From nobody@FreeBSD.org  Tue Jan 11 21:01:51 2005
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id E2E4116A4CE
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jan 2005 21:01:51 +0000 (GMT)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B16B043D41
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jan 2005 21:01:51 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id j0BL1p3I072389
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 11 Jan 2005 21:01:51 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id j0BL1pZ8072388;
	Tue, 11 Jan 2005 21:01:51 GMT
	(envelope-from nobody)
Message-Id: <200501112101.j0BL1pZ8072388@www.freebsd.org>
Date: Tue, 11 Jan 2005 21:01:51 GMT
From: Jonas Nagel <fireball@zerouptime.ch>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [perl] coredump in perl 5.8.5 in malloc()-call from Perl_pp_split()
X-Send-Pr-Version: www-2.3

>Number:         76120
>Category:       ports
>Synopsis:       coredump in perl 5.8.5 in malloc()-call from Perl_pp_split()
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    tobez
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jan 11 21:10:12 GMT 2005
>Closed-Date:    Mon Sep 12 13:31:09 CEST 2005
>Last-Modified:  Mon Sep 12 13:31:09 CEST 2005
>Originator:     Jonas Nagel
>Release:        FreeBSD-5.3-p2
>Organization:
-
>Environment:
FreeBSD hirtnb04.hirtdom.local 5.3-RELEASE-p2 FreeBSD 5.3-RELEASE-p2 #3: 
Tue Dec 14 02:06:15 CET 2004   
root@hirtnb04.hirtdom.local:/usr/obj/usr/src/sys/HIRTNB04  i386
>Description:
Below is my PERL sub which causes the coredump (with debug outputs):

sub pkt_btoh {
	my @pkt = ();

warn("debug1!\n");
	my $tmp = unpack("H*",shift);
warn("debug2! $tmp\n");
	my @tmp = split(//,$tmp);
warn("debug3!\n");
	my $rng = (scalar(@tmp)/2);

	for (my $i = 0; $i < $rng; $i++) {
		my $hex1 = shift(@tmp);
		my $hex2 = shift(@tmp);
		print $hex1 . $hex2 ."\n";
		$pkt[$i] = $hex1 . $hex2;	# use the two digits already shifted above
	}
	
#	$ret = join(":",@pkt);
	
	return @pkt;
}

And here's the evaluation of the issue:

root@hirtnb04:/home/fireball/perl/projekt/src# ./arpsentry-proto.pl acx0
Network is: 192.168.0.0, Mask is 255.255.255.0
debug1!
debug2! ffffffffffff0080c8ad7aec080600010800060400010080c8ad7aecc0a80067000000000000c0a8000a
Segmentation fault (core dumped)
root@hirtnb04:/home/fireball/perl/projekt/src# gdb perl perl.core
GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...(no debugging symbols found)...
Core was generated by `perl'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
Reading symbols from /lib/libm.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libm.so.2
Reading symbols from /lib/libcrypt.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/libcrypt.so.2
Reading symbols from /lib/libutil.so.4...(no debugging symbols found)...done.
Loaded symbols for /lib/libutil.so.4
Reading symbols from /lib/libc.so.5...(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.5
Reading symbols from /usr/local/lib/perl5/site_perl/5.8.5/mach/auto/Net/Pcap/Pcap.so...(no debugging symbols found)...done.
Loaded symbols for /usr/local/lib/perl5/site_perl/5.8.5/mach/auto/Net/Pcap/Pcap.so
Reading symbols from /usr/lib/libpcap.so.3...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpcap.so.3
Reading symbols from /libexec/ld-elf.so.1...(no debugging symbols found)...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  0x2809b328 in Perl_malloc () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
(gdb) bt
#0  0x2809b328 in Perl_malloc () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#1  0x280f1d53 in Perl_sv_grow () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#2  0x280f6a02 in Perl_newSV () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#3  0x2810d623 in Perl_pp_split () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#4  0x280e811d in Perl_runops_standard () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#5  0x28097443 in S_call_body () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#6  0x28096f7a in Perl_call_sv () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#7  0x2828bbea in callback_wrapper () from /usr/local/lib/perl5/site_perl/5.8.5/mach/auto/Net/Pcap/Pcap.so
#8  0x282a1d37 in pcap_lookupnet () from /usr/lib/libpcap.so.3
#9  0x282a2adb in pcap_loop () from /usr/lib/libpcap.so.3
#10 0x2828c6c1 in XS_Net__Pcap_loop () from /usr/local/lib/perl5/site_perl/5.8.5/mach/auto/Net/Pcap/Pcap.so
#11 0x280ef570 in Perl_pp_entersub () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#12 0x280e811d in Perl_runops_standard () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#13 0x28096a8a in S_run_body () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#14 0x28096715 in perl_run () from /usr/local/lib/perl5/5.8.5/mach/CORE/libperl.so
#15 0x08048fc8 in main ()
(gdb)
>How-To-Repeat:
Well one should think the problem should be reproducible by
$ perl -e 'my @tmp = split(//,"ffffffffffff0080c8ad7aec080600010800060400010080c8ad7aecc0a80067000000000000c0a8000a");'

or at least by
$ perl -e 'my @tmp = split(//,("f" x 99999));'

- but it isn't.

If anybody has an idea why my func crashes - I'm happy to help if I can.
Maybe it has anything to do with the binary string I unpack to hex in 
the line before...some whitespace, which I can't see in the debug 
output?
>Fix:

>Release-Note:
>Audit-Trail:

From: Jonas Nagel <fireball@zerouptime.ch>
To: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Cc:  
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call
 from Perl_pp_split()
Date: Tue, 11 Jan 2005 22:22:01 +0100

 I just noticed that the split()-line somehow disappeared above and was replaced by a 
 pound sign (£) for some reason.
 
 This should be:
 my @tmp = split(//,$tmp);
 
 -- 
  Jonas Nagel <fireball@zerouptime.ch>
Responsible-Changed-From-To: freebsd-ports-bugs->tobez 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Jan 12 05:20:04 GMT 2005 
Responsible-Changed-Why:  
Over to maintainer. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76120 

From: Anton Berezin <tobez@tobez.org>
To: Jonas Nagel <fireball@zerouptime.ch>
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call from Perl_pp_split()
Date: Thu, 13 Jan 2005 10:57:22 +0100

 On Tue, Jan 11, 2005 at 10:22:01PM +0100, Jonas Nagel wrote:
 > I just noticed that the split()-line somehow disappeared above and was replaced by a 
 > pound sign (£) for some reason.
 > 
 > This should be:
 > my @tmp = split(//,$tmp);
 
 Jonas, could you maybe re-post a complete minimal script that reproduces
 the problem?  Otherwise it is a bit cryptic.
 
 Thanks,
 \Anton.
 -- 
 The moronity of the universe is a monotonically increasing function. --
 Jarkko Hietaniemi

From: Jonas Nagel <fireball@zerouptime.ch>
To: Anton Berezin <tobez@tobez.org>
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call
 from Perl_pp_split()
Date: Thu, 13 Jan 2005 13:24:25 +0100

 On Thu, 13 Jan 2005 10:57:22 +0100
 Anton Berezin <tobez@tobez.org> wrote:
 > Jonas, could you maybe re-post a complete minimal script that
 > reproduces the problem?  Otherwise it is a bit cryptic.
 
 Of course; actually I thought this question would come but didn't want
 to completely clutter up the bug report in first place.
 
 Here is a complete script; I also noticed that the problem appears only
 while I am using the Pcap filter function. If I comment setArpFilt()
 out of the code, then it doesn't crash anymore.
 
 It appears that the Pcap filter function prepares the packet contents in
 a way that leads to a crash within the PERL split() function. Whether there
 is also a problem in the Pcap code is another question. I can't see the
 reason from the debug output.
 
 #!/usr/local/bin/perl -w
 
 use strict;
 use Net::Pcap;
 
 my $err = "";
 my $mynet = "";
 my $mymask = "";
 my $dev = "";
 
 my $pcap_t = "";
 my $snaplen = 1024;
 my $promisc = 1;
 my $to_ms = 100;
 
 my $cnt = -1;
 my $inst = 1;
 
 if(!$ARGV[0]) {
 	die("Specify at least one argument!\n");
 }
 
 $dev = $ARGV[0];
 if(Net::Pcap::lookupnet($dev, \$mynet, \$mymask, \$err)) {
 	die("$err\n");
 }
 
 print("Network is: ". inet_ntoa($mynet) .", Mask is ".
 inet_ntoa($mymask) ."\n");
 
 $pcap_t = Net::Pcap::open_live($dev, $snaplen, $promisc, $to_ms, \$err);
 if(!$pcap_t) {
 	die("$err\n");
 }
 
 # &setArpFilt($pcap_t, $mymask);
 
 Net::Pcap::loop($pcap_t, $cnt, \&display_pkt, $inst);
 
 Net::Pcap::close($pcap_t);
 
 exit;
 
 sub inet_ntoa {
 	return join ".",unpack("CCCC",pack("N",shift));
 }
 
 sub inet_atoh {
 	return split(//,unpack("H*",pack("CCCC",split(/\./,shift))));
 }
 
 sub pkt_btoh {
 	my @pkt = ();
 
 	my $tmp = unpack("H*",shift);
 	my @tmp = split(//,$tmp);
 	
 	my $rng = (scalar(@tmp)/2);
 	for (my $i = 0; $i < $rng; $i++) { 
 		$pkt[$i] = shift(@tmp) . shift(@tmp);
 	}
 	
 	return @pkt;
 }
 
 sub display_pkt {
 	my($inst, $hdr, $pkt) = @_;
 	
 	my @pkt = &pkt_btoh($pkt);
 	if (isArpBC(@pkt)) {
 			print("I$inst: $hdr->{'len'} $hdr->{'caplen'} $hdr->{'tv_usec'} - ". join("",@pkt) ."\n");	
 	}
 }
 
 sub setArpFilt {
 	my $pcap_t = shift;
 	my $netmask = shift;
 	my $optimize = 1;
 	my $filter_t = "";
 	my $filter_str = "arp";
 	
 	if(Net::Pcap::compile($pcap_t, \$filter_t, $filter_str, $optimize, $netmask)) {
 		die("Net::Pcap::compile returned error: ". Net::Pcap::geterr($pcap_t). "\n");
 	}
 	if(Net::Pcap::setfilter($pcap_t, $filter_t)) {
 		die("Net::Pcap::setfilter returned error: ". Net::Pcap::geterr($pcap_t). "\n");
 	}
 	
 	return;
 }
 
 -- 
  Jonas Nagel <fireball@zerouptime.ch>

From: Jonas Nagel <fireball@zerouptime.ch>
To: tobez@tobez.org
Cc: FreeBSD-gnats-submit@FreeBSD.org, freebsd-ports-bugs@FreeBSD.org
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call
 from Perl_pp_split()
Date: Fri, 14 Jan 2005 16:23:04 +0100

 On Thu, 13 Jan 2005 17:19:44 +0100
 Jonas Nagel <fireball@zerouptime.ch> wrote:
 
  On Thu, 13 Jan 2005 13:40:35 +0100
  Anton Berezin <tobez@FreeBSD.org> wrote:
   
  > Ahhhh!
  > 
  > Could you send me the output of  perl -V  ?
  > 
  > I suspect the problem is related to perl malloc versus system malloc;
  > if perl -V reports that perl is built with its own malloc, a quick fix
  > will probably be to rebuild perl with system malloc:
  > 
  >    cd /usr/ports/lang/perl5.8
  >    make WITHOUT_PERL_MALLOC=yes
  > 
  > Why it is a problem is another story;  one possibility is the pcap perl
  > module bug.
  > 
  > Just guessing here, at this stage.
  > 
  > \Anton.
  > -- 
  > The moronity of the universe is a monotonically increasing function. --
  > Jarkko Hietaniemi
  
  Heh, I also see that I first compiled PERL yet with 5.2-CURRENT, but a recompile without PERL malloc did not help... :/
  
  Summary of my perl5 (revision 5 version 8 subversion 5) configuration:
    Platform:
      osname=freebsd, osvers=5.2-current, archname=i386-freebsd-64int
      uname='freebsd freebsd.org 5.2-current freebsd 5.2-current #0: mon aug 9 23:46:42 pdt 2004 kris@freebsd.org:usrsrcsysmagickernelpath 386 '
      config_args='-sde -Dprefix=/usr/local -Darchlib=/usr/local/lib/perl5/5.8.5/mach -Dprivlib=/usr/local/lib/perl5/5.8.5 -Dman3dir=/usr/local/lib/perl5/5.8.5/perl/man/man3 -Dman1dir=/usr/local/man/man1 -Dsitearch=/usr/local/lib/perl5/site_perl/5.8.5/mach -Dsitelib=/usr/local/lib/perl5/site_perl/5.8.5 -Dscriptdir=/usr/local/bin -Dsiteman3dir=/usr/local/lib/perl5/5.8.5/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Ui_malloc -Ui_iconv -Uinstallusrbinperl -Dcc=cc -Doptimize=-O -pipe  -Duseshrplib -Dccflags=-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.5/BSDPAN" -Ud_dosuid -Ui_gdbm -Dusethreads=n -Dusemymalloc=y -Duse64bitint'
      hint=recommended, useposix=true, d_sigaction=define
      usethreads=undef use5005threads=undef useithreads=undef usemultiplicity=undef
      useperlio=define d_sfio=undef uselargefiles=define usesocks=undef
      use64bitint=define use64bitall=undef uselongdouble=undef
      usemymalloc=y, bincompat5005=undef
    Compiler:
      cc='cc', ccflags ='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.5/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -I/usr/local/include',
      optimize='-O -pipe ',
      cppflags='-DAPPLLIB_EXP="/usr/local/lib/perl5/5.8.5/BSDPAN" -DHAS_FPSETMASK -DHAS_FLOATINGPOINT_H -fno-strict-aliasing -pipe -I/usr/local/include'
      ccversion='', gccversion='3.4.2 [FreeBSD] 20040728', gccosandvers=''
      intsize=4, longsize=4, ptrsize=4, doublesize=8, byteorder=12345678
      d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=12
      ivtype='long long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
      alignbytes=4, prototype=define
    Linker and Libraries:
      ld='cc', ldflags ='-Wl,-E  -L/usr/local/lib'
      libpth=/usr/lib /usr/local/lib
      libs=-lm -lcrypt -lutil -lc
      perllibs=-lm -lcrypt -lutil -lc
      libc=, so=so, useshrplib=true, libperl=libperl.so
      gnulibc_version=''
    Dynamic Linking:
      dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='  -Wl,-R/usr/local/lib/perl5/5.8.5/mach/CORE'
      cccdlflags='-DPIC -fPIC', lddlflags='-shared  -L/usr/local/lib'
  
  Characteristics of this binary (from libperl):
    Compile-time options: USE_64_BIT_INT USE_LARGE_FILES
    Built under freebsd
    Compiled at Aug 10 2004 06:52:11
    @INC:
      /usr/local/lib/perl5/site_perl/5.8.5/mach
      /usr/local/lib/perl5/site_perl/5.8.5
      /usr/local/lib/perl5/site_perl
      /usr/local/lib/perl5/5.8.5/BSDPAN
      /usr/local/lib/perl5/5.8.5/mach
      /usr/local/lib/perl5/5.8.5
      .
  
  
  -- 
   Jonas Nagel <fireball@zerouptime.ch>

From: Anton Berezin <tobez@tobez.org>
To: Jonas Nagel <fireball@zerouptime.ch>
Cc: freebsd-ports-bugs@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call from Perl_pp_split()
Date: Mon, 17 Jan 2005 14:01:20 +0100

 On Fri, Jan 14, 2005 at 04:23:04PM +0100, Jonas Nagel wrote:
 
 >  Heh, I also see that I first compiled PERL yet with 5.2-CURRENT, but
 >  a recompile without PERL malloc did not help... :/
 
 Hmm, ok, let's do it the hard way then.  :-)
 
 But I cannot run your script to test the problem, since isArpBC() is
 used but not defined.
 
 =Anton.
 -- 
 The moronity of the universe is a monotonically increasing function. --
 Jarkko Hietaniemi

From: Jonas Nagel <fireball@zerouptime.ch>
To: Anton Berezin <tobez@tobez.org>
Cc: Jonas Nagel <fireball@zerouptime.ch>,
	freebsd-ports-bugs@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call from Perl_pp_split()
Date: Mon, 17 Jan 2005 18:06:21 +0100

 > But I cannot run your script to test the problem, since isArpBC() is
 > used but not defined.
 
 Sorry, remove that if-statement with isArpBC; that is the function I did
 to check if it's a) ARP and b) an Ethernet broadcast packet (i.e. manually
 analysing the packet header).
 
 You must not use that query anyway, to see if you can successfully use
 the Pcap compile/setfilter methods with split().
 
 -- 
 Jonas Nagel <fireball@zerouptime.ch>
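The pkt_btoh() conversion and the isArpBC() check that the thread describes but never shows, as an added example that is not the reporter's code: the frame is converted to two-digit hex pairs with a single unpack("(H2)*") call, so no split(//) is run on the long intermediate string, and isArpBC() is a hypothetical implementation of the destination-MAC/EtherType check described above. The sample frame is the one printed by the reporter's debug2 line, re-packed to bytes.

```perl
#!/usr/local/bin/perl
use strict;
use warnings;

# Added example (not the reporter's code): one element per byte, e.g.
# ("ff","ff",...), without building and splitting a long hex string.
sub pkt_btoh {
    my ($raw) = @_;
    return unpack("(H2)*", $raw);
}

# Hypothetical isArpBC(): true when the destination MAC (bytes 0-5) is the
# broadcast address and the EtherType (bytes 12-13) is 0x0806 (ARP).
# Frames shorter than an Ethernet header are rejected rather than indexed.
sub isArpBC {
    my @b = @_;
    return 0 if @b < 14;
    my $dst  = join("", @b[0 .. 5]);
    my $type = join("", @b[12 .. 13]);
    return ($dst eq "ffffffffffff" && $type eq "0806") ? 1 : 0;
}

# Constructed sample: the 42-byte ARP request from the debug2 output above.
my $sample_hex = "ffffffffffff0080c8ad7aec080600010800060400010080c8ad7aec"
               . "c0a80067000000000000c0a8000a";
my $raw = pack("H*", $sample_hex);

my @pkt = pkt_btoh($raw);
printf("%d bytes, ARP broadcast: %s\n",
       scalar(@pkt), isArpBC(@pkt) ? "yes" : "no");
# ARP sender/target protocol addresses sit at bytes 28-31 and 38-41.
printf("sender IP %s -> target IP %s\n",
       join(".", map { hex } @pkt[28 .. 31]),
       join(".", map { hex } @pkt[38 .. 41]));
```

Running it on the sample prints "42 bytes, ARP broadcast: yes" and "sender IP 192.168.0.103 -> target IP 192.168.0.10", matching the 192.168.0.0/24 network shown in the report.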
 

From: Anton Berezin <tobez@tobez.org>
To: Jonas Nagel <fireball@zerouptime.ch>
Cc: freebsd-ports-bugs@FreeBSD.org, FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: ports/76120: [perl] coredump in perl 5.8.5 in malloc()-call from Perl_pp_split()
Date: Mon, 17 Jan 2005 18:50:21 +0100

 On Mon, Jan 17, 2005 at 06:06:21PM +0100, Jonas Nagel wrote:
 > > But I cannot run your script to test the problem, since isArpBC() is
 > > used but not defined.
 > 
 > Sorry, remove that if-statement with isArpBC; that is the function I did
 > to check if its a) ARP and b) a ethernet broadcast packet (i.e. manually
 > analysing the packet header).
 > 
 > You must not use that query anyway, to see if you can successfully use
 > the Pcap compile/setfilter methods with split().
 
 Interesting.
 
 I cannot reproduce the problem here (RELENG_5 from December 22, amd64,
 5.8.5, p5-Net-Pcap 0.05).
 
 I'll try on a i386-current tomorrow, but meanwhile, if you did not
 update perl for a moderately long time, and possibly have outdated
 modules, it might be worth a try to follow procedure with regard to Perl
 upgrade from ports/UPDATING (the one which talks about reinstalling all
 Perl modules).  I am not sure it is needed and/or will fix the problem,
 but without being able to reproduce it...
 
 \Anton.
 -- 
 The moronity of the universe is a monotonically increasing function. --
 Jarkko Hietaniemi
State-Changed-From-To: open->feedback 
State-Changed-By: tobez 
State-Changed-When: Thu Jun 2 11:48:56 CEST 2005 
State-Changed-Why:  
Have you tried the same script with a more recent perl && modules? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76120 
State-Changed-From-To: feedback->closed 
State-Changed-By: tobez 
State-Changed-When: Mon Sep 12 13:16:28 CEST 2005 
State-Changed-Why:  
Feedback timeout. 

Besides, I could not reproduce the problem with 5.8.7 on CURRENT as of 
today. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=76120 
>Unformatted:
