640719 – Sending signal to thread without signal handler in thread causes perl to segfault

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 640719 - Sending signal to thread without signal handler in thread causes perl to segfault

Summary: Sending signal to thread without signal handler in thread causes perl to segf...

Keywords:
Status:	CLOSED DUPLICATE of bug 626330
Alias:	None
Product:	Red Hat Enterprise Linux 6
Classification:	Red Hat
Component:	perl
Sub Component:
Version:	6.1
Hardware:	x86_64
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	perl-maint-list
QA Contact:	BaseOS QE - Apps
Docs Contact:
URL:
Whiteboard:
Depends On:	622190
Blocks:	626330
TreeView+	depends on / blocked

Reported:	2010-10-06 17:03 UTC by Marcela Mašláňová
Modified:	2010-10-06 17:06 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:	622190
Environment:
Last Closed:	2010-10-06 17:06:23 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Marcela Mašláňová 2010-10-06 17:03:38 UTC

+++ This bug was initially created as a clone of Bug #622190 +++

Description of problem:
Sending signal to thread without signal handler in thread causes perl to segfault


Version-Release number of selected component (if applicable):
perl-5.10.1-116.fc13.x86_64


How reproducible:
Every time

Steps to Reproduce:
1.
Run next program perl script:

use strict;
use threads;

sub thr_func
{
    print "thread started\n";
    while(1) {
        sleep(100);
    }
}

my $thr = threads->create('thr_func');
$thr->kill('TERM');

  
Actual results: 
catchsegv perl test.pl

produces:

*** Segmentation fault
Register dump:

 RAX: 0000000001bda7c0   RBX: 0000000001ba2040   RCX: 000000000000000a
 RDX: 0000000001beee70   RSI: 0000000000000000   RDI: 0000000001bda280
 RBP: 0000000000000001   R8 : 0000000001c03cb0   R9 : 00000000000036d3
 R10: 00007fff367f3770   R11: 000000383311eaf0   R12: 000000000000003c
 R13: 0000000000000008   R14: 0000000001bda280   R15: 0000000001c03cb0
 RSP: 00007fff367f39f0

 RIP: 00007f17604f5165   EFLAGS: 00010206

 CS: 0033   FS: 0000   GS: 0000

 Trap: 0000000e   Error: 00000006   OldMask: 00000000   CR2: 0000003c

 FPUCW: 0000037f   FPUSW: 00000000   TAG: 00000000
 RIP: 00000000   RDP: 00000000

 ST(0) 0000 0000000000000032   ST(1) 0000 000000000000000e
 ST(2) 0000 ffffffff801f8000   ST(3) 0000 ffffffff9b52007e
 ST(4) 0000 0000000000000000   ST(5) 0000 0000000000000000
 ST(6) 0000 0000000000000000   ST(7) 0000 0000000000000005
 mxcsr: 1fa0
 XMM0:  000000000000000000000000ffffff00 XMM1:  000000000000000000000000ffffff00
 XMM2:  000000000000000000000000ffffff00 XMM3:  000000000000000000000000ffffff00
 XMM4:  000000000000000000000000ffffff00 XMM5:  000000000000000000000000ffffff00
 XMM6:  000000000000000000000000ffffff00 XMM7:  000000000000000000000000ffffff00
 XMM8:  000000000000000000000000ffffff00 XMM9:  000000000000000000000000ffffff00
 XMM10: 000000000000000000000000ffffff00 XMM11: 000000000000000000000000ffffff00
 XMM12: 000000000000000000000000ffffff00 XMM13: 000000000000000000000000ffffff00
 XMM14: 000000000000000000000000ffffff00 XMM15: 000000000000000000000000ffffff00

Backtrace:
/usr/lib64/perl5/auto/threads/threads.so(XS_threads_kill+0x145)[0x7f17604f5165]
/usr/lib64/perl5/CORE/libperl.so(Perl_pp_entersub+0x5a5)[0x38330a6865]
/usr/lib64/perl5/CORE/libperl.so(Perl_runops_standard+0x16)[0x38330a4b56]
/usr/lib64/perl5/CORE/libperl.so(perl_run+0x338)[0x383304d0e8]
perl(main+0xec)[0x400cac]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3f7581ec5d]
perl[0x400af9]


