segfault with exit in (?{ ... }) #2272

Closed

p5pRT opened this issue Jul 29, 2000 · 4 comments
Comments

p5pRT commented Jul 29, 2000

Migrated from rt.perl.org#3590 (status was 'resolved')

Searchable as RT3590$

p5pRT commented Jul 29, 2000

From [email protected]

Created by [email protected]

Hiho,
Running this program with 5.6.0 segfaults during the exit() call. I
originally discovered the problem with a backtick `program` call instead of
an exit(), but this test script is smaller.

  #!/usr/local/bin/perl -w
  use strict;
  use re 'eval';
  use re 'debug';

  sub size() {
      print "BAILING\n";
      exit(0);
  }

  $_ = "ABC";
  print "STRING: $_\n";
  my $open;

  "ABC" =~ m{
      A
      B
      (?{ size() })
      C
  }x;

Oddly enough, the print and the declaration of $open are required to trigger
the bug -- removing/moving either causes the segfault to not happen.

Here's a gdb session:

  gdb ./perl
  GNU gdb 4.18
  Copyright 1998 Free Software Foundation, Inc.
  GDB is free software, covered by the GNU General Public License, and you are
  welcome to change it and/or distribute copies of it under certain conditions.
  Type "show copying" to see the conditions.
  There is absolutely no warranty for GDB. Type "show warranty" for details.
  This GDB was configured as "i386-mandrake-linux"...
  (gdb) run /tmp/foo2
  Starting program: /usr/src/perl-5.6.0/./perl /tmp/foo2
  Compiling REx `
      A
      B
      (?{ size() })
      C
  '
  size 7 first at 1
     1: EXACT <AB>(3)
     3: EVAL(5)
     5: EXACT <C>(7)
     7: END(0)
  anchored `ABC' at 0 (checking anchored) minlen 3 with eval
  STRING: ABZ
  Guessing start of match, REx `
      A
      B
      (?{ size() })
      C
  ' against `ABC'...
  Found anchored substr `ABC' at offset 0...
  Guessed: match at offset 0
  Matching REx `
      A
      B
      (?{ size() })
      C
  ' against `ABC'
  Setting an EVAL scope, savestack=17
     0 <> <ABC>              |  1:  EXACT <AB>
     2 <AB> <C>              |  3:  EVAL
  re_eval 0x810bf08
  BAILING

  Program received signal SIGSEGV, Segmentation fault.
  Perl_leave_scope (base=0) at scope.c:825
  825         if (SvREFCNT(sv) <= 1 && !SvOBJECT(sv)) {
  (gdb) print sv
  $1 = (SV *) 0x0
  (gdb) where
  #0  Perl_leave_scope (base=0) at scope.c:825
  #1  0x80aff65 in Perl_pop_scope () at scope.c:144
  #2  0x805ee92 in S_my_exit_jump () at perl.c:3672
  #3  0x805ecf9 in Perl_my_exit (status=0) at perl.c:3622
  #4  0x80b731d in Perl_pp_exit () at pp_ctl.c:2472
  #5  0x80949ed in Perl_runops_standard () at run.c:27
  #6  0x401cc91a in S_regmatch (prog=0x810b4c4) at re_exec.c:2307
  #7  0x401cabe9 in S_regtry (prog=0x810b488, startpos=0x810b3e8 "ABC") at re_exec.c:1715
  #8  0x401ca4ed in my_regexec (prog=0x810b488, stringarg=0x810b3e8 "ABC", strend=0x810b3eb "",
      strbeg=0x810b3e8 "ABC", minend=0, sv=0x810a3b4, data=0x0, flags=2) at re_exec.c:1509
  #9  0x8096cfd in Perl_pp_match () at pp_hot.c:1027
  #10 0x80949ed in Perl_runops_standard () at run.c:27
  #11 0x805bd4e in S_run_body (oldscope=1) at perl.c:1401
  #12 0x805bad8 in perl_run (my_perl=0x80f0858) at perl.c:1325
  #13 0x8059903 in main (argc=2, argv=0xbffff374, env=0xbffff380) at perlmain.c:52
  (gdb)

(not knowing anything about perl internals, I just issued the following
queries hoping that they'd be helpful)

  (gdb) print PL_savestack_ix
  3
  (gdb) print PL_savestack@5
  {0x80fda70, 0x80fb3e8, 0x0, 0x0, 0x80f47b0}
  (gdb) print *PL_savestack@5
  {{any_ptr = 0xffffffff, any_i32 = -1, any_iv = -1, any_long = -1, any_dptr = 0xffffffff,
      any_dxptr = 0xffffffff}, {any_ptr = 0x80ef570, any_i32 = 135198064, any_iv = 135198064, any_long = 135198064,
      any_dptr = 0x80ef570 <PL_tmps_floor>, any_dxptr = 0x80ef570 <PL_tmps_floor>}, {any_ptr = 0x4, any_i32 = 4,
      any_iv = 4, any_long = 4, any_dptr = 0x4, any_dxptr = 0x4}, {any_ptr = 0x4, any_i32 = 4, any_iv = 4,
      any_long = 4, any_dptr = 0x4, any_dxptr = 0x4}, {any_ptr = 0x12, any_i32 = 18, any_iv = 18, any_long = 18,
      any_dptr = 0x12, any_dxptr = 0x12}}

  (gdb) print PL_savestack[3].any_long
  4
  (gdb) print PL_curpad@10
  {0x810b6e0, 0x0, 0x0, 0x0, 0x0, 0x7b, 0xbffff374, 0x0, 0x80f7c7c, 0x80f0ae4}
  (gdb) print **PL_curpad
  {sv_any = 0x0, sv_refcnt = 2147483635, sv_flags = 8388608}

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl v5.6.0:

Configured by jfriedl at Sat Jul 29 20:09:33 PDT 2000.

Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.2.15, archname=i686-linux
    uname='linux fummy.dsl.yahoo.com 2.2.16 #6 smp sun jul 23 11:26:16 pdt 2000 i686 unknown '
    config_args='-ds -e -A optimize=-g'
    hint=previous, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define 
    use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
  Compiler:
    cc='cc', optimize='-O2 -g', gccversion=pgcc-2.91.66 19990314 (egcs-1.1.2 release)
    cppflags='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    ccflags ='-fno-strict-aliasing -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    stdchar='char', d_stdstdio=define, usevfork=false
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lndbm -lgdbm -ldb -ldl -lm -lc -lposix -lcrypt
    libc=/lib/libc-2.1.1.so, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-rdynamic'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:

@INC for perl v5.6.0:
    /home/jfriedl/lib/perl
    /home/jfriedl/lib/perl/yahoo
    /usr/local/lib/perl5/5.6.0/i686-linux
    /usr/local/lib/perl5/5.6.0
    /usr/local/lib/perl5/site_perl/5.6.0/i686-linux
    /usr/local/lib/perl5/site_perl/5.6.0
    /usr/local/lib/perl5/site_perl
    .


Environment for perl v5.6.0:
    HOME=/home/jfriedl
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH=/usr/local/pgsql/lib:/home/jfriedl/src/rvplayer5.0
    LOGDIR (unset)
    PATH=/home/jfriedl/bin:/home/jfriedl/common/bin:/usr/local/gcc-2.95.2/bin:.:/usr/local/pgsql/bin:/usr/local/bin:/usr/X11R6/bin:/bin:/usr/bin:/usr/sbin:/sbin:/home/jfriedl/src/rvplayer5.0
    PERLLIB=/home/jfriedl/lib/perl:/home/jfriedl/lib/perl/yahoo
    PERL_BADLANG (unset)
    SHELL=/bin/tcsh

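The traceback in the report shows the crash happening while exit() unwinds Perl's scope stack from inside the regex engine's EVAL scope. An added example (not part of the report, and not perl's own fix): the same match restructured so that the (?{ ... }) block only records a decision and the nonlocal exit happens after the engine has returned. The helper name note_bail and the $bail flag are this example's own choices; a package variable is used for the flag so the code block does not depend on closure capture.

```perl
#!/usr/bin/perl -w
# Added example, not from the original report: defer the exit until the
# regex engine has handed control back, instead of calling exit() from
# inside the (?{ ... }) code block as the reproducer above does.
use strict;
use re 'eval';   # not required for a literal pattern; kept to mirror the report

our $bail = 0;   # package variable: set inside the code block, read outside it

sub note_bail {
    # Hypothetical stand-in for the report's size(): it records the
    # decision to bail out but never leaves the engine's scope itself.
    print "BAILING (deferred)\n";
    $bail = 1;
}

$_ = "ABC";
print "STRING: $_\n";
my $open;

# Scalar context: 1 on a successful match, "" otherwise.
my $matched = $_ =~ m{
    A
    B
    (?{ note_bail() })
    C
}x;

# Act on the code block's decision here, outside the regex engine, where
# the scope stack is back in a state exit() can unwind normally.
if ($bail) {
    print "exiting after the match returned\n";
    exit(0);
}
print "matched: ", ($matched ? "yes" : "no"), "\n";
```

The same deferral applies to the backtick `program` call mentioned in the report: collect what the code block needs into a variable and run the external command after the match statement.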

p5pRT commented Aug 10, 2000

From [Unknown Contact. See original ticket]

Jeffrey Friedl writes:

> Running this program with 5.6.0 segfaults during the exit() call.

This same script on NT segfaults also from an invalid pointer read at
scope.c:825. Maybe this Purify traceback will help:

  Perl_leave_scope [scope.c:825]
          ptr = (void*)&PL_curpad[SSPOPLONG];
          sv = *(SV**)ptr;
          /* Can clear pad variable in place? */
  =>      if (SvREFCNT(sv) <= 1 && !SvOBJECT(sv)) {
              if (SvTHINKFIRST(sv))
                  sv_force_normal(sv);
              if (SvMAGICAL(sv))
  Perl_pop_scope [scope.c:144]
      {
          dTHR;
          I32 oldsave = PL_scopestack[--PL_scopestack_ix];
  =>      LEAVE_SCOPE(oldsave);
      }

      void
  S_my_exit_jump [perl.c:3672]
          if (cxstack_ix > 0)
              dounwind(0);
          POPBLOCK(cx,PL_curpm);
  =>      LEAVE;
      }

      JMPENV_JUMP(2);
  Perl_my_exit [perl.c:3622]
          STATUS_NATIVE_SET(status);
          break;
      }
  =>  my_exit_jump();
  }

  void
  Perl_pp_exit [pp_ctl.c:2472]
  #endif
      }
      PL_exit_flags |= PERL_EXIT_EXPECTED;
  =>  my_exit(anum);
      PUSHs(&PL_sv_undef);
      RETURN;
  }
  Perl_runops_debug [run.c:56]
  S_regmatch [re_exec.c:2307]
  S_regtry [re_exec.c:1715]
  my_regexec [re_exec.c:1509]
  Perl_pp_match [pp_hot.c:1027]

====================================================
Mark Leighton Fisher                Thomson Consumer Electronics
fisherm@tce.com                     Indianapolis, IN, USA
"Display some adaptability." -- Doug Shaftoe, _Cryptonomicon_

p5pRT commented Jun 14, 2012

From @cpansprout

This has been fixed by the commits leading up to eb58a7e.

p5pRT commented Jun 14, 2012

@cpansprout - Status changed from 'open' to 'resolved'
