Bug 640719

Summary: Sending signal to thread without signal handler in thread causes perl to segfault
Product: Red Hat Enterprise Linux 6 Reporter: Marcela Mašláňová <mmaslano>
Component: perlAssignee: perl-maint-list
Status: CLOSED DUPLICATE QA Contact: BaseOS QE - Apps <qe-baseos-apps>
Severity: medium Docs Contact:
Priority: low    
Version: 6.1CC: cweyl, iarnell, kasal, lkundrak, mmaslano, ppisar, psabata, rc040203, rdevries1000, tcallawa
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: 622190 Environment:
Last Closed: 2010-10-06 17:06:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 622190    
Bug Blocks: 626330    

Description Marcela Mašláňová 2010-10-06 17:03:38 UTC 
+++ This bug was initially created as a clone of Bug #622190 +++

Description of problem:
Sending signal to thread without signal handler in thread causes perl to segfault


Version-Release number of selected component (if applicable):
perl-5.10.1-116.fc13.x86_64


How reproducible:
Every time

Steps to Reproduce:
1.
Run next program perl script:

use strict;
use threads;

sub thr_func
{
    print "thread started\n";
    while(1) {
        sleep(100);
    }
}

my $thr = threads->create('thr_func');
$thr->kill('TERM');

  
Actual results: 
catchsegv perl test.pl

produces:

*** Segmentation fault
Register dump:

 RAX: 0000000001bda7c0   RBX: 0000000001ba2040   RCX: 000000000000000a
 RDX: 0000000001beee70   RSI: 0000000000000000   RDI: 0000000001bda280
 RBP: 0000000000000001   R8 : 0000000001c03cb0   R9 : 00000000000036d3
 R10: 00007fff367f3770   R11: 000000383311eaf0   R12: 000000000000003c
 R13: 0000000000000008   R14: 0000000001bda280   R15: 0000000001c03cb0
 RSP: 00007fff367f39f0

 RIP: 00007f17604f5165   EFLAGS: 00010206

 CS: 0033   FS: 0000   GS: 0000

 Trap: 0000000e   Error: 00000006   OldMask: 00000000   CR2: 0000003c

 FPUCW: 0000037f   FPUSW: 00000000   TAG: 00000000
 RIP: 00000000   RDP: 00000000

 ST(0) 0000 0000000000000032   ST(1) 0000 000000000000000e
 ST(2) 0000 ffffffff801f8000   ST(3) 0000 ffffffff9b52007e
 ST(4) 0000 0000000000000000   ST(5) 0000 0000000000000000
 ST(6) 0000 0000000000000000   ST(7) 0000 0000000000000005
 mxcsr: 1fa0
 XMM0:  000000000000000000000000ffffff00 XMM1:  000000000000000000000000ffffff00
 XMM2:  000000000000000000000000ffffff00 XMM3:  000000000000000000000000ffffff00
 XMM4:  000000000000000000000000ffffff00 XMM5:  000000000000000000000000ffffff00
 XMM6:  000000000000000000000000ffffff00 XMM7:  000000000000000000000000ffffff00
 XMM8:  000000000000000000000000ffffff00 XMM9:  000000000000000000000000ffffff00
 XMM10: 000000000000000000000000ffffff00 XMM11: 000000000000000000000000ffffff00
 XMM12: 000000000000000000000000ffffff00 XMM13: 000000000000000000000000ffffff00
 XMM14: 000000000000000000000000ffffff00 XMM15: 000000000000000000000000ffffff00

Backtrace:
/usr/lib64/perl5/auto/threads/threads.so(XS_threads_kill+0x145)[0x7f17604f5165]
/usr/lib64/perl5/CORE/libperl.so(Perl_pp_entersub+0x5a5)[0x38330a6865]
/usr/lib64/perl5/CORE/libperl.so(Perl_runops_standard+0x16)[0x38330a4b56]
/usr/lib64/perl5/CORE/libperl.so(perl_run+0x338)[0x383304d0e8]
perl(main+0xec)[0x400cac]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3f7581ec5d]
perl[0x400af9]


Expected results:


