On Sat, Jul 30, 2005 at 12:27:43AM -0400, John E. Malmberg wrote:
> The address 10439704 was already a part of the structure that
> Perl_hv_iternext_flags() had pointed a variable named iter at.
>
> DBG> exam *iter
> *HV\Perl_hv_iternext_flags\iter
>     xhv_name:  1162633044
>     xhv_eiter: 4998486
>     xhv_riter: -256
> DBG> eval/addr iter->xhv_riter
> 10439704
>
> It appears to me that one of these structures was not allocated large
> enough for the data that is being put in it. As the xpvhv_aux structure
> is a fixed size structure, my suspicion is that the problem is the above
> code somewhere since this is where the HEK struct is allocated just
> before *iter got corrupted.
However the xpvhv_aux structure is allocated by extending the HV's array of linked list heads, and using space after it. So there is the possibility that there is a code path where the extending realloc() didn't take place, and the memory is being used out-of-bounds.

What is the value of sv_flags in the hash? (struct hv, defined in sv.h, typedef'd to HV) Specifically is bit 0x00200000 set? It should be, where xpvhv_aux is in use (See the comment near SVf_OOK in sv.h)

I'm about to set off to the US for OSCON, so I'm unlikely to be in a position to read mail, let alone respond to it, for over 24 hours. (travel + sleep)

Nicholas Clark
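The layout Nicholas describes (a fixed-size aux block living in memory just past the array of bucket heads, with a flag bit recording that the array was extended to make room) is easier to reason about with a small model. The following C program is an added illustration for this thread and is not Perl's own code: the struct names, the `MODEL_OOK` bit, and the helper functions are all hypothetical stand-ins for HV, xpvhv_aux and SVf_OOK. It shows the extending realloc() that must happen before the aux block is used, an accessor that refuses to return the block unless the flag is set, and the bounds check that corresponds to the question asked in the mail.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not Perl's own code: a deliberately simplified model of
 * the layout described in the mail. A fixed-size aux block is placed directly
 * after the array of bucket heads, and a flag bit (standing in for SVf_OOK)
 * records that the array was extended to make room for it. All names and the
 * MODEL_OOK value are hypothetical. */
#define MODEL_OOK 0x00200000u

struct bucket { struct bucket *next; int key; };

/* Stand-in for xpvhv_aux: fixed size, lives past the last bucket head. */
struct aux { long riter; struct bucket *eiter; const char *name; };

struct hash {
    unsigned flags;          /* stand-in for sv_flags */
    size_t max;              /* highest bucket index: array holds max + 1 heads */
    struct bucket **array;   /* bucket heads; aux follows array[max] when flagged */
    size_t alloc_bytes;      /* bytes actually allocated behind array */
};

static size_t array_bytes(size_t max) { return (max + 1) * sizeof(struct bucket *); }

struct hash *hash_new(size_t max) {
    struct hash *h = calloc(1, sizeof *h);
    if (!h) return NULL;
    h->max = max;
    h->alloc_bytes = array_bytes(max);
    h->array = calloc(1, h->alloc_bytes);
    if (!h->array) { free(h); return NULL; }
    return h;
}

/* The step the mail suspects is skipped on some code path: grow the array so
 * the aux block fits after it, then set the flag. Returns 1 on success. */
int hash_add_aux(struct hash *h) {
    size_t need = array_bytes(h->max) + sizeof(struct aux);
    struct bucket **p = realloc(h->array, need);
    if (!p) return 0;
    h->array = p;
    memset((char *)h->array + array_bytes(h->max), 0, sizeof(struct aux));
    h->alloc_bytes = need;
    h->flags |= MODEL_OOK;
    return 1;
}

/* Safe accessor: only hand out aux when the flag says the space was reserved.
 * Returning NULL here is what stops a write from landing out of bounds. */
struct aux *hash_aux(const struct hash *h) {
    if (!(h->flags & MODEL_OOK)) return NULL;
    return (struct aux *)&h->array[h->max + 1];
}

/* The check the mail asks for, as a function: is the flag set, and does the
 * allocation really extend far enough to hold the aux block? */
int hash_aux_in_bounds(const struct hash *h) {
    return (h->flags & MODEL_OOK) != 0 &&
           array_bytes(h->max) + sizeof(struct aux) <= h->alloc_bytes;
}

void hash_free(struct hash *h) { if (h) { free(h->array); free(h); } }

int main(void) {
    struct hash *h = hash_new(7);
    if (!h) return 1;
    printf("before add_aux: flag=%d in_bounds=%d\n",
           (h->flags & MODEL_OOK) != 0, hash_aux_in_bounds(h));
    if (!hash_add_aux(h)) { hash_free(h); return 1; }
    hash_aux(h)->riter = -1;
    printf("after add_aux:  flag=%d in_bounds=%d riter=%ld\n",
           (h->flags & MODEL_OOK) != 0, hash_aux_in_bounds(h), hash_aux(h)->riter);
    hash_free(h);
    return 0;
}
```

In a debugger session like the one quoted above, the equivalent of `hash_aux_in_bounds()` is the question Nicholas poses: read the flags word of the hash and confirm the 0x00200000 bit is set before trusting anything read through the aux pointer. If the bit is clear while iteration state is being written, the write is going past the end of the bucket array, which matches the corruption of `*iter` seen in the trace.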