B::PADOP->gv should not allow fetching values from a pad that's not the op's

[p5pRT]

Migrated from rt.perl.org#74040 (status was 'resolved')

Searchable as RT74040$

[p5pRT]

From @rafl

Created by rafl@perldition.org

Commit f746176 broke Devel-Caller, at least on some perls.

The tests segfault while calling B​::PADOP->gv, which is trying to
dereference a NULL SV from the current pad.

The code in question is this define in B.xs​:

#define PADOP_gv(o) ((o->op_padix \
  && SvTYPE(PAD_SVl(o->op_padix)) == SVt_PVGV) \
  ? (GV*)PAD_SVl(o->op_padix) : (GV *)NULL)

PAD_SVl returns NULL, causing a segfault in SvTYPE. I suspect the GV
downgrading introduced in f746176 is causing NULL GVs to show in the
pad, where there previously weren't any.

Unfortunately I'm unable to to come up with a test case that involves
only B itself. However, the attached patch fixes the issue by checking
PAD_SVl(o->op_padix) before calling SvTYPE​:

Perl Info

Flags:
    category=library
    severity=high
    module=B

Site configuration information for perl 5.12.0:

Configured by rafl at Sun Apr  4 00:53:53 CEST 2010.

Summary of my perl5 (revision 5 version 12 subversion 0) configuration:
   
  Platform:
    osname=linux, osvers=2.6.32.3, archname=x86_64-linux-thread-multi
    uname='linux seekuh 2.6.32.3 #2 smp mon jan 18 12:48:27 cet 2010 x86_64 gnulinux '
    config_args='-Dusedevel -DEBUGGING -Doptimize=-O0 -ggdb3 -Accflags=-Wall -Wextra -des -Dusethreads -Dusemultiplicity -Dprefix=/tmp/rc3-inst'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -Wall -Wextra -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O0 -ggdb3',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -Wall -Wextra -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion='', gccversion='4.4.3', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
    libs=-lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lpthread -lc -lgdbm_compat
    perllibs=-lnsl -ldl -lm -lcrypt -lutil -lpthread -lc
    libc=/lib/libc-2.10.2.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.10.2'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O0 -ggdb3 -L/usr/local/lib -fstack-protector'

Locally applied patches:
    RC3


@INC for perl 5.12.0:
    /tmp/rc3-inst/lib/perl5/site_perl/5.12.0/x86_64-linux-thread-multi
    /tmp/rc3-inst/lib/perl5/site_perl/5.12.0
    /tmp/rc3-inst/lib/perl5/5.12.0/x86_64-linux-thread-multi
    /tmp/rc3-inst/lib/perl5/5.12.0
    .


Environment for perl 5.12.0:
    HOME=/home/rafl
    LANG=C
    LANGUAGE (unset)
    LC_CTYPE=de_DE.UTF-8
    LD_LIBRARY_PATH=/home/rafl/.local/lib:
    LOGDIR (unset)
    PATH=/home/rafl/.perl/bin:/home/rafl/.local/bin:/home/rafl/.perl/bin:/home/rafl/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
    PERL_BADLANG (unset)
    SHELL=zsh

[p5pRT]

From @rafl

0001-Make-sure-PADOP_gv-checks-that-the-pad-actually-cont.patch

From 8a5fca807c0394d03ed7cb9268cc4a5564996868 Mon Sep 17 00:00:00 2001
From: Florian Ragwitz <rafl@debian.org>
Date: Sun, 4 Apr 2010 04:36:11 +0200
Subject: [PATCH] Make sure PADOP_gv checks that the pad actually contains a scalar before dereferencing it as such.

