Core dump during pseudohash access

[p5pRT]

Migrated from rt.perl.org#3268 (status was 'resolved')

Searchable as RT3268$

[p5pRT]

From dougw@safeguard.net

To​: perlbug@​perl.com Subject​: Core dump during pseudohash access Reply-To​: dougw@​safeguard.net

This is a bug report for perl from dougw@​safeguard.net\, generated with the help of perlbug 1.28 running under perl v5.6.0.

---

my $var1 =   [   {   'TYPE' => 'IDENT'\,   '_INFO' => {}   }\,   1\,2\,3   ]; $nl1=$var1->{_INFO}{RANGE}[0];

The above program coredumps since it interprets '$var1' as a pseudo-hash\, and interprets the empty hashref as an integer\, and tries to allocate that much memory for the array. I know this is an improper pseudo-hash\, but I would think you should get at the least an 'Out of memory' error\, and preferably maybe a sort of 'Bad index in pseudo hash' error instead of a core dump.

---

---

Flags​:   category=core   severity=low

---

Site configuration information for perl v5.6.0​:

Configured by dougw at Thu Mar 30 12​:29​:57 PST 2000.

Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration​:   Platform​:   osname=hpux\, osvers=10.20\, archname=PA-RISC1.1   uname='hp-ux mongo b.10.20 u 9000800 245239331 unlimited-user license '   config_args='-Dprefix=~/perl -des'   hint=recommended\, useposix=true\, d_sigaction=define   usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef   useperlio=undef d_sfio=undef uselargefiles=define   use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef   Compiler​:   cc='cc'\, optimize='-O'\, gccversion=   cppflags='-D_HPUX_SOURCE -Aa -I/usr/local/include'   ccflags =' -D_HPUX_SOURCE -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Ae'   stdchar='unsigned char'\, d_stdstdio=define\, usevfork=false   intsize=4\, longsize=4\, ptrsize=4\, doublesize=8   d_longlong=define\, longlongsize=8\, d_longdbl=define\, longdblsize=16   ivtype='long'\, ivsize=4\, nvtype='double'\, nvsize=8\, Off_t='off_t'\, lseeksize=8   alignbytes=8\, usemymalloc=y\, prototype=define   Linker and Libraries​:   ld='ld'\, ldflags =' -L/usr/local/lib'   libpth=/usr/local/lib /lib /usr/lib /usr/ccs/lib   libs=-lnsl_s -lndbm -ldld -lm -lc -lndir -lcrypt -lsec   libc=/lib/libc.sl\, so=sl\, useshrplib=false\, libperl=libperl.a   Dynamic Linking​:   dlsrc=dl_hpux.xs\, dlext=sl\, d_dlsymun=undef\, ccdlflags='-Wl\,-E -Wl\,-B\,deferred '   cccdlflags='+z'\, lddlflags='-b +vnocompatwarnings -L/usr/local/lib'

Locally applied patches​:  

---

@​INC for perl v5.6.0​:   /home/dougw/src/Parse-RecDescent-1.77/blib/lib   /home/dougw/perl/lib/5.6.0/PA-RISC1.1   /home/dougw/perl/lib/5.6.0   /home/dougw/perl/lib/site_perl/5.6.0/PA-RISC1.1   /home/dougw/perl/lib/site_perl/5.6.0   /home/dougw/perl/lib/site_perl   .

---

Environment for perl v5.6.0​:   HOME=/home/dougw   LANG (unset)   LANGUAGE (unset)   LD_LIBRARY_PATH (unset)   LOGDIR (unset)   PATH=/home/dougw/bin​:/home/dougw/perl/bin​:/usr/bin​:/opt/ansic/bin​:/usr/ccs/bin​:/usr/contrib/bin​:/opt/nettladm/bin​:/opt/pd/bin​:/usr/bin/X11​:/usr/contrib/bin/X11​:/opt/upgrade/bin​:/opt/perf/bin​:/opt/hpnp//bin​:/opt/dtcmgr/sbin​:/opt/hparray/bin​:/opt/rdtcmgr/sbin​:/bin​:/opt/langtools/bin​:/opt/imake/bin​:/opt/pred/bin​:/opt/ignite/bin​:/opt/resmon/bin​:/usr/bin​:/usr/ccs/bin​:/usr/contrib/bin​:/opt/nettladm/bin​:/usr/bin/X11​:/usr/contrib/bin/X11​:/opt/upgrade/bin​:/opt/hpnp/bin​:/usr/local/bin​:/opt/perl5/bin​:/scope/cvs/cvsroot/bin​:/opt/fourgen731/bin​:/opt/informix730/bin​:/scope/dev/all.4gm/lib.4gs​:/scope/dev/scripts​:.   PERL5LIB=/home/dougw/src/Parse-RecDescent-1.77/blib/lib   PERL_BADLANG (unset)   SHELL=/usr/bin/sh   SHLIB_PATH (unset)

