any perl versions core dumps with this code #5739

Closed
p5pRT opened this issue Jul 17, 2002 · 7 comments

p5pRT commented Jul 17, 2002

Migrated from rt.perl.org#15005 (status was 'resolved')

Searchable as RT15005$


p5pRT commented Jul 17, 2002

From sem@ciam.ru

Created by sem@ciam.ru

This code always makes perl core dump:
****************************************
my %level_warnings;
sub stat_level_warning
{
  sub ($level, $message) = @_;
  if( $level_warnings{$message} eq undef )
  {
    $level_warnings{$message} = [];
    for my $l ( 0 .. $levels )
    {
      $level_warnings{$message}->[$l] = 0;
    }
  }
  $level_warnings{$message}->[$level]++;
}
*****************************************
Yes, line 4 has an error - "sub" instead of "my".

Perl 5.005, 5.6.x and 5.8.0 were tested.

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl v5.8.0:

Configured by sem at Wed Jul 17 19:07:24 MSD 2002.

Summary of my perl5 (revision 5.0 version 8 subversion 0) configuration:
  Platform:
    osname=freebsd, osvers=4.6-release-p1, archname=i386-freebsd-thread-multi
    uname='freebsd avim.ciam.ru 4.6-release-p1 freebsd 4.6-release-p1 #0: fri jul 12 20:33:42 msd 2002 root@orion.ciam.ru:usrsrcsyscompileavim i386 '
    config_args=''
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='gcc', ccflags ='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -I/usr/local/include',
    optimize='-O',
    cppflags='-DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -I/usr/local/include'
    ccversion='', gccversion='2.95.3 20010315 (release) [FreeBSD]', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='gcc', ldflags ='-pthread -Wl,-E  -L/usr/local/lib'
    libpth=/usr/lib /usr/local/lib
    libs=-lgdbm -lm -lc_r -lcrypt -lutil
    perllibs=-lm -lc_r -lcrypt -lutil
    libc=, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags=' '
    cccdlflags='-DPIC -fpic', lddlflags='-shared  -L/usr/local/lib'

Locally applied patches:
    


@INC for perl v5.8.0:
    /usr/local/lib/perl5/5.8.0/i386-freebsd-thread-multi
    /usr/local/lib/perl5/5.8.0
    /usr/local/lib/perl5/site_perl/5.8.0/i386-freebsd-thread-multi
    /usr/local/lib/perl5/site_perl/5.8.0
    /usr/local/lib/perl5/site_perl
    .


Environment for perl v5.8.0:
    HOME=/home/sem
    LANG=ru_RU.KOI8-R
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/sem/bin:/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/bin:/usr/local/sbin:/usr/X11R6/bin:.
    PERL_BADLANG (unset)
    SHELL=/bin/tcsh



p5pRT commented Jul 17, 2002

From @nwc10

On Wed, Jul 17, 2002 at 06:09:11PM -0000, sem@ciam.ru (via RT) wrote:

-----------------------------------------------------------------
[Please enter your report here]
This code always makes perl core dump:
****************************************
my %level_warnings;
sub stat_level_warning
{
  sub ($level, $message) = @_;
  if( $level_warnings{$message} eq undef )
  {
    $level_warnings{$message} = [];
    for my $l ( 0 .. $levels )
    {
      $level_warnings{$message}->[$l] = 0;
    }
  }
  $level_warnings{$message}->[$level]++;
}
*****************************************
Yes, line 4 has an error - "sub" instead of "my".

Perl 5.005, 5.6.x and 5.8.0 were tested.

osname=freebsd, osvers=4.6-release-p1, archname=i386-freebsd-thread-multi

I can't get your code to crash on FreeBSD 4.6 with perl (patchlevel 17521,
my perl is not threaded) but I can get it to crash on arm linux and x86
Linux. On both I can reduce it to this:

sub stat_level_warning
{
  sub ();
  if( $level_warnings{0} )
  {
    for my $l ( 0 .. 0 )
    {
      $level_warnings->[0];
    }
  }
}

Program received signal SIGSEGV, Segmentation fault.
Perl_pad_free (po=4) at op.c:611
611 SvPADTMP_off(PL_curpad[po]);
(gdb) where
#0 Perl_pad_free (po=4) at op.c:611
#1 0x00044c38 in Perl_op_clear (o=0x124b90) at op.c:917
#2 0x00044c38 in Perl_op_clear (o=0x124b90) at op.c:917
#3 0x00044b88 in Perl_op_free (o=0x124b90) at op.c:788
#4 0x00044b48 in Perl_op_free (o=0x124be8) at op.c:776
#5 0x00044b48 in Perl_op_free (o=0x124c50) at op.c:776
#6 0x00044b48 in Perl_op_free (o=0x124ce0) at op.c:776
#7 0x00044b48 in Perl_op_free (o=0x124d08) at op.c:776
#8 0x00044b48 in Perl_op_free (o=0x124d28) at op.c:776
#9 0x00044b48 in Perl_op_free (o=0x124d90) at op.c:776
#10 0x00044b48 in Perl_op_free (o=0x124db8) at op.c:776
#11 0x00044b48 in Perl_op_free (o=0x124de0) at op.c:776
#12 0x00044b48 in Perl_op_free (o=0x124e40) at op.c:776
#13 0x0004e164 in Perl_newATTRSUB (floor=107, o=0x0, proto=0x0, attrs=0x0,
  block=0x124e40) at op.c:5000
#14 0x00042204 in Perl_yyparse () at perly.y:355
#15 0x000201e8 in S_parse_body (env=0x0, xsinit=0x1dc7c <xs_init>)
  at perl.c:1519
#16 0x0001fca0 in perl_parse (my_perl=0x4, xsinit=0x1dc7c <xs_init>, argc=3,
  argv=0xbffffd14, env=0x0) at perl.c:1041
#17 0x0001dc08 in main (argc=3, argv=0xbffffd14, env=0x6) at perlmain.c:83
#18 0x400e4b54 in __libc_start_main () from /lib/libc.so.6
#19 0x400e4b54 in __libc_start_main () from /lib/libc.so.6
#20 0x00080816 in Perl_sv_2pv_flags (sv=0x1ccb0, lp=0x3, flags=6) at sv.c:3089
Cannot access memory at address 0x3003e59c
(gdb) print po
$4 = 4
(gdb) print PL_curpad[po]
$5 = (SV *) 0x6

PL_curpad[po] was 0x19 on your version of the code.

Running under valgrind I see this:

nick@penfold:~/build$ valgrind /usr/local/perl17559-g/bin/perl5.8.0 crash
==29470== valgrind-1.0pre2, a memory error detector for x86 GNU/Linux.
==29470== Copyright (C) 2000-2002, and GNU GPL'd, by Julian Seward.
==29470== Estimated CPU clock rate is 262 MHz
==29470== For more details, rerun with: -v
==29470==
==29470== Invalid read of size 4
==29470== at 0x80894E8: Perl_pad_free (op.c:610)
==29470== by 0x8089A08: Perl_op_clear (op.c:917)
==29470== by 0x8089772: Perl_op_free (op.c:788)
==29470== by 0x8089715: Perl_op_free (op.c:776)
==29470== Address 0x40B8C2AC is 0 bytes after a block of size 16 alloc'd
==29470== at 0x40042BDB: malloc (vg_clientfuncs.c:100)
==29470== by 0x80AFB87: Perl_safesysmalloc (util.c:78)
==29470== by 0x80C1477: Perl_av_extend (av.c:150)
==29470== by 0x80C1898: Perl_av_store (av.c:275)
syntax error at crash line 3, near "sub ();"
Execution of crash aborted due to compilation errors.
==29470==
==29470== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
==29470== malloc/free: in use at exit: 42374 bytes in 479 blocks.
==29470== malloc/free: 597 allocs, 118 frees, 49668 bytes allocated.
==29470== For a detailed leak analysis, rerun with: --leak-check=yes
==29470== For counts of detected errors, rerun with: -v

(that same perl and same script will SEGV when not running under valgrind)

I don't know what to do next, but I hope that this information is useful to
someone else.

Nicholas Clark
--
Even better than the real thing: http://nms-cgi.sourceforge.net/
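
Added example, not part of the original thread or of the Perl source: a small parser for memcheck records such as the one quoted above, which turns "N bytes after a block of size M" into an array index by viewing the block as an array of access-sized slots. The function names `parse_memcheck` and `slot_index` are made up for this illustration; for the quoted record the result is index 4 in a 4-slot block, the same value gdb prints for `po`.

```python
import re

# Excerpt of the memcheck output quoted above. The two lines without the
# ==pid== prefix are perl's own stderr interleaved with valgrind's.
REPORT = """\
==29470== Invalid read of size 4
==29470==    at 0x80894E8: Perl_pad_free (op.c:610)
==29470==    by 0x8089A08: Perl_op_clear (op.c:917)
==29470==    by 0x8089772: Perl_op_free (op.c:788)
==29470==    by 0x8089715: Perl_op_free (op.c:776)
==29470== Address 0x40B8C2AC is 0 bytes after a block of size 16 alloc'd
==29470==    at 0x40042BDB: malloc (vg_clientfuncs.c:100)
==29470==    by 0x80AFB87: Perl_safesysmalloc (util.c:78)
==29470==    by 0x80C1477: Perl_av_extend (av.c:150)
==29470==    by 0x80C1898: Perl_av_store (av.c:275)
syntax error at crash line 3, near "sub ();"
Execution of crash aborted due to compilation errors.
==29470==
==29470== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
"""

PREFIX = re.compile(r"^==\d+==\s*")
ACCESS = re.compile(r"Invalid (read|write) of size (\d+)")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
BLOCK = re.compile(r"Address 0x[0-9A-Fa-f]+ is (\d+) bytes (after|inside) "
                   r"a block of size (\d+) (alloc'd|free'd)")


def parse_memcheck(text):
    """Return one dict per 'Invalid read/write' record."""
    errors, stack = [], None
    for raw in text.splitlines():
        if not PREFIX.match(raw):
            continue                  # program output, not valgrind's
        line = PREFIX.sub("", raw)
        if m := ACCESS.match(line):
            errors.append({"op": m[1], "size": int(m[2]), "stack": [],
                           "block": None, "alloc_stack": []})
            stack = errors[-1]["stack"]
        elif errors and (m := BLOCK.match(line)):
            errors[-1]["block"] = (int(m[1]), m[2], int(m[3]), m[4])
            stack = errors[-1]["alloc_stack"]
        elif stack is not None and (m := FRAME.match(line)):
            stack.append(m[1])
        else:
            stack = None              # blank or summary line ends the record
    return errors


def slot_index(err):
    """(index accessed, slots in block), viewing the block as an array of
    access-sized elements; None if memcheck described no heap block."""
    if err["block"] is None:
        return None
    offset, where, size, _state = err["block"]
    start = size + offset if where == "after" else offset
    return start // err["size"], size // err["size"]
```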


p5pRT commented Sep 1, 2002

From @floatingatoll

[nick@unfortu.net - Wed Jul 17 12:55:36 2002]:

On Wed, Jul 17, 2002 at 06:09:11PM -0000, sem@ciam.ru (via RT) wrote:

sub stat_level_warning
{
  sub ();
  if( $level_warnings{0} )
  {
    for my $l ( 0 .. 0 )
    {
      $level_warnings->[0];
    }
  }
}

Reduced the test case to:

#!perl
sub k {
  sub ();
  for $l ( 0 .. 0 ) { $m }
}
__END__

Running perl with -Dl gives you some interesting output:

./perl -Dl 15005.pl
(15005.pl:0) ENTER scope 2 at perly.c:1528
zsh: segmentation fault (core dumped) ./perl -Dl 15005.pl

Included also are a gdb and valgrind against @17821, redhat x86, ithreads.

R.

===> gdb stack trace, perl@17821

Program received signal SIGSEGV, Segmentation fault.
0x187371 in Perl_pad_swipe (my_perl=0x804c330, po=4) at op.c:635
635 SvPADTMP_off(PL_curpad[po]);
(gdb) bt
#0 0x187371 in Perl_pad_swipe (my_perl=0x804c330, po=4) at op.c:635
#1 0x187710 in Perl_op_clear (my_perl=0x804c330, o=0x8066f48) at op.c:822
#2 0x1875c5 in Perl_op_free (my_perl=0x804c330, o=0x8066f48) at op.c:788
#3 0x187566 in Perl_op_free (my_perl=0x804c330, o=0x8067020) at op.c:776
#4 0x187566 in Perl_op_free (my_perl=0x804c330, o=0x80670b8) at op.c:776
#5 0x187566 in Perl_op_free (my_perl=0x804c330, o=0x8067220) at op.c:776
#6 0x187566 in Perl_op_free (my_perl=0x804c330, o=0x8067248) at op.c:776
#7 0x187566 in Perl_op_free (my_perl=0x804c330, o=0x8067268) at op.c:776
#8 0x187566 in Perl_op_free (my_perl=0x804c330, o=0x80672f0) at op.c:776
#9 0x19635a in Perl_newATTRSUB (my_perl=0x804c330, floor=107, o=0x8066e50,
  proto=0x0, attrs=0x0, block=0x80672f0) at op.c:4992
#10 0x183273 in Perl_yyparse (my_perl=0x804c330) at perly.y:355
#11 0x1495cb in S_parse_body (my_perl=0x804c330, env=0x0,
  xsinit=0x80494a0 <xs_init>) at perl.c:1521
#12 0x148171 in perl_parse (my_perl=0x804c330, xsinit=0x80494a0 <xs_init>,
  argc=2, argv=0xbffff494, env=0x0) at perl.c:1043
#13 0x804940d in main (argc=2, argv=0xbffff494, env=0xbffff4a0)
  at perlmain.c:83

===> valgrind 1.0.1 output

==32201== valgrind-1.0.1, a memory error detector for x86 GNU/Linux.
==32201== Copyright (C) 2000-2002, and GNU GPL'd, by Julian Seward.
==32201== Estimated CPU clock rate is 746 MHz
==32201== For more details, rerun with: -v
==32201==
==32201== pthread_mutex_unlock: mutex is not locked
==32201== at 0x540D87: __pthread_mutex_unlock (in /usr/local/lib/valgrind/libpthread.so)
==32201== by 0x62F20C: __register_frame_info (in /lib/libc-2.1.3.so)
==32201== by 0x672FF0: (within /lib/libutil-2.1.3.so)
==32201== by 0x672CD1: (within /lib/libutil-2.1.3.so)
==32201==
==32201== pthread_mutex_destroy: mutex is still in use
==32201== at 0x540004: pthread_error (vg_libpthread.c:233)
==32201== by 0x540DEA: __pthread_mutex_destroy (in /usr/local/lib/valgrind/libpthread.so)
==32201== by 0x5A5FE5: _IO_default_finish (genops.c:592)
==32201== by 0x5A5636: _IO_file_finish@@GLIBC_2.1 (fileops.c:163)
==32201==
==32201== Invalid read of size 4
==32201== at 0x3AA6F7: Perl_op_clear (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA5C5: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA566: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA566: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== Address 0x101D928 is 0 bytes after a block of size 16 alloc'd
==32201== at 0x153DD9: malloc (in /usr/local/lib/valgrind/valgrind.so)
==32201== by 0x3E2CD6: Perl_safesysmalloc (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3FE4EF: Perl_av_extend (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3FF190: Perl_av_store (in /home/rs/build/perl-current/libperl.so)
==32201==
==32201== Invalid read of size 4
==32201== at 0x3AA358: Perl_pad_swipe (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA710: Perl_op_clear (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA5C5: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA566: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== Address 0x101D928 is 0 bytes after a block of size 16 alloc'd
==32201== at 0x153DD9: malloc (in /usr/local/lib/valgrind/valgrind.so)
==32201== by 0x3E2CD6: Perl_safesysmalloc (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3FE4EF: Perl_av_extend (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3FF190: Perl_av_store (in /home/rs/build/perl-current/libperl.so)
==32201==
==32201== Invalid read of size 4
==32201== at 0x3AA36B: Perl_pad_swipe (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA710: Perl_op_clear (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA5C5: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA566: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== Address 0x101D928 is 0 bytes after a block of size 16 alloc'd
==32201== at 0x153DD9: malloc (in /usr/local/lib/valgrind/valgrind.so)
==32201== by 0x3E2CD6: Perl_safesysmalloc (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3FE4EF: Perl_av_extend (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3FF190: Perl_av_store (in /home/rs/build/perl-current/libperl.so)
==32201==
==32201== Invalid read of size 4
==32201== at 0x3AA371: Perl_pad_swipe (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA710: Perl_op_clear (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA5C5: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== by 0x3AA566: Perl_op_free (in /home/rs/build/perl-current/libperl.so)
==32201== Address 0x8 is not stack'd, malloc'd or free'd

===> ./perl -Dl 15005.pl
(15005.pl:0) ENTER scope 2 at perly.c:1528
zsh: segmentation fault (core dumped) ./perl -Dl 15005.pl


p5pRT commented Oct 11, 2002

From spamme@gameknot.com

Here's another example of the code that causes the compiler to seg fault
(core dumped):

#!/usr/bin/perl

use strict;

my $pooh = pooh( "???", 1 );

sub pooh
{
  sub ($result,$swap) = @_;

  my $r1 = 0;
  my $r2 = 0;

  return "$r1-$r2";
}


p5pRT commented Dec 12, 2002

From @jhi

Perl has now been patched to give the following error:
Illegal declaration of anonymous subroutine at x line 4.
The fix will be in Perl 5.8.1, whenever that happens.
I'm marking the problem ticket as resolved.


p5pRT commented Dec 12, 2002

@jhi - Status changed from 'new' to 'resolved'

@p5pRT p5pRT closed this as completed Dec 12, 2002