless use of getgrgid in void context at - line 51.
Useless use of getpwnam in void context at - line 52.
Useless use of getpwuid in void context at - line 53.
Useless use of subroutine prototype in void context at - line 54.
Useless use of smart match in void context at - line 55.
Useless use of numeric comparison (<=>) in void context at - line 56.
Useless use of a constant ("dsatrewq") in void context at - line 57.
Useless use of a constant ("diatrewq") in void context at - line 58.
Useless use of a constant ("igatrewq") in void context at - line 59.
Useless use of __SUB__ in void context at - line 61.
ASAN:SIGSEGV

==5432==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x00000045df80 sp 0x7fffb1c4b760 bp 0x7fffb1c4bfb0 T0)
  #0 0x45df7f
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x45df7f)
  #1 0x45ec97
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x45ec97)
  #2 0x7ea324
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x7ea324)
  #3 0x6bcbec
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x6bcbec)
  #4 0x528184
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x528184)
  #5 0x4c923f
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x4c923f)
  #6 0x2b5d2ea15de4 (/lib/x86_64-linux-gnu/libc.so.6+0x21de4)
  #7 0x4c8f7c
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x4c8f7c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==5432==ABORTING
# Failed test 425 - at lib/warnings/op line 349
PROG:
# op.c
no warnings 'void' ; close STDIN ;
1 x 3 ; # OP_REPEAT
  # OP_GVSV
wantarray ; # OP_WANTARRAY
  # OP_GV
  # OP_PADSV
  # OP_PADAV
  # OP_PADHV
  # OP_PADANY
  # OP_AV2ARYLEN
ref ; # OP_REF
\@a ; # OP_REFGEN
\$a ; # OP_SREFGEN
defined $a ; # OP_DEFINED
hex $a ; # OP_HEX
oct $a ; # OP_OCT
length $a ; # OP_LENGTH
substr $a,1 ; # OP_SUBSTR
vec $a,1,2 ; # OP_VEC
index $a,1,2 ; # OP_INDEX
rindex $a,1,2 ; # OP_RINDEX
sprintf $a ; # OP_SPRINTF
$a[0] ; # OP_AELEM
  # OP_AELEMFAST
@a[0] ; # OP_ASLICE
#values %a ; # OP_VALUES
#keys %a ; # OP_KEYS
$a{0} ; # OP_HELEM
@a{0} ; # OP_HSLICE
unpack "a", "a" ; # OP_UNPACK
pack $a,"" ; # OP_PACK
join "" ; # OP_JOIN
(@a)[0,1] ; # OP_LSLICE
  # OP_ANONLIST
  # OP_ANONHASH
sort(1,2) ; # OP_SORT
reverse(1,2) ; # OP_REVERSE
  # OP_RANGE
  # OP_FLIP
(1 ..2) ; # OP_FLOP
caller ; # OP_CALLER
fileno STDIN ; # OP_FILENO
eof STDIN ; # OP_EOF
tell STDIN ; # OP_TELL
readlink 1; # OP_READLINK
time ; # OP_TIME
localtime ; # OP_LOCALTIME
gmtime ; # OP_GMTIME
eval { getgrnam 1 }; # OP_GGRNAM
eval { getgrgid 1 }; # OP_GGRGID
eval { getpwnam 1 }; # OP_GPWNAM
eval { getpwuid 1 }; # OP_GPWUID
prototype "foo"; # OP_PROTOTYPE
EXPECTED:

GOT:
ASAN:SIGSEGV

==5446==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
(pc 0x00000045df80 sp 0x7fff72f30560 bp 0x7fff72f30db0 T0)
  #0 0x45df7f
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x45df7f)
  #1 0x45ec97
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x45ec97)
  #2 0x7ea324
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x7ea324)
  #3 0x6bcbec
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x6bcbec)
  #4 0x528184
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x528184)
  #5 0x4c923f
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x4c923f)
  #6 0x2b0fed570de4 (/lib/x86_64-linux-gnu/libc.so.6+0x21de4)
  #7 0x4c8f7c
(/home/perl/smoke/perl/smoke-me_clang_quick_sanitize=address/build/perl+0x4c8f7c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==5446==ABORTING
# Failed test 427 - at lib/warnings/op line 467



Flags:
  category=core
  severity=high


Site configuration information for perl 5.19.12:

Configured by khw at Fri May 9 09:50:37 MDT 2014.

Summary of my perl5 (revision 5 version 19 subversion 12) configuration:
  Commit id: f78f6d1
  Platform:
  osname=linux, osvers=3.11.0-20-generic,
archname=x86_64-linux-thread-multi-ld
  uname='linux khw 3.11.0-20-generic #35-ubuntu smp fri may 2
21:32:49 utc 2014 x86_64 x86_64 x86_64 gnulinux '
  config_args='-des -Uversiononly -Dprefix=/home/khw/blead -Dusedevel
-D'optimize=-ggdb3' -A'optimize=-ggdb3' -A'optimize=-O0'
-Accflags='-DPERL_BOOL_AS_CHAR' -Dman1dir=none -Dman3dir=none
-DDEBUGGING -Dcc=g++ -Dusemorebits -Dusethreads'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=define, usemultiplicity=define
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='g++', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DPERL_BOOL_AS_CHAR
-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize=' -ggdb3 -O0',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -DPERL_BOOL_AS_CHAR -fwrapv
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
  ccversion='', gccversion='4.8.1', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16,
Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries:
  ld='g++', ldflags =' -fstack-protector -L/usr/local/lib'
  libpth=/usr/include/c++/4.8 /usr/include/x86_64-linux-gnu/c++/4.8
/usr/include/c++/4.8/backward /usr/local/lib
/usr/lib/gcc/x86_64-linux-gnu/4.8/include-fixed
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
  perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
  libc=libc-2.17.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.17'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -ggdb3 -ggdb3 -O0
-L/usr/local/lib -fstack-protector'


@INC for perl 5.19.12:
  /home/khw/perl/blead/lib
  /home/khw/blead/lib/perl5/site_perl/5.19.12/x86_64-linux-thread-multi-ld
  /home/khw/blead/lib/perl5/site_perl/5.19.12
  /home/khw/blead/lib/perl5/5.19.12/x86_64-linux-thread-multi-ld
  /home/khw/blead/lib/perl5/5.19.12
  /home/khw/blead/lib/perl5/site_perl/5.19.11
  /home/khw/blead/lib/perl5/site_perl/5.19.10
  /home/khw/blead/lib/perl5/site_perl
  .


Environment for perl 5.19.12:
  HOME=/home/khw
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)

  PATH=/home/khw/bin:/home/khw/perl5/perlbrew/bin:/home/khw/print/bin:/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/usr/games:/usr/local/games:/home/khw/iands/www:/home/khw/cxoffice/bin
  PERL5OPT=-w
  PERL_BADLANG (unset)
  PERL_POD_PEDANTIC=1
  SHELL=/bin/ksh

p5pRT commented May 10, 2014

From @greerga

On Fri, 9 May 2014, karl williamson wrote:

> -----------------------------------------------------------------
> Our smoke reports lately have been failing tests 425 and 427 in
> threaded builds with lib/warnings.t under clang 4.2.1 with ASAN. For
> example, http://perl.develop-help.com/raw/?id=161123

Simplest case is​:

  ./miniperl -e 'getgrnam 1'

The "1" is arbitrary and doesn't matter so long as the group doesn't
exist.

ASAN:SIGSEGV

==1106==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000045e6b0 sp 0x7fffdab8b090 bp 0x7fffdab8b8e0 T0)
  #0 0x45e6af in unpoison_group(void*, __sanitizer::__sanitizer_group*) /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:962
  #1 0x45f38d in __interceptor_getgrnam_r /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1046
  #2 0x879851 in Perl_pp_ggrent /home/tivrusky/p/perl/pp_sys.c:5274
  #3 0x692213 in Perl_runops_debug /home/tivrusky/p/perl/dump.c:2428
  #4 0x4db588 in S_run_body /home/tivrusky/p/perl/perl.c:2456
  #5 0x4db588 in perl_run /home/tivrusky/p/perl/perl.c:2372
  #6 0x53f8fc in main /home/tivrusky/p/perl/miniperlmain.c:120
  #7 0x7f9e7dca5de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
  #8 0x4c9f7c in _start (/home/tivrusky/p/perl/miniperl+0x4c9f7c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:962 unpoison_group(void*, __sanitizer::__sanitizer_group*)
==1106==ABORTING

(with v5.19.11-36-g2e6f7c2 above and Ubuntu 13.10.)

I'm not convinced it is a problem with perl, although the latest trunk of
clang does it as well so maybe?

--
George Greer

p5pRT commented May 10, 2014

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented May 12, 2014

From @iabyn

On Fri, May 09, 2014 at 10:43:11PM -0400, George Greer wrote:

> On Fri, 9 May 2014, karl williamson wrote:
>
>> -----------------------------------------------------------------
>> Our smoke reports lately have been failing tests 425 and 427 in
>> threaded builds with lib/warnings.t under clang 4.2.1 with ASAN. For
>> example, http://perl.develop-help.com/raw/?id=161123
>
> Simplest case is:
>
>   ./miniperl -e 'getgrnam 1'
>
> The "1" is arbitrary and doesn't matter so long as the group doesn't
> exist.
>
> ASAN:SIGSEGV
>
> ==1106==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000045e6b0 sp 0x7fffdab8b090 bp 0x7fffdab8b8e0 T0)
>   #0 0x45e6af in unpoison_group(void*, __sanitizer::__sanitizer_group*) /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:962
>   #1 0x45f38d in __interceptor_getgrnam_r /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1046
>   #2 0x879851 in Perl_pp_ggrent /home/tivrusky/p/perl/pp_sys.c:5274
>   #3 0x692213 in Perl_runops_debug /home/tivrusky/p/perl/dump.c:2428
>   #4 0x4db588 in S_run_body /home/tivrusky/p/perl/perl.c:2456
>   #5 0x4db588 in perl_run /home/tivrusky/p/perl/perl.c:2372
>   #6 0x53f8fc in main /home/tivrusky/p/perl/miniperlmain.c:120
>   #7 0x7f9e7dca5de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
>   #8 0x4c9f7c in _start (/home/tivrusky/p/perl/miniperl+0x4c9f7c)
>
> AddressSanitizer can not provide additional info.
> SUMMARY: AddressSanitizer: SEGV /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:962 unpoison_group(void*, __sanitizer::__sanitizer_group*)
> ==1106==ABORTING
>
> (with v5.19.11-36-g2e6f7c2 above and Ubuntu 13.10.)
>
> I'm not convinced it is a problem with perl, although the latest
> trunk of clang does it as well so maybe?

Looking at the latest ASan src code, my suspicion is that it lies there
rather than in perl.

Is your host's group data source anything unusual, like LDAP say?

Can you run the following gdb session on miniperl in an affected build?

$ gdb ./miniperl
(gdb) b perl_alloc
(gdb) run -e 'getgrnam 1'
(gdb) fin
Value returned is $1 = (PerlInterpreter *) 0x61f00000ee80
(gdb) b getgrnam_r
(this should set 2 breakpoints: one for the real function and one for its wrapper)

(gdb) c
(this should stop at __interceptor_getgrnam_r)

(gdb) c
(this should stop at the GLIBC getgrnam_r)

(gdb) fin
(gdb) p $1->Ireentrant_buffer->_grent_struct
(gdb) p $1->Ireentrant_buffer->_grent_buffer
(gdb) p $1->Ireentrant_buffer->_grent_size
(gdb) p $1->Ireentrant_buffer->_grent_ptr

p5pRT commented May 13, 2014

From @greerga

On Mon, 12 May 2014, Dave Mitchell wrote:

> On Fri, May 09, 2014 at 10:43:11PM -0400, George Greer wrote:
>
>> On Fri, 9 May 2014, karl williamson wrote:
>>
>>> -----------------------------------------------------------------
>>> Our smoke reports lately have been failing tests 425 and 427 in
>>> threaded builds with lib/warnings.t under clang 4.2.1 with ASAN. For
>>> example, http://perl.develop-help.com/raw/?id=161123
>>
>> Simplest case is:
>>
>>   ./miniperl -e 'getgrnam 1'
>>
>> The "1" is arbitrary and doesn't matter so long as the group doesn't
>> exist.
>>
>> ASAN:SIGSEGV
>>
>> ==1106==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000045e6b0 sp 0x7fffdab8b090 bp 0x7fffdab8b8e0 T0)
>>   #0 0x45e6af in unpoison_group(void*, __sanitizer::__sanitizer_group*) /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:962
>>   #1 0x45f38d in __interceptor_getgrnam_r /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1046
>>   #2 0x879851 in Perl_pp_ggrent /home/tivrusky/p/perl/pp_sys.c:5274
>>   #3 0x692213 in Perl_runops_debug /home/tivrusky/p/perl/dump.c:2428
>>   #4 0x4db588 in S_run_body /home/tivrusky/p/perl/perl.c:2456
>>   #5 0x4db588 in perl_run /home/tivrusky/p/perl/perl.c:2372
>>   #6 0x53f8fc in main /home/tivrusky/p/perl/miniperlmain.c:120
>>   #7 0x7f9e7dca5de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
>>   #8 0x4c9f7c in _start (/home/tivrusky/p/perl/miniperl+0x4c9f7c)
>>
>> AddressSanitizer can not provide additional info.
>> SUMMARY: AddressSanitizer: SEGV /home/tivrusky/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:962 unpoison_group(void*, __sanitizer::__sanitizer_group*)
>> ==1106==ABORTING
>>
>> (with v5.19.11-36-g2e6f7c2 above and Ubuntu 13.10.)
>>
>> I'm not convinced it is a problem with perl, although the latest
>> trunk of clang does it as well so maybe?
>
> Looking at the latest ASan src code, my suspicion is that it lies there
> rather than in perl.
>
> Is your host's group data source anything unusual, like LDAP say?

No, a regular boring standalone Ubuntu 13.10 system. "group: compat" in
nsswitch.conf

> Can you run the following gdb session on miniperl in an affected build?
>
> $ gdb ./miniperl
> (gdb) b perl_alloc
> (gdb) run -e 'getgrnam 1'
> (gdb) fin
> Value returned is $1 = (PerlInterpreter *) 0x61f00000ee80
> (gdb) b getgrnam_r
> (this should set 2 breakpoints: one for the real function and one for its wrapper)
>
> (gdb) c
> (this should stop at __interceptor_getgrnam_r)
>
> (gdb) c
> (this should stop at the GLIBC getgrnam_r)
>
> (gdb) fin
> (gdb) p $1->Ireentrant_buffer->_grent_struct
> (gdb) p $1->Ireentrant_buffer->_grent_buffer
> (gdb) p $1->Ireentrant_buffer->_grent_size
> (gdb) p $1->Ireentrant_buffer->_grent_ptr

(gdb) b perl_alloc
Breakpoint 1 at 0x4ca238: file perl.c, line 196.
(gdb) run -e 'getgrnam 1'
Starting program: /home/perl/p/perl/miniperl -e 'getgrnam 1'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Breakpoint 1, perl_alloc () at perl.c:196
196 my_perl = (PerlInterpreter*)PerlMem_malloc(sizeof(PerlInterpreter));
(gdb) fin
Run till exit from #0 perl_alloc () at perl.c:196
0x000000000053f834 in main (argc=<optimized out>, argv=<optimized out>,
  env=<optimized out>) at miniperlmain.c:111
111 my_perl = perl_alloc();
Value returned is $1 = (PerlInterpreter *) 0x61f00000ee80
(gdb) b getgrnam_r
Breakpoint 2 at 0x45f1f3: getgrnam_r. (2 locations)
(gdb) c
Continuing.

Breakpoint 2, __interceptor_getgrnam_r ()
  at /home/perl/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1042
1042 COMMON_INTERCEPTOR_ENTER(ctx, getgrnam_r, name, grp, buf, buflen, result);
(gdb) c
Continuing.

Breakpoint 2, __getgrnam_r (name=0x60400000c7e8 "1", resbuf=0x61600000f9c0,
  buffer=0x621000017d18 '\276' <repeats 200 times>..., buflen=4096,
  result=0x61600000f9f0) at ../nss/getXXbyYY_r.c:150
150 ../nss/getXXbyYY_r.c: No such file or directory.
(gdb) fin
Run till exit from #0 __getgrnam_r (name=0x60400000c7e8 "1",
  resbuf=0x61600000f9c0,
  buffer=0x621000017d18 '\276' <repeats 200 times>..., buflen=4096,
  result=0x61600000f9f0) at ../nss/getXXbyYY_r.c:150
0x000000000045f37a in __interceptor_getgrnam_r ()
  at /home/perl/p/clang/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc:1044
1044 int res = REAL(getgrnam_r)(name, grp, buf, buflen, result);
Value returned is $2 = 0
(gdb) p $1->Ireentrant_buffer->_grent_struct
$3 = {gr_name = 0xbebebebebebebebe <Address 0xbebebebebebebebe out of bounds>,
  gr_passwd = 0xbebebebebebebebe <Address 0xbebebebebebebebe out of bounds>,
  gr_gid = 3200171710, gr_mem = 0xbebebebebebebebe}
(gdb) p $1->Ireentrant_buffer->_grent_buffer
$4 = 0x621000017d18 '\276' <repeats 200 times>...
(gdb) p $1->Ireentrant_buffer->_grent_size
$5 = 4096
(gdb) p $1->Ireentrant_buffer->_grent_ptr
$6 = (struct group *) 0x0
(gdb)

--
George Greer

p5pRT commented May 13, 2014

From @iabyn

On Mon, May 12, 2014 at 08:54:42PM -0400, George Greer wrote:

> 1044 int res = REAL(getgrnam_r)(name, grp, buf, buflen, result);
> Value returned is $2 = 0
> (gdb) p $1->Ireentrant_buffer->_grent_struct
> $3 = {gr_name = 0xbebebebebebebebe <Address 0xbebebebebebebebe out of bounds>,
>   gr_passwd = 0xbebebebebebebebe <Address 0xbebebebebebebebe out of bounds>,
>   gr_gid = 3200171710, gr_mem = 0xbebebebebebebebe}
>
> (gdb) p $1->Ireentrant_buffer->_grent_ptr
> $6 = (struct group *) 0x0

Ok, I'm fairly convinced now that it's an ASan bug. I'll look into
reporting it to them. What's happening is that ASan wraps function calls
like getgrnam_r(), so that on return it can mark memory as valid that the
function has updated. But with

  int getgrnam_r(const char *name, struct group *grp,
                 char *buf, size_t buflen, struct group **result);

there is only a match if the return value is zero, *and* *result is set to
non-NULL.

Where there is no match, but no error - such as looking up a non-existent
entry like "1" - then the return is zero, but *result is set to NULL.

ASan only uses the return value to decide whether to treat the fields of
the struct group as valid.

For some reason, on my system which just uses /etc/group, the _grent_struct
happens to be left populated with the last entry in /etc/group; on your
system (perhaps due to the NIS library?) it's left with garbage, which
ASan is then trying to access.

I can't see any way to stop the smoke failures until ASan is fixed, unless
it's possible for your system to use 'group: files' and hope that the
problem goes away?

--
"Emacs isn't a bad OS once you get used to it.
It just lacks a decent editor."
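The contract Dave describes, as an added example that is not code from the thread, perl or compiler-rt: a lookup that tests both the return code and *result, beside the return-code-only rule, with the caller's struct and buffer pre-filled with 0xbe as in the gdb session above. The names grp_status, lookup_group and group_entry_valid are this example's own, and the group name it looks up is constructed and assumed not to exist on the host.

```c
/* Added example, not code from the thread, perl or compiler-rt: the
 * getgrnam_r() contract Dave Mitchell describes. A miss returns 0 with
 * *result == NULL, so a consumer keyed on the return code alone treats an
 * unfilled struct group as readable. Names here (grp_status, lookup_group,
 * group_entry_valid*) are this example's own; the group name used in main
 * is constructed and assumed not to exist on the host. */
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

typedef enum { GRP_FOUND, GRP_NOT_FOUND, GRP_ERROR } grp_status;

/* Correct validity test: both conditions must hold before grp is read. */
int group_entry_valid(int rc, const struct group *result)
{
    return rc == 0 && result != NULL;
}

/* The rule the thread attributes to the sanitizer wrapper: the return
 * code alone decides whether grp's fields may be read. */
int group_entry_valid_rc_only(int rc)
{
    return rc == 0;
}

/* Look up NAME. The output struct and buffer are first filled with 0xbe,
 * the pattern the gdb session shows in _grent_struct, so a struct that the
 * library never wrote is recognisable. ERANGE means BUFLEN was too small
 * and the caller should retry with a larger buffer. */
grp_status lookup_group(const char *name, struct group *grp,
                        char *buf, size_t buflen, gid_t *gid_out)
{
    struct group *result = NULL;
    memset(grp, 0xbe, sizeof *grp);
    memset(buf, 0xbe, buflen);
    int rc = getgrnam_r(name, grp, buf, buflen, &result);
    if (group_entry_valid(rc, result)) {
        *gid_out = result->gr_gid;
        return GRP_FOUND;
    }
    /* "Not found" is reported as rc 0 (glibc) or, on some systems, one of
     * these errno values; in every case *result is NULL and grp must not
     * be dereferenced. */
    if (result == NULL && (rc == 0 || rc == ENOENT || rc == ESRCH ||
                           rc == EBADF || rc == EPERM))
        return GRP_NOT_FOUND;
    return GRP_ERROR;
}

/* For a name that does not exist: 1 if the rc-only rule would declare
 * the unfilled struct valid while the correct rule rejects it. */
int rc_only_rule_fooled_by_miss(const char *name)
{
    struct group grp;
    char buf[4096];
    struct group *result = NULL;
    memset(&grp, 0xbe, sizeof grp);
    int rc = getgrnam_r(name, &grp, buf, sizeof buf, &result);
    return group_entry_valid_rc_only(rc) && !group_entry_valid(rc, result);
}

int main(void)
{
    struct group grp;
    char buf[4096];
    gid_t gid = 0;
    const char *missing = "no-such-group-rt121831"; /* constructed name */
    grp_status st = lookup_group(missing, &grp, buf, sizeof buf, &gid);
    printf("%s: %s\n", missing,
           st == GRP_FOUND ? "found" : st == GRP_NOT_FOUND ? "not found"
                                                          : "error");
    if (st == GRP_NOT_FOUND)
        printf("gr_name now holds %p; rc-only rule fooled: %d\n",
               (void *)grp.gr_name, rc_only_rule_fooled_by_miss(missing));
    return 0;
}
```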

p5pRT commented May 15, 2014

From @greerga

On Tue, 13 May 2014, Dave Mitchell wrote:

> On Mon, May 12, 2014 at 08:54:42PM -0400, George Greer wrote:
>
>> 1044 int res = REAL(getgrnam_r)(name, grp, buf, buflen, result);
>> Value returned is $2 = 0
>> (gdb) p $1->Ireentrant_buffer->_grent_struct
>> $3 = {gr_name = 0xbebebebebebebebe <Address 0xbebebebebebebebe out of bounds>,
>>   gr_passwd = 0xbebebebebebebebe <Address 0xbebebebebebebebe out of bounds>,
>>   gr_gid = 3200171710, gr_mem = 0xbebebebebebebebe}
>>
>> (gdb) p $1->Ireentrant_buffer->_grent_ptr
>> $6 = (struct group *) 0x0
>
> Ok, I'm fairly convinced now that it's an ASan bug. I'll look into
> reporting it to them. What's happening is that ASan wraps function calls
> like getgrnam_r(), so that on return it can mark memory as valid that the
> function has updated. But with
>
>   int getgrnam_r(const char *name, struct group *grp,
>                  char *buf, size_t buflen, struct group **result);
>
> there is only a match if the return value is zero, *and* *result is set to
> non-NULL.
>
> Where there is no match, but no error - such as looking up a non-existent
> entry like "1" - then the return is zero, but *result is set to NULL.
>
> ASan only uses the return value to decide whether to treat the fields of
> the struct group as valid.
>
> For some reason, on my system which just uses /etc/group, the _grent_struct
> happens to be left populated with the last entry in /etc/group; on your
> system (perhaps due to the NIS library?) it's left with garbage, which
> ASan is then trying to access.
>
> I can't see any way to stop the smoke failures until ASan is fixed, unless
> it's possible for your system to use 'group: files' and hope that the
> problem goes away?

Using "group: files" doesn't make a difference but stopping the Name
Service Cache Daemon (nscd) does make it stop crashing. I'll leave it
that way for a while, which likely means until the machine reboots for
some reason and I forget I did that.

--
George Greer

p5pRT commented May 17, 2014

From @iabyn

On Wed, May 14, 2014 at 11:32:08PM -0400, George Greer wrote:

> Using "group: files" doesn't make a difference but stopping the Name
> Service Cache Daemon (nscd) does make it stop crashing. I'll leave
> it that way for a while, which likely means until the machine
> reboots for some reason and I forget I did that.

I reported it to the clang bugzilla, and they've (hopefully) fixed it
in r208773 (that's for compiler-rt; I don't know whether the various
clang sub-components have independent revision numbering).

--
The Enterprise successfully ferries an alien VIP from one place to another
without serious incident.
  -- Things That Never Happen in "Star Trek" #7

p5pRT commented May 18, 2014

From @greerga

On Sat, 17 May 2014, Dave Mitchell wrote:

> On Wed, May 14, 2014 at 11:32:08PM -0400, George Greer wrote:
>
>> Using "group: files" doesn't make a difference but stopping the Name
>> Service Cache Daemon (nscd) does make it stop crashing. I'll leave
>> it that way for a while, which likely means until the machine
>> reboots for some reason and I forget I did that.
>
> I reported it to the clang bugzilla, and they've (hopefully) fixed it
> in r208773 (that's for compiler-rt; I don't know whether the various
> clang sub-components have independent revision numbering).

Seems to be fixed, although AddressSanitizer seems to imply LeakSanitizer
now so I might have to run the entire smoke under PERL_DESTRUCT_LEVEL.

--
George Greer

p5pRT closed this as completed Jun 3, 2014

p5pRT commented Jun 3, 2014

@iabyn - Status changed from 'open' to 'resolved'