[p5pRT]

From [Unknown Contact. See original ticket]

This is a bug report for perl from dougw@​safeguard.net\, generated with the help of perlbug 1.28 running under perl v5.6.0.

---

my $var1 =   [   {   'TYPE' => 'IDENT'\,   '_INFO' => {}   }\,   1\,2\,3   ]; $nl1=$var1->{_INFO}{RANGE}[0];

The above program coredumps since it interprets '$var1' as a pseudo-hash\, and interprets the empty hashref as an integer\, and tries to allocate that much memory for the array. I know this is an improper pseudo-hash\, but I would think you should get at the least an 'Out of memory' error\, and preferably maybe a sort of 'Bad index in pseudo hash' error instead of a core dump.

---

---

Flags​:   category=core   severity=low

---

Site configuration information for perl v5.6.0​:

Configured by dougw at Thu Mar 30 12​:29​:57 PST 2000.

Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration​:   Platform​:   osname=hpux\, osvers=10.20\, archname=PA-RISC1.1   uname='hp-ux mongo b.10.20 u 9000800 245239331 unlimited-user license '   config_args='-Dprefix=~/perl -des'   hint=recommended\, useposix=true\, d_sigaction=define   usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef   useperlio=undef d_sfio=undef uselargefiles=define   use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef   Compiler​:   cc='cc'\, optimize='-O'\, gccversion=   cppflags='-D_HPUX_SOURCE -Aa -I/usr/local/include'   ccflags =' -D_HPUX_SOURCE -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Ae'   stdchar='unsigned char'\, d_stdstdio=define\, usevfork=false   intsize=4\, longsize=4\, ptrsize=4\, doublesize=8   d_longlong=define\, longlongsize=8\, d_longdbl=define\, longdblsize=16   ivtype='long'\, ivsize=4\, nvtype='double'\, nvsize=8\, Off_t='off_t'\, lseeksize=8   alignbytes=8\, usemymalloc=y\, prototype=define   Linker and Libraries​:   ld='ld'\, ldflags =' -L/usr/local/lib'   libpth=/usr/local/lib /lib /usr/lib /usr/ccs/lib   libs=-lnsl_s -lndbm -ldld -lm -lc -lndir -lcrypt -lsec   libc=/lib/libc.sl\, so=sl\, useshrplib=false\, libperl=libperl.a   Dynamic Linking​:   dlsrc=dl_hpux.xs\, dlext=sl\, d_dlsymun=undef\, ccdlflags='-Wl\,-E -Wl\,-B\,deferred '   cccdlflags='+z'\, lddlflags='-b +vnocompatwarnings -L/usr/local/lib'

Locally applied patches​:  

---

@​INC for perl v5.6.0​:   /home/dougw/src/Parse-RecDescent-1.77/blib/lib   /home/dougw/perl/lib/5.6.0/PA-RISC1.1   /home/dougw/perl/lib/5.6.0   /home/dougw/perl/lib/site_perl/5.6.0/PA-RISC1.1   /home/dougw/perl/lib/site_perl/5.6.0   /home/dougw/perl/lib/site_perl   .