Since commit f7461760 the pads might contain NULL SVs for GVs that have been
downgraded.
---
 ext/B/B.xs |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/ext/B/B.xs b/ext/B/B.xs
index 2b6fb8d..3586e76 100644
--- a/ext/B/B.xs
+++ b/ext/B/B.xs
@@ -1135,6 +1135,7 @@ SVOP_gv(o)
 #define PADOP_padix(o)	o->op_padix
 #define PADOP_sv(o)	(o->op_padix ? PAD_SVl(o->op_padix) : Nullsv)
 #define PADOP_gv(o)	((o->op_padix \
+			  && PAD_SVl(o->op_padix) \
 			  && SvTYPE(PAD_SVl(o->op_padix)) == SVt_PVGV) \
 			 ? (GV*)PAD_SVl(o->op_padix) : (GV *)NULL)
 
-- 
1.7.0.3

[p5pRT]

From @avar

On Sun, Apr 4, 2010 at 03​:01, Florian Ragwitz <perlbug-followup@​perl.org> wrote​:

# New Ticket Created by  Florian Ragwitz
# Please include the string​:  [perl #74040]
# in the subject line of all future correspondence about this issue.
# <URL​: http​://rt.perl.org/rt3/Ticket/Display.html?id=74040 >

This is a bug report for perl from rafl@​perldition.org,
generated with the help of perlbug 1.39 running under perl 5.12.0.

-----------------------------------------------------------------
[Please describe your issue here]

Commit f746176 broke Devel-Caller, at least on some perls.

The tests segfault while calling B​::PADOP->gv, which is trying to
dereference a NULL SV from the current pad.

The code in question is this define in B.xs​:

 #define PADOP_gv(o)    ((o->op_padix \
                         && SvTYPE(PAD_SVl(o->op_padix)) == SVt_PVGV) \
                        ? (GV*)PAD_SVl(o->op_padix) : (GV *)NULL)

PAD_SVl returns NULL, causing a segfault in SvTYPE. I suspect the GV
downgrading introduced in f746176 is causing NULL GVs to show in the
pad, where there previously weren't any.

Unfortunately I'm unable to to come up with a test case that involves
only B itself. However, the attached patch fixes the issue by checking
PAD_SVl(o->op_padix) before calling SvTYPE​:

I've tested this both on the current blead and blead + rafl's patch.
Here's blead on Devel​::Caller's test suite​:

  ok 62 - package called_assign(@​T​::flange)
  ok 63 - package called_assign(%T​::bar)
  ok 64 - package called_assign(%T​::baz)
  ok 65 - package called_assign(%T​::quux, %T​::bar)

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff10b082f in XS_B__PADOP_gv (my_perl=0xa0b010, cv=<value
optimized out>) at B.c​:2657
  2657 RETVAL = PADOP_gv(o);
  (gdb) bt
  #0 0x00007ffff10b082f in XS_B__PADOP_gv (my_perl=0xa0b010,
cv=<value optimized out>) at B.c​:2657
  #1 0x000000000057cfa6 in Perl_pp_entersub (my_perl=0xa0b010) at
pp_hot.c​:2882
  #2 0x0000000000519e0b in Perl_runops_debug (my_perl=0xa0b010) at
dump.c​:2049
  #3 0x0000000000454908 in S_run_body (my_perl=0xa0b010,
oldscope=1) at perl.c​:2303
  #4 0x0000000000453c56 in perl_run (my_perl=0xa0b010) at perl.c​:2233
  #5 0x00000000004230ad in main (argc=3, argv=0x7fffffffe0e8,
env=0x7fffffffe108) at perlmain.c​:117

But with rafl's patch all tests are OK​:

  ok 65 - package called_assign(%T​::quux, %T​::bar)
  ok 66 - package called_assign(%T​::flange)
  ok 67 - called_as_method
  ok 68 - called_as_method
  ok 69 - called_as_method
  ok 70
  # cunning coy tests
  ok 71 - real( $coy, $coy )
  # concat
  ok 72 - real( $coy, $coy )
  # print 1

Devel​::Caller is depended on by a lot of CPAN[1], in particular
MX​::Params​::Validate is used by a lot of Moose modules.

