Closed p5pRT closed 13 years ago
The following line makes Perl dump core:
$#a>>=1;
if @a is empty (or undefined). This seemed to me a legimiate way to halve the length of a list. Obviously $#a/=2 has the same effect and does not dump core when the list is empty and of course the list can always be tested first for non-emptiness\, so this is not at all critical\, but it has been this way since 5.0 so I thought I would report it.
Thank you for your report.
I can confirm this bug in 5.8.1 RC3 (I don't have a 5.8.3 handy to check). This bug appears to have been fixed in 5.8.5 and the latest development perl.
Test patch attached.
@schwern - Status changed from 'new' to 'resolved'
John Krivitsky wrote:
The following line makes Perl dump core:
$\#a>>=1;
if @a is empty (or undefined).
Cute...
I see you're using 5.8.3. Using my 5.8.6 build\, I get
./perl -e'$#x>>=1' Out of memory during array extend at -e line 1.
That's a bit better :)
What's happening\, I think\, is that $#a for an empty array is -1. So left shifting it _still_ gives -1\, leaving perl to try to create a 2^32 (or 64) element array.
I think the only answer if you want to use that trick to shrink your array is to explicitly check if you're already done. -- Mike rmgiroux@acm.org
I wrote:
What's happening\, I think\, is that $#a for an empty array is -1. So left shifting it _still_ gives -1\, leaving perl to try to create a 2^32 (or 64) element array.
2^31\, looks like the shift is done unsigned\, but that's not the problem.
I think the only answer if you want to use that trick to shrink your array is to explicitly check if you're already done.
Hmm\, I take that back...
perl -e'$#a=-1'
doesn't core dump\, or warn.
Neither do most other numeric ops on $#a when uninitialized.
So it looks like there's already a sanity check somewhere\, and $#a>>=1 bypasses it? -- Mike rmgiroux@acm.org
On Mon\, Dec 13\, 2004 at 09:21:48AM -0500\, Mike Giroux wrote:
I wrote:
What's happening\, I think\, is that $#a for an empty array is -1. So left shifting it _still_ gives -1\, leaving perl to try to create a 2^32 (or 64) element array.
2^31\, looks like the shift is done unsigned\, but that's not the problem.
I think that is the problem. -1 >> 1 is MAXINT\, which is 2147483647 on a 32 bit architecture. It's not too surprising that trying to create an array of that many elements is problematic.
I think the only answer if you want to use that trick to shrink your array is to explicitly check if you're already done.
Hmm\, I take that back...
perl -e'$#a=-1'
doesn't core dump\, or warn.
Why would it? $#a=-1 just makes the array empty.
Neither do most other numeric ops on $#a when uninitialized.
$#a can't be uninitialized. For an empty array\, $#a == -1.
Your first suggestion was good; check to make sure the array isn't empty before doing the shift.
Ronald
On Mon\, Dec 13\, 2004 at 10:27:16AM -0500\, Ronald J Kimball wrote:
I think the only answer if you want to use that trick to shrink your array is to explicitly check if you're already done.
Hmm\, I take that back...
perl -e'$#a=-1'
doesn't core dump\, or warn.
Why would it? $#a=-1 just makes the array empty.
Here's my first reaction:
For the same reason $#a>>=1 shouldn't. This isn't C. -1 shouldn't wrap around to MAXINT no matter what the user does.
Then I thought about it a little more. I don't know so much about bit shifting\, but isn't it pretty much asking for exactly this sort of problem?
-- Michael G Schwern schwern@pobox.com http://www.pobox.com/~schwern/ Sometimes you eat the path\, sometimes the path eats you.
Here's my first reaction:
For the same reason $#a>>=1 shouldn't. This isn't C. -1 shouldn't wrap around to MAXINT no matter what the user does.
Then I thought about it a little more. I don't know so much about bit shifting\, but isn't it pretty much asking for exactly this sort of problem?
Probably. perldoc perlop actually specifies what the behaviour should be (hoping this doesn't get horribly mis-wrapped):
Note that both "\<\<" and ">>" in Perl are implemented directly using "\<\<" and ">>" in C. If "use integer" (see "Integer Arithmetic") is in force then signed C integers are used\, else unsigned C integers are used. Either way\, the implementation isn't going to generate results larger than the size of the integer type Perl was built with (32 bits or 64 bits).
