Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Scalar leaked in 'local $0' under ithreads + taint mode #7826

Closed p5pRT closed 18 years ago

p5pRT commented 19 years ago

Migrated from rt.perl.org#34341 (status was 'resolved')

Searchable as RT34341$

p5pRT commented 19 years ago

From stas@stason.org

Created by stas@rabbit.stason.org

The following scalar leak is reproduced under any perl 5.8+ w/ithreads:

```perl
#!/usr/bin/perl -T
use Devel::Peek;
use threads;

local $0 = "test";                          # <== XXX: leaks scalar
my $thr = threads->new(sub { Dump $0 });
$thr->join;                                 # <== XXX: triggers the leak
```

```
% perl -T leak.pl
SV = PVMG(0x81129a0) at 0x816dc10
  REFCNT = 1
  FLAGS = (GMG,SMG,pPOK)
  IV = 0
  NV = 0
  PV = 0x816e370 "test"\0
  CUR = 4
  LEN = 5
  MAGIC = 0x816e2a8
    MG_VIRTUAL = &PL_vtbl_sv
    MG_TYPE = PERL_MAGIC_sv(\0)
    MG_OBJ = 0x816dc04
    MG_LEN = 1
    MG_PTR = 0x816e2c8 "0"
  MAGIC = 0x816e2d8
    MG_VIRTUAL = &PL_vtbl_taint
    MG_TYPE = PERL_MAGIC_taint(t)
    MG_OBJ = 0x816dc1c
    MG_LEN = 2

Scalars leaked: 1
leaked: sv=0x816dc1c flags=0x084046007 refcnt=0, Perl interpreter: 0x8102770
```

As the dump shows, the leaked scalar is MG_OBJ = 0x816dc1c. This magic object is a taint magic (and it happens under -T).

It happens so that ModPerl::Registry localizes $0, so anybody trying to spawn a thread is going to get this leak. There are probably other cases where this happens in the same way, but at the moment I have only one *easy* test case.

Perl Info

```
Flags:
    category=core
    severity=medium

Site configuration information for perl v5.8.6:

Configured by stas at Thu Mar 3 21:57:12 EST 2005.

Summary of my perl5 (revision 5 version 8 subversion 6) configuration:
  Platform:
    osname=linux, osvers=2.6.8.1-12mdk, archname=i686-linux-thread-multi
    uname='linux rabbit.stason.org 2.6.8.1-12mdk #1 fri oct 1 12:53:41 cest 2004 i686 mobile intel(r) pentium(r) 4 - m cpu 2.00ghz unknown gnulinux '
    config_args='-des -Dprefix=/home/stas/perl/5.8.7-ithread -Dusethreads -Doptimize=-g -Duseshrplib -Dusedevel -Accflags=-DDEBUG_LEAKING_SCALARS'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=undef use64bitall=undef uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUG_LEAKING_SCALARS -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/include/gdbm',
    optimize='-g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUG_LEAKING_SCALARS -DDEBUGGING -fno-strict-aliasing -pipe -I/usr/local/include -I/usr/include/gdbm'
    ccversion='', gccversion='3.4.1 (Mandrakelinux 10.1 3.4.1-4mdk)', gccosandvers=''
    intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=1234
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
    ivtype='long', ivsize=4, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=4, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.3.3.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.3.3'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/home/stas/perl/5.8.7-ithread/lib/5.8.6/i686-linux-thread-multi/CORE'
    cccdlflags='-fpic', lddlflags='-shared -L/usr/local/lib'

Locally applied patches:
    MAINT23940

@INC for perl v5.8.6:
    /home/stas/perl/5.8.7-ithread/lib/5.8.6/i686-linux-thread-multi
    /home/stas/perl/5.8.7-ithread/lib/5.8.6
    /home/stas/perl/5.8.7-ithread/lib/site_perl/5.8.6/i686-linux-thread-multi
    /home/stas/perl/5.8.7-ithread/lib/site_perl/5.8.6
    /home/stas/perl/5.8.7-ithread/lib/site_perl
    .

Environment for perl v5.8.6:
    HOME=/home/stas
    LANG=en_GB
    LANGUAGE=en_GB:en
    LC_ADDRESS=en_CA
    LC_COLLATE=en_GB
    LC_CTYPE=en_GB
    LC_IDENTIFICATION=en_CA
    LC_MEASUREMENT=en_CA
    LC_MESSAGES=en_GB
    LC_MONETARY=en_CA
    LC_NAME=en_CA
    LC_NUMERIC=en_CA
    LC_PAPER=en_CA
    LC_SOURCED=1
    LC_TELEPHONE=en_CA
    LC_TIME=en_GB
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/usr//bin:/bin:/usr/bin:.:/usr/local/bin:/usr/X11R6/bin/:/usr/games:/home/stas/bin:/home/stas/bin:/usr/local/bin:/usr/X11R6/bin:/usr/java/j2re1.4.0/bin/
    PERLDOC_PAGER=less -R
    PERL_BADLANG (unset)
    SHELL=/bin/tcsh
```
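As an added check that is not part of the ticket: a small Perl driver that runs the reporter's test case in child perls, toggling `-T` and the `local $0` line, and reports which combinations make a perl built with `-DDEBUG_LEAKING_SCALARS` (as in the Perl Info above) print "Scalars leaked". It assumes `$^X` is such an ithreads-enabled perl; the variant names and output format are this example's own.

```perl
#!/usr/bin/perl
# Added leak-isolation driver (not from the ticket). Runs the reporter's
# test case in child perls, with and without -T and with and without the
# 'local $0' line, and reports which combinations trigger the
# DEBUG_LEAKING_SCALARS "Scalars leaked" report at global destruction.
use strict;
use warnings;
use Config;
use File::Temp qw(tempfile);

# Both build options are required: ithreads for threads->new, and
# DEBUG_LEAKING_SCALARS for the diagnostic line we grep for.
die "needs a perl built with -Dusethreads\n" unless $Config{useithreads};
die "needs a perl built with -Accflags=-DDEBUG_LEAKING_SCALARS\n"
    unless ($Config{ccflags} || '') =~ /DEBUG_LEAKING_SCALARS/;

# Prelude for each variant: the reporter's case, and the same without it.
my %variant = (
    'local $0' => 'local $0 = "test";',
    'no local' => '',
);

# Run one variant in a child perl and return the leaked-scalar count it
# reports on stderr (0 when no report is printed).
sub leaked_scalars {
    my ($prelude, $taint) = @_;
    my ($fh, $file) = tempfile(SUFFIX => '.pl', UNLINK => 1);
    print $fh "use Devel::Peek;\nuse threads;\n$prelude\n",
              'my $thr = threads->new(sub { Dump $0 }); $thr->join;', "\n";
    close $fh;
    my @cmd = ($^X, ($taint ? '-T' : ()), $file);
    # Both the Dump output and the leak report go to stderr; merge it in.
    my $out = qx{@cmd 2>&1};
    return $out =~ /^Scalars leaked:\s*(\d+)/m ? $1 : 0;
}

for my $name (sort keys %variant) {
    for my $taint (0, 1) {
        printf "%-9s %-5s leaked=%d\n", $name, ($taint ? '-T' : 'no-T'),
            leaked_scalars($variant{$name}, $taint);
    }
}
```

On the reporter's build only the `local $0` / `-T` row is expected to show a non-zero count; a fixed perl (see the later comment on change #24942) should show zero in every row.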
p5pRT commented 19 years ago

From stas@stason.org

(resubmitting Steve Hay's followup so it'll be stored in rt)

Stas Bekman (via RT) wrote:

```
# New Ticket Created by Stas Bekman
# Please include the string: [perl #34341]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=34341 >
```

This is a bug report for perl from stas@rabbit.stason.org, generated with the help of perlbug 1.35 running under perl v5.8.6.


The following scalar leak is reproduced under any perl 5.8+ w/ithreads:

```perl
#!/usr/bin/perl -T
use Devel::Peek;
use threads;

local $0 = "test";                          # <== XXX: leaks scalar
my $thr = threads->new(sub { Dump $0 });
$thr->join;                                 # <== XXX: triggers the leak
```

```
[...]
Scalars leaked: 1
leaked: sv=0x816dc1c flags=0x084046007 refcnt=0, Perl interpreter: 0x8102770
```

As the dump shows, the leaked scalar is MG_OBJ = 0x816dc1c. This magic object is a taint magic (and it happens under -T).

From: Steve Hay <steve.hay@uk.radan.com>

Is this anything to do with the following comment found in scope.c::S_save_scalar_at()

```c
    /* XXX SvMAGIC() is *shared* between osv and sv. This can
     * lead to coredumps when both SVs are destroyed without one
     * of their SvMAGIC() slots being NULLed. */
```

There's certainly some stuff to do with taint magic and localizing going on in that function, so since that's what this particular problem revolves around, maybe it's worth a closer look by someone that understands it?

I'm not sure what the following chunk from that function is trying to achieve:

```c
    if (PL_tainting && PL_tainted &&
        (mg = mg_find(osv, PERL_MAGIC_taint))) {
        SAVESPTR(mg->mg_obj);
        mg->mg_obj = osv;
    }
```

but could it be related to the leaked MG_OBJ?

- Steve

p5pRT commented 18 years ago

From @iabyn

Looks like the leak has been fixed by my change #24942, which fixed local() and magic (and specifically removed the code related to that XXX comment above).

p5pRT commented 18 years ago

@iabyn - Status changed from 'new' to 'resolved'