I'd say this warrants a RC4.

1. http​://deps.cpantesters.org/depended-on-by.pl?dist=Devel-Caller-2.04
2. http​://deps.cpantesters.org/depended-on-by.pl?dist=MooseX-Params-Validate-0.14

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @nwc10

On Sat, Apr 03, 2010 at 08​:01​:25PM -0700, Florian Ragwitz wrote​:

-----------------------------------------------------------------
[Please describe your issue here]

Commit f746176 broke Devel-Caller, at least on some perls.

The tests segfault while calling B​::PADOP->gv, which is trying to
dereference a NULL SV from the current pad.

The code in question is this define in B.xs​:

#define PADOP_gv(o) ((o->op_padix \
&& SvTYPE(PAD_SVl(o->op_padix)) == SVt_PVGV) \
? (GV*)PAD_SVl(o->op_padix) : (GV *)NULL)

PAD_SVl returns NULL, causing a segfault in SvTYPE. I suspect the GV
downgrading introduced in f746176 is causing NULL GVs to show in the
pad, where there previously weren't any.

Vincent is right - this smells bad.

0x00002ac24582620a in XS_B__PADOP_gv (my_perl=0xa0b010, cv=0xca25e8)
  at B.c​:2657
2657 RETVAL = PADOP_gv(o);
(gdb) p o->op_padix
$1 = 258
(gdb) p my_perl->Icurpad
$2 = (SV **) 0xd5cbd8
(gdb) p my_perl->Icurpad[258]
$3 = (SV *) 0x0

Right. So the value at that offset *is* NULL.

(gdb) p my_perl->Icomppad
$4 = (AV *) 0xd1e458
(gdb) p my_perl->Icomppad->sv_u.svu_array
$5 = (SV **) 0xd5cbd8
(gdb) call Perl_sv_dump(my_perl, my_perl->Icomppad)
SV = PVAV(0xcdafa8) at 0xd1e458
  REFCNT = 1
  FLAGS = ()
  ARRAY = 0xd5cbd8
  FILL = 217
  MAX = 253
  ARYLEN = 0x0
  FLAGS = (REAL)

But that array only has 218 elements, offsets 0 to 217. So 258 is way out of
bounds. How did *that* happen?

Here's what the neighbouring non-NULL entries (that far out of range) look
like​:

(gdb) call Perl_sv_dump(my_perl, my_perl->Icurpad[257])
SV = UNKNOWN(0x48) (0x50ec8348e5894855) at 0x55ba1c
  REFCNT = 3363670344
  FLAGS = (PADSTALE,PADMY,SMG,IOK,NOK,ROK,WEAKREF,READONLY,PCS_IMPORTED,EVALED)
(gdb) call Perl_sv_dump(my_perl, my_perl->Icurpad[259])

Program received signal SIGSEGV, Segmentation fault.
0x0000000000516fa4 in Perl_sv_dump (my_perl=0xa0b010, sv=0x10502a4)
  at dump.c​:2012
2012 if (SvROK(sv))
The program being debugged was signaled while in a function called from GDB.
GDB remains in the frame where the signal was received.
To change this behavior use "set unwindonsignal on"
Evaluation of the expression containing the function (Perl_sv_dump) will be abandoned.

Ooopsy.

I think, therefore, that the patch (unfortunately) is papering over symptoms,
rather than addressing the real underlying cause. Unfortunately, I don't know
what the underlying cause is, and don't have time right now to work it out.
(Only hunch - what type is the op? Is it the correct type for PADOP_gv to be
valid on it?)

Nicholas Clark

[p5pRT]

From @nwc10

On Sun, Apr 04, 2010 at 10​:15​:24PM +0100, Nicholas Clark wrote​:

On Sat, Apr 03, 2010 at 08​:01​:25PM -0700, Florian Ragwitz wrote​:

-----------------------------------------------------------------
[Please describe your issue here]

Commit f746176 broke Devel-Caller, at least on some perls.