---

Environment for perl v5.6.0​:   HOME=/home/dougw   LANG (unset)   LANGUAGE (unset)   LD_LIBRARY_PATH (unset)   LOGDIR (unset)  
PATH=/home/dougw/bin​:/home/dougw/perl/bin​:/usr/bin​:/opt/ansic/bin​:/usr/ccs/bin​:/usr/contrib/bin​:/opt/nettladm/bin​:/opt/pd/bin​:/usr/bin/X11​:/usr/contrib/bin/X11​:/opt/upgrade/bin​:/opt/perf/bin​:/opt/hpnp//bin​:/opt/dtcmgr/sbin​:/opt/hparray/bin​:/opt/rdtcmgr/sbin​:/bin​:/opt/langtools/bin​:/opt/imake/bin​:/opt/pred/bin​:/opt/ignite/bin​:/opt/resmon/bin​:/usr/bin​:/usr/ccs/bin​:/usr/contrib/bin​:/opt/nettladm/bin​:/usr/bin/X11​:/usr/contrib/bin/X11​:/opt/upgrade/bin​:/opt/hpnp/bin​:/usr/local/bin​:/opt/perl5/bin​:/scope/cvs/cvsroot/bin​:/opt/fourgen731/bin​:/opt/informix730/bin​:/scope/dev/all.4gm/lib.4gs​:/scope/dev/scripts​:.   PERL5LIB=/home/dougw/src/Parse-RecDescent-1.77/blib/lib   PERL_BADLANG (unset)   SHELL=/usr/bin/sh   SHLIB_PATH (unset)

--Message-Boundary-9140--

[p5pRT]

From [Unknown Contact. See original ticket]

To​: perlbug@​perl.com Subject​: [ID 20000519.006] Core dump during array allocation Reply-To​: dougw@​safeguard.net

This is a bug report for perl from dougw@​safeguard.net\, generated with the help of perlbug 1.28 running under perl v5.6.0.

---

This is a followup to the initial bug report. I believe it doesn't necessarily have anything to do with pseudo-hashes\, just array allocations of certain sizes.

The two middle assignments below core dumped when the value was between those values\, while the other two and values outside that range give the friendly 'Out of memory during (ridiculously)? large request' errors. The range changed slightly when perl was compiled with debugging enabled (and then I got 'panic​:' errors from malloc).

my @​var1;

# Out of memory #$var1[ 1_082_131_454 ] = 5;

# Core dump #$var1[ 1_082_131_453 ] = 5;

# Core dump $var1[ 1_073_741_823 ] = 5;

# Out of memory #$var1[ 1_073_741_822 ] = 5;

---

---

Flags​:   category=core   severity=low

---

Site configuration information for perl v5.6.0​:

Configured by dougw at Thu Mar 30 12​:29​:57 PST 2000.

Summary of my perl5 (revision 5.0 version 6 subversion 0) configuration​:   Platform​:   osname=hpux\, osvers=10.20\, archname=PA-RISC1.1   uname='hp-ux mongo b.10.20 u 9000800 245239331 unlimited-user license '   config_args='-Dprefix=~/perl -des'   hint=recommended\, useposix=true\, d_sigaction=define   usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef   useperlio=undef d_sfio=undef uselargefiles=define   use64bitint=undef use64bitall=undef uselongdouble=undef usesocks=undef   Compiler​:   cc='cc'\, optimize='-O'\, gccversion=   cppflags='-D_HPUX_SOURCE -Aa -I/usr/local/include'   ccflags =' -D_HPUX_SOURCE -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -Ae'   stdchar='unsigned char'\, d_stdstdio=define\, usevfork=false   intsize=4\, longsize=4\, ptrsize=4\, doublesize=8   d_longlong=define\, longlongsize=8\, d_longdbl=define\, longdblsize=16   ivtype='long'\, ivsize=4\, nvtype='double'\, nvsize=8\, Off_t='off_t'\, lseeksize=8   alignbytes=8\, usemymalloc=y\, prototype=define   Linker and Libraries​:   ld='ld'\, ldflags =' -L/usr/local/lib'   libpth=/usr/local/lib /lib /usr/lib /usr/ccs/lib   libs=-lnsl_s -lndbm -ldld -lm -lc -lndir -lcrypt -lsec   libc=/lib/libc.sl\, so=sl\, useshrplib=false\, libperl=libperl.a   Dynamic Linking​:   dlsrc=dl_hpux.xs\, dlext=sl\, d_dlsymun=undef\, ccdlflags='-Wl\,-E -Wl\,-B\,deferred '   cccdlflags='+z'\, lddlflags='-b +vnocompatwarnings -L/usr/local/lib'

Locally applied patches​:  

---

@​INC for perl v5.6.0​:   /home/dougw/src/Parse-RecDescent-1.77/blib/lib   /home/dougw/perl/lib/5.6.0/PA-RISC1.1   /home/dougw/perl/lib/5.6.0   /home/dougw/perl/lib/site_perl/5.6.0/PA-RISC1.1   /home/dougw/perl/lib/site_perl/5.6.0   /home/dougw/perl/lib/site_perl   .