So $#a>>=1 is correctly shifting down to MAXINT\, unless use integer is in scope.
perl -Minteger -e'$#a>>=1' doesn't core or warn. -- Mike
From: jk@smartguide.com.au
Hi Guys! Pardon me for saying so\, but the reason I posted this in the first place was because I didn't think that any instruction should actually make perl dump core.
I don't think you're going to find anyone on p5p who disagrees with that\, unless you're playing with unpack in odd ways.
Well\, as I found out the hard way back in 2001\, there's a perl instruction that dumps core by design :)
http://www.xray.mpe.mpg.de/mailing-lists/perl5-porters/2001-12/msg01547.html -- Mike
Ronald J Kimball \rjk\-perl\-p5p@​tamias\.net wrote:
On Mon\, Dec 13\, 2004 at 09:21:48AM -0500\, Mike Giroux wrote:
I wrote:
What's happening\, I think\, is that $#a for an empty array is -1. So left shifting it _still_ gives -1\, leaving perl to try to create a 2^32 (or 64) element array.
2^31\, looks like the shift is done unsigned\, but that's not the problem.
I think that is the problem. -1 >> 1 is MAXINT\, which is 2147483647 on a 32 bit architecture. It's not too surprising that trying to create an array of that many elements is problematic.
D'oh! Of course\, you're right.
I was insufficiently caffeinated when I didn't notice that\, that's my excuse and I'm sticking to it :) -- Mike
Hi Guys! Pardon me for saying so\, but the reason I posted this in the first place was because I didn't think that any instruction should actually make perl dump core. If you do:
perl -e 'print -1>>1;'
This prints '2147483647' (on 32 bit)\, so it's definitely the problem as you suggest. I should have stated in my original posting that this is what I thought was happening. It's just that I thought this should produce an error rather than a core dump. If version 5.8.6 now does produce an error\, then I would now consider this issue resolved. It hadn't been between versions 5.0 and 5.8.3\, so naturally I came to the conclusion that it kept being overlooked\, hence my posting. Please accept my apologies for not installing the very latest version before submitting the bug (I got a bit confused and actually thought I did have the latest version). Thank you for all your help.
Kindest regards\,
jk
Quoting Mike Giroux \rmgiroux@​hotmail\.com:
Ronald J Kimball \rjk\-perl\-p5p@​tamias\.net wrote:
On Mon\, Dec 13\, 2004 at 09:21:48AM -0500\, Mike Giroux wrote:
I wrote:
What's happening\, I think\, is that $#a for an empty array is -1. So left shifting it _still_ gives -1\, leaving perl to try to create a 2^32 (or 64) element array.
2^31\, looks like the shift is done unsigned\, but that's not the problem.
I think that is the problem. -1 >> 1 is MAXINT\, which is 2147483647 on a 32 bit architecture. It's not too surprising that trying to create an array of that many elements is problematic.
D'oh! Of course\, you're right.
I was insufficiently caffeinated when I didn't notice that\, that's my excuse and I'm sticking to it :) -- Mike
On Tue\, Dec 14\, 2004 at 01:15:52AM +0800\, jk@smartguide.com.au wrote:
It's just that I thought this should produce an error rather than a core dump. If version 5.8.6 now does produce an error\, then I would now consider this issue resolved. naturally I came to the conclusion that it kept being overlooked\, hence my posting. Please accept my apologies for not installing the very latest version before submitting the bug (I got a bit confused and actually thought I did have the latest version). Thank you for all your help.
It appears to no longer be coring on 5.8.6.
You were correct in reporting the bug\, nothing should make Perl dump core (unless\, of course\, you ask it to). And as seen from all the discussion on this bug it probably was fixed incidentally as opposed to explicitly.
Just want to remind folks there is a test patch attached to this bug.
-- Michael G Schwern schwern@pobox.com http://www.pobox.com/~schwern/ Not king yet
Michael G Schwern wrote:
You were correct in reporting the bug\, nothing should make Perl dump core (unless\, of course\, you ask it to). And as seen from all the discussion on this bug it probably was fixed incidentally as opposed to explicitly.
