Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Failed eval in sort causes segfault #20261

Closed sisyphus-ppcg closed 2 years ago

sisyphus-ppcg commented 2 years ago

Description

An eval that results in a syntax error inside of a sort causes a segmentation fault. This reproduces on v5.36.0 and v5.30.0 but does not segfault on a very old version of Perl (v5.16.3) so it was introduced somewhere between those versions.

Steps to Reproduce

Run the following code:

@a = sort{eval"("}1,2

Expected behavior

No segfault.

Perl configuration

Summary of my perl5 (revision 5 version 36 subversion 0) configuration:

  Platform:
    osname=linux
    osvers=5.10.0-13-cloud-amd64
    archname=x86_64-linux-gnu
    uname='linux 5918bdee5462 5.10.0-13-cloud-amd64 #1 smp debian 5.10.106-1 (2022-03-17) x86_64 gnulinux '
    config_args='-Darchname=x86_64-linux-gnu -Duse64bitall -Duseshrplib -Dvendorprefix=/usr/local -des'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
  Compiler:
    cc='cc'
    ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2'
    cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='10.2.1 20210110'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib
    libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.31.so
    so=so
    useshrplib=true
    libperl=libperl.so
    gnulibc_version='2.31'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E -Wl,-rpath,/usr/local/lib/perl5/5.36.0/x86_64-linux-gnu/CORE'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options:
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Built under linux
  Compiled at Aug 23 2022 04:45:16
  @INC:
    /usr/local/lib/perl5/site_perl/5.36.0/x86_64-linux-gnu
    /usr/local/lib/perl5/site_perl/5.36.0
    /usr/local/lib/perl5/vendor_perl/5.36.0/x86_64-linux-gnu
    /usr/local/lib/perl5/vendor_perl/5.36.0
    /usr/local/lib/perl5/5.36.0/x86_64-linux-gnu
    /usr/local/lib/perl5/5.36.0

jkeenan commented 2 years ago

Bisection points to commit 5b4a51d7c850b274c4a37452f256afb7cd5013c1 from August 2017.

commit 5b4a51d7c850b274c4a37452f256afb7cd5013c1
Author:     Zefram <zefram@fysh.org>
AuthorDate: Sun Mar 26 21:53:29 2017 +0100
Commit:     Steve Hay <steve.m.hay@googlemail.com>
CommitDate: Tue Aug 29 08:16:46 2017 +0100

    set up catchable runloops early enough

Since the author is no longer active, can someone take a look at this? @tonycoz, @demerphq, @steve-m-hay perhaps?

jkeenan commented 2 years ago

Complication: When, on a machine different from the one on which I did the bisection, I tried to build perl at the commit identified above as "first bad," the build failed like this:

cc -fstack-protector-strong -L/usr/local/lib -o miniperl \
    opmini.o perlmini.o  gv.o toke.o perly.o pad.o regcomp.o dump.o util.o mg.o reentr.o mro_core.o keywords.o hv.o av.o run.o pp_hot.o sv.o pp.o scope.o pp_ctl.o pp_sys.o doop.o doio.o regexec.o utf8.o taint.o deb.o universal.o globals.o perlio.o perlapi.o numeric.o mathoms.o locale.o pp_pack.o pp_sort.o caretx.o dquote.o time64.o  miniperlmain.o  -lpthread -lnsl -ldl -lm -lcrypt -lutil -lc 
./miniperl -w -Ilib -Idist/Exporter/lib -MExporter -e '<?>' || sh -c 'echo >&2 Failed to build miniperl.  Please run make minitest; exit 1'
Attempt to free unreferenced scalar: SV 0x5636338232b0.
Segmentation fault
Failed to build miniperl. Please run make minitest
make: *** [makefile:364: lib/buildcustomize.pl] Error 1

So there's a possibility that the bisection may have found a different problem.

demerphq commented 2 years ago

I can't reproduce on blead. Perhaps this is already fixed in latest blead?

./perl -le'@x= sort { eval "(" } (1,2); print $@';
syntax error at (eval 1) line 1, at EOF
./perl -v

This is perl 5, version 37, subversion 4 (v5.37.4 (v5.37.2-449-gcb80945103)) built for x86_64-linux-thread-multi

Copyright 1987-2022, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at https://www.perl.org/, the Perl Home Page.

Wouldn't surprise me if the commits I merged recently fixed this, although I have not bisected.

I think this can be closed unless someone can come up with a reproduction script for latest blead.

sisyphus-ppcg commented 2 years ago

Yep seems fixed in blead for me as well. I'll close this for now.

demerphq commented 2 years ago

FWIW, I think it was probably fixed by the patches in #20182.

jkeenan commented 2 years ago

Okay, so for the record, let's now try to bisect to find out when the code in question no longer crashed. Using this invocation:

perl Porting/bisect.pl \
--start=v5.36.0 \
--expect-fail -e '@a = sort{eval"("}1,2'

... I got this commit:

commit 16e43efd81368f85ada6f2d40658b305d92ba57e (HEAD, refs/bisect/bad)
Author:     David Mitchell <davem@iabyn.nospamdeletethisbit.com>
AuthorDate: Sat Jul 9 14:20:07 2022 +0100
Commit:     David Mitchell <davem@iabyn.nospamdeletethisbit.com>
CommitDate: Sat Jul 9 14:31:17 2022 +0100

    fix another panic from eval {} inside /(?{...})/

    GH #19390

bram-perl commented 2 years ago

Extra test cases should be added for it; also in combination with BEGIN and UNITCHECK, something like (untested): @a = sort{eval" UNITCHECK{die}"}1,2

demerphq commented 2 years ago

@bram-perl done: https://github.com/Perl/perl5/pull/20263
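The following is an added regression check, not code from the issue reporter, from the perl5 test suite, or from PR #20263. It takes the reporter's one-liner and the BEGIN/UNITCHECK variants suggested above and runs each one in a child perl (via $^X), so that a crash in the interpreter shows up as a signal in the child's wait status instead of killing the checker itself. The test cases, the expected output marker "caught" and the script name are constructed for this example; the pass condition is that the child survives and that $@ is set after the sort returns, which is what the fixed blead output in this thread shows.

```perl
#!/usr/bin/perl
# Added example (not part of the perl5 repository): check that a failing
# eval inside a sort block leaves $@ set instead of crashing the
# interpreter. Each case is run in a separate child perl so that a
# segfault is reported as a signal rather than inherited by this script.
use strict;
use warnings;

# Constructed test cases: the reporter's reproduction plus the
# BEGIN/UNITCHECK variants suggested in the thread. Each child prints
# "caught" when $@ is set after the sort and "none" otherwise.
my @cases = (
    [ 'syntax error in eval inside sort',
      '@a = sort { eval "(" } 1, 2; print $@ ? "caught\n" : "none\n"' ],
    [ 'die in UNITCHECK inside eval inside sort',
      '@a = sort { eval "UNITCHECK { die }" } 1, 2; print $@ ? "caught\n" : "none\n"' ],
    [ 'die in BEGIN inside eval inside sort',
      '@a = sort { eval "BEGIN { die }" } 1, 2; print $@ ? "caught\n" : "none\n"' ],
);

# Run one snippet under the same perl binary that runs this script.
# Returns the child's stdout, its exit status and the signal (if any)
# that terminated it. List-form open avoids passing the code through
# a shell, so the quoting in the snippets is preserved verbatim.
sub run_case {
    my ($code) = @_;
    open(my $fh, '-|', $^X, '-e', $code)
        or die "cannot run $^X: $!";
    my $out = do { local $/; <$fh> };
    close $fh;                 # sets $? to the child's wait status
    my $signal = $? & 127;     # e.g. 11 for SIGSEGV on Linux
    my $status = $? >> 8;
    return ($out // '', $status, $signal);
}

my $failed = 0;
for my $case (@cases) {
    my ($name, $code) = @$case;
    my ($out, $status, $signal) = run_case($code);
    if ($signal) {
        print "not ok - $name (child died with signal $signal)\n";
        $failed++;
    } elsif ($out ne "caught\n") {
        chomp $out;
        print "not ok - $name (expected \$\@ to be set, child printed: '$out', exit $status)\n";
        $failed++;
    } else {
        print "ok - $name\n";
    }
}
print "1..", scalar @cases, "\n";
exit($failed ? 1 : 0);
```

Running this against a perl with the bug reports the first case as "child died with signal 11" (on Linux), while a fixed perl reports all three as ok. The same cases can be expressed inside the core test suite with fresh_perl_is() from t/test.pl, which likewise runs the snippet in a fresh interpreter; the standalone form above is used here so it can be run against any installed perl without a source checkout.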