Bug#624689: perl: segfaults (dereferencing a null pointer) while evaluating a pattern match
James Vega
jamessan at debian.org
Sat Apr 30 16:34:57 UTC 2011
Package: perl
Version: 5.10.1-20
Severity: normal
*** Please type your report below this line ***
In the code I'm running, an object's DESTROY method performs various
cleanup. As part of that cleanup, it calls through several functions and
ends up evaluating a pattern match. This pattern match, the last line of
the snippet below, crashes Perl.
The pattern match works fine when it is called directly in DESTROY
rather than through a series of other function calls, and it also works
in various other scenarios.
I initially saw the bug at work (on Windows) using Perl 5.8.9, Perl
5.10.1, and Perl 5.12.1. I'm reporting it here since perl-debug made it
easy for me to get a backtrace to provide.
# Presumably classifies a string as an IPv4, IPv6 or link-local IPv6 address
# (inferred from the names). This is an excerpt from the bug report: the sub
# is cut off after the first match, so its remaining branches and its return
# value are not shown.
sub isIPv4OrIPv6
{
my ($ipString) = @_;
# Dotted quad of four 1-3 digit groups.
# NOTE(review): the octets are not range-checked (999.999.999.999 matches) and
# '$' also matches before a trailing newline, so this is a shape check rather
# than validation; \A ... \z anchors plus a 0-255 check would be stricter.
my $ip_regex_ipv4 = '^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$';
# Colon-separated groups of up to four word characters.
# NOTE(review): \w accepts any word character (letters, digits, underscore),
# not only hexadecimal digits, so this accepts strings that are not addresses.
my $ip_regex_ipv6 = '^\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}[:\w]{0,5}[:\w]{0,5}[:\w]{0,5}$';
# Same style of pattern with a mandatory '%' suffix of word characters
# (presumably the zone/interface identifier of a link-local address).
my $ip_regex_v6ll = '^\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}:\w{0,4}[:\w]{0,5}[:\w]{0,5}%\w+$';
# Per the report, this match is the statement that crashes the interpreter
# when it is reached from DESTROY through a chain of other function calls.
if ($ipString =~ m/$ip_regex_ipv4/i) {
-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.38-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages perl depends on:
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.11.2-11 Embedded GNU C Library: Shared lib
ii libdb4.7 4.7.25-17 Berkeley v4.7 Database Libraries [
ii libgdbm3 1.8.3-9 GNU dbm database routines (runtime
ii perl-base 5.10.1-20 minimal Perl system
ii perl-modules 5.10.1-20 Core Perl modules
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages perl recommends:
ii netbase 4.45 Basic TCP/IP networking system
Versions of packages perl suggests:
pn libterm-readline-gnu-perl | l <none> (no description available)
ii make 3.81-8.1 An utility for Directing compilati
ii perl-doc 5.10.1-20 Perl documentation
-- no debconf information
--
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
(gdb) bt full
#0 0x082a3078 in S_swash_get (my_perl=0x99c1008, swash=0xd9ef59c, start=0, span=128) at utf8.c:1885
swatch = 0x8187715
l = 0x0
lend = 0x2e3d9658 <Address 0x2e3d9658 out of bounds>
x = 0xd52613c "10"
xend = 0x99c1008 "\244\230\200\r\360F"
s = 0x31 <Address 0x31 out of bounds>
lcur = 0
xcur = 0
scur = 228059168
hv = 0x0
listsvp = 0x0
typesvp = 0x0
bitssvp = 0x0
nonesvp = 0x0
extssvp = 0x0
typestr = 0x9 <Address 0x9 out of bounds>
typeto = 228521004
bits = 32
octets = 7
none = 3213325128
end = 24
#1 0x082a2982 in Perl_swash_fetch (my_perl=0x99c1008, swash=0xd9ef59c, ptr=0xd52613c "10", do_utf8=1 '\001') at utf8.c:1824
code_point = 49
svp = 0x0
hv = 0x0
klen = 0
off = 49
slen = 0
needents = 128
tmps = 0x0
bit = 228433996
swatch = 0xd9ef42c
tmputf8 = "\000"
c = 49
#2 0x08287187 in S_find_byclass (my_perl=0x99c1008, prog=0xa004c54, c=0xa004d10, s=0xd52613c "10", strend=0xd52613e "", reginfo=0xbf8775e4) at regexec.c:1477
doevery = 1
m = 0xb77aefa1 "\201\303S\260"
ln = 3213325992
lnc = 161223872
uskip = 1
c1 = 16
c2 = 135821096
e = 0xbf8775b8 "\330v\207\277\265\270(\b\b\020\234\tTL"
tmp = 1
do_utf8 = 1 '\001'
progi = 0xa004cfc
#3 0x0828b8b5 in Perl_regexec_flags (my_perl=0x99c1008, prog=0xa004c54, stringarg=0xd52613c "10", strend=0xd52613e "", strbeg=0xd52613c "10", minend=0, sv=0xd51c264, data=0x0, flags=3) at regexec.c:2085
s = 0xd52613c "10"
c = 0xa004d10
startpos = 0xd52613c "10"
minlen = 1
dontbother = 0
end_shift = 0
scream_pos = -1
scream_olds = 0x0
do_utf8 = 1 '\001'
multiline = 0
progi = 0xa004cfc
reginfo = {prog = 0xa004c54, bol = 0xd52613c "10", till = 0xd52613c "10", sv = 0xd51c264, ganch = 0xb76cdbbd "e\203=\f", cutpoint = 0x0}
swap_on_fail = 0 '\000'
re_debug_flags = 0
#4 0x08173f64 in Perl_pp_match (my_perl=0x99c1008) at pp_hot.c:1359
sp = 0xd8098a4
targ = 0xd51c264
pm = 0xa0046f0
dynpm = 0xa0046f0
t = 0xd52613c "10"
s = 0xd52613c "10"
strend = 0xd52613e ""
global = 0
r_flags = 3
truebase = 0xd52613c "10"
rx = 0xa004c54
rxtainted = 0 '\000'
gimme = 0
len = 2
minmatch = 0
oldsave = 141
update_minmatch = 1
had_zerolen = 0
gpos = 0
#5 0x08130e14 in Perl_runops_debug (my_perl=0x99c1008) at dump.c:1968
No locals.
