Bug 625746 - Perl gives the error 'Attempt to free unreferenced scalar' with nested foreach loops using the same variable
Perl gives the error 'Attempt to free unreferenced scalar' with nested foreac...
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: perl (Show other bugs)
5.5
All Linux
low Severity low
: rc
: ---
Assigned To: Petr Pisar
Petr Šplíchal
: Patch
Depends On:
Blocks: 626411
  Show dependency treegraph
 
Reported: 2010-08-20 06:36 EDT by Issue Tracker
Modified: 2016-05-31 21:40 EDT (History)
7 users (show)

See Also:
Fixed In Version: perl-5.8.8-34.el5
Doc Type: Bug Fix
Doc Text:
Cause Running two nested loops using the same iterator. Consequence Interpreter tries to double-free the iterator resulting in a warning. Referring such variable causes run-time error. Fix Fix for handling shared iterator has been back-ported from Perl 5.10.1. Result Interpreter handles shared iterators properly.
Story Points: ---
Clone Of:
: 626411 (view as bug list)
Environment:
Last Closed: 2012-02-21 00:40:12 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Fix backported from perl-5.10.1 (18.88 KB, patch)
2010-08-26 13:05 EDT, Petr Pisar
no flags Details | Diff


External Trackers
Tracker ID Priority Status Summary Last Updated
CPAN 70660 None None None Never
Red Hat Product Errata RHBA-2012:0199 normal SHIPPED_LIVE perl bug fix update 2012-02-20 09:54:01 EST

  None (edit)
Description Issue Tracker 2010-08-20 06:36:50 EDT
Escalated to Bugzilla from IssueTracker
Comment 1 Issue Tracker 2010-08-20 06:36:51 EDT
Event posted on 2010-08-19 16:33 BST by spoyarek

Problem Description:

Perl gives the error "Attempt to free unreferenced scalar" with nested foreach loops using the same variable.

How Reproducible:

Always

Steps to Reproduce:

1) Execute the following perl script:

#! /usr/bin/perl
use strict;
my $element;
foreach $element ("a", "b") {
foreach $element ("c", "d") {1;}
}

Actual Result:

Attempt to free unreferenced scalar: SV 0x986b90c, Perl interpreter: 0x986a008.
Attempt to free unreferenced scalar: SV 0x986b918, Perl interpreter: 0x986a008.

Expected result:

No output.

Additional Information:

This seems to have been fixed in 5.8.9 and in 5.10.x.
This event sent from IssueTracker by mpoole  [Support Engineering Group]
 issue 1285203
Comment 2 Martin Poole 2010-08-20 06:39:39 EDT
Upstream bug http://rt.perl.org/rt3/Public/Bug/Display.html?id=24254  fix in change #26027
Comment 3 Martin Poole 2010-08-20 07:43:22 EDT
Is not the upstream quoted. That patch is in the current RHEL5 build.
Comment 4 Petr Pisar 2010-08-24 10:32:02 EDT
This bug has been fixed by upstream between 5.10.0 and 5.10.1 versions. Because RHEL-5.5 contains perl-5.8.8, there is low possibility the patch will be applicable.
Comment 5 Petr Pisar 2010-08-26 03:46:43 EDT
I managed to back-port the patch however I discovered vanilla 5.8.8 perl compiled on Fedora does not suffer from this problem. I'm going to clone my development environment into RHEL-5.5 to get normative environment because there are significant differences (RHEL's spec file does not compile in Fedora, vanilla 5.8.8 does not compile in Fedora without hacks, RHEL's spec file adds bunch of patches etc.).
Comment 6 Petr Pisar 2010-08-26 12:33:26 EDT
When applying my vanilla-5.8.8 patch onto perl-5.8.8-27, I got short conflict:

***************
*** 285,295 ****

  #define POPLOOP(cx)                                                   \
        SvREFCNT_dec(cx->blk_loop.iterlval);                            \
-       if (CxITERVAR(cx)) {                                            \
-           SV **s_v_p = CxITERVAR(cx);                                 \
-           sv_2mortal(*s_v_p);                                         \
-           *s_v_p = cx->blk_loop.itersave;                             \
-       }                                                               \
        if (cx->blk_loop.iterary && cx->blk_loop.iterary != PL_curstack)\
            SvREFCNT_dec(cx->blk_loop.iterary);

--- 284,289 ----

  #define POPLOOP(cx)                                                   \
        SvREFCNT_dec(cx->blk_loop.iterlval);                            \
        if (cx->blk_loop.iterary && cx->blk_loop.iterary != PL_curstack)\
            SvREFCNT_dec(cx->blk_loop.iterary);



The conflicting lines has been added by perl-5.8.8-bug24254.patch (bug #379791):

@@ -286,9 +286,14 @@ struct block_loop {
 #define POPLOOP(cx)                            \
    SvREFCNT_dec(cx->blk_loop.iterlval);                \
    if (CxITERVAR(cx)) {                        \
-       SV **s_v_p = CxITERVAR(cx);                 \
-       sv_2mortal(*s_v_p);                     \
-       *s_v_p = cx->blk_loop.itersave;             \
+       if (SvPADMY(cx->blk_loop.itersave)) {           \
+           SV **s_v_p = CxITERVAR(cx);             \
+           sv_2mortal(*s_v_p);                 \
+           *s_v_p = cx->blk_loop.itersave;             \
+       }                               \
+       else {                          \
+           SvREFCNT_dec(cx->blk_loop.itersave);            \
+       }                               \
    }                               \
    if (cx->blk_loop.iterary && cx->blk_loop.iterary != PL_curstack)\
        SvREFCNT_dec(cx->blk_loop.iterary);


After disabling perl-5.8.8-bug24254.patch, this issue disappeared. More ever the test case from bug #379791 did not show any problems. Only a test added by perl-5.8.8-bug24254.patch failed.
Comment 7 Petr Pisar 2010-08-26 13:05:17 EDT
Created attachment 441278 [details]
Fix backported from perl-5.10.1

Diff against perl-5.8.8-27. Fixes this issue, does not break bug #379791, all tests pass, no memory leaks.
Comment 8 RHEL Product and Program Management 2011-01-11 15:12:05 EST
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 9 RHEL Product and Program Management 2011-01-11 18:22:29 EST
This request was erroneously denied for the current release of
Red Hat Enterprise Linux.  The error has been fixed and this
request has been re-proposed for the current release.
Comment 10 RHEL Product and Program Management 2011-05-31 09:16:12 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 14 Petr Pisar 2011-09-21 10:22:00 EDT
How to test

Test case in first comment exhibits warning on error output.

Following code causes run-time error with non-zero exit code:

my $global_var;
my $ref_global_var = \$global_var;
for (1..2) {
    my $element;
    for $element (0) {
        for $element (0) {}
    }
   
    local $local_var = 42;
    local $ref_local_var = \$local_var;
    $global_var = $local_var;
    $global_var = $$local_var;
    $$ref_global_var = $local_var;
}
Comment 15 Petr Pisar 2011-09-21 10:22:00 EDT
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause
    Running two nested loops using the same iterator.
Consequence
    Interpreter tries to double-free the iterator resulting in
    a warning. Referring such variable causes run-time error.
Fix
    Fix for handling shared iterator has been back-ported from
    Perl 5.10.1.
Result
    Interpreter handles shared iterators properly.
Comment 19 errata-xmlrpc 2012-02-21 00:40:12 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0199.html

Note You need to log in before you can comment on or make changes to this bug.