The tests segfault while calling B​::PADOP->gv, which is trying to
dereference a NULL SV from the current pad.

The code in question is this define in B.xs​:

#define PADOP_gv(o) ((o->op_padix \
&& SvTYPE(PAD_SVl(o->op_padix)) == SVt_PVGV) \
? (GV*)PAD_SVl(o->op_padix) : (GV *)NULL)

PAD_SVl returns NULL, causing a segfault in SvTYPE. I suspect the GV
downgrading introduced in f746176 is causing NULL GVs to show in the
pad, where there previously weren't any.

Vincent is right - this smells bad.

0x00002ac24582620a in XS_B__PADOP_gv (my_perl=0xa0b010, cv=0xca25e8)
at B.c​:2657
2657 RETVAL = PADOP_gv(o);
(gdb) p o->op_padix
$1 = 258
(gdb) p my_perl->Icurpad
$2 = (SV **) 0xd5cbd8
(gdb) p my_perl->Icurpad[258]
$3 = (SV *) 0x0

Right. So the value at that offset *is* NULL.

(gdb) p my_perl->Icomppad
$4 = (AV *) 0xd1e458
(gdb) p my_perl->Icomppad->sv_u.svu_array
$5 = (SV **) 0xd5cbd8
(gdb) call Perl_sv_dump(my_perl, my_perl->Icomppad)
SV = PVAV(0xcdafa8) at 0xd1e458
REFCNT = 1
FLAGS = ()
ARRAY = 0xd5cbd8
FILL = 217
MAX = 253
ARYLEN = 0x0
FLAGS = (REAL)

But that array only has 218 elements, offsets 0 to 217. So 258 is way out of
bounds. How did *that* happen?

This is a different run​:

(gdb) call Perl_get_cv(my_perl, "Devel​::Caller​::called_with", 0)
$9 = (CV *) 0xd1e4a0
(gdb) call Perl_sv_dump(my_perl, $9)
SV = PVCV(0xd115c0) at 0xd1e4a0
  REFCNT = 6
  FLAGS = ()
  COMP_STASH = 0xa63d60 "Devel​::Caller"
  START = 0xd2c830 ===> 0
  ROOT = 0xd5f5e0
  GVGV​::GV = 0xd1e2d8 "Devel​::Caller" :​: "called_with"
  FILE = "/home/nick/.cpan/build/Devel-Caller-2.04-NwLzGr/blib/lib/Devel/Caller.pm"
  DEPTH = 1
  FLAGS = 0x0
  OUTSIDE_SEQ = 1832
  PADLIST = 0xd1e4b8
  OUTSIDE = 0xa63cd0 (UNIQUE)
(gdb) call Perl_sv_dump(my_perl, 0xd1e4b8)
SV = PVAV(0xcdaff8) at 0xd1e4b8
  REFCNT = 1
  FLAGS = ()
  ARRAY = 0xd2c638
  FILL = 1
  MAX = 3
  ARYLEN = 0x0
  FLAGS = ()
(gdb) p my_perl->Icomppad
$10 = (AV *) 0xd1e4e8
(gdb) p my_perl->Icurpad
$11 = (SV **) 0xd5cc68
(gdb) p ((SV **)0xd2c638)[0]
$12 = (struct sv *) 0xd1e4d0
(gdb) p ((SV **)0xd2c638)[1]
$13 = (struct sv *) 0xd1e4e8
(gdb) p my_perl->Icomppad->sv_u.svu_array
$14 = (SV **) 0xd5cc68

Note that at the time of the call the current pad, as held in PL_comppad and
PL_curpad is the pad of Devel​::Caller​::called_with, not main. Yet the code in
B.xs is accessing that pad instead of main's pad, using offsets in the OPs
for main's pad.

If I'm right, I don't know how this ever worked.

