Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

SEGV in Perl_hv_common with 5.20.1 and Encode 2.62 #14126

Closed p5pRT closed 10 years ago

p5pRT commented 10 years ago

Migrated from rt.perl.org#122873 (status was 'rejected')

Searchable as RT122873$

p5pRT commented 10 years ago

From @andk

Thanks to Slaven Rezić for bringing this candidate to my attention.

The SEGV only happens occasionally while running the test t/302-content-negotiation-charset.t that comes with DROLSKY/HTTP-Headers-ActionPack-0.09.tar.gz with DANKOGAI/Encode-2.62.tar.gz installed.

I have just observed it with 5.20.1, but according to cpantesters it seems the same happened with 5.20.0, 5.21.1, and 5.21.3.

Very similar to my current observation is http://www.cpantesters.org/cpan/report/45835631 where Encode 2.60 was involved.

Here is my stacktrace:

  Core was generated by `/home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl -Mblib'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x0000000000499570 in Perl_hv_common (hv=0xa, keysv=0x2d7b8f0,
      key=0x2d86b70 "iso-8859-2", klen=10, flags=-1022775292, action=10, val=0x0,
      hash=1) at hv.c:637

  warning: Source file is more recent than executable.
  637         goto not_found;
  (gdb) bt
  #0  0x0000000000499570 in Perl_hv_common (hv=0xa, keysv=0x2d7b8f0,
      key=0x2d86b70 "iso-8859-2", klen=10, flags=-1022775292, action=10, val=0x0,
      hash=1) at hv.c:637
  #1  0x00000000004a5d8a in Perl_pp_helem () at pp_hot.c:1768
  #2  0x000000000049e0e3 in Perl_runops_standard () at run.c:42
  #3  0x0000000000435371 in Perl_call_sv (sv=0x2d81c20, flags=flags@entry=2)
      at perl.c:2756
  #4  0x0000000000435828 in Perl_call_pv (
      sub_name=sub_name@entry=0x7fd6d1916c10 "Encode::MIME::Name::get_mime_name",
      flags=flags@entry=2) at perl.c:2645
  #5  0x00007fd6d191387a in XS_Encode__XS_mime_name (cv=)
      at Encode.xs:715
  #6  0x00000000004a5220 in Perl_pp_entersub () at pp_hot.c:2794
  #7  0x000000000049e0e3 in Perl_runops_standard () at run.c:42
  #8  0x000000000043b8c8 in S_run_body (oldscope=1) at perl.c:2456
  #9  perl_run (my_perl=) at perl.c:2372
  #10 0x000000000041de25 in main (argc=3, argv=0x7ffffd6ab278, env=0x7ffffd6ab298)
      at perlmain.c:114

I attach a valgrind output from running

  env PERL_DESTRUCT_LEVEL=2 valgrind --num-callers=5 \
    /home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl \
    -Mblib t/302-content-negotiation-charset.t

-- andreas

p5pRT commented 10 years ago

From @andk

==22122== Memcheck, a memory error detector
==22122== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==22122== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==22122== Command: /home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl -Mblib t/302-content-negotiation-charset.t
==22122==
ok 1 - use HTTP::Headers::ActionPack;
ok 2 - An object of class 'HTTP::Headers::ActionPack::ContentNegotiation' isa 'HTTP::Headers::ActionPack::ContentNegotiation'
ok 3 - ... got nothing back when there are no choices
==22122== Invalid write of size 8
==22122==    at 0x6C3C869: XS_Encode__XS_mime_name (Encode.xs:713)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x43B8C7: perl_run (perl.c:2456)
==22122==    by 0x41DE24: main (perlmain.c:114)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid write of size 8
==22122==    at 0x43523F: Perl_call_sv (perl.c:2721)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x43B8C7: perl_run (perl.c:2456)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x4A4DC1: Perl_pp_entersub (pp_hot.c:2531)
==22122==    by 0x435795: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x4C2CB38: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:882)
==22122==    by 0x4A5058: Perl_pp_entersub (pp_hot.c:2702)
==22122==    by 0x435795: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid write of size 8
==22122==    at 0x49E9DA: Perl_pp_gv (pp_hot.c:99)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x4A0746: Perl_pp_rv2av (pp_hot.c:871)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid write of size 8
==22122==    at 0x4A0845: Perl_pp_rv2av (pp_hot.c:908)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid write of size 8
==22122==    at 0x4A0087: Perl_pp_aelemfast (pp_hot.c:740)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x4A5C56: Perl_pp_helem (pp_hot.c:1745)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x4A5C59: Perl_pp_helem (pp_hot.c:1746)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid write of size 8
==22122==    at 0x4A5E3C: Perl_pp_helem (pp_hot.c:1816)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x4A4BD0: Perl_pp_leavesub (pp_hot.c:2496)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid write of size 8
==22122==    at 0x4A4BFE: Perl_pp_leavesub (pp_hot.c:2501)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
==22122== Invalid read of size 8
==22122==    at 0x6C3C87E: XS_Encode__XS_mime_name (Encode.xs:717)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x43B8C7: perl_run (perl.c:2456)
==22122==    by 0x41DE24: main (perlmain.c:114)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122==
ok 4 - ... first value in the header wins when priorities are equal
ok 5 - ... higher priority charset is chosen over lower
ok 6 - ... got ISO-8859-1 even when it is not explicitly asked for
ok 7 - ... charset explicitly listed in header is preferred over ISO-8859-1 default
ok 8 - ... got default back when the default is in list of choices and default is ok
ok 9 - ... got default back when the default is in list of choices but not an exact match and default is ok
ok 10 - ... got nothing back when default is not in list of choices
ok 11 - ... if default is listed as priority 0.0 it is not returned
ok 12 - ... if default is listed as priority 0 it is not returned (0 == 0.0)
ok 13 - ... if * is listed as priority 0.0 then default is not returned
ok 14 - ... if * is listed as priority 0.5 but default is 0.0 then default is not returned, but * can match other choices
ok 15 - ... charsets in header are canonicalized
ok 16 - ... the match is returned as formatted in the list of choices, without canonicalization
1..16
==22122==
==22122== HEAP SUMMARY:
==22122==     in use at exit: 7,998,904 bytes in 23,148 blocks
==22122==   total heap usage: 68,345 allocs, 45,197 frees, 16,433,032 bytes allocated
==22122==
==22122== LEAK SUMMARY:
==22122==    definitely lost: 0 bytes in 0 blocks
==22122==    indirectly lost: 0 bytes in 0 blocks
==22122==      possibly lost: 5,236,190 bytes in 3,197 blocks
==22122==    still reachable: 2,762,714 bytes in 19,951 blocks
==22122==         suppressed: 0 bytes in 0 blocks
==22122== Rerun with --leak-check=full to see details of leaked memory
==22122==
==22122== For counts of detected and suppressed errors, rerun with: -v
==22122== ERROR SUMMARY: 14 errors from 14 contexts (suppressed: 2 from 2)

p5pRT commented 10 years ago

From @tonycoz

On Tue Sep 30 18:30:09 2014, andreas.koenig.7os6VVqR@franz.ak.mind.de wrote:

Thanks to Slaven Rezić for bringing this candidate to my attention.

The SEGV only happens occasionally while running the test t/302-content-negotiation-charset.t that comes with DROLSKY/HTTP-Headers-ActionPack-0.09.tar.gz with DANKOGAI/Encode-2.62.tar.gz installed.

This is a bug in Encode.

I've reported this upstream with a fix as https://rt.cpan.org/Ticket/Display.html?id=99264

The problem is Member_mime_name() calls call_pv(), which can reallocate the stack, but then continues to use the old stack.

Adding SPAGAIN fixes it. Method_perlio_ok() has a similar problem which I've also patched.

Tony
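The stale-stack pattern Tony describes, shown as an added illustration rather than the actual Encode.xs code or its CPAN patch. `lookup_name_buggy` and `lookup_name_fixed` are hypothetical XS helpers; the only difference between them is the SPAGAIN after call_pv(), which reloads the local SP from PL_stack_sp so the XSUB stops reading the block that Perl_stack_grow() may have realloc'd (the block valgrind reports as free'd above).

```xs
/* Added illustration, not the code from Encode.xs or its fix. */
#include "EXTERN.h"
#include "perl.h"
#include "XSUB.h"

/* Vulnerable: dSP caches a pointer into the argument stack. call_pv()
 * runs arbitrary Perl, which may call Perl_stack_grow() and realloc the
 * stack; the cached SP then points into freed memory. */
static SV *
lookup_name_buggy(pTHX_ SV *name)
{
    dSP;
    SV *result;
    ENTER;
    SAVETMPS;
    PUSHMARK(SP);
    XPUSHs(name);
    PUTBACK;                 /* publish our SP to the interpreter */
    call_pv("Encode::MIME::Name::get_mime_name", G_SCALAR);
    /* BUG: no SPAGAIN, so if the stack moved, POPs reads a dangling SP */
    result = newSVsv(POPs);  /* copy before FREETMPS discards the mortal */
    PUTBACK;
    FREETMPS;
    LEAVE;
    return result;
}

/* Fixed: SPAGAIN refreshes SP from PL_stack_sp after the callback, so
 * every later stack access goes through the live allocation. */
static SV *
lookup_name_fixed(pTHX_ SV *name)
{
    dSP;
    SV *result;
    ENTER;
    SAVETMPS;
    PUSHMARK(SP);
    XPUSHs(name);
    PUTBACK;
    call_pv("Encode::MIME::Name::get_mime_name", G_SCALAR);
    SPAGAIN;                 /* the stack may have been reallocated */
    result = newSVsv(POPs);
    PUTBACK;
    FREETMPS;
    LEAVE;
    return result;
}
```

The rule generalises to any XS code that keeps a local SP across call_sv(), call_pv(), call_method() or eval_sv(): re-sync with SPAGAIN before touching the stack again.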

p5pRT commented 10 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 10 years ago

@cpansprout - Status changed from 'open' to 'rejected'