[rt.cpan.org #55543] Inline::C can crash the perl interpreter if function uses PUSHMARK
Sisyphus via RT
On Sat Mar 13 23:27:29 2010, asuf...@suffields.me.uk wrote:
> Inline::C uses this hack in an attempt to detect the difference
> between void returns and XSUB list returns:
>
> temp = PL_markstack_ptr++;
> $function($arg_name_list);
> if (PL_markstack_ptr != temp) {
> /* truly void, because dXSARGS not invoked */
> PL_markstack_ptr = temp;
> XSRETURN_EMPTY; /* return empty stack */
> }
> /* must have used dXSARGS; list context implied */
> return; /* assume stack size is correct */
>
> Sadly, this does not work. If the mark stack is reallocated (due to
> use of PUSHMARK in any function called), then PL_markstack_ptr can
> have a completely different value. This code then scribbles over it
> with the old value, pointing to freed memory; the interpreter will
> crash shortly after this.
>
> I haven't checked carefully, but I think this should have been
> examining the value of (PL_markstack_ptr - PL_markstack) instead -
> that's the current height of the stack, rather than its current
> address.
(cc'ing the Inline mailing list in case anyone there is interested.)
Wow ... that code has been around for ages.
I think I get the picture, though I'm currently having trouble
reproducing the bug from the description. (Dimness on my part, one
suspects :-)
Do you have a simple demo script ? It doesn't have to do anything
meaningful - just something that demonstrates the problem.
Thanks for the report !
Cheers,
Rob
Sisyphus via RT
Transaction: Correspondence added by SISYPHUS
Queue: Inline
Subject: Inline::C can crash the perl interpreter if function uses PUSHMARK
Broken in: (no value)
Severity: (no value)
Owner: Nobody
Requestors: asuf...@suffields.me.uk
Status: open
Ticket <URL: https://rt.cpan.org/Ticket/Display.html?id=55543 >
Lack of follow-up