---

Environment for perl v5.6.0​:   HOME=/home/dougw   LANG (unset)   LANGUAGE (unset)   LD_LIBRARY_PATH (unset)   LOGDIR (unset)   PATH=/home/dougw/bin​:/home/dougw/perl/bin​:/usr/bin​:/opt/ansic/bin​:/usr/ccs/bin​:/usr/contrib/bin​:/opt/nettladm/bin​:/opt/pd/bin​:/usr/bin/X11​:/usr/contrib/bin/X11​:/opt/upgrade/bin​:/opt/perf/bin​:/opt/hpnp//bin​:/opt/dtcmgr/sbin​:/opt/hparray/bin​:/opt/rdtcmgr/sbin​:/bin​:/opt/langtools/bin​:/opt/imake/bin​:/opt/pred/bin​:/opt/ignite/bin​:/opt/resmon/bin​:/usr/bin​:/usr/ccs/bin​:/usr/contrib/bin​:/opt/nettladm/bin​:/usr/bin/X11​:/usr/contrib/bin/X11​:/opt/upgrade/bin​:/opt/hpnp/bin​:/usr/local/bin​:/opt/perl5/bin​:/scope/cvs/cvsroot/bin​:/opt/fourgen731/bin​:/opt/informix730/bin​:/scope/dev/all.4gm/lib.4gs​:/scope/dev/scripts​:.   PERL5LIB=/home/dougw/src/Parse-RecDescent-1.77/blib/lib   PERL_BADLANG (unset)   SHELL=/usr/bin/sh   SHLIB_PATH (unset)

[p5pRT]

From [Unknown Contact. See original ticket]

the problem is triggered in this program​: my @​var1; $#var1 = 2_147_483_647;

and the problem is that the malloc routines are called by way of the New() macro​: #define New(x\,v\,n\,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))

and if n is in a range of certain very large numbers\, multiplying it by sizeof(t) results in a very small number. So we get a few bytes of memory allocated when we think we have a very large number\, and a seg fault results when we are initializing the very large array above.

What I'd like to ask is for comments on changing new to the below​: Are the types right? Can/should we change sizeof(t) to Size_t_size? Should I32_MAX/Size_t_size just be another defined constant\, or should we just let the c optimizer optimize this away to another constant? Is this the best place to patch it? Should Newc()\, Newz()\, Renew()\, and Renewc() be patched the same way? Is this the best choice of error message? What else am I missing???

Proposed new New() ############################ #define New(x\,v\,n\,t) \   ( \   ((n) > (I32_MAX/Size_t_size)) \   ? (PerlIO_puts(Perl_error_log\,PL_no_mem)\, my_exit(1)) \   : (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) \   )

[p5pRT]

From [Unknown Contact. See original ticket]

Whether or not the first patch to handy.h is applied\, please apply the second patch to AUTHORS (this is a temp gig\, no point in documenting this address)\, thanks.

Is my_exit() the right thing to call. Is this any better than letting perl core dump? 'Out of memory!' is a fatal error\, we could trap this and call something nicer (Perl_croak?).

Inline Patch

```diff --- handy.orig Thu Aug 23 18:20:19 2001 +++ handy.h Thu Aug 23 18:57:59 2001 @@ -575,14 +575,22 @@ #ifndef LEAKTEST -#define New(x,v,n,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) -#define Newc(x,v,n,t,c) (v = ```

(c)safemalloc((MEM_SIZE)((n)sizeof(t)))) -#define Newz(x\,v\,n\,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))\, \ - memzero((char*)(v)\, (n)*sizeof(t)) -#define Renew(v\,n\,t) \ - (v = (t*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t)))) -#define Renewc(v\,n\,t\,c) \ - (v = (c*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t)))) +#define New(x\,v\,n\,t) (((n) > (I32_MAX/sizeof(t))) \ + ? (PerlIO_puts(Perl_error_log\,PL_no_mem)\, my_exit(1)\, v) \ + : (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) +#define Newc(x\,v\,n\,t\,c) (((n) > (I32_MAX/sizeof(t))) \ + ? (PerlIO_puts(Perl_error_log\,PL_no_mem)\, my_exit(1)\, v) \ + : (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) +#define Newz(x\,v\,n\,t) (((n) > (I32_MAX/sizeof(t))) \ + ? (PerlIO_puts(Perl_error_log\,PL_no_mem)\, my_exit(1)\, v) \ + : ((v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))\, \ + memzero((char*)(v)\, (n)*sizeof(t)))) +#define Renew(v\,n\,t) (((n) > (I32_MAX/sizeof(t))) \ + ? (PerlIO_puts(Perl_error_log\,PL_no_mem)\, my_exit(1)\, v) \ + : (v = (t*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t))))) +#define Renewc(v\,n\,t\,c) (((n) > (I32_MAX/sizeof(t))) \ + ? (PerlIO_puts(Perl_error_log\,PL_no_mem)\, my_exit(1)\, v) \ + : (v = (c*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t))))) #define Safefree(d) safefree((Malloc_t)(d))

#else /* LEAKTEST */

####################################################################

Inline Patch

