
[perl #122873] SEGV in Perl_hv_common with 5.20.1 and Encode 2.62

From: (Andreas J. Koenig) (via RT) <perl...@perl.org>
Tue, 30 Sep 2014 18:30:10 -0700
# New Ticket Created by  (Andreas J. Koenig) 
# Please include the string:  [perl #122873]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=122873 >


Thanks to Slaven Rezić for bringing this candidate to my attention.

The SEGV only happens occasionally while running the test
t/302-content-negotiation-charset.t that comes with
DROLSKY/HTTP-Headers-ActionPack-0.09.tar.gz with
DANKOGAI/Encode-2.62.tar.gz installed.

I have just observed it with 5.20.1, but according to cpantesters it
seems the same happened with 5.20.0, 5.21.1, and 5.21.3.

Very similar to my current observation is
http://www.cpantesters.org/cpan/report/45835631 where Encode
2.60 was involved.

Here is my stacktrace:

  Core was generated by `/home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl -Mblib'.
  Program terminated with signal SIGSEGV, Segmentation fault.
  #0  0x0000000000499570 in Perl_hv_common (hv=0xa, keysv=0x2d7b8f0, 
      key=0x2d86b70 "iso-8859-2", klen=10, flags=-1022775292, action=10, val=0x0, 
      hash=1) at hv.c:637

  warning: Source file is more recent than executable.
  637             goto not_found;
  (gdb) bt
  #0  0x0000000000499570 in Perl_hv_common (hv=0xa, keysv=0x2d7b8f0, 
      key=0x2d86b70 "iso-8859-2", klen=10, flags=-1022775292, action=10, val=0x0, 
      hash=1) at hv.c:637
  #1  0x00000000004a5d8a in Perl_pp_helem () at pp_hot.c:1768
  #2  0x000000000049e0e3 in Perl_runops_standard () at run.c:42
  #3  0x0000000000435371 in Perl_call_sv (sv=0x2d81c20, flags@entry=2)
      at perl.c:2756
  #4  0x0000000000435828 in Perl_call_pv (
      sub_name@entry=0x7fd6d1916c10 "Encode::MIME::Name::get_mime_name", 
      flags@entry=2) at perl.c:2645
  #5  0x00007fd6d191387a in XS_Encode__XS_mime_name (cv=<optimized out>)
      at Encode.xs:715
  #6  0x00000000004a5220 in Perl_pp_entersub () at pp_hot.c:2794
  #7  0x000000000049e0e3 in Perl_runops_standard () at run.c:42
  #8  0x000000000043b8c8 in S_run_body (oldscope=1) at perl.c:2456
  #9  perl_run (my_perl=<optimized out>) at perl.c:2372
  #10 0x000000000041de25 in main (argc=3, argv=0x7ffffd6ab278, env=0x7ffffd6ab298)
      at perlmain.c:114

I attach a valgrind output from running

  env PERL_DESTRUCT_LEVEL=2 valgrind  --num-callers=5 \
  /home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl \
  -Mblib  t/302-content-negotiation-charset.t

-- 
andreas

==22122== Memcheck, a memory error detector
==22122== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==22122== Using Valgrind-3.9.0 and LibVEX; rerun with -h for copyright info
==22122== Command: /home/sand/src/perl/repoperls/installed-perls/perl/v5.20.1/127e/bin/perl -Mblib t/302-content-negotiation-charset.t
==22122== 
ok 1 - use HTTP::Headers::ActionPack;
ok 2 - An object of class 'HTTP::Headers::ActionPack::ContentNegotiation' isa 'HTTP::Headers::ActionPack::ContentNegotiation'
ok 3 - ... got nothing back when there are no choices
==22122== Invalid write of size 8
==22122==    at 0x6C3C869: XS_Encode__XS_mime_name (Encode.xs:713)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x43B8C7: perl_run (perl.c:2456)
==22122==    by 0x41DE24: main (perlmain.c:114)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid write of size 8
==22122==    at 0x43523F: Perl_call_sv (perl.c:2721)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x43B8C7: perl_run (perl.c:2456)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x4A4DC1: Perl_pp_entersub (pp_hot.c:2531)
==22122==    by 0x435795: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x4C2CB38: memcpy@@GLIBC_2.14 (mc_replace_strmem.c:882)
==22122==    by 0x4A5058: Perl_pp_entersub (pp_hot.c:2702)
==22122==    by 0x435795: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid write of size 8
==22122==    at 0x49E9DA: Perl_pp_gv (pp_hot.c:99)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x4A0746: Perl_pp_rv2av (pp_hot.c:871)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid write of size 8
==22122==    at 0x4A0845: Perl_pp_rv2av (pp_hot.c:908)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid write of size 8
==22122==    at 0x4A0087: Perl_pp_aelemfast (pp_hot.c:740)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x4A5C56: Perl_pp_helem (pp_hot.c:1745)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c08 is 40 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x4A5C59: Perl_pp_helem (pp_hot.c:1746)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid write of size 8
==22122==    at 0x4A5E3C: Perl_pp_helem (pp_hot.c:1816)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x4A4BD0: Perl_pp_leavesub (pp_hot.c:2496)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid write of size 8
==22122==    at 0x4A4BFE: Perl_pp_leavesub (pp_hot.c:2501)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x435370: Perl_call_sv (perl.c:2756)
==22122==    by 0x6C3C879: XS_Encode__XS_mime_name (Encode.xs:715)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
==22122== Invalid read of size 8
==22122==    at 0x6C3C87E: XS_Encode__XS_mime_name (Encode.xs:717)
==22122==    by 0x4A521F: Perl_pp_entersub (pp_hot.c:2794)
==22122==    by 0x49E0E2: Perl_runops_standard (run.c:42)
==22122==    by 0x43B8C7: perl_run (perl.c:2456)
==22122==    by 0x41DE24: main (perlmain.c:114)
==22122==  Address 0x5d36c00 is 32 bytes inside a block of size 1,024 free'd
==22122==    at 0x4C2A7CE: realloc (vg_replace_malloc.c:687)
==22122==    by 0x4842C9: Perl_safesysrealloc (util.c:244)
==22122==    by 0x49C870: Perl_av_extend_guts (av.c:154)
==22122==    by 0x4CA5F9: Perl_stack_grow (scope.c:38)
==22122==    by 0x49E78F: Perl_pp_const (pp_hot.c:44)
==22122== 
ok 4 - ... first value in the header wins when priorities are equal
ok 5 - ... higher priority charset is chosen over lower
ok 6 - ... got ISO-8859-1 even when it is not explicitly asked for
ok 7 - ... charset explicitly listed in header is preferred over ISO-8859-1 default
ok 8 - ... got default back when the default is in list of choices and default is ok
ok 9 - ... got default back when the default is in list of choices but not an exact match and default is ok
ok 10 - ... got nothing back when default is not in list of choices
ok 11 - ... if default is listed as priority 0.0 it is not returned
ok 12 - ... if default is listed as priority 0 it is not returned (0 == 0.0)
ok 13 - ... if * is listed as priority 0.0 then default is not returned
ok 14 - ... if * is listed as priority 0.5 but default is 0.0 then default is not returned, but * can match other choices
ok 15 - ... charsets in header are canonicalized
ok 16 - ... the match is returned as formatted in the list of choices, without canonicalization
1..16
==22122== 
==22122== HEAP SUMMARY:
==22122==     in use at exit: 7,998,904 bytes in 23,148 blocks
==22122==   total heap usage: 68,345 allocs, 45,197 frees, 16,433,032 bytes allocated
==22122== 
==22122== LEAK SUMMARY:
==22122==    definitely lost: 0 bytes in 0 blocks
==22122==    indirectly lost: 0 bytes in 0 blocks
==22122==      possibly lost: 5,236,190 bytes in 3,197 blocks
==22122==    still reachable: 2,762,714 bytes in 19,951 blocks
==22122==         suppressed: 0 bytes in 0 blocks
==22122== Rerun with --leak-check=full to see details of leaked memory
==22122== 
==22122== For counts of detected and suppressed errors, rerun with: -v
==22122== ERROR SUMMARY: 14 errors from 14 contexts (suppressed: 2 from 2)
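Every valgrind error above is a read or write through an address inside a stack block that realloc freed in Perl_stack_grow while the nested call from Encode.xs:713-717 was running; the XS bug shape that produces exactly this is a local stack pointer taken before a call that grows the stack and not reloaded with SPAGAIN afterwards. The following C example is added here to model that pattern with a toy stack; it is neither perl's nor Encode's code, it is not a confirmed diagnosis of this ticket, and the names toy_stack, toy_push, toy_call, cached_sp_is_stale and pop_result_after_spagain are my own.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Toy model of perl's argument stack: a heap buffer that moves when it
 * grows, as Perl_stack_grow's realloc did in the report above. */
typedef struct { long *base; size_t used, cap; } toy_stack;

/* Grow with malloc+copy+free rather than realloc so the move is
 * guaranteed; the old block is freed, so cached pointers into it dangle. */
static void toy_push(toy_stack *st, long v) {
    if (st->used == st->cap) {
        long *nb = malloc(2 * st->cap * sizeof *nb);
        memcpy(nb, st->base, st->used * sizeof *nb);
        free(st->base);
        st->base = nb;
        st->cap *= 2;
    }
    st->base[st->used++] = v;
}

/* Stands in for eval_pv()/call_pv(): pushes `pushes` temporaries (possibly
 * growing the stack), pops them, and leaves one scalar result on top. */
static void toy_call(toy_stack *st, size_t pushes, long result) {
    size_t before = st->used;
    for (size_t i = 0; i < pushes; i++) toy_push(st, (long)i);
    st->used = before;
    toy_push(st, result);
}

/* Bug pattern: SP cached before the call (dSP) and never reloaded. Returns 1
 * if it now refers to freed memory; addresses are compared as integers only. */
static int cached_sp_is_stale(size_t cap, size_t pushes) {
    toy_stack st = { malloc(cap * sizeof(long)), 0, cap };
    uintptr_t old_base = (uintptr_t)st.base;   /* what dSP captured */
    toy_call(&st, pushes, 42);
    int stale = old_base != (uintptr_t)st.base;
    free(st.base);
    return stale;
}

/* Correct pattern: reload SP after the call (SPAGAIN) before POPs. */
static long pop_result_after_spagain(size_t cap, size_t pushes) {
    toy_stack st = { malloc(cap * sizeof(long)), 0, cap };
    toy_call(&st, pushes, 42);
    long *sp = st.base + st.used - 1;   /* SPAGAIN: fresh SP */
    long r = *sp;                       /* POPs */
    free(st.base);
    return r;
}
```

With a capacity of 4, a nested call that pushes 8 values forces a grow and leaves the cached pointer dangling, while reloading after the call reads the result correctly either way.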
