
perls (including bleadperl) segfault/etc. with recursion+sub{}+map pure-Perl code.

Open p5pRT opened this issue 10 years ago • 8 comments

Migrated from rt.perl.org#125244 (status was 'open')

Searchable as RT125244$

p5pRT avatar May 24 '15 13:05 p5pRT

From @shlomif

Hi all,

the following code:

< CODE >

#!perl
@F=(0..9,0);
sub r{
    my($y,@x)=@_;
    map{
        ref$_ ? (&$_) :$_
    }
    @d=(@F,
        ($y && sub{@F[$y-1,-1-$y]=($")x2;r(@x)}),
        @F%2|$y?@F:())
}
print r 1,1,3..@F/2-1

< / CODE >

Gives me this:

< SHELL >
shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ perl perl-bug.pl
Bizarre copy of UNKNOWN in map iterator at perl-bug.pl line 9.
Attempt to free unreferenced scalar: SV 0xf8b408, Perl interpreter: 0xf57010 at perl-bug.pl line 9.
shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ /home/shlomif/apps/perl/bleadperl/bin/perl5.22.0 perl-bug.pl
panic: attempt to copy freed scalar 2335670 to 233af70 at perl-bug.pl line 9.
Segmentation fault
shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ perl -v

This is perl 5, version 20, subversion 1 (v5.20.1) built for x86_64-linux-thread-multi
(with 1 registered patch, see perl -V for more detail)

Copyright 1987-2014, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on this system using "man perl" or "perldoc perl". If you have access to the Internet, point your browser at http://www.perl.org/, the Perl Home Page.

shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$

< / SHELL>

This code can also be found here:

https://github.com/shlomif/possible-perl-bug--sandglass-golf

Some credits - a similar program was written as a solution for this shinh.org golf:

http://golf.shinh.org/p.rb?sandglass

Regards,

  Shlomi Fish

--


Shlomi Fish http://www.shlomifish.org/ Emma Watson Factoids - http://shlom.in/emwatson-facts

I feel much better, now that I’ve given up hope.   — Ashleigh Brilliant

Please reply to list if it's a mailing list post - http://shlom.in/reply .

p5pRT avatar May 24 '15 13:05 p5pRT

From @jkeenan

On Sun May 24 06:12:50 2015, shlomif@shlomifish.org wrote:

> Hi all,
>
> the following code:
>
> < CODE >
>
> #!perl
> @F=(0..9,0);

The Perl documentation ('perldoc perlvar') describes @F as follows:

##### The array @F contains the fields of each line read in when autosplit mode is turned on. See perlrun for the -a switch. #####

Although the docs don't explicitly state that @F is a read-only variable for use solely by the perl interpreter, it sure sounds to me like a variable which ought to be treated as read-only.

So why are you trying to assign to it (other than playing golf)?

And why shouldn't someone reply, "There's no bug in Perl here. You're simply doing something you shouldn't"?

> sub r{
>     my($y,@x)=@_;
>     map{
>         ref$_ ? (&$_) :$_
>     }
>     @d=(@F,
>         ($y && sub{@F[$y-1,-1-$y]=($")x2;r(@x)}),
>         @F%2|$y?@F:())
> }
> print r 1,1,3..@F/2-1
>
> < / CODE >
>
> Gives me this:
>
> < SHELL >
> shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ perl perl-bug.pl
> Bizarre copy of UNKNOWN in map iterator at perl-bug.pl line 9.
> Attempt to free unreferenced scalar: SV 0xf8b408, Perl interpreter: 0xf57010 at perl-bug.pl line 9.
> shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ /home/shlomif/apps/perl/bleadperl/bin/perl5.22.0 perl-bug.pl
> panic: attempt to copy freed scalar 2335670 to 233af70 at perl-bug.pl line 9.
> Segmentation fault
> shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ perl -v
>
> This is perl 5, version 20, subversion 1 (v5.20.1) built for x86_64-linux-thread-multi
> (with 1 registered patch, see perl -V for more detail)

Thank you very much.

-- James E Keenan (jkeenan@​cpan.org)

p5pRT avatar May 24 '15 21:05 p5pRT

The RT System itself - Status changed from 'new' to 'open'

p5pRT avatar May 24 '15 21:05 p5pRT

From @shlomif

Hi all!

On Sun May 24 14:37:29 2015, jkeenan wrote:

> On Sun May 24 06:12:50 2015, shlomif@shlomifish.org wrote:
>
> > Hi all,
> >
> > the following code:
> >
> > < CODE >
> >
> > #!perl
> > @F=(0..9,0);
>
> The Perl documentation ('perldoc perlvar') describes @F as follows:
>
> ##### The array @F contains the fields of each line read in when autosplit mode is turned on. See perlrun for the -a switch. #####
>
> Although the docs don't explicitly state that @F is a read-only variable for use solely by the perl interpreter, it sure sounds to me like a variable which ought to be treated as read-only.
>
> So why are you trying to assign to it (other than playing golf)?

That was the only reason - it just was convenient in the golf challenge. Anyway, I've now replaced @F with @g and got the same segfault or otherwise erroneous behaviour.

<CODE>

#!perl
@g=(0..9,0);
sub r{
    my($y,@x)=@_;
    map{
        ref$_ ? (&$_) :$_
    }
    @d=(@g,
        ($y && sub{@g[$y-1,-1-$y]=($")x2;r(@x)}),
        @g%2|$y?@g:())
}
print r 1,1,3..@g/2-1

</CODE>

So like I suspected - @F is not particularly special or magical.

> And why shouldn't someone reply, "There's no bug in Perl here. You're simply doing something you shouldn't"?

But why does it result in a segfault? Programs in general should not segfault, and the code seems enough like one with only defined behaviour.

Regards,

-- Shlomi Fish

p5pRT avatar May 25 '15 05:05 p5pRT

From @tamias

On Sun, May 24, 2015 at 02:37:30PM -0700, James E Keenan via RT wrote:

> On Sun May 24 06:12:50 2015, shlomif@shlomifish.org wrote:
>
> > Hi all,
> >
> > the following code:
> >
> > < CODE >
> >
> > #!perl
> > @F=(0..9,0);
>
> The Perl documentation ('perldoc perlvar') describes @F as follows:
>
> ##### The array @F contains the fields of each line read in when autosplit mode is turned on. See perlrun for the -a switch. #####
>
> Although the docs don't explicitly state that @F is a read-only variable for use solely by the perl interpreter, it sure sounds to me like a variable which ought to be treated as read-only.

The docs don't state that because it's not the case. What in this code makes you think that @F cannot be assigned to?

% perl -MO=Deparse -lane ''
BEGIN { $/ = "\n"; $\ = "\n"; }
LINE: while (defined($_ = <ARGV>)) {
    chomp $_;
    our(@F) = split(' ', $_, 0);
}
-e syntax OK

The whole point of @F is that you can operate on its contents, including modifying them, in a command-line filter.

> And why shouldn't someone reply, "There's no bug in Perl here. You're simply doing something you shouldn't"?

Because that someone would be wrong.

Ronald

p5pRT avatar May 25 '15 05:05 p5pRT

From @iabyn

On Sun, May 24, 2015 at 06:12:50AM -0700, shlomif@shlomifish.org wrote:

> the following code:
> Gives me this:
>
> < SHELL >
> shlomif@telaviv1:~/Download/unpack/perl/p5/possible-perl-bug-segfault-on-nAF$ perl perl-bug.pl
> Bizarre copy of UNKNOWN in map iterator at perl-bug.pl line 9.
> Attempt to free unreferenced scalar: SV 0xf8b408, Perl interpreter: 0xf57010 at

The code can be reduced to this:

  my @d;

  sub r {
      my($n)=@_;
      warn "n=$n\n";
      @d = ();
      if ($n) {
          @d= (
              sub {
                  warn " recursing\n";
                  r(0);
              },
              0
          );
      }
      warn " mapping...\n";
      map { ref$_ ? (&$_) :$_ } @d;
      1;
  }

  r(1);

which on a debugging blead gives:

  n=1
   mapping...
   recursing
  n=0
   mapping...
  perl: sv.c:6536: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.

It's another "stack not refcounted" bug, or more specifically, it's bad to free the elements of an array (@d) while you're iterating over them.

I'll attach this ticket to

  #77706: [META] stack not reference counted issues

then presumably we'll continue to ignore this issue as before.

-- You never really learn to swear until you learn to drive.

p5pRT avatar May 25 '15 10:05 p5pRT
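
A workaround for code that hits this pattern, following the diagnosis above that freeing the elements of @d while map iterates over them is the trigger. This is an added example, not code from the ticket or from perl5 itself; `r_safe`, `@snapshot` and `@trace` are hypothetical names. It is the reduced test case rewritten to iterate over a per-call copy instead of the live array:

```perl
#!/usr/bin/perl
# Added example: the reduced test case from the ticket, changed so that
# map never walks the live elements of the shared array @d.
use strict;
use warnings;

my @d;
my @trace;    # hypothetical log of the call order, replaces the warn calls

sub r_safe {
    my ($n) = @_;
    push @trace, "n=$n";
    @d = ();
    if ($n) {
        @d = (
            sub {
                push @trace, "recursing";
                r_safe(0);    # the inner call empties @d again
            },
            0,
        );
    }

    # Copy the elements into a lexical owned by this call only. Each
    # recursion level gets its own @snapshot, and the copied reference
    # keeps the closure alive, so the inner "@d = ()" frees @d's scalars
    # but not the ones this map is iterating over.
    my @snapshot = @d;

    push @trace, "mapping";
    my @out = map { ref $_ ? $_->() : $_ } @snapshot;
    return @out;
}

my @result = r_safe(1);
print "call order: ", join(", ", @trace), "\n";
print "result: (", join(", ", @result), ")\n";
```

The cost is one shallow copy of the array per call; the same approach applies to `for` and `grep` over an array that a callback may clear or reassign.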

@iabyn (or anyone), do we have a TODO-ed test in our test suite that exercises this code?

my @d;

sub r {
    my($n)=@_;
    warn "n=$n\n";
    @d = ();
    if ($n) {
        @d= (
            sub {
                warn " recursing\n";
                r(0);
            },
            0
        );
    }
    warn " mapping...\n";
    map { ref $_ ? (&$_) : $_ } @d;
    1;
}

r(1);

I ran this code against two different perl executables on Ubuntu Linux: one regular, one debugging, neither threaded. I got slightly different output from the two instances.

regular:

$ bleadperl -v | head -2 | tail -1
This is perl 5, version 43, subversion 4 (v5.43.4 (v5.43.3-153-ga816864f53)) built for x86_64-linux

$ bleadperl -V::config_args
'-des -Dusedevel -Uversiononly -Dprefix=/home/jkeenan/testing/blead -Dman1dir=none -Dman3dir=none';

$ bleadperl gh-14716-recursion-sub-map.pl
n=1
 mapping...
 recursing
n=0
 mapping...
Segmentation fault (core dumped)

debugging:

$ $THISPERL -v | head -2 | tail -1
This is perl 5, version 43, subversion 4 (v5.43.4 (v5.43.3-222-g6c696391d6)) built for x86_64-linux

$ $THISPERL -V::config_args
'-des -Dusedevel -DDEBUGGING -Dprefix=/home/jkeenan/testing/6c696391d6 -Uversiononly -Dman1dir=none -Dman3dir=none';

$ $THISPERL gh-14716-recursion-sub-map.pl
n=1
 mapping...
 recursing
n=0
 mapping...
perl: sv.c:7213: Perl_sv_clear: Assertion `!SvIS_FREED(sv)' failed.
Aborted (core dumped)

This should be made into a TODO-ed regression test, but I don't know what successful completion would actually look like.

jkeenan avatar Oct 18 '25 19:10 jkeenan

On Sat, Oct 18, 2025 at 12:58:46PM -0700, James E Keenan wrote:

> This should be made into a TODO-ed regression test, but I don't know what successful completion would actually look like.

It succeeds on a PERL_RC_STACK build.

I don't think there's any particular need for regression test.

iabyn avatar Oct 21 '25 08:10 iabyn