Additional info:

--- Additional comment from ppisar on 2010-08-17 15:59:22 CEST ---

All Fedoras affected (F14 has threads-1.75).

perl-5.10.1, threads 1.72 debug:

Program received signal SIGSEGV, Segmentation fault.
XS_threads_kill (my_perl=0x603010, cv=<value optimized out>) at threads.xs:1260
1260                PL_psig_pend[signal]++;

threads.xs:
        /* Set the signal for the thread */
        thread = S_SV_to_ithread(aTHX_ ST(0));
        MUTEX_LOCK(&thread->mutex);
        if (thread->interp) {
            dTHXa(thread->interp);
1260 →      PL_psig_pend[signal]++;
            PL_sig_pending = 1;
        }
        MUTEX_UNLOCK(&thread->mutex);

   0x00007ffff1f4614a <+298>:   mov    0x10(%r14),%r14
   0x00007ffff1f4614e <+302>:   test   %r14,%r14
   0x00007ffff1f46151 <+305>:   je     0x7ffff1f46175 <XS_threads_kill+341>
   0x00007ffff1f46153 <+307>:   mov    %r14,%rdi
   0x00007ffff1f46156 <+310>:   shl    $0x2,%r12
   0x00007ffff1f4615a <+314>:   callq  0x7ffff1f43e68 <Perl_Ipsig_pend_ptr@plt>
   0x00007ffff1f4615f <+319>:   add    (%rax),%r12
   0x00007ffff1f46162 <+322>:   mov    %r14,%rdi
=> 0x00007ffff1f46165 <+325>:   addl   $0x1,(%r12)
   0x00007ffff1f4616a <+330>:   callq  0x7ffff1f44138 <Perl_Isig_pending_ptr@plt>

%r12 has value 0x28, thus the code tries to increment value on address 0x28 that has been obtained by dereferencing %rax that is return value of Perl_Ipsig_pend_ptr@plt function. The function is hidden by PL_psig_pend macro probably.

--- Additional comment from ppisar on 2010-08-17 19:21:13 CEST ---

There is something wrong with `make install' phase of threads module. When running the test case against built but installed module, there is no segfault:

$ perl -I blib/arch -I blib/lib /tmp/perl_thread_kill 
Signal SIGTERM received, but no signal handler set.

After installing (just `make install DESTDIR=/somewhere'), run against files from DESTDIR causes segfault:

$ make install DESTDIR=/tmp/threads-1.77-build 
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /tmp/threads-1.77-build/usr/lib64/perl5/auto/threads/threads.bs
Installing /tmp/threads-1.77-build/usr/lib64/perl5/auto/threads/threads.so
Installing /tmp/threads-1.77-build/usr/lib64/perl5/threads.pm
Installing /tmp/threads-1.77-build/usr/share/man/man3/threads.3pm
Appending installation info to /tmp/threads-1.77-build/usr/lib64/perl5/perllocal.pod
$ perl -I /tmp/threads-1.77-build/usr/lib64/perl5/ /tmp/perl_thread_kill 
Segmentation fault

I verified with strace that module is loaded from desired directory only.

--- Additional comment from ppisar on 2010-08-18 11:03:13 CEST ---

So, it's not in the `make install'. The problem is with perl include paths:

petr@dhcp-0-146:/tmp/threads-1.77-build/usr/lib64/perl5 $ find
.
./threads.pm
./auto
./auto/threads
./auto/threads/.packlist
./auto/threads/threads.bs
./auto/threads/threads.so
./perllocal.pod
petr@dhcp-0-146:/tmp/threads-1.77-build/usr/lib64/perl5 $ perl -I . /tmp/perl_thread_kill 
Perl exited with active threads:
        1 running and unjoined
        0 finished and unjoined
        0 running and detached
petr@dhcp-0-146:/tmp/threads-1.77-build/usr/lib64/perl5 $ perl -I $PWD /tmp/perl_thread_kill 
Segmentation fault
Comment 2 Marcela Mašláňová 2010-10-06 17:06:23 UTC 

*** This bug has been marked as a duplicate of bug 626330 ***