Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

"double free or corruption" with threads and Bencode #8740

Closed p5pRT closed 17 years ago

p5pRT commented 17 years ago

Migrated from rt.perl.org#41273 (status was 'resolved')

Searchable as RT41273$

p5pRT commented 17 years ago

From kwolf@suse.de

Created by kwolf@suse.de

When using both threads and the Bencode module, Perl will crash on termination of a thread that has been detached or should be joined now. I could reproduce the crash with the following test script on i386, x86_64 and ppc32 (so the problem seems to be architecture independent):

```perl
#!/usr/bin/perl -w

use strict;
use warnings;

use threads;
use Bencode;

sub active_mcast_threads_each() {}

my $thread = threads->new(\&active_mcast_threads_each);
$thread->join();
```

The Bencode module (from CPAN) does not include external libraries, it consists of plain Perl code. I tried to track the problem down and found that it occurs only when a regular expression in Bencode's _bdecode_chunk sub has been evaluated (this is done on initialization of the module, with $_ = 'i1e'). The corresponding code from Bencode is:

```perl
my $str_rx = qr/ \G ( 0 | [1-9] \d* ) : ( (??{
    # workaround: can't use quantifiers > 32766 in patterns,
    # so for eg. 65536 chars produce something like '(?s).{32766}.{32766}.{4}'
    $q = int( $^N / 32766 );
    $r = $^N % 32766;
    $q--, $r += 32766 if $q and not $r;
    "(?s)" . ( ".{32766}" x $q ) . ".{$r}"
}) ) /x;

m/$str_rx/xgc;
```

When executing the script using Bencode and $thread->join (or $thread->detach followed by sleep 1 to make sure the thread has enough time to return), the following error message is printed:

```
*** glibc detected *** /usr/bin/perl: double free or corruption (!prev): 0x00000000007998e0 ***
======= Backtrace: =========
/lib64/libc.so.6[0x2b039f7f637e]
/lib64/libc.so.6(__libc_free+0x6c)[0x2b039f7f799c]
/usr/bin/perl(Perl_pregfree+0x159)[0x462b89]
/usr/bin/perl(perl_destruct+0xe34)[0x426094]
/usr/lib/perl5/5.8.8/x86_64-linux-thread-multi/auto/threads/threads.so[0x2b039fa1deea]
/usr/lib/perl5/5.8.8/x86_64-linux-thread-multi/auto/threads/threads.so(XS_threads_join+0x25b)[0x2b039fa1e6db]
/usr/bin/perl(Perl_pp_entersub+0x402)[0x482cf2]
/usr/bin/perl(Perl_runops_debug+0x11e)[0x46515e]
/usr/bin/perl(perl_run+0x3fc)[0x424c1c]
/usr/bin/perl(main+0xe4)[0x41d6c4]
/lib64/libc.so.6(__libc_start_main+0xf4)[0x2b039f7a8154]
/usr/bin/perl[0x41d549]
======= Memory map: ========
00400000-00533000 r-xp 00000000 08:02 37752 /usr/bin/perl
00632000-00639000 rw-p 00132000 08:02 37752 /usr/bin/perl
00639000-007a7000 rw-p 00639000 00:00 0 [heap]
40000000-40001000 ---p 40000000 00:00 0
40001000-40801000 rw-p 40001000 00:00 0
2aaaaab00000-2aaaaab21000 rw-p 2aaaaab00000 00:00 0
2aaaaab21000-2aaaaac00000 ---p 2aaaaab21000 00:00 0
2aaaaac00000-2aaaaac0d000 r-xp 00000000 08:02 22761 /lib64/libgcc_s.so.1
2aaaaac0d000-2aaaaad0c000 ---p 0000d000 08:02 22761 /lib64/libgcc_s.so.1
2aaaaad0c000-2aaaaad0d000 rw-p 0000c000 08:02 22761 /lib64/libgcc_s.so.1
2b039f1c5000-2b039f1e0000 r-xp 00000000 08:02 17809 /lib64/ld-2.4.so
2b039f1e0000-2b039f1e1000 rw-p 2b039f1e0000 00:00 0
2b039f1e1000-2b039f1e2000 r--p 00000000 08:02 18644 /usr/lib/locale/de_DE.utf8/LC_IDENTIFICATION
2b039f1e2000-2b039f1e9000 r--s 00000000 08:02 20831 /usr/lib64/gconv/gconv-modules.cache
2b039f1e9000-2b039f1ea000 r--p 00000000 08:02 21296 /usr/lib/locale/de_DE.utf8/LC_MEASUREMENT
2b039f1ea000-2b039f1eb000 r--p 00000000 08:02 21128 /usr/lib/locale/de_DE.utf8/LC_TELEPHONE
2b039f1eb000-2b039f1ec000 r--p 00000000 08:02 18643 /usr/lib/locale/de_DE.utf8/LC_ADDRESS
2b039f1ec000-2b039f1ed000 r--p 00000000 08:02 18646 /usr/lib/locale/de_DE.utf8/LC_NAME
2b039f1ed000-2b039f1ee000 r--p 00000000 08:02 21292 /usr/lib/locale/de_DE.utf8/LC_PAPER
2b039f1ee000-2b039f1ef000 r--p 00000000 08:02 21153 /usr/lib/locale/de_DE.utf8/LC_MESSAGES/SYS_LC_MESSAGES
2b039f1ef000-2b039f1f0000 r--p 00000000 08:02 21129 /usr/lib/locale/de_DE.utf8/LC_MONETARY
2b039f201000-2b039f202000 rw-p 2b039f201000 00:00 0
2b039f202000-2b039f2d9000 r--p 00000000 08:02 21298 /usr/lib/locale/de_DE.utf8/LC_COLLATE
2b039f2d9000-2b039f2da000 r--p 00000000 08:02 18647 /usr/lib/locale/de_DE.utf8/LC_TIME
2b039f2da000-2b039f2db000 r--p 00000000 08:02 21221 /usr/lib/locale/de_DE.utf8/LC_NUMERIC
2b039f2e0000-2b039f2e2000 rw-p 0001b000 08:02 17809 /lib64/ld-2.4.so
2b039f2e2000-2b039f336000 r-xp 00000000 08:02 17824 /lib64/libm-2.4.so
2b039f336000-2b039f435000 ---p 00054000 08:02 17824 /lib64/libm-2.4.so
2b039f435000-2b039f437000 rw-p 00053000 08:02 17824 /lib64/libm-2.4.so
2b039f437000-2b039f439000 r-xp 00000000 08:02 17822 /lib64/libdl-2.4.so
2b039f439000-2b039f539000 ---p 00002000 08:02 17822 /lib64/libdl-2.4.so
2b039f539000-2b039f53b000 rw-p 00002000 08:02 17822 /lib64/libdl-2.4.so
2b039f53b000-2b039f544000 r-xp 00000000 08:02 17820 /lib64/libcrypt-2.4.so
2b039f544000-2b039f643000 ---p 00009000 08:02 17820 /lib64/libcrypt-2.4.so
2b039f643000-2b039f646000 rw-p 00008000 08:02 17820 /lib64/libcrypt-2.4.so
2b039f646000-2b039f675000 rw-p 2b039f646000 00:00 0
2b039f675000-2b039f686000 r-xp 00000000 08:02 17842 /lib64/libpthread-2.4.so
2b039f686000-2b039f785000 ---p 00011000 08:02 17842 /lib64/libpthread-2.4.so
2b039f785000-2b039f787000 rw-p 00010000 08:02 17842 /lib64/libpthread-2.4.so
2b039f787000-2b039f78b000 rw-p 2b039f787000 00:00 0
2b039f78b000-2b039f8b1000 r-xp 00000000 08:02 17816 /lib64/libc-2.4.so
2b039f8b1000-2b039f9b1000 ---p 00126000 08:02 17816 /lib64/libc-2.4.so
2b039f9b1000-2b039f9b4000 r--p 00126000 08:02 17816 /lib64/libc-2.4.so
2b039f9b4000-2b039f9b6000 rw-p 00129000 08:02 17816
Abgebrochen
```

Perl Info

```
Flags:
    category=core
    severity=medium

This perlbug was built using Perl v5.8.8 - Fri Jun 16 12:08:12 UTC 2006
It is being executed now by Perl v5.8.8 - Fri Jun 16 12:04:24 UTC 2006.

Site configuration information for perl v5.8.8:

Configured by abuild at Fri Jun 16 12:04:24 UTC 2006.

Summary of my perl5 (revision 5 version 8 subversion 8) configuration:
  Platform:
    osname=linux, osvers=2.6.16, archname=x86_64-linux-thread-multi
    uname='linux icecream 2.6.16 #1 smp mon nov 21 10:07:49 utc 2005 x86_64 x86_64 x86_64 gnulinux '
    config_args='-ds -e -Dprefix=/usr -Dvendorprefix=/usr -Dinstallusrbinperl -Dusethreads -Di_db -Di_dbm -Di_ndbm -Di_gdbm -Duseshrplib=true -Doptimize=-O2 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -Wall -pipe'
    hint=recommended, useposix=true, d_sigaction=define
    usethreads=define use5005threads=undef useithreads=define usemultiplicity=define
    useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
    use64bitint=define use64bitall=define uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -Wdeclaration-after-statement -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -fmessage-length=0 -Wall -D_FORTIFY_SOURCE=2 -g -Wall -pipe',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DTHREADS_HAVE_PIDS -DDEBUGGING -fno-strict-aliasing -pipe -Wdeclaration-after-statement'
    ccversion='', gccversion='4.1.0 (SUSE Linux)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib64'
    libpth=/lib64 /usr/lib64 /usr/local/lib64
    libs=-lm -ldl -lcrypt -lpthread
    perllibs=-lm -ldl -lcrypt -lpthread
    libc=/lib64/libc-2.4.so, so=so, useshrplib=true, libperl=libperl.so
    gnulibc_version='2.4'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E -Wl,-rpath,/usr/lib/perl5/5.8.8/x86_64-linux-thread-multi/CORE'
    cccdlflags='-fPIC', lddlflags='-shared -L/usr/local/lib64'

Locally applied patches:


@INC for perl v5.8.8:
    /usr/lib/perl5/5.8.8/x86_64-linux-thread-multi
    /usr/lib/perl5/5.8.8
    /usr/lib/perl5/site_perl/5.8.8/x86_64-linux-thread-multi
    /usr/lib/perl5/site_perl/5.8.8
    /usr/lib/perl5/site_perl
    /usr/lib/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi
    /usr/lib/perl5/vendor_perl/5.8.8
    /usr/lib/perl5/vendor_perl
    .

Environment for perl v5.8.8:
    HOME=/suse/kwolf
    LANG=de_DE.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/suse/kwolf/bin:/usr/local/bin:/usr/bin:/usr/X11R6/bin:/bin:/usr/games:/opt/gnome/bin:/opt/kde3/bin:/usr/lib64/jvm/jre/bin:/work/src/bin:/work/src/bin/tools
    PERL_BADLANG (unset)
    SHELL=/bin/bash
```
p5pRT commented 17 years ago

From @iabyn

On Mon, Jan 15, 2007 at 04:45:16AM -0800, Kevin Wolf wrote:

> When using both threads and the Bencode module, Perl will crash on termination of a thread that has been detached or should be joined now.

Thanks for the report. I can reduce the problem to

```perl
use threads ();

"i" =~ /\GX(?{})/;

sub foo() {}
threads->create(\&foo)->join;
```

and it is now fixed in bleedperl with the change below

Dave

--
print+qq&$}$"$/$s$,$*${d}$g$s$@$.$q$,$:$.$q$^$,$@$*$~$;$.$q$m&if+map{m,^\d{0,},,${$::{$'}}=chr($"+=$&||1)}q&10m22,42}6:17*2~2.3@3;^2dg3q/s"&=~m*\d\*.*g

Change 29837 by davem@davem-pigeon on 2007/01/15 18:19:20

  when cloning PL_regex_pad, copy SVf_BREAK flag too

Affected files ...

... //depot/perl/sv.c#1351 edit

Differences ...

==== //depot/perl/sv.c#1351 (text) ====

@​@​ -11025\,6 +11025\,8 @​@​   newSViv(PTR2IV(CALLREGDUPE(   INT2PTR(REGEXP *\, SvIVX(regex))\, param))))   ; + if (SvFLAGS(regex) & SVf_BREAK) + SvFLAGS(sv) |= SVf_BREAK; /* unrefcnted PL_curpm */   av_push(PL_regex_padav\, sv);   }   }
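Review bot: The new branch copies SVf_BREAK from the parent's regex SV onto the clone pushed to PL_regex_padav, but the comment `/* unrefcnted PL_curpm */` does not say why that matters for the crash being fixed. The backtrace in the report shows Perl_pregfree reached from perl_destruct inside XS_threads_join, i.e. the cloned pad entry freed again when the joined thread's interpreter is torn down; SVf_BREAK is the flag that tells the final cleanup the refcount is deliberately low, so a one-line comment to that effect (mirroring the parent's flag so the clone is not freed twice at thread destruction) would spare the next reader a trip through the backtrace. Nothing in the hunk exercises the new branch: the reduced case from the reply above (`"i" =~ /\GX(?{})/` before `threads->create(\&foo)->join`) is small enough to land as a regression test together with this change.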
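As an added check that is not part of this ticket or the perl5 repository: the script below runs Dave's reduced case in a child perl and classifies how the child ended, so an operator can tell whether a given threaded perl build still has the double free before putting it behind code that compiles regexes with `(?{})` or `(??{})` blocks and spawns threads. The helper names `run_check` and `classify_status`, and the use of `MALLOC_CHECK_` to make glibc abort at the first bad free, are my own choices, not anything the ticket prescribes.

```perl
#!/usr/bin/perl
# Added regression check for RT41273. Not code from the perl5 repository
# or from the ticket's authors; run_check/classify_status are my names.
use strict;
use warnings;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG SIGABRT);

# The reduced test case from the ticket, verbatim: a regex with a code
# block is compiled in the parent, then a thread is created and joined.
my $reproducer = <<'PERL';
use threads ();
"i" =~ /\GX(?{})/;
sub foo() {}
threads->create(\&foo)->join;
PERL

# Decode a raw $? value (as left by system()) into a readable outcome.
sub classify_status {
    my ($status) = @_;
    if (WIFEXITED($status)) {
        my $code = WEXITSTATUS($status);
        return $code == 0 ? 'exited cleanly' : "exited with status $code";
    }
    return 'killed by signal ' . WTERMSIG($status) if WIFSIGNALED($status);
    return "unknown wait status $status";
}

# Run the reproducer under the given perl (default: the running one) and
# return { verdict => 'ok' | 'crash' | 'skipped' | 'unexpected', detail => ... }.
# glibc's "double free or corruption" check ends the process with SIGABRT,
# so a child killed by signal 6 is the signature of the bug in this ticket.
sub run_check {
    my ($perl) = @_;
    $perl = $^X unless defined $perl;

    # Ask the interpreter under test (not necessarily the running one)
    # whether it was built with ithreads; without them the case cannot run.
    system($perl, '-MConfig', '-e', 'exit($Config{useithreads} ? 0 : 1)');
    return { verdict => 'skipped', detail => 'perl built without ithreads' }
        if $? != 0;

    # MALLOC_CHECK_=3 makes glibc abort on any heap inconsistency it can
    # see, so the bad free is reported where it happens instead of later.
    local $ENV{MALLOC_CHECK_} = 3;
    system($perl, '-e', $reproducer);
    my $status = $?;

    my $verdict =
        (WIFSIGNALED($status) && WTERMSIG($status) == SIGABRT) ? 'crash'
      : $status == 0                                            ? 'ok'
      :                                                           'unexpected';
    return { verdict => $verdict, detail => classify_status($status) };
}

# When run as a script: report and exit non-zero if the double free reproduces.
unless (caller) {
    my $result = run_check(shift @ARGV);
    print "$result->{verdict}: $result->{detail}\n";
    exit($result->{verdict} eq 'crash' ? 1 : 0);
}
```

Invoke it as `perl check_rt41273.pl /path/to/perl` (the file name is arbitrary); with no argument it tests the perl running the script. A build carrying the fix prints `ok: exited cleanly`; a threaded 5.8.8 like the one in the report prints `crash: killed by signal 6` after glibc's diagnostic, and the non-zero exit status lets the check sit in a build pipeline.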

p5pRT commented 17 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 17 years ago

@iabyn - Status changed from 'open' to 'resolved'