(Specifically, B​::PADOP​::sv and B​::PADOP​::gv, except when the current pad
happens to be the pad for the OPs in question)

Nicholas Clark

[p5pRT]

From @nwc10

On Mon, Apr 05, 2010 at 08​:57​:02AM +0100, Nicholas Clark wrote​:

On Sun, Apr 04, 2010 at 10​:15​:24PM +0100, Nicholas Clark wrote​:

But that array only has 218 elements, offsets 0 to 217. So 258 is way out of
bounds. How did *that* happen?

If I'm right, I don't know how this ever worked.

Pure chance.

(Specifically, B​::PADOP​::sv and B​::PADOP​::gv, except when the current pad
happens to be the pad for the OPs in question)

If I patch B.xs like this​:

Inline Patch

diff --git a/ext/B/B.xs b/ext/B/B.xs
index 2b6fb8d..3c05970 100644
--- a/ext/B/B.xs
+++ b/ext/B/B.xs
@@ -1151,6 +1151,14 @@ PADOP_sv(o)
 B::GV
 PADOP_gv(o)
 	B::PADOP o
+    CODE:
+        if (PADOP_padix(o) > AvFILL(PL_comppad)) {
+	   PerlIO_printf(PerlIO_stderr(), "%d > %d\n",
+	    (int)PADOP_padix(o), (int) AvFILL(PL_comppad));
+	}
+	RETVAL = PADOP_gv(o);
+    OUTPUT:
+	RETVAL
 
 MODULE = B	PACKAGE = B::PVOP		PREFIX = PVOP_
 

then this is what a run with 5.10.1 looks like:

ok 56 - package called_assign($T​::bar)
ok 57 - package called_assign($T​::baz)
ok 58 - package called_assign($T​::quux, $T​::bar)
ok 59 - package called_assign(@​T​::bar)
ok 60 - package called_assign(@​T​::baz)
ok 61 - package called_assign(@​T​::quux, @​T​::bar)
ok 62 - package called_assign(@​T​::flange)
ok 63 - package called_assign(%T​::bar)
ok 64 - package called_assign(%T​::baz)
ok 65 - package called_assign(%T​::quux, %T​::bar)
216 > 212
ok 66 - package called_assign(%T​::flange)
ok 67 - called_as_method
ok 68 - called_as_method
ok 69 - called_as_method
ok 70

whereas this is what a run with 5.12.0-RC3 looks like

ok 56 - package called_assign($T​::bar)
ok 57 - package called_assign($T​::baz)
ok 58 - package called_assign($T​::quux, $T​::bar)
ok 59 - package called_assign(@​T​::bar)
ok 60 - package called_assign(@​T​::baz)
220 > 217
ok 61 - package called_assign(@​T​::quux, @​T​::bar)
226 > 217
ok 62 - package called_assign(@​T​::flange)
235 > 217
ok 63 - package called_assign(%T​::bar)
242 > 217
ok 64 - package called_assign(%T​::baz)
249 > 217
252 > 217
ok 65 - package called_assign(%T​::quux, %T​::bar)
258 > 217
ok 66 - package called_assign(%T​::flange)
ok 67 - called_as_method
ok 68 - called_as_method
ok 69 - called_as_method
ok 70

So there always was a problem. If you look at the actual code in Devel​::Caller​:

  my $consider = ($op->name eq "gvsv") ? $op : $prev;
  my $gv = $consider->gv;
  print "consider​: $consider ", $consider->name, " gv $gv\n"
  if $DEBUG;
  if (ref $consider eq 'B​::PADOP') {
  print "GV is really a padgv\n" if $DEBUG;
  $gv = $padv->ARRAYelt( $consider->padix );
  print "NEW GV $gv\n" if $DEBUG;
  }

Note that as we're dealing with a PADOP, all it uses the return of ->gv for
is to print out debugging. $gv is then *correctly* assigned by getting the
pad index, and then *longhand* looking up at that index *in the correct pad*.

