
This queue is for tickets about the YAML-Syck CPAN distribution.

Report information
The Basics
Id: 49404
Status: resolved
Priority: 0/
Queue: YAML-Syck

People
Owner: TODDR [...] cpan.org
Requestors: frequency [...] cpan.org
Cc:
AdminCc:

Bug Information
Severity: Critical
Broken in: 1.05
Fixed in: (no value)



Subject: Double Free Causes Segfault
Hi:

I'm forwarding this bug on behalf of a Debian user; the original report is here:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=489100

How to reproduce:

Run this simple perl script (it does it in two ways to show where the error is; the first way can be enabled by specifying any argument to the script):

[isbear:~] cat ./yamltest.pl
#! /usr/bin/perl

use YAML::Syck;

my $db = [];
my $entry = { a => 'b' };

if ( @ARGV ) {
	# Path 1: the same hash twice, plus a reference to the first element.
	$db->[@$db] = $entry;
	$db->[@$db] = $db->[0];
	$db->[@$db] = \$db->[0];
	my $dump = Dump ( $db );
	print "---- dump (db) ----\n$dump\n---- END ----\n";
	my $dbcopy = Load ( $dump );
} else {
	# Path 2: round-trip once, alias the loaded node again, round-trip again.
	$db->[@$db] = $entry;
	$db->[@$db] = $entry;
	my $dump = Dump ( $db );
	print "---- dump (db) ----\n$dump\n---- END ----\n";
	my $dbcopy = Load ( $dump );
	$dbcopy->[@$dbcopy] = $dbcopy->[0];
	my $dumpcopy = Dump ( $dbcopy );
	print "---- dump (db) ----\n$dumpcopy\n---- END ----\n";
	my $dbcopycopy = Load ( $dumpcopy );
}

exit;

# The End.

Error messages (these are the results on amd64; on i386 they are similar):

[isbear:~] ./yamltest.pl
---- dump (db) ----
---
- &1
  a: b
- *1

---- END ----
---- dump (db) ----
---
- &1 &2
  a: b
- *1
- *2

---- END ----
*** glibc detected *** /usr/bin/perl: double free or corruption (fasttop): 0x0000000000629260 ***
======= Backtrace: =========
/lib/libc.so.6[0x2b359208b01d]
/lib/libc.so.6(cfree+0x76)[0x2b359208cd26]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(syck_st_free_nodes+0x12)[0x2b35925aa9d2]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(st_foreach+0x64)[0x2b35925ab374]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(syck_st_free+0x20)[0x2b35925aa970]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(syck_free_parser+0x2a)[0x2b35925aaf6a]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(XS_YAML__Syck_LoadYAML+0x54d)[0x2b35925b04ed]
/usr/lib/libperl.so.5.10(Perl_pp_entersub+0x550)[0x2b35916bbe20]
/usr/lib/libperl.so.5.10(Perl_runops_standard+0x12)[0x2b35916ba302]
/usr/lib/libperl.so.5.10(perl_run+0x30f)[0x2b35916b552f]
/usr/bin/perl(main+0xdc)[0x400d0c]
/lib/libc.so.6(__libc_start_main+0xf4)[0x2b359203a1c4]
/usr/bin/perl[0x400b69]
Aborted

[isbear:~] ./yamltest.pl a
---- dump (db) ----
---
- &2 &1
  a: b
- *1
- !!perl/ref
  =: *2

---- END ----
*** glibc detected *** /usr/bin/perl: double free or corruption (fasttop): 0x000000000062e950 ***
======= Backtrace: =========
/lib/libc.so.6[0x2b9bf6f9801d]
/lib/libc.so.6(cfree+0x76)[0x2b9bf6f99d26]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(syck_st_free_nodes+0x12)[0x2b9bf74b79d2]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(st_foreach+0x64)[0x2b9bf74b8374]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(syck_st_free+0x20)[0x2b9bf74b7970]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(syck_free_parser+0x2a)[0x2b9bf74b7f6a]
/usr/lib/perl5/auto/YAML/Syck/Syck.so(XS_YAML__Syck_LoadYAML+0x54d)[0x2b9bf74bd4ed]
/usr/lib/libperl.so.5.10(Perl_pp_entersub+0x550)[0x2b9bf65c8e20]
/usr/lib/libperl.so.5.10(Perl_runops_standard+0x12)[0x2b9bf65c7302]
/usr/lib/libperl.so.5.10(perl_run+0x30f)[0x2b9bf65c252f]
/usr/bin/perl(main+0xdc)[0x400d0c]
/lib/libc.so.6(__libc_start_main+0xf4)[0x2b9bf6f471c4]
/usr/bin/perl[0x400b69]
Aborted
(This is a form-reply that isn't specific to your particular report)

YAML::Syck has just acquired one new maintainer (me), it still doesn't have anyone that *cares* about it. But I'm willing to help solve your report & release a new version with the fix if it's easy for me.

It now has a Git repository at:

http://github.com/avar/YAML-Syck

If your report is a patch that fixes a problem, great. Please remake the patch against Git by forking that repo and sending me a pull request on GitHub (or an update to this bug if you prefer git-format-patch(1) or some other repo provider..). Make sure to include a test for what you fixed.

If your report is some code that fails (and you have a testcase for it) a patch against the test suite to demonstrate that failure would be very useful. It's OK if the test crashes and burns, see Test::More's docs for how to make TODO tests that fail now, but shouldn't. Even if it segfaults perl C<system $^X => qw/ -Mblib -MYAML::Syck .../> or something like that and checking the return value will do.
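The subprocess approach described in the reply above could look like the following. This is an added example, not the t/bug/rt-49404-double_free.t file from the repository; it assumes it is run from a built distribution directory (so that -Mblib resolves), and the case names are made up for illustration.

```perl
#!/usr/bin/perl
# Added example: run each reproducer in a child perl so that an abort inside
# Syck.so is reported as a test failure instead of killing the harness.
use strict;
use warnings;
use Test::More tests => 2;

# The two code paths from the report, reduced to their Dump/Load round trips.
# The case names are made up for this example.
my %case = (
    'alias added after first Load' => <<'PERL',
my $entry = { a => 'b' };
my $db    = [ $entry, $entry ];
my $copy  = Load( Dump($db) );
push @$copy, $copy->[0];
Load( Dump($copy) );
PERL
    'alias plus reference to element' => <<'PERL',
my $entry = { a => 'b' };
my $db    = [$entry];
push @$db, $db->[0];
push @$db, \$db->[0];
Load( Dump($db) );
PERL
);

TODO: {
    # Expected to fail until the bug is fixed; TODO keeps the suite green.
    local $TODO = 'RT #49404: double free in Load';

    for my $name ( sort keys %case ) {
        # $^X is the running perl; -Mblib loads the freshly built module.
        system $^X, qw( -Mblib -MYAML::Syck -e ), $case{$name};

        my $why = $? == -1 ? "could not start child perl: $!"
                : $? & 127 ? sprintf( 'child killed by signal %d', $? & 127 )
                :            sprintf( 'child exit code %d', $? >> 8 );

        ok( $? == 0, $name ) or diag($why);
    }
}
```

A glibc "double free or corruption" abort shows up here as the child being killed by a signal, so the low seven bits of `$?` are non-zero even though the child never set an exit code.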
I've added test t/bug/rt-49404-double_free.t to GitHub and it will be in 1.10_3 this week. I cannot reproduce it on my instances of perl, which makes me think that this is a gcc optimization bug and nothing to do with this module. Hopefully we'll find something in CPAN testers this week.
Tests will set this off, or it has been resolved at this point. Thanks for the report.