This is a bug report for perl from Niko Tyni <nt...@debian.org>, generated with the help of perlbug 1.39 running under perl 5.10.1.
----------------------------------------------------------------- The optimization of empty DESTROY methods introduced in commit fbb3ee5af3d4 causes a null pointer dereference when a destructor is declared but not defined. % perl -e 'sub M::DESTROY; bless {}, "M"' zsh: segmentation fault (core dumped) This is seen in the real world with AutoLoader / AutoSplit, where the crash prevents autoloading a DESTROY method. http://bugs.debian.org/564074 Blead backtrace: Core was generated by `./miniperl -e sub M::DESTROY; bless {}, "M"'. Program terminated with signal 11, Segmentation fault. #0 0x000000000054f83a in Perl_sv_clear (my_perl=0x2207010, sv=0x220ae28) at sv.c:5661 5661 || CvSTART(destructor)->op_next->op_type != OP_LEAVESUB)) (gdb) bt #0 0x000000000054f83a in Perl_sv_clear (my_perl=0x2207010, sv=0x220ae28) at sv.c:5661 #1 0x0000000000551b49 in Perl_sv_free2 (my_perl=0x2207010, sv=0x220ae28) at sv.c:5936 #2 0x000000000054f6a6 in Perl_sv_clear (my_perl=0x2207010, sv=0x220af78) at sv.c:5638 #3 0x0000000000551b49 in Perl_sv_free2 (my_perl=0x2207010, sv=0x220af78) at sv.c:5936 #4 0x00000000005cab0b in Perl_free_tmps (my_perl=0x2207010) at scope.c:167 #5 0x0000000000709457 in perl_run (my_perl=0x2207010) at perl.c:2234 #6 0x00000000006d9921 in main (argc=3, argv=0x7fff5ac22a48, env=0x7fff5ac22a68) at miniperlmain.c:117 Proposed patch attached. ----------------------------------------------------------------- --- Flags: category=core severity=medium --- Site configuration information for perl 5.10.1: Configured by Debian Project at Sat Nov 21 19:18:01 UTC 2009. 
Summary of my perl5 (revision 5 version 10 subversion 1) configuration: Platform: osname=linux, osvers=2.6.31-1-amd64, archname=x86_64-linux-gnu-thread-multi uname='linux madeleine 2.6.31-1-amd64 #1 smp mon nov 16 04:44:38 utc 2009 x86_64 gnulinux ' config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.1 -Dsitearch=/usr/local/lib/perl/5.10.1 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.1 -Dd_dosuid -des' hint=recommended, useposix=true, d_sigaction=define useithreads=define, usemultiplicity=define useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef use64bitint=define, use64bitall=define, uselongdouble=undef usemymalloc=n, bincompat5005=undef Compiler: cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64', optimize='-O2 -g', cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include' ccversion='', gccversion='4.3.4', gccosandvers='' intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678 d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16 ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8 alignbytes=8, prototype=define Linker and Libraries: ld='cc', ldflags =' -fstack-protector -L/usr/local/lib' libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64 libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt perllibs=-ldl 
-lm -lpthread -lc -lcrypt libc=/lib/libc-2.10.1.so, so=so, useshrplib=true, libperl=libperl.so.5.10.1 gnulibc_version='2.10.1' Dynamic Linking: dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E' cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector' Locally applied patches: --- @INC for perl 5.10.1: /etc/perl /usr/local/lib/perl/5.10.1 /usr/local/share/perl/5.10.1 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.10 /usr/share/perl/5.10 /usr/local/lib/site_perl . --- Environment for perl 5.10.1: HOME=/home/niko LANG=en_US.UTF-8 LANGUAGE (unset) LC_CTYPE=fi_FI.UTF-8 LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/home/niko/bin:/home/niko/bin:/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/sbin:/usr/sbin PERL_BADLANG (unset) SHELL=/bin/zsh
>From 16026715863b1a3a6e99df6686834c9238922539 Mon Sep 17 00:00:00 2001
From: Niko Tyni <nt...@debian.org>
Date: Fri, 8 Jan 2010 21:21:57 +0200
Subject: [PATCH] Fix a NULL pointer dereference when looking for a DESTROY method
The empty DESTROY method optimization introduced by commit fbb3ee5af3d would crash the interpreter if a DESTROY method was declared but not actually defined. This is seen in the real world with AutoLoader / AutoSplit, where the crash defeats autoloading a DESTROY method.
---
 sv.c | 3 ++-
 t/op/method.t | 11 ++++++++++-
 2 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/sv.c b/sv.c
index fb82caf..ed4be5f 100644
--- a/sv.c
+++ b/sv.c
@@ -5658,7 +5658,8 @@ Perl_sv_clear(pTHX_ register SV *const sv)
 && !CvCONST(destructor)
 /* Don't bother calling an empty destructor */
 && (CvISXSUB(destructor)
- || CvSTART(destructor)->op_next->op_type != OP_LEAVESUB))
+ || (CvSTART(destructor)
+ && (CvSTART(destructor)->op_next->op_type != OP_LEAVESUB))))
 {
 SV* const tmpref = newRV(sv);
 SvREADONLY_on(tmpref); /* DESTROY() could be naughty */
diff --git a/t/op/method.t b/t/op/method.t
index afa8cfb..d2914c4 100644
--- a/t/op/method.t
+++ b/t/op/method.t
@@ -10,7 +10,7 @@ BEGIN {
 require "test.pl";
 }
-print "1..78\n";
+print "1..79\n";
 @A::ISA = 'B';
 @B::ISA = 'C';
@@ -292,3 +292,12 @@ EOT
 "check if UNIVERSAL::AUTOLOAD works",
 );
 }
+{
+ fresh_perl_is(<<'EOT',
+sub M::DESTROY; bless {}, "M" ; print "survived\n";
+EOT
+ "survived",
+ {},
+ "no crash with a declared but missing DESTROY method"
+ );
+}
--
1.6.6
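Review bot: The new `CvSTART(destructor) &&` guard in the `Perl_sv_clear` condition makes the whole test false for a declared-but-undefined DESTROY, so the stub is handled like an empty destructor and the block that follows (which appears to set up the DESTROY call) is skipped. The commit message names AutoLoader / AutoSplit, where a stub is meant to be resolved on first call; if that resolution depends on entering this block, which the hunk does not show, the NULL dereference is fixed but the autoloaded destructor still never runs and its cleanup is silently lost. Either let a body-less CV take the call path, e.g. `|| !CvSTART(destructor)` ahead of the `op_next` test (after confirming that calling a stub with no AUTOLOAD fails cleanly), or keep the guard and extend the comment to `/* Don't bother calling an empty destructor; a stub with no body (CvSTART == NULL) is skipped too */`. `Perl_sv_clear` starts and ends outside the hunk.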
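Review bot: The added `fresh_perl_is` case at the end of t/op/method.t only proves the interpreter survives a bare `sub M::DESTROY;` stub; it does not cover the AutoLoader shape the commit message gives as the real-world trigger, a stub whose body is supplied through `AUTOLOAD`. A second case with a stub plus an `AUTOLOAD` that reports being called for `M::DESTROY` would pin whether the destructor actually runs, so a later change cannot quietly turn stubs into skipped destructors. The expected output below assumes the stub should be resolved and run; adjust it if skipping stubs is the intended behaviour, and raise the plan in the first hunk of this file to `1..80`.

```perl
{
    # Stub plus AUTOLOAD: the AutoLoader / AutoSplit shape from the
    # commit message.  Expected output assumes the stub is resolved
    # and run; confirm against the semantics chosen in sv.c.
    fresh_perl_is(<<'EOT',
package M;
sub DESTROY;
sub AUTOLOAD { print "autoloaded\n" if $M::AUTOLOAD eq "M::DESTROY" }
package main;
{ my $obj = bless {}, "M"; }
print "survived\n";
EOT
    "autoloaded\nsurvived",
    {},
    "a declared DESTROY stub is resolved through AUTOLOAD"
    );
}
```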