Just want to remind folks there is a test patch attached to this bug.
Thanks\, applied as #23645. I didn't notice it at first since it wasn't posted to the mailing list.
-- Mr Leopold Bloom ate with relish the inner organs of beasts and fowls. -- Ulysses
Michael G Schwern wrote:
It appears to no longer be coring on 5.8.6.
It is still crashing for me on Win32 :(
Produces an Access Violation error (more or less the Win32 equivalent of coring). Here's the call stack at the crash (using 5.8.6):
Perl_av_extend(av * 0x01830f5c\, long 2147483647) line 165 + 15 bytes Perl_av_store(av * 0x01830f5c\, long 2147483647\, sv * 0x28175070 _PL_sv_undef) line 322 + 13 bytes Perl_av_fill(av * 0x01830f5c\, long 2147483647) line 783 + 18 bytes Perl_magic_setarylen(sv * 0x01830f80\, magic * 0x01835648) line 1670 + 68 bytes Perl_mg_set(sv * 0x01830f80) line 237 + 14 bytes Perl_pp_right_shift() line 1667 + 46 bytes Perl_runops_debug() line 1449 + 9 bytes S_run_body(long 1) line 1937 perl_run(interpreter * 0x00233e90) line 1853 + 9 bytes RunPerl(int 2\, char * * 0x00232430\, char * * 0x00232c68) line 217 + 12 bytes main(int 2\, char * * 0x00232430\, char * * 0x00232c68) line 18 + 18 bytes PERL! mainCRTStartup + 227 bytes KERNEL32! 77e814c7()
At this point\, the debugger shows "newmax" is 2147483647 and "tmp" is 2147482080.
It crashes with bleadperl too.
- Steve
Radan Computational Ltd.
We would like to take this opportunity to wish all our customers\, suppliers and colleagues seasons greetings. We will not be sending corporate greetings cards this year. Instead\, we will be making a donation to charity.
The information contained in this message and any files transmitted with it are confidential and intended for the addressee(s) only. If you have received this message in error or there are any problems\, please notify the sender immediately. The unauthorized use\, disclosure\, copying or alteration of this message is strictly forbidden. Note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Radan Computational Ltd. The recipient(s) of this message should check it and any attached files for viruses: Radan Computational will accept no liability for any damage caused by any virus transmitted by this email.
@steve-m-hay - Status changed from 'resolved' to 'open'
[shay - Wed Dec 15 03:19:13 2004]:
Michael G Schwern wrote:
It appears to no longer be coring on 5.8.6.
It is still crashing for me on Win32 :(
Produces an Access Violation error (more or less the Win32 equivalent of coring). Here's the call stack at the crash (using 5.8.6):
Perl_av_extend(av * 0x01830f5c\, long 2147483647) line 165 + 15 bytes Perl_av_store(av * 0x01830f5c\, long 2147483647\, sv * 0x28175070 _PL_sv_undef) line 322 + 13 bytes Perl_av_fill(av * 0x01830f5c\, long 2147483647) line 783 + 18 bytes Perl_magic_setarylen(sv * 0x01830f80\, magic * 0x01835648) line 1670 + 68 bytes Perl_mg_set(sv * 0x01830f80) line 237 + 14 bytes Perl_pp_right_shift() line 1667 + 46 bytes Perl_runops_debug() line 1449 + 9 bytes S_run_body(long 1) line 1937 perl_run(interpreter * 0x00233e90) line 1853 + 9 bytes RunPerl(int 2\, char * * 0x00232430\, char * * 0x00232c68) line 217 + 12 bytes main(int 2\, char * * 0x00232430\, char * * 0x00232c68) line 18 + 18 bytes PERL! mainCRTStartup + 227 bytes KERNEL32! 77e814c7()
At this point\, the debugger shows "newmax" is 2147483647 and "tmp" is 2147482080.
It crashes with bleadperl too.
- Steve
Perl_av_extend() has a lot of different paths depending on several #define's. Can you please look up to see what you have for the following #defines?
PERL_MALLOC_WRAP STRANGE_MALLOC MYMALLOC
Thanks!
Fixed in 5.8.4.
@cpansprout - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#33003 (status was 'resolved')
Searchable as RT33003$