Expected results:


Additional info:

--- Additional comment from ppisar on 2010-08-17 15:59:22 CEST ---

All Fedoras affected (F14 has threads-1.75).

perl-5.10.1, threads 1.72 debug:

Program received signal SIGSEGV, Segmentation fault.
XS_threads_kill (my_perl=0x603010, cv=<value optimized out>) at threads.xs:1260
1260                PL_psig_pend[signal]++;

threads.xs:
        /* Set the signal for the thread */
        thread = S_SV_to_ithread(aTHX_ ST(0));
        MUTEX_LOCK(&thread->mutex);
        if (thread->interp) {
            dTHXa(thread->interp);
1260 →      PL_psig_pend[signal]++;
            PL_sig_pending = 1;
        }
        MUTEX_UNLOCK(&thread->mutex);

   0x00007ffff1f4614a <+298>:   mov    0x10(%r14),%r14
   0x00007ffff1f4614e <+302>:   test   %r14,%r14
   0x00007ffff1f46151 <+305>:   je     0x7ffff1f46175 <XS_threads_kill+341>
   0x00007ffff1f46153 <+307>:   mov    %r14,%rdi
   0x00007ffff1f46156 <+310>:   shl    $0x2,%r12
   0x00007ffff1f4615a <+314>:   callq  0x7ffff1f43e68 <Perl_Ipsig_pend_ptr@plt>
   0x00007ffff1f4615f <+319>:   add    (%rax),%r12
   0x00007ffff1f46162 <+322>:   mov    %r14,%rdi
=> 0x00007ffff1f46165 <+325>:   addl   $0x1,(%r12)
   0x00007ffff1f4616a <+330>:   callq  0x7ffff1f44138 <Perl_Isig_pending_ptr@plt>

%r12 has value 0x28, thus the code tries to increment value on address 0x28 that has been obtained by dereferencing %rax that is return value of Perl_Ipsig_pend_ptr@plt function. The function is hidden by PL_psig_pend macro probably.

--- Additional comment from ppisar on 2010-08-17 19:21:13 CEST ---

There is something wrong with `make install' phase of threads module. When running the test case against built but installed module, there is no segfault:

$ perl -I blib/arch -I blib/lib /tmp/perl_thread_kill 
Signal SIGTERM received, but no signal handler set.

After installing (just `make install DESTDIR=/somewhere'), run against files from DESTDIR causes segfault:

$ make install DESTDIR=/tmp/threads-1.77-build 
Files found in blib/arch: installing files in blib/lib into architecture dependent library tree
Installing /tmp/threads-1.77-build/usr/lib64/perl5/auto/threads/threads.bs
Installing /tmp/threads-1.77-build/usr/lib64/perl5/auto/threads/threads.so
Installing /tmp/threads-1.77-build/usr/lib64/perl5/threads.pm
Installing /tmp/threads-1.77-build/usr/share/man/man3/threads.3pm
Appending installation info to /tmp/threads-1.77-build/usr/lib64/perl5/perllocal.pod
$ perl -I /tmp/threads-1.77-build/usr/lib64/perl5/ /tmp/perl_thread_kill 
Segmentation fault

I verified with strace that module is loaded from desired directory only.

--- Additional comment from ppisar on 2010-08-18 11:03:13 CEST ---

So, it's not in the `make install'. The problem is with perl include paths:

petr@dhcp-0-146:/tmp/threads-1.77-build/usr/lib64/perl5 $ find
.
./threads.pm
./auto
./auto/threads
./auto/threads/.packlist
./auto/threads/threads.bs
./auto/threads/threads.so
./perllocal.pod
petr@dhcp-0-146:/tmp/threads-1.77-build/usr/lib64/perl5 $ perl -I . /tmp/perl_thread_kill 
Perl exited with active threads:
        1 running and unjoined
        0 finished and unjoined
        0 running and detached
petr@dhcp-0-146:/tmp/threads-1.77-build/usr/lib64/perl5 $ perl -I $PWD /tmp/perl_thread_kill 
Segmentation fault

Comment 2 Marcela Mašláňová 2010-10-06 17:06:23 UTC


*** This bug has been marked as a duplicate of bug 626330 ***

Note You need to log in before you can comment on or make changes to this bug.