```diff --- AUTHORS.orig Thu Aug 23 18:42:01 2001 +++ AUTHORS Thu Aug 23 18:42:40 2001 @@ -159,7 +159,7 @@ Dominique Dumont Doug Campbell Doug MacEachern -Doug Wilson +Douglas Wilson Douglas E. Wegscheid Douglas Lankshear Dov Grobgeld ```

[p5pRT]

From [Unknown Contact. See original ticket]

I was poking about the source code some more\, realized that some people might actually use 64bit integers :)\, and that you can get in trouble whenever you do math within a New() statement\, and thought this might be better (you could also roll the HAS_64K_LIMIT check into here\, or would that be going too far?)​:

Inline Patch

```diff --- handy.orig Fri Aug 24 09:30:59 2001 +++ handy.h Fri Aug 24 09:56:12 2001 @@ -202,6 +202,12 @@ #endif +#ifdef USE_64_BIT_ALL +# define MEM_SIZE_MAX IV_MAX +#else +# define MEM_SIZE_MAX I32_MAX +#endif + /* log(2) is pretty close to 0.30103, just in case anyone is grepping for ```

it / #define BIT_DIGITS(N) (((N)*146)/485 + 1) /* log2(10) =~ 146/485 */ #define TYPE_DIGITS(T) BIT_DIGITS(sizeof(T) \ 8) @​@​ -575\,14 +581\,22 @​@​

#ifndef LEAKTEST

-#define New(x\,v\,n\,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) -#define Newc(x\,v\,n\,t\,c) (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t)))) -#define Newz(x\,v\,n\,t) (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))\, \ - memzero((char*)(v)\, (n)*sizeof(t)) -#define Renew(v\,n\,t) \ - (v = (t*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t)))) -#define Renewc(v\,n\,t\,c) \ - (v = (c*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t)))) +#define New(x\,v\,n\,t) ((((n) \< 0) || ((n) > (MEM_SIZE_MAX/sizeof(t)))) \ + ? (Perl_croak_nocontext("panic​: malloc")\, v) \ + : (v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) +#define Newc(x\,v\,n\,t\,c) ((((n) \< 0) || ((n) > (MEM_SIZE_MAX/sizeof(t)))) \ + ? (Perl_croak_nocontext("panic​: malloc")\, v) \ + : (v = (c*)safemalloc((MEM_SIZE)((n)*sizeof(t))))) +#define Newz(x\,v\,n\,t) ((((n) \< 0) || ((n) > (MEM_SIZE_MAX/sizeof(t)))) \ + ? (Perl_croak_nocontext("panic​: malloc")\, v) \ + : ((v = (t*)safemalloc((MEM_SIZE)((n)*sizeof(t))))\, \ + memzero((char*)(v)\, (n)*sizeof(t)))) +#define Renew(v\,n\,t) ((((n) \< 0) || ((n) > (MEM_SIZE_MAX/sizeof(t)))) \ + ? (Perl_croak_nocontext("panic​: malloc")\, v) \ + : (v = (t*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t))))) +#define Renewc(v\,n\,t\,c) ((((n) \< 0) || ((n) > (MEM_SIZE_MAX/sizeof(t)))) \ + ? (Perl_croak_nocontext("panic​: malloc")\, v) \ + : (v = (c*)saferealloc((Malloc_t)(v)\,(MEM_SIZE)((n)*sizeof(t))))) #define Safefree(d) safefree((Malloc_t)(d))

#else /* LEAKTEST */

[p5pRT]

@cwest - Status changed from 'open' to 'resolved'