Bug#624689: perl: segfaults (dereferencing a null pointer) while evaluating a pattern match

James Vega jamessan at debian.org
Fri May 6 02:37:57 UTC 2011


On Mon, May 02, 2011 at 07:01:02AM -0400, James Vega wrote:
> On Mon, May 02, 2011 at 01:16:37PM +0300, Niko Tyni wrote:
> > On Sat, Apr 30, 2011 at 12:34:57PM -0400, James Vega wrote:
> > > In the piece of code I'm running, an object's DESTROY method has various
> > > cleanup that it is doing.  As part of that cleanup, it calls through
> > > various functions and ends up evaluating a pattern match.  This pattern
> > > match, the last line in the below snippet, ends up crashing Perl.
> > 
> > Would it be possible to get a recipe for reproducing this?
> 
> Unfortunately, I haven't been able to boil it down to a simple test case
> yet.  It happens during a run of our test suite, which wouldn't be
> easily reproducible outside of our environment.

In case it helps, attached is the relevant section of a valgrind log for
another instance I reproduced today.  This is actually something our code
base is running into rather frequently, but I unfortunately don't have
the time at work to whittle down the code to a reproducible base case,
especially now that we've found a workaround (not performing pattern
matches in this code path).

-- 
James
GPG Key: 1024D/61326D40 2003-09-02 James Vega <jamessan at debian.org>
-------------- next part --------------
==14471== Invalid read of size 1
==14471==    at 0x82A2CEB: Perl_swash_fetch (utf8.c:1853)
==14471==    by 0x829A26D: S_regrepeat (regexec.c:5501)
==14471==    by 0x8296498: S_regmatch (regexec.c:4665)
==14471==    by 0x828CE4D: S_regtry (regexec.c:2353)
==14471==    by 0x828A1BC: Perl_regexec_flags (regexec.c:1882)
==14471==    by 0x8173F63: Perl_pp_match (pp_hot.c:1359)
==14471==    by 0x8130E13: Perl_runops_debug (dump.c:1968)
==14471==    by 0x808D1C3: Perl_call_sv (perl.c:2717)
==14471==    by 0x81A8B97: Perl_sv_clear (sv.c:5433)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x81A9F2E: Perl_sv_clear (sv.c:5551)
==14471==  Address 0xa9d2a9a is 18 bytes inside a block of size 32 free'd
==14471==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14471==    by 0x8131C61: Perl_safesysfree (util.c:262)
==14471==    by 0x81A9F57: Perl_sv_clear (sv.c:5573)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x815E1CC: Perl_hv_free_ent (hv.c:1473)
==14471==    by 0x815ECA4: S_hfreeentries (hv.c:1749)
==14471==    by 0x815EEA0: Perl_hv_undef (hv.c:1816)
==14471==    by 0x81A9466: Perl_sv_clear (sv.c:5500)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x8184A95: do_clean_objs (sv.c:499)
==14471== 
==14471== Invalid read of size 1
==14471==    at 0x82A2CEB: Perl_swash_fetch (utf8.c:1853)
==14471==    by 0x8299F4D: S_regrepeat (regexec.c:5472)
==14471==    by 0x8296696: S_regmatch (regexec.c:4698)
==14471==    by 0x828CE4D: S_regtry (regexec.c:2353)
==14471==    by 0x828A1BC: Perl_regexec_flags (regexec.c:1882)
==14471==    by 0x8173F63: Perl_pp_match (pp_hot.c:1359)
==14471==    by 0x8130E13: Perl_runops_debug (dump.c:1968)
==14471==    by 0x808D1C3: Perl_call_sv (perl.c:2717)
==14471==    by 0x81A8B97: Perl_sv_clear (sv.c:5433)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x81A9F2E: Perl_sv_clear (sv.c:5551)
==14471==  Address 0xa9d2a9a is 18 bytes inside a block of size 32 free'd
==14471==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14471==    by 0x8131C61: Perl_safesysfree (util.c:262)
==14471==    by 0x81A9F57: Perl_sv_clear (sv.c:5573)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x815E1CC: Perl_hv_free_ent (hv.c:1473)
==14471==    by 0x815ECA4: S_hfreeentries (hv.c:1749)
==14471==    by 0x815EEA0: Perl_hv_undef (hv.c:1816)
==14471==    by 0x81A9466: Perl_sv_clear (sv.c:5500)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x8184A95: do_clean_objs (sv.c:499)
==14471== 
==14471== Invalid read of size 1
==14471==    at 0x82A2CEB: Perl_swash_fetch (utf8.c:1853)
==14471==    by 0x829A593: S_regrepeat (regexec.c:5529)
==14471==    by 0x8296696: S_regmatch (regexec.c:4698)
==14471==    by 0x828CE4D: S_regtry (regexec.c:2353)
==14471==    by 0x828A1BC: Perl_regexec_flags (regexec.c:1882)
==14471==    by 0x8173F63: Perl_pp_match (pp_hot.c:1359)
==14471==    by 0x8130E13: Perl_runops_debug (dump.c:1968)
==14471==    by 0x808D1C3: Perl_call_sv (perl.c:2717)
==14471==    by 0x81A8B97: Perl_sv_clear (sv.c:5433)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x81A9F2E: Perl_sv_clear (sv.c:5551)
==14471==  Address 0xa9d2a9a is 18 bytes inside a block of size 32 free'd
==14471==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14471==    by 0x8131C61: Perl_safesysfree (util.c:262)
==14471==    by 0x81A9F57: Perl_sv_clear (sv.c:5573)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x815E1CC: Perl_hv_free_ent (hv.c:1473)
==14471==    by 0x815ECA4: S_hfreeentries (hv.c:1749)
==14471==    by 0x815EEA0: Perl_hv_undef (hv.c:1816)
==14471==    by 0x81A9466: Perl_sv_clear (sv.c:5500)
==14471==    by 0x81AA26C: Perl_sv_free2 (sv.c:5694)
==14471==    by 0x81AA17B: Perl_sv_free (sv.c:5670)
==14471==    by 0x8184A95: do_clean_objs (sv.c:499)
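
Added example, not part of the original message or of Perl or valgrind: a small Python triage of memcheck reports shaped like the log above. It groups them by freed address, faulting function and first non-wrapper frame of the free stack, so reports that differ only in caller line numbers collapse into one entry. The function names and the WRAPPERS set are assumptions of this example; the sample is trimmed from the attached log.

```python
import re
from collections import defaultdict
# Two reports trimmed from the log above (stacks shortened for the example).
SAMPLE = """\
==14471== Invalid read of size 1
==14471==    at 0x82A2CEB: Perl_swash_fetch (utf8.c:1853)
==14471==    by 0x829A26D: S_regrepeat (regexec.c:5501)
==14471==  Address 0xa9d2a9a is 18 bytes inside a block of size 32 free'd
==14471==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14471==    by 0x8131C61: Perl_safesysfree (util.c:262)
==14471==    by 0x81A9F57: Perl_sv_clear (sv.c:5573)
==14471== 
==14471== Invalid read of size 1
==14471==    at 0x82A2CEB: Perl_swash_fetch (utf8.c:1853)
==14471==    by 0x8299F4D: S_regrepeat (regexec.c:5472)
==14471==  Address 0xa9d2a9a is 18 bytes inside a block of size 32 free'd
==14471==    at 0x4023B6A: free (vg_replace_malloc.c:366)
==14471==    by 0x8131C61: Perl_safesysfree (util.c:262)
==14471==    by 0x81A9F57: Perl_sv_clear (sv.c:5573)
"""

PREFIX = re.compile(r"^==\d+==")
ERROR = re.compile(r"Invalid (read|write) of size (\d+)$")
ADDR = re.compile(r"Address (0x[0-9A-Fa-f]+) is (\d+) bytes inside a block of size (\d+) free'd$")
FRAME = re.compile(r"(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.+)\)$")
WRAPPERS = {"free", "Perl_safesysfree"}  # assumption: allocator wrappers, not the real free site

def parse_reports(text):
    """Split a memcheck log into reports with separate access and free stacks."""
    reports, cur, key = [], None, None
    for raw in text.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := ERROR.match(line):
            cur, key = {"kind": m[1], "access": [], "freed": []}, "access"
            reports.append(cur)
        elif cur and (m := ADDR.match(line)):
            cur.update(addr=m[1], offset=int(m[2]), block=int(m[3]))
            key = "freed"  # frames that follow belong to the free stack
        elif cur and (m := FRAME.match(line)):
            cur[key].append((m[1], m[2]))
    return reports

def triage(reports):
    """Group by (freed address, faulting function, first non-wrapper free frame)."""
    groups = defaultdict(list)
    for r in reports:
        site = next((f for f, _ in r["freed"] if f not in WRAPPERS), None)
        groups[(r.get("addr"), r["access"][0][0], site)].append(r)
    return dict(groups)
```

Calling `triage(parse_reports(SAMPLE))` yields a single group for the two sample reports, keyed on the freed address `0xa9d2a9a`.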