So that code will work as long as the (out of bounds) memory address that
happens to be read by B​::PADOP​::gv isn't NULL, and points *somewhere* valid,
given that the code here will read a memory location and then wrap up a
pointer, but *then nothing does anything with it*​:

#define PADOP_gv(o) ((o->op_padix \
  && SvTYPE(PAD_SVl(o->op_padix)) == SVt_PVGV) \
  ? (GV*)PAD_SVl(o->op_padix) : (GV *)NULL)

So how come B​::Concise works?

  elsif ($h{class} eq "SVOP" or $h{class} eq "PADOP") {
  unless ($h{name} eq 'aelemfast' and $op->flags & OPf_SPECIAL) {
  my $idx = ($h{class} eq "SVOP") ? $op->targ : $op->padix;
  my $preferpv = $h{name} eq "method_named";
  if ($h{class} eq "PADOP" or !${$op->sv}) {
  my $sv = (($curcv->PADLIST->ARRAY)[1]->ARRAY)[$idx];
  $h{arg} = "[" . concise_sv($sv, \%h, $preferpv) . "]";
  $h{targarglife} = $h{targarg} = "";
  } else {
  $h{arg} = "(" . concise_sv($op->sv, \%h, $preferpv) . ")";
  }
  }
  }

Because it do *doesn't use* the B​::PADOP​::gv in anger. It too does the lookup
*longhand* *in the correct pad*.

So, the simplest work around seems to be to proffer Richard a patch for
Devel​::Caller that reorders the debug code after the PADOP lookup.

The correct fix is to refactor B.xs so that its objects for OPs (or at least
PADOPs) hold a reference back to their pad (or their CV), and change PADOP_sv
and PADOP_gv to use that reference, rather than randomly looking at offsets
from the current pad.

Nicholas Clark

[p5pRT]

From @rafl

On Sun, Apr 04, 2010 at 02​:15​:59PM -0700, Nicholas Clark via RT wrote​:

But that array only has 218 elements, offsets 0 to 217. So 258 is way out of
bounds. How did *that* happen?

(Only hunch - what type is the op? Is it the correct type for PADOP_gv to be
valid on it?)

It's an OP_GV, so it's a valid PADOP for threaded perls. The opcode is
being created manually (i.e. not using newPADOP, newGVOP or anything
like that) in Perl_ck_rvconst. At that time, the padix there is within
the bounds of the comppad, and contains the expected value instead of a
NULL.

I still have no idea what's causing it to disappear later. Initially I
expected the op_clear parts of f746176 to be responsible somehow, but
that doesn't seem to be the case. gv_try_downgrade is never called for
the GV in question.

Could it be related to the slightly changed order of op construction
that f746176 introduced?

--
BOFH excuse #146​:
Communications satellite used by the military for star wars.

[p5pRT]

From @rafl

On Mon, Apr 05, 2010 at 01​:52​:55AM -0700, Nicholas Clark via RT wrote​:

Because it do *doesn't use* the B​::PADOP​::gv in anger. It too does the lookup
*longhand* *in the correct pad*.

So, the simplest work around seems to be to proffer Richard a patch for
Devel​::Caller that reorders the debug code after the PADOP lookup.

You're absolutely right. The patch is at
http​://github.com/rafl/perl-devel-caller/commit/248a23390eef48a73bb717be085da58ce50ff784

Richard has been notified.

Thanks!

--
BOFH excuse #123​:
user to computer ratio too high.

[p5pRT]

From zefram@fysh.org

It is impossible for B to determine which pad an op refers to, and
when an XS method is called it's rather unlikely that an appropriate
pad will be available at all. The B​::PADOP​::gv method was therefore
misconceived. Since this ticket was opened, it has been tweaked in commit
3a23d76 by DaveM, who was evidently
unaware of this ticket but independently discovered the bogosity. That's
probably the best resolution available. This ticket should be closed.

-zefram

[p5pRT]

@cpansprout - Status changed from 'open' to 'resolved'