
Subtle av_extend memory badness #1989

Closed p5pRT closed 11 years ago

p5pRT commented 24 years ago

Migrated from rt.perl.org#3263 (status was 'resolved')

Searchable as RT3263$

p5pRT commented 24 years ago

From @simoncozens

Created by 02552@scozens.uucp

The business about SVs overgrowing segments got me thinking. Edge cases expose bugs, and sure enough, `perl -e '++$a[2**30]'` dumps core.

This is confirmed on Cygwin and Linux, with and without Perl's malloc. The backtrace:

```
154         ary[--tmp] = &PL_sv_undef;
(gdb) bt
#0  0x401aac in Perl_av_extend (av=0xa06764c, key=1073741824) at av.c:154
#1  0x401df5 in Perl_av_store (av=0xa06764c, key=1073741824, val=0xa059598) at av.c:271
#2  0x401be4 in Perl_av_fetch (av=0xa06764c, key=1073741824, lval=1) at av.c:204
#3  0x469779 in Perl_pp_aelem () at pp_hot.c:2709
#4  0x48b4ef in Perl_runops_standard () at run.c:25
```

I'll be perfectly honest here and say that I don't understand how av_extend is supposed to work. I think AvALLOC(av) may be getting a duff pointer, because tmp (that's AvALLOC(av)-AvARRAY(av)) appears to be of the order of 2**30. But I don't really want to debug memory problems because they're really sticky and horrible. :)

(Incidentally, ++$a[2**28] does the right thing and reports "out of memory during large request for 1073745920 bytes", ++$a[2**29] wraps and claims it's being asked for -2147479552 bytes. Weird, huh?)

Perl Info

```
Site configuration information for perl v5.6.0:

Configured by 02552 at Wed Mar 15 11:25:20 2000.

Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration:
  Platform:
    osname=cygwin, osvers=1.1.0(0.1832), archname=cygwin
    uname='cygwin_nt-4.0 scozens 1.1.0(0.1832) 2000-03-010 16:57:37i586 i586 unknown '
    config_args='-d'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=define
    use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef
  Compiler:
    cc='gcc', optimize='-O', gccversion=egcs-2.91.57 19980901 (egcs-1.1 release)
    cppflags='-fno-strict-aliasing -I/usr/local/include'
    ccflags ='-fno-strict-aliasing -I/usr/local/include'
    stdchar='char', d_stdstdio=undef, usevfork=false
    intsize=4, longsize=4, ptrsize=4, doublesize=8
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=4
    alignbytes=8, usemymalloc=y, prototype=define
  Linker and Libraries:
    ld='ld2', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /tmp/bleadperl /lib /usr/lib
    libs=-lm -lcrypt -lcygwin -lkernel32
    libc=/usr/lib/libc.a, so=dll, useshrplib=true, libperl=libperl5_6_0.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags=' -L/usr/local/lib'

Locally applied patches:
    v5.6.0-RC1

@INC for perl v5.6.0:
    /usr/local/lib/perl5/5.6.0/cygwin
    /usr/local/lib/perl5/5.6.0
    /usr/local/lib/perl5/site_perl/5.6.0/cygwin
    /usr/local/lib/perl5/site_perl/5.6.0
    /usr/local/lib/perl5/site_perl/5.00562/cygwin
    /usr/local/lib/perl5/site_perl/5.00562
    /usr/local/lib/perl5/site_perl
    .

Environment for perl v5.6.0:
    HOME=/home/simon
    LANG (unset)
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/bin:/usr/local/bin:/usr/bin:/miktex/miktex/bin:/PROGRA~1/ORACLE/WIN32/bin:/WINNT/system32:/WINNT:/PROGRA~1/ORACLE/WIN16/BIN
    PERL_BADLANG (unset)
    SHELL=/bin/sh
__END__
```
p5pRT commented 24 years ago

From [Unknown Contact. See original ticket]

<simon.p.cozens@jp.pwcglobal.com> wrote:

> I'll be perfectly honest here and say that I don't understand how av_extend is supposed to work. I think AvALLOC(av) may be getting a duff pointer, because tmp (that's AvALLOC(av)-AvARRAY(av)) appears to be of the order of 2**30. But I don't really want to debug memory problems because they're really sticky and horrible. :)

I think the essential problem is a naivety in the definition of New():

```c
/* handy.h:538 */
#define New(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))
```

If n is too large, the multiply will overflow silently, causing it to allocate a size quite different from that expected. Now when you come to write to what you think you've been allocated ...

The obvious fix is to put a check on the value of n in the four places in av.c. (And perhaps in many other places in the Perl source.)

The attached patch fixes the problem:

```
./perl -e '++$a[2**30-100]'
Out of memory during ridiculously large request at -e line 1.

./perl -e '++$a[2**30-50]'
Array size 1073741774 too large for memory at -e line 1.
```

But it needs further work:

i) I didn't know the right value to use for MAX_KEY.
ii) No tests, as I didn't know what offsets to test (same problem as (i)).
iii) The error string presumably ought to be a constant (and presumably declared in perl.h).
iv) No entry in perldiag.pod.
v) Should it be extended to other allocations, e.g. in hv.c?

Mike Guy

Inline Patch ```diff --- ./av.c.orig Sun Mar 5 09:56:54 2000 +++ ./av.c Fri May 19 13:01:40 2000 @@ -16,6 +16,9 @@ #define PERL_IN_AV_C #include "perl.h" +/* temporary kludge - what is the "right" max value for a Size_t ? */ +#define MAX_KEY ((UV_MAX - 256) / sizeof(SV*)) + void Perl_av_reify(pTHX_ AV *av) { @@ -115,6 +118,9 @@ #if defined(STRANGE_MALLOC) || defined(MYMALLOC) Renew(AvALLOC(av),newmax+1, SV*); #else + if (newmax > MAX_KEY) + Perl_croak(aTHX_ "Array size %d too large for memory", + newmax); bytes = (newmax + 1) * sizeof(SV*); #define MALLOC_OVERHEAD 16 itmp = MALLOC_OVERHEAD; @@ -144,6 +150,9 @@ } else { newmax = key < 3 ? 3 : key; + if (newmax > MAX_KEY) + Perl_croak(aTHX_ "Array size %d too large for memory", + newmax); New(2,AvALLOC(av), newmax+1, SV*); ary = AvALLOC(av) + 1; tmp = newmax; @@ -337,6 +346,8 @@ sv_upgrade((SV *) av,SVt_PVAV); AvFLAGS(av) = AVf_REAL; if (size) { /* `defined' was returning undef for size==0 anyway. */ + if (size > MAX_KEY) + Perl_croak(aTHX_ "Array size %d too large for memory", size); New(4,ary,size,SV*); AvALLOC(av) = ary; SvPVX(av) = (char*)ary; @@ -360,6 +371,8 @@ av = (AV*)NEWSV(9,0); sv_upgrade((SV *)av, SVt_PVAV); + if (size > MAX_KEY) + Perl_croak(aTHX_ "Array size %d too large for memory", size); New(4,ary,size+1,SV*); AvALLOC(av) = ary; Copy(strp,ary,size,SV*); End of patch ```
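Review bot: the MAX_KEY definition in the first hunk (`#define MAX_KEY ((UV_MAX - 256) / sizeof(SV*))`) is derived from UV_MAX, but the quantity that overflows in New() is the MEM_SIZE value `(n)*sizeof(t)`, so the bound should be expressed in terms of the size type (MEM_SIZE) rather than the integer-value type UV, otherwise the limit is wrong on any platform where UV and Size_t differ in width; the comment already calls this a kludge, so it should at least name the type the 256-byte headroom is protecting.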
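Review bot: in the second hunk (av_extend, around the `#if defined(STRANGE_MALLOC) || defined(MYMALLOC)`) the new `if (newmax > MAX_KEY)` check is placed inside the `#else` branch, so a build using Perl's own malloc still reaches `Renew(AvALLOC(av),newmax+1, SV*)` unchecked, and Renew() performs the same silent `(n)*sizeof(t)` multiply as New(); the reporter saw the crash both with and without Perl's malloc (usemymalloc=y in his Perl Info), so the check should be hoisted above the `#if` so that both branches are covered.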
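Review bot: the last hunk (av_fake) checks `size > MAX_KEY` but then allocates `size+1` elements (`New(4,ary,size+1,SV*)`), just as the av_extend hunks check `newmax` and allocate `newmax+1`; the checks are only sufficient because MAX_KEY reserves 256 bytes of headroom, and that dependency is invisible at the call sites, so either compare the actual element count (`size+1`, computed in an unsigned type) against the limit, or state in the MAX_KEY comment that callers may request one element beyond it.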
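As an added illustration of the overflow Mike Guy describes (this is my own example, not code from the ticket or from perl's sources), the following models New()'s `(MEM_SIZE)((n)*sizeof(t))` on a 32-bit build with 4-byte SV pointers, the ptrsize=4 configuration reported in this ticket, and shows the bound check that prevents it. The names `mem_size_t`, `SV_PTR_SIZE`, `naive_request` and `checked_request` are illustrative and assumed, not perl's.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the 32-bit builds in this ticket (ptrsize=4, intsize=4):
 * MEM_SIZE is a 32-bit unsigned size type and an SV* occupies 4 bytes.
 * These names are illustrative, not perl's own. */
typedef uint32_t mem_size_t;
#define MEM_SIZE_MAX UINT32_MAX
#define SV_PTR_SIZE  4u

/* What handy.h's New(x,v,n,t) hands to safemalloc(): (MEM_SIZE)((n)*sizeof(t)).
 * n is an I32; it is converted to the unsigned size type and the product
 * wraps modulo 2^32 without any diagnostic. */
mem_size_t naive_request(int32_t n)
{
    return (mem_size_t)n * SV_PTR_SIZE;
}

/* How a 32-bit allocator that prints its argument with %d shows that request:
 * anything above INT32_MAX appears negative, which is the "-2147479552 bytes"
 * effect the reporter saw for 2**29 (perl's malloc adds its own bookkeeping
 * overhead, so the exact figure in the report differs). The uint32->int32
 * cast is the two's-complement wrap every platform in this ticket performs. */
int32_t request_as_printed(int32_t n)
{
    return (int32_t)naive_request(n);
}

/* Number of SV* slots the wrapped allocation can actually hold, versus the n
 * slots av_extend's fill loop (ary[--tmp] = &PL_sv_undef, av.c:154 in the
 * backtrace) goes on to write: when these differ the loop writes outside
 * the block, which is the core dump. */
mem_size_t slots_actually_allocated(int32_t n)
{
    return naive_request(n) / SV_PTR_SIZE;
}

/* The defensive form: refuse any count whose byte size is not representable,
 * before the multiply is ever performed. Returns false on overflow (the
 * caller should croak) and true with *bytes set otherwise. */
bool checked_request(int32_t n, mem_size_t *bytes)
{
    if (n < 0 || (mem_size_t)n > MEM_SIZE_MAX / SV_PTR_SIZE)
        return false;
    *bytes = (mem_size_t)n * SV_PTR_SIZE;
    return true;
}

/* Convenience wrapper with no out-parameter: would New() overflow for n? */
bool would_overflow(int32_t n)
{
    mem_size_t unused;
    return !checked_request(n, &unused);
}

int main(void)
{
    /* av_extend allocates newmax+1 slots; these are the three subscripts from
     * the report: 2**28 (works), 2**29 (negative "bytes"), 2**30 (crash). */
    const int32_t counts[] = { (INT32_C(1) << 28) + 1, (INT32_C(1) << 29) + 1,
                               (INT32_C(1) << 30) + 1 };
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        int32_t n = counts[i];
        printf("n=%" PRId32 ": naive=%" PRIu32 " bytes (as %%d: %" PRId32
               "), slots=%" PRIu32 " of %" PRId32 ", overflow=%s\n",
               n, naive_request(n), request_as_printed(n),
               slots_actually_allocated(n), n, would_overflow(n) ? "yes" : "no");
    }
    return 0;
}
```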
p5pRT commented 24 years ago

From [Unknown Contact. See original ticket]

simon.p.cozens@jp.pwcglobal.com writes:

> The business about SVs overgrowing segments got me thinking. Edge cases expose bugs, and sure enough, perl -e '++$a[2**30]' dumps core.
>
> (Incidentally, ++$a[2**28] does the right thing and reports "out of memory during large request for 1073745920 bytes", ++$a[2**29] wraps and claims it's being asked for -2147479552 bytes. Weird, huh?)

It is quite normal, and discussed on p5p several times. One *could* check a limit for maximal n (void*)[n] at Configure time, but such checks would still slow down execution with questionable advantages...

Ilya

p5pRT commented 15 years ago

From 0body0@rambler.ru

For 5.10.0 Cygwin:

```
Tolyan@zion ~
$ perl -e'print ++$a[2**31]'
Out of memory during array extend at -e line 1.
```

All ok

For ActiveStatePerl 5.10.0:

```
C:\Documents and Settings\Tolyan>perl -e"print ++$a[2**30]"
Out of memory during array extend at -e line 1.
```

Very old bug....

p5pRT commented 11 years ago

From PeterCMartini@GMail.com

I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.

p5pRT commented 11 years ago

From @jkeenan

On Sun Dec 09 16:41:27 2012, pcm wrote:

> I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.

I get these results on Perl 5.16.0 on both Darwin/PPC and Linux/i386:

```
#####
$ perl -e'print ++$a[2**31]'
Out of memory during array extend at -e line 1.

$ perl -e"print ++$a[2**30]"
Can't modify anonymous list ([]) in preincrement (++) at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
#####
```

Is the fatal error I get in the 2**30 case expected? If so, then this ticket should be closed.

Thank you very much. Jim Keenan

p5pRT commented 11 years ago

From @doy

On Mon, Jan 14, 2013 at 04:18:25PM -0800, James E Keenan via RT wrote:

> On Sun Dec 09 16:41:27 2012, pcm wrote:
>
> > I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.
>
> I get these results on Perl 5.16.0 on both Darwin/PPC and Linux/i386:
>
> ```
> #####
> $ perl -e'print ++$a[2**31]'
> Out of memory during array extend at -e line 1.
>
> $ perl -e"print ++$a[2**30]"
> Can't modify anonymous list ([]) in preincrement (++) at -e line 1, at EOF
> Execution of -e aborted due to compilation errors.
> #####
> ```
>
> Is the fatal error I get in the 2**30 case expected? If so, then this ticket should be closed.

That's because you're using double quotes in the second example, and so the string actually being evaluated by perl is 'print ++[2**30]'. I get these results:

```
$ perl -e'print ++$a[2**31]'
Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.

$ perl -e'print ++$a[2**30]'
1
```

-doy

p5pRT commented 11 years ago

From @jkeenan

On Mon Jan 14 16:23:28 2013, doy@tozt.net wrote:

> On Mon, Jan 14, 2013 at 04:18:25PM -0800, James E Keenan via RT wrote:
>
> > On Sun Dec 09 16:41:27 2012, pcm wrote:
> >
> > > I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.
> >
> > I get these results on Perl 5.16.0 on both Darwin/PPC and Linux/i386:
> >
> > ```
> > #####
> > $ perl -e'print ++$a[2**31]'
> > Out of memory during array extend at -e line 1.
> >
> > $ perl -e"print ++$a[2**30]"
> > Can't modify anonymous list ([]) in preincrement (++) at -e line 1, at EOF
> > Execution of -e aborted due to compilation errors.
> > #####
> > ```
> >
> > Is the fatal error I get in the 2**30 case expected? If so, then this ticket should be closed.
>
> That's because you're using double quotes in the second example, and so the string actually being evaluated by perl is 'print ++[2**30]'. I get these results:
>
> ```
> $ perl -e'print ++$a[2**31]'
> Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.
>
> $ perl -e'print ++$a[2**30]'
> 1
> ```

Copying your last command exactly and running it, I get on both machines:

```
$ perl -e'print ++$a[2**30]'
Out of memory during array extend at -e line 1.
```

Does this mean the bug is still present in many environments?

Thank you very much. Jim Keenan

p5pRT commented 11 years ago

From @bulk88

On Mon Jan 14 17:21:07 2013, jkeenan wrote:

> Copying your last command exactly and running it, I get on both machines:
>
> ```
> $ perl -e'print ++$a[2**30]'
> Out of memory during array extend at -e line 1.
> ```
>
> Does this mean the bug is still present in many environments?
>
> Thank you very much. Jim Keenan

______________________________________________________________________

```
C:\Documents and Settings\Owner\Desktop>perl -e "print ++$a[2**30]"
Out of memory during array extend at -e line 1.

C:\Documents and Settings\Owner\Desktop>perl -e "print ++$a[2**31]"
Out of memory during array extend at -e line 1.

C:\Documents and Settings\Owner\Desktop>perl -V
Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=MSWin32, osvers=5.00, archname=MSWin32-x86-multi-thread
    uname=''
    config_args='undef'
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cl', ccflags ='-nologo -GF -W3 -MD -Zi -DNDEBUG -O1 -DWIN32 -D_CONSOLE -DNO_STRICT -DHAVE_DES_FCRYPT -DUSE_SITECUSTOMIZE -DPRIVLIB_LAST_IN_INC -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO -DPERL_MSVCRT_READFIX',
    optimize='-MD -Zi -DNDEBUG -O1',
    cppflags='-DWIN32'
    ccversion='13.10.6030', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=10
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -libpath:"C:\Perl\lib\CORE" -machine:x86'
    libpth=\lib
    libs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib msvcrt.lib
    perllibs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl510.lib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -libpath:"C:\Perl\lib\CORE" -machine:x86'

Characteristics of this binary (from libperl):
  Compile-time options: MULTIPLICITY PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS
                        PERL_MALLOC_WRAP PL_OP_SLAB_ALLOC USE_ITHREADS
                        USE_LARGE_FILES USE_PERLIO USE_SITECUSTOMIZE
  Locally applied patches:
    ActivePerl Build 1003 [285500]
    33741 avoids segfaults invoking S_raise_signal() (on Linux)
    33763 Win32 process ids can have more than 16 bits
    32809 Load 'loadable object' with non-default file extension
    32728 64-bit fix for Time::Local
  Built under MSWin32
  Compiled at May 13 2008 16:52:49
  %ENV:
    PERL_JSON_BACKEND="JSON::XS"
    PERL_YAML_BACKEND="YAML"
  @INC:
    C:/Perl/site/lib
    C:/Perl/lib
    .

C:\Documents and Settings\Owner\Desktop>
```

________________________________________________________________________

```
C:\p517\perl>perl -e "print ++$a[2**30]"
Out of memory during array extend at -e line 1.

C:\p517\perl>perl -e "print ++$a[2**31]"
Out of memory during array extend at -e line 1.

C:\p517\perl>perl -V
Summary of my perl5 (revision 5 version 17 subversion 7 patch blead 2012-12-06.16:42:20 93a641ae382638ffd1980378be4810244d04f4b0 v5.17.6-186-g93a641a) configuration:
  Snapshot of: 93a641ae382638ffd1980378be4810244d04f4b0
  Platform:
    osname=MSWin32, osvers=5.1, archname=MSWin32-x86-multi-thread
    uname=''
    config_args='undef'
    hint=recommended, useposix=true, d_sigaction=undef
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=undef, use64bitall=undef, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cl', ccflags ='-nologo -GF -W3 -MD -Zi -DNDEBUG -O1 -GL -G7 -DWIN32 -D_CONSOLE -DNO_STRICT -DPERL_TEXTMODE_SCRIPTS -DPERL_IMPLICIT_CONTEXT -DPERL_IMPLICIT_SYS -DUSE_PERLIO -D_USE_32BIT_TIME_T',
    optimize='-MD -Zi -DNDEBUG -O1 -GL -G7',
    cppflags='-DWIN32'
    ccversion='13.10.6030', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=8
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='__int64', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\perl517\lib\CORE" -machine:x86'
    libpth="C:\Program Files\Microsoft Visual Studio .NET 2003\VC7\lib"
    libs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    perllibs=oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib ws2_32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib comctl32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=true, libperl=perl517.lib
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -ltcg -libpath:"c:\perl517\lib\CORE" -machine:x86'

Characteristics of this binary (from libperl):
  Compile-time options: HAS_TIMES HAVE_INTERP_INTERN MULTIPLICITY
                        PERLIO_LAYERS PERL_DONT_CREATE_GVSV
                        PERL_IMPLICIT_CONTEXT PERL_IMPLICIT_SYS
                        PERL_MALLOC_WRAP PERL_NEW_COPY_ON_WRITE
                        PERL_PRESERVE_IVUV USE_ITHREADS USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_PERLIO USE_PERL_ATOF
  Built under MSWin32
  Compiled at Jan 3 2013 19:42:20
  @INC:
    C:/perl517/site/lib
    C:/perl517/lib
    .

C:\p517\perl>
```

________________________________________________________________________
now perl 5.6
________________________________________________________________________

```
C:\Documents and Settings\Owner>perl -e "print ++$a[2**30]"
*CRASH*
C:\Documents and Settings\Owner>perl -e "print ++$a[2**31]"
Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.

C:\Documents and Settings\Owner>perl -V
Summary of my perl5 (revision 5 version 6 subversion 2) configuration:
  Platform:
    osname=MSWin32, osvers=4.0, archname=MSWin32-x86
    uname=''
    config_args='undef'
    hint=recommended, useposix=true, d_sigaction=undef
    usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
    useperlio=undef d_sfio=undef uselargefiles=undef usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
  Compiler:
    cc='cl', ccflags ='-nologo -Od -Zi -MD -DNDEBUG -DWIN32 -D_CONSOLE -DNO_STRICT -DHAVE_DES_FCRYPT -DPERL_MSVCRT_READFIX',
    optimize='-Od -Zi -MD -DNDEBUG',
    cppflags='-DWIN32'
    ccversion='', gccversion='', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=undef, longlongsize=8, d_longdbl=define, longdblsize=10
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=4
    alignbytes=8, usemymalloc=n, prototype=define
  Linker and Libraries:
    ld='link', ldflags ='-nologo -nodefaultlib -debug -opt:ref,icf -release -libpath:"c:\p56\5.6.2\lib\MSWin32-x86\CORE" -machine:x86'
    libpth="C:\Program Files\Microsoft Visual Studio .NET 2003\VC7\lib"
    libs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib wsock32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib msvcrt.lib
    perllibs= oldnames.lib kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib netapi32.lib uuid.lib wsock32.lib mpr.lib winmm.lib version.lib odbc32.lib odbccp32.lib msvcrt.lib
    libc=msvcrt.lib, so=dll, useshrplib=yes, libperl=perl56.lib
  Dynamic Linking:
    dlsrc=dl_win32.xs, dlext=dll, d_dlsymun=undef, ccdlflags=' '
    cccdlflags=' ', lddlflags='-dll -nologo -nodefaultlib -debug -opt:ref,icf -release -libpath:"c:\p56\5.6.2\lib\MSWin32-x86\CORE" -machine:x86'

Characteristics of this binary (from libperl):
  Compile-time options:
  Built under MSWin32
  Compiled at Jan 5 2013 15:16:37
  @INC:
    C:/p56/5.6.2/lib/MSWin32-x86
    C:/p56/5.6.2/lib
    C:/p56/site/5.6.2/lib/MSWin32-x86
    C:/p56/site/5.6.2/lib
    .

C:\Documents and Settings\Owner>
```

________________________________________________________________________

Access violation writing location 0x0181fffc.

________________________________________________________________________

```
perl56.dll!Perl_av_extend(av * av=0x018209a4, long key=1073741824) Line 151 + 0xf	C
perl56.dll!Perl_av_store(av * av=0x018209a4, long key=1073741824, sv * val=0x002325a0) Line 267 + 0xd	C
perl56.dll!Perl_av_fetch(av * av=0x018209a4, long key=1073741824, long lval=1) Line 200 + 0x11	C
perl56.dll!Perl_pp_aelem() Line 2799 + 0x2d	C
perl56.dll!Perl_runops_standard() Line 23 + 0x8	C
perl56.dll!S_run_body(long oldscope=1) Line 1474	C
perl56.dll!perl_run(interpreter * my_perl=0x00233d88) Line 1393 + 0x9	C
perl56.dll!RunPerl(int argc=3, char * * argv=0x00233d50, char * * env=0x00232c58) Line 319 + 0x9	C
perl.exe!main(int argc=3, char * * argv=0x00233d50, char * * env=0x00232c58) Line 18 + 0x12	C
perl.exe!mainCRTStartup() Line 398 + 0xe	C
kernel32.dll!_BaseProcessStart@4() + 0x23
```

_______________________________________________________________________

-- bulk88 ~ bulk88 at hotmail.com

p5pRT commented 11 years ago

From @tux

On Mon, 14 Jan 2013 17:21:07 -0800, "James E Keenan via RT" <perlbug-followup@perl.org> wrote:

> On Mon Jan 14 16:23:28 2013, doy@tozt.net wrote:
>
> > On Mon, Jan 14, 2013 at 04:18:25PM -0800, James E Keenan via RT wrote:
> >
> > > On Sun Dec 09 16:41:27 2012, pcm wrote:
> > >
> > > > I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.
> > >
> > > I get these results on Perl 5.16.0 on both Darwin/PPC and Linux/i386:
> > >
> > > ```
> > > #####
> > > $ perl -e'print ++$a[2**31]'
> > > Out of memory during array extend at -e line 1.
> > >
> > > $ perl -e"print ++$a[2**30]"
> > > Can't modify anonymous list ([]) in preincrement (++) at -e line 1, at EOF
> > > Execution of -e aborted due to compilation errors.
> > > #####
> > > ```
> > >
> > > Is the fatal error I get in the 2**30 case expected? If so, then this ticket should be closed.
> >
> > That's because you're using double quotes in the second example, and so the string actually being evaluated by perl is 'print ++[2**30]'. I get these results:
> >
> > ```
> > $ perl -e'print ++$a[2**31]'
> > Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.
> >
> > $ perl -e'print ++$a[2**30]'
> > 1
> > ```
>
> Copying your last command exactly and running it, I get on both machines:
>
> ```
> $ perl -e'print ++$a[2**30]'
> Out of memory during array extend at -e line 1.
> ```
>
> Does this mean the bug is still present in many environments?

64bit Linux 3.4.11, perl-5.16.2/64all:

```
$ perl -le'print ++$a[2**31]'
Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.

$ perl -le'print ++$a[2**30]'
1
```

64bit HP-UX 11.31, perl-5.14.2/64all:

```
$ perl -le'print ++$a[2**31]'
Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.

$ perl -le'print ++$a[2**30]'
Out of memory!
```

64bit HP-UX 11.31, perl-5.16.0/64all:

```
$ gperl -le'print ++$a[2**31]'
Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.

$ gperl -le'print ++$a[2**30]'
Out of memory!
```

> Thank you very much. Jim Keenan

-- H.Merijn Brand http://tux.nl Perl Monger http://amsterdam.pm.org/ using perl5.00307 .. 5.17 porting perl5 on HP-UX, AIX, and openSUSE http://mirrors.develooper.com/hpux/ http://www.test-smoke.org/ http://qa.perl.org http://www.goldmark.org/jeff/stupid-disclaimers/

p5pRT commented 11 years ago

From @iabyn

On Mon, Jan 14, 2013 at 05:21:07PM -0800, James E Keenan via RT wrote:

> On Mon Jan 14 16:23:28 2013, doy@tozt.net wrote:
>
> > On Mon, Jan 14, 2013 at 04:18:25PM -0800, James E Keenan via RT wrote:
> >
> > > On Sun Dec 09 16:41:27 2012, pcm wrote:
> > >
> > > > I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.
> > >
> > > I get these results on Perl 5.16.0 on both Darwin/PPC and Linux/i386:
> > >
> > > ```
> > > #####
> > > $ perl -e'print ++$a[2**31]'
> > > Out of memory during array extend at -e line 1.
> > >
> > > $ perl -e"print ++$a[2**30]"
> > > Can't modify anonymous list ([]) in preincrement (++) at -e line 1, at EOF
> > > Execution of -e aborted due to compilation errors.
> > > #####
> > > ```
> > >
> > > Is the fatal error I get in the 2**30 case expected? If so, then this ticket should be closed.
> >
> > That's because you're using double quotes in the second example, and so the string actually being evaluated by perl is 'print ++[2**30]'. I get these results:
> >
> > ```
> > $ perl -e'print ++$a[2**31]'
> > Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.
> >
> > $ perl -e'print ++$a[2**30]'
> > 1
> > ```
>
> Copying your last command exactly and running it, I get on both machines:
>
> ```
> $ perl -e'print ++$a[2**30]'
> Out of memory during array extend at -e line 1.
> ```
>
> Does this mean the bug is still present in many environments?

No, it just means your machine hasn't got enough memory to create a 1Gb array.

There's still a bug though:

```
$ perl -e'print ++$a[2**31]'
Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.
```

That means that the value 2^31 is being wrapped to a negative number. I don't know whether this is just due to the general fault of the AV API using signed 32-bit values (I32), or whether something could be fixed *before* the value is passed to the API.

-- This email is confidential, and now that you have read it you are legally obliged to shoot yourself. Or shoot a lawyer, if you prefer. If you have received this email in error, place it in its original wrapping and return for a full refund. By opening this email, you accept that Elvis lives.

p5pRT commented 11 years ago

From PeterCMartini@GMail.com

On Fri, Jan 18, 2013 at 8:13 AM, Dave Mitchell <davem@iabyn.com> wrote:

> On Mon, Jan 14, 2013 at 05:21:07PM -0800, James E Keenan via RT wrote:
>
> > On Mon Jan 14 16:23:28 2013, doy@tozt.net wrote:
> >
> > > On Mon, Jan 14, 2013 at 04:18:25PM -0800, James E Keenan via RT wrote:
> > >
> > > > On Sun Dec 09 16:41:27 2012, pcm wrote:
> > > >
> > > > > I believe this ticket was resolved by PERL_MALLOC_WRAP and its MEM_WRAP_CHECKs.
> > > >
> > > > I get these results on Perl 5.16.0 on both Darwin/PPC and Linux/i386:
> > > >
> > > > ```
> > > > #####
> > > > $ perl -e'print ++$a[2**31]'
> > > > Out of memory during array extend at -e line 1.
> > > >
> > > > $ perl -e"print ++$a[2**30]"
> > > > Can't modify anonymous list ([]) in preincrement (++) at -e line 1, at EOF
> > > > Execution of -e aborted due to compilation errors.
> > > > #####
> > > > ```
> > > >
> > > > Is the fatal error I get in the 2**30 case expected? If so, then this ticket should be closed.
> > >
> > > That's because you're using double quotes in the second example, and so the string actually being evaluated by perl is 'print ++[2**30]'. I get these results:
> > >
> > > ```
> > > $ perl -e'print ++$a[2**31]'
> > > Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.
> > >
> > > $ perl -e'print ++$a[2**30]'
> > > 1
> > > ```
> >
> > Copying your last command exactly and running it, I get on both machines:
> >
> > ```
> > $ perl -e'print ++$a[2**30]'
> > Out of memory during array extend at -e line 1.
> > ```
> >
> > Does this mean the bug is still present in many environments?
>
> No, it just means your machine hasn't got enough memory to create a 1Gb array.
>
> There's still a bug though:
>
> ```
> $ perl -e'print ++$a[2**31]'
> Modification of non-creatable array value attempted, subscript -2147483648 at -e line 1.
> ```
>
> That means that the value 2^31 is being wrapped to a negative number. I don't know whether this is just due to the general fault of the AV API using signed 32-bit values (I32), or whether something could be fixed *before* the value is passed to the API.

I know there's a meta ticket for all of those I32 bugs. I like this example:

```
perl -wE '@a = qw(1 2); say ++$a[2**32-1]'
3
```

Anyway, this ticket was for the core dump for large array indices; it seems that issue has been resolved, so can this ticket be closed too? The goal being to get our max ticket age under 10 years :-)

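An added model (my own code, not perl's source) of the subscript wrap that Dave Mitchell and Peter Martini describe above: the subscript is squeezed into a signed 32-bit I32 before the AV API sees it, and perl's normal negative-index rule then applies to the wrapped value. Names are illustrative and assumed; `fill` follows perl's convention of being the index of the last element (-1 for an empty array), and `NON_CREATABLE` stands in for the fatal "Modification of non-creatable array value attempted" error.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Perl's array API of this era took subscripts as I32 (signed 32-bit).
 * A subscript computed as a Perl number (2**31, 2**32-1, ...) is converted
 * to I32 first and the high bits are simply discarded. The cast via uint32_t
 * is the two's-complement wrap that every platform in this ticket performs. */
int32_t as_i32_subscript(int64_t idx)
{
    return (int32_t)(uint32_t)idx;
}

/* Sentinel for "Modification of non-creatable array value attempted". */
#define NON_CREATABLE (-1)

/* Resolve a subscript the way an lvalue $a[idx] is resolved: negative indices
 * count back from the end (fill = index of the last element, -1 when empty)
 * and a still-negative result is fatal. Returns the element index that will
 * be fetched or created, or NON_CREATABLE. */
int64_t resolve_lvalue_subscript(int64_t idx, int32_t fill)
{
    int32_t elem = as_i32_subscript(idx);
    if (elem < 0) {
        elem += fill + 1;            /* the same arithmetic as $a[-1] */
        if (elem < 0)
            return NON_CREATABLE;    /* subscript -2147483648 for 2**31 on @a=() */
    }
    return elem;
}

/* The alternative Dave Mitchell asks about: reject the value before it reaches
 * the I32 API instead of letting it wrap. Anything outside the I32 range is
 * refused; everything else resolves exactly as before. */
int64_t checked_subscript(int64_t idx, int32_t fill)
{
    if (idx > INT32_MAX || idx < INT32_MIN)
        return NON_CREATABLE;
    return resolve_lvalue_subscript(idx, fill);
}

/* ++$a[idx] on a modelled array a[0..fill]. A subscript beyond fill would
 * extend the array and increment undef, giving 1 (storage not modelled here);
 * a fatal subscript returns NON_CREATABLE. */
int64_t preinc_element(int64_t *a, int32_t fill, int64_t idx)
{
    int64_t elem = resolve_lvalue_subscript(idx, fill);
    if (elem == NON_CREATABLE)
        return NON_CREATABLE;
    if (elem > fill)
        return 1;
    return ++a[elem];
}

/* Peter Martini's example: @a = (1, 2); ++$a[2**32-1]. The subscript wraps
 * to -1, so it is really ++$a[1] and the result is 3. */
int64_t peter_martini_example(void)
{
    int64_t a[2] = { 1, 2 };
    return preinc_element(a, 1, (INT64_C(1) << 32) - 1);
}

int main(void)
{
    const int64_t cases[] = { INT64_C(1) << 30, INT64_C(1) << 31, (INT64_C(1) << 32) - 1 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int64_t idx = cases[i];
        printf("idx=%" PRId64 ": as I32 %" PRId32 ", resolves to %" PRId64
               " on empty @a, checked: %" PRId64 "\n",
               idx, as_i32_subscript(idx), resolve_lvalue_subscript(idx, -1),
               checked_subscript(idx, -1));
    }
    printf("@a=(1,2); ++$a[2**32-1] = %" PRId64 "\n", peter_martini_example());
    return 0;
}
```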

p5pRT commented 11 years ago

From @iabyn

On Fri, Jan 18, 2013 at 02:43:02PM -0500, Peter Martini wrote:

> Anyway, this ticket was for the core dump for large array indices; it seems that issue has been resolved, so can this ticket be closed too? The goal being to get our max ticket age under 10 years :-)

Yeah, I think it can be closed.

-- Technology is dominated by two types of people​: those who understand what they do not manage\, and those who manage what they do not understand.

p5pRT commented 11 years ago

@iabyn - Status changed from 'open' to 'resolved'