develooper Front page | perl.inline | Postings from August 2001

Intro to debugging: segfault in newSVpv!

From: Inline Reader
Date: August 14, 2001 15:10
Subject: Intro to debugging: segfault in newSVpv!
Message ID: F223YIcVqeavxhgueNg00008cc0@hotmail.com

Greetings! I appear to have a challenging detective task at hand. Interested 
parties can try out the gdb/perl -d trick to help me out.

My Text::Scan module has, after working flawlessly for over a month, 
manifested a segmentation fault that appears to come out of nowhere. It 
happens during a newSVpv operation to create one of the return values out of 
a C string.

The baffling thing about it is that the string it is copying is simply the 
same string it copied several times before, it being in the same memory 
location. What the module does is locate all the occurrences in a text (perl 
string) of any of the keys that have been entered. Thus it will return 
either a hash of unique keys found or a list of every one found (possibly 
including duplicates).

The data structure is based on Bentley + Sedgewick's ternary tree code. As 
the keys are found in the text, an array of pointers to them is incremented, 
after which all the pointers are used to provide return values via the 
stack, after creation of a perl scalar for each of them. Thus many keys are 
often converted more than once, as the pointers may point to the same memory 
location. (I know what you're thinking. Not so fast! free() is not called 
anytime before the function exits!)

I've spent a full day on this. With the hope of getting you interested, I've 
made a special debugging version of Text::Scan available on CPAN at 
http://www.cpan.org/modules/by-module/Text/IWOODHEAD/Text-Scan-0.04debug.tar.gz

After running make test you can observe the last test in t/57_breakme.t 
segfault, and if you're into it you can try the debugging trick of using gdb 
to run perl, like this: (first cp _Inline/build/Text/Scan/Scan.xs .)

gdb perl
(no debugging symbols found)...
(gdb) run -Iblib/arch -Iblib/lib -I/usr/lib/perl5/5.6.0/i386-linux 
-I/usr/lib/perl5/5.6.0 -d t/57_breakme.t

Starting program: /usr/local/bin/perl -Iblib/arch -Iblib/lib 
-I/usr/lib/perl5/5.6.0/i386-linux -I/usr/lib/perl5/5.6.0 -d t/57_breakme.t
Default die handler restored.

Loading DB routines from perl5db.pl version 1.07
Editor support available.

Enter h or `h h' for help, or `man perldebug' for more help.

1..1
Inline::CODE(0x83bc59c)((eval 
2)[/usr/lib/perl5/site_perl/5.6.0/Inline.pm:180]:4):
4:          $INIT++;
  DB<1> n
Inline::CODE(0x83bc59c)((eval 
2)[/usr/lib/perl5/site_perl/5.6.0/Inline.pm:180]:5):
5:          &init;
  DB<1> n
main::(t/57_breakme.t:9):       $ref = new Text::Scan;
  DB<1> (CTRL-C)

Program received signal SIGINT, Interrupt.
0x40091801 in __kill () from /lib/i686/libc.so.6
(gdb) break scan
Breakpoint 1 at 0x40201a17: file Scan.xs, line 309.
(gdb) c
Continuing.
  DB<1> c
c

Breakpoint 1, scan (obj=0x83a6e84,
    s=0x854cd18 "doc      fbis3 20900         jpest005___94017         jprs 
est
94 005   document type jprs   document title science  amp  technology       
europe international economic competitiveness      3 march 19"...) at 
Scan.xs:309
warning: Source file is more recent than executable.

309             Tobj* pTernary = (Tobj*)SvIV(SvRV(obj));
(gdb)




...you get the idea. It's fun!

Additionally here is a stack backtrace:
(gdb) backtrace
#0  chunk_alloc (ar_ptr=0x4018cf00, nb=1016) at malloc.c:2979
#1  0x400e313a in __libc_malloc (bytes=1008) at malloc.c:2714
#2  0x0808c408 in Perl_safemalloc () at eval.c:41
#3  0x0809e95d in Perl_sv_add_arena () at eval.c:41
#4  0x080a5685 in Perl_newSVpv () at eval.c:41
#5  0x40201ac6 in scan (obj=0x83a6e84,
    s=0x854e498 "doc      fbis3 20900         jpest005___94017         jprs 
est
94 005   document type jprs   document title science  amp  technology       
europe international economic competitiveness      3 march 19"...) at 
Scan.xs:319
#6  0x4020224d in XS_Text__Scan_scan (cv=0x854266c) at Scan.xs:395
#7  0x0809dd2c in Perl_pp_entersub () at eval.c:41
#8  0x08098658 in Perl_runops_standard () at eval.c:41
#9  0x0805bfba in perl_run () at eval.c:41
#10 0x0805bd2b in perl_run () at eval.c:41
#11 0x08059a21 in main () at eval.c:41
#12 0x40080177 in __libc_start_main (main=0x80599b0 <main>, argc=7,
    ubp_av=0xbffff98c, init=0x8058b80 <_init>, fini=0x80df83c <_fini>,
    rtld_fini=0x4000e184 <_dl_fini>, stack_end=0xbffff97c)
    at ../sysdeps/generic/libc-start.c:129


...showing that the segfault occurs during Perl_safemalloc. Wow!
...Any clues appreciated!

Regards,
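
The result-collection step described in the post (pointers to matched keys gathered in an array, then converted one by one), as an added example that is not part of the original post and is not Text::Scan's code; every name, the sample keys and the sample text are constructed, and the match semantics are an assumption. The capacity check before each store is the point: a write past the end of a heap array can damage allocator bookkeeping and crash a later, unrelated malloc call.

```c
#include <stdio.h>
#include <stdlib.h>
typedef struct Node { char c; struct Node *lo, *eq, *hi; const char *key; } Node;
typedef struct { const char **v; size_t n, cap; } Matches;
/* Ternary-tree insert; the terminal node keeps a pointer to the stored key. */
static Node *insert(Node *n, const char *s, const char *key) {
    if (!n) { n = calloc(1, sizeof *n); if (!n) abort(); n->c = *s; }
    if (*s < n->c)      n->lo = insert(n->lo, s, key);
    else if (*s > n->c) n->hi = insert(n->hi, s, key);
    else if (s[1])      n->eq = insert(n->eq, s + 1, key);
    else                n->key = key;
    return n;
}

/* Append one match pointer, growing the array before the store can overflow. */
static void push(Matches *m, const char *key) {
    if (m->n == m->cap) {
        m->cap = m->cap ? m->cap * 2 : 4;
        m->v = realloc(m->v, m->cap * sizeof *m->v);
        if (!m->v) abort();
    }
    m->v[m->n++] = key;
}

/* Record every key that starts at each offset of text (assumed semantics). */
static void scan(const Node *root, const char *text, Matches *m) {
    for (const char *start = text; *start; start++) {
        const Node *n = root;
        for (const char *p = start; n && *p; ) {
            if (*p < n->c)      n = n->lo;
            else if (*p > n->c) n = n->hi;
            else { if (n->key) push(m, n->key); p++; n = n->eq; }
        }
    }
}

static const char *KEYS[] = { "cat", "car", "at" };  /* constructed sample keys */
static Matches demo(void) {
    Node *root = NULL;
    Matches m = { NULL, 0, 0 };
    for (size_t i = 0; i < 3; i++) root = insert(root, KEYS[i], KEYS[i]);
    scan(root, "cat at car cat", &m);                 /* constructed sample text */
    return m;                        /* tree nodes are reclaimed at process exit */
}
int main(void) {
    Matches m = demo();
    for (size_t i = 0; i < m.n; i++) printf("%p %s\n", (void *)m.v[i], m.v[i]);
    free(m.v);
    return 0;
}
```

Repeated keys print the same address, which is the "same memory location" behaviour the post describes; the array grows from 4 to 8 slots on the fifth match.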


