Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2020-07-03 Thread Dominic Hargreaves
Thanks. The fix hasn't been integrated into the 5.24 maint branch so
any data we can have about it being battle tested is valuable.

Dominic.

On Thu, Jul 02, 2020 at 05:04:10PM -0700, Dean Hamstead wrote:
> We have been running it in prod since before the ticket was raised in
> debian. We were hoping to pull compiling perl out of our pipeline.
> 
> I would add again, that this is a fix from upstream and is included in all
> newer versions of perl.
> 
> 
> Dean
> 
> On 2020-07-02 15:05, Dominic Hargreaves wrote:
> > On Wed, Jul 01, 2020 at 05:07:33PM -0700, Dean Hamstead wrote:
> > > My preference would be to apply the patch as it's a genuine bug fix
> > > from upstream.
> > 
> > Hi Dean
> > 
> > Thanks for the reply. We do just have a chance to get it into the final
> > stretch point release and we do have other changes queued for perl now.
> > You implied in an earlier message that you'd been running a patched
> > Debian package with https://github.com/Perl/perl5/issues/16086 - can
> > I check this is (still) the case? It'd give us a lot more confidence to
> > know that the combination we'd plan to release has been battle tested.
> > 
> > It's up to the stable release managers of course - I will email now.
> > 
> > Cheers
> > Dominic
> 



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2020-07-02 Thread Dominic Hargreaves
On Wed, Jul 01, 2020 at 05:07:33PM -0700, Dean Hamstead wrote:
> My preference would be to apply the patch as it's a genuine bug fix from
> upstream.

Hi Dean

Thanks for the reply. We do just have a chance to get it into the final
stretch point release and we do have other changes queued for perl now.
You implied in an earlier message that you'd been running a patched
Debian package with https://github.com/Perl/perl5/issues/16086 - can
I check this is (still) the case? It'd give us a lot more confidence to
know that the combination we'd plan to release has been battle tested.

It's up to the stable release managers of course - I will email now.

Cheers
Dominic



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2020-07-01 Thread Dean Hamstead
My preference would be to apply the patch as it's a genuine bug fix from
upstream.




Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2020-05-17 Thread Dominic Hargreaves
On Wed, Jun 06, 2018 at 01:22:26PM +1000, Dean Hamstead wrote:
> Rolling it in to the official release would be much appreciated as it
> will spare us maintaining our own patched version, plus might help a
> few lonely travelers who are stumped on a segfault.

I'm sorry that we weren't able to get to this in a timely
fashion. Given that this is now fixed in current stable (and
anyone affected must surely have worked around it by now), I
think it's unlikely that applying this fix now will be that
helpful (even if an oldstable update is going to happen at
this stage). Therefore, I'm inclined to close this bug now.
Let me know if you disagree.

Best
Dominic



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-05 Thread Dean Hamstead
Rolling it in to the official release would be much appreciated as it 
will spare us maintaining our own patched version, plus might help a few 
lonely travelers who are stumped on a segfault.




Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-05 Thread Dominic Hargreaves
On Tue, Jun 05, 2018 at 01:19:13PM +1000, Tony Cook wrote:
> On Mon, Jun 04, 2018 at 09:31:06PM +0100, Dominic Hargreaves wrote:
> > Thanks for the detailed analysis both! Given that the fix is accidental,
> > and not in a released version of perl yet, I'm not sure whether this
> > belongs in a stable update. That said, maybe there is no more correct
> > place for a fix for this issue to live?
> 
> 5.26.2 has the fix as v5.26.1-61-g1e4ebce09b
> 
> maint-5.24 received only a very small set of changes outside of
> Module::CoreList changes and the security fixes for the last release.

Ah, great, I missed that it had already been applied in 5.26.
We (Debian) could consider applying it to our 5.24 if we think it's
a valid fix. The patch appears to apply cleanly.

Cheers,
Dominic.



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-04 Thread Tony Cook
On Mon, Jun 04, 2018 at 09:31:06PM +0100, Dominic Hargreaves wrote:
> Thanks for the detailed analysis both! Given that the fix is accidental,
> and not in a released version of perl yet, I'm not sure whether this
> belongs in a stable update. That said, maybe there is no more correct
> place for a fix for this issue to live?

5.26.2 has the fix as v5.26.1-61-g1e4ebce09b

maint-5.24 received only a very small set of changes outside of
Module::CoreList changes and the security fixes for the last release.

Tony



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-04 Thread Dominic Hargreaves
On Mon, Jun 04, 2018 at 03:08:19PM +1000, Tony Cook wrote:
> The underlying cause appears to be that libm is referencing
> _LIB_VERSION in libperl.
> 
> I suspect the Oracle client libraries have dlopen()ed a library that
> depends on libm, and that isn't dlclosed() when mod_perl unloads
> DBD::Oracle.
> 
> So the process that leads to the crash:
> 
> 1) Apache starts its configuration check[1], loads mod_perl, which
> implicitly loads libperl (with PL_keyword_plugin set to its default)
> 
> 2) mod_perl runs the startup script, loading Syntax::Keyword::Try
> (which points PL_keyword_plugin at its keyword handler) and
> DBD::Oracle (which presumably dlopen()s a shared object that depends
> on libm).
> 
> 3) Apache unloads mod_perl, which unloads the shared objects for
> Syntax::Keyword::Try and DBD::Oracle.
> 
> Since something still loaded depends on libm, and that depends on the
> _LIB_VERSION symbol defined by libperl, libperl remains loaded.
> 
> PL_keyword_plugin now points to where the Syntax::Keyword::Try keyword
> handler *used* to be.
> 
> 4) Apache loads mod_perl again, and attempts to parse the perl startup
> script.  Since PL_keyword_plugin points to unmapped memory, libperl
> segfaults.
> 
> Without something else depending on libm, libperl would normally be
> unloaded at step 3), and step 4) would reload libperl, with
> PL_keyword_plugin pointing at the default keyword plugin function.
> 
> The patch incidentally prevents libm depending on the _LIB_VERSION
> symbol in libperl, so libperl can unload when mod_perl unloads.

Thanks for the detailed analysis both! Given that the fix is accidental,
and not in a released version of perl yet, I'm not sure whether this
belongs in a stable update. That said, maybe there is no more correct
place for a fix for this issue to live?

Cheers,
Dominic.



Bug#900739: crashing in toke.c, keyword plugin pointer is left pointing to an XS module that's been unloaded

2018-06-03 Thread Tony Cook
The underlying cause appears to be that libm is referencing
_LIB_VERSION in libperl.

I suspect the Oracle client libraries have dlopen()ed a library that
depends on libm, and that isn't dlclosed() when mod_perl unloads
DBD::Oracle.

So the process that leads to the crash:

1) Apache starts its configuration check[1], loads mod_perl, which
implicitly loads libperl (with PL_keyword_plugin set to its default)

2) mod_perl runs the startup script, loading Syntax::Keyword::Try
(which points PL_keyword_plugin at its keyword handler) and
DBD::Oracle (which presumably dlopen()s a shared object that depends
on libm).

3) Apache unloads mod_perl, which unloads the shared objects for
Syntax::Keyword::Try and DBD::Oracle.

Since something still loaded depends on libm, and that depends on the
_LIB_VERSION symbol defined by libperl, libperl remains loaded.

PL_keyword_plugin now points to where the Syntax::Keyword::Try keyword
handler *used* to be.

4) Apache loads mod_perl again, and attempts to parse the perl startup
script.  Since PL_keyword_plugin points to unmapped memory, libperl
segfaults.

Without something else depending on libm, libperl would normally be
unloaded at step 3), and step 4) would reload libperl, with
PL_keyword_plugin pointing at the default keyword plugin function.

The patch incidentally prevents libm depending on the _LIB_VERSION
symbol in libperl, so libperl can unload when mod_perl unloads.

Tony

[1] https://wiki.apache.org/httpd/ModuleLife
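
Added example (not part of the thread, and not code from perl, mod_perl or Debian): a small reference-count model of the four steps in the analysis above, showing why PL_keyword_plugin is stale on the second load only while libm holds a reference on libperl. The enum names, struct and functions are hypothetical; only the object names and _LIB_VERSION come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: object names follow the message, the code is hypothetical. */
enum obj { LIBPERL, XS_KEYWORD, XS_DBD, LEAKED_LIB, LIBM, NOBJ };
struct loader {
    int refs[NOBJ];   /* 0 means the object is unmapped */
    enum obj hook;    /* object holding the code PL_keyword_plugin points at */
};

static void ref(struct loader *l, enum obj o) {
    /* A fresh mapping of libperl re-initialises its data, hook included. */
    if (o == LIBPERL && l->refs[o] == 0) l->hook = LIBPERL;
    l->refs[o]++;
}

/* Steps 1-2: load mod_perl (libperl), then run the startup script. */
static void load_mod_perl(struct loader *l, bool libm_binds_libperl) {
    ref(l, LIBPERL);
    ref(l, XS_KEYWORD);
    l->hook = XS_KEYWORD;             /* module installs its keyword handler */
    ref(l, XS_DBD);
    ref(l, LEAKED_LIB);               /* client library dlopen()s a libm user */
    ref(l, LIBM);
    if (libm_binds_libperl) ref(l, LIBPERL);  /* _LIB_VERSION found in libperl */
}

/* Step 3: mod_perl and the XS modules go; LEAKED_LIB is never dlclose()d. */
static void unload_mod_perl(struct loader *l) {
    l->refs[XS_KEYWORD]--;
    l->refs[XS_DBD]--;
    l->refs[LIBPERL]--;
}

/* Step 4: reload and report whether the hook points into an unmapped object. */
static bool second_load_crashes(bool libm_binds_libperl) {
    struct loader l = {0};
    load_mod_perl(&l, libm_binds_libperl);
    unload_mod_perl(&l);
    ref(&l, LIBPERL);
    return l.refs[LIBPERL] > 0 && l.refs[l.hook] == 0;
}

int main(void) {
    printf("libm bound to libperl: dangling=%d\n", second_load_crashes(true));
    printf("binding removed:       dangling=%d\n", second_load_crashes(false));
    return 0;
}
```

The second case corresponds to the state after the patch: libperl's count reaches zero at step 3, so the reload starts from the default keyword plugin.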