#6 0x0808d1c4 in Perl_call_sv (my_perl=0x99c1008, sv=0xd6067fc, flags=150) at perl.c:2717
sp = 0xd8098a0
myop = {op_next = 0x0, op_sibling = 0x0, op_ppaddr = 0, op_targ = 0, op_type = 0, op_opt = 0, op_latefree = 0, op_latefreed = 0, op_attached = 0, op_spare = 0, op_flags = 65 'A', op_private = 0 '\000', op_first = 0x0, op_other = 0xbf8778c8}
method_op = {op_next = 0xd84860c, op_sibling = 0x4, op_ppaddr = 0x8131c62 <Perl_safesysfree+343>, op_targ = 228035824, op_type = 252, op_opt = 0, op_latefree = 1, op_latefreed = 1, op_attached = 0, op_spare = 4, op_flags = 151 '\227', op_private = 13 '\r', op_first = 0x0}
oldmark = 0
retval = 0
oldscope = 2
oldcatch = 1 '\001'
ret = 0
oldop = 0x0
cur_env = {je_prev = 0x99c117c, je_buf = {{__jmpbuf = {0, 0, 0, -1081640616, -620842677, -978522588}, __mask_was_saved = 0, __saved_mask = {__val = {0, 0, 3213326472, 255, 0, 0, 3213326472, 135659754, 161222664, 161317480, 0, 0, 0, 3077364669, 3077350678, 9364644, 3078225908, 0, 3213326520, 135651881, 161222664, 161317480, 3077350678, 134633156, 3078230944, 3078225908, 3078230944, 228069228, 3213326536, 137576992, 0, 137576960}}}}, je_ret = 0, je_mustcatch = 0 '\000'}
#7 0x081a8b98 in Perl_sv_clear (my_perl=0x99c1008, sv=0xd9fa52c) at sv.c:5433
tmpref = 0xd84860c
destructor = 0xd6067fc
sp = 0xd8098a0
stash = 0xd638d2c
type = 12
sv_type_details = 0x8334260
stash = 0xb76cdbbd
#8 0x081aa26d in Perl_sv_free2 (my_perl=0x99c1008, sv=0xd9fa52c) at sv.c:5694
No locals.
#9 0x081aa17c in Perl_sv_free (my_perl=0x99c1008, sv=0xd9fa52c) at sv.c:5670
No locals.
#10 0x08184a96 in do_clean_objs (my_perl=0x99c1008, ref=0xd9ec97c) at sv.c:499
target = 0xd9fa52c
#11 0x08184570 in S_visit (my_perl=0x99c1008, f=0x8184605 <do_clean_objs>, flags=2048, mask=2048) at sv.c:441
svend = 0xd9ece8c
sv = 0xd9ec97c
sva = 0xd9ebe9c
visited = 611
#12 0x08185390 in Perl_sv_clean_objs (my_perl=0x99c1008) at sv.c:549
No locals.
#13 0x08087238 in perl_destruct (my_perl=0x99c1008) at perl.c:833
destruct_level = 0 '\000'
hv = 0x99c1008
#14 0x080647ea in main (argc=13, argv=0xbf877d34, env=0xbf877d6c) at perlmain.c:119
exitstatus = 0
(gdb) frame 1
#1 0x082a2982 in Perl_swash_fetch (my_perl=0x99c1008, swash=0xd9ef59c, ptr=0xd52613c "10", do_utf8=1 '\001') at utf8.c:1824
1824 swatch = swash_get(swash,
(gdb) p *swash
$1 = {sv_any = 0xd9ef5a8, sv_refcnt = 1, sv_flags = 4, sv_u = {svu_iv = 0, svu_uv = 0, svu_rv = 0x0, svu_pv = 0x0, svu_array = 0x0, svu_hash = 0x0, svu_gp = 0x0}}