Memory leak for signature with unnamed parameter and empty default #23187

Closed
tonycoz opened this issue Apr 10, 2025 · 3 comments · Fixed by #23203

tonycoz commented Apr 10, 2025

New UI bit me.

Module:

Description

Parsing a signature with an unnamed scalar parameter with an empty default leaks memory.

Steps to Reproduce

$ PERL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full --show-leak-kinds=all ./perl -e 'use v5.40; sub t027 ($ = ) {  }'
==3732174== 56 bytes in 1 blocks are indirectly lost in loss record 1 of 3
==3732174==    at 0x48465EF: calloc (vg_replace_malloc.c:1328)
==3732174==    by 0x15652B: S_link_freed_op (op.c:303)
==3732174==    by 0x156FB7: Perl_Slab_Free (op.c:526)
==3732174==    by 0x1585DF: Perl_op_free (op.c:1020)
==3732174==    by 0x256579: Perl_cv_undef_flags (pad.c:342)
==3732174==    by 0x255F28: Perl_cv_undef (pad.c:300)
==3732174==    by 0x475F50: Perl_sv_clear (sv.c:6838)
==3732174==    by 0x478F5D: Perl_sv_free2 (sv.c:7359)
==3732174==    by 0x43E0B3: Perl_SvREFCNT_dec_NN (sv_inline.h:719)
==3732174==    by 0x44142B: do_clean_all (sv.c:577)
==3732174==    by 0x43FA18: S_visit (sv.c:394)
==3732174==    by 0x44145C: Perl_sv_clean_all (sv.c:595)
==3732174== 
==3732174== 608 (552 direct, 56 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 3
==3732174==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3732174==    by 0x156323: S_new_slab (op.c:273)
==3732174==    by 0x15674C: Perl_Slab_Alloc (op.c:365)
==3732174==    by 0x167D48: Perl_newOP (op.c:5818)
==3732174==    by 0x27B7AB: Perl_yyparse (perly.y:862)
==3732174==    by 0x19CC41: S_parse_body (perl.c:2690)
==3732174==    by 0x19A945: perl_parse (perl.c:1932)
==3732174==    by 0x15110D: main (perlmain.c:106)

First detected by smoke testing, report, extraction from log:

=================================================================
==3710777==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 1064 byte(s) in 1 object(s) allocated from:
    #0 0x0000004a1a53 in ___interceptor_malloc ??:?
    #1 0x0000004a1a53 in ?? ??:0
    #2 0x0000004e40fd in S_new_slab /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:273
    #3 0x0000004e40fd in ?? ??:0
    #4 0x0000004e3a5a in Perl_Slab_Alloc /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:422
    #5 0x0000004e3a5a in ?? ??:0
    #6 0x000000507360 in Perl_newSTATEOP /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:8911
    #7 0x000000507360 in ?? ??:0
    #8 0x00000054e07d in Perl_subsignature_finish /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:16666
    #9 0x00000054e07d in ?? ??:0
    #10 0x0000006983ae in Perl_yyparse /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perly.y:918
    #11 0x0000006983ae in ?? ??:0
    #12 0x0000007510f2 in S_try_yyparse /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_ctl.c:3968
    #13 0x0000007510f2 in ?? ??:0
    #14 0x00000073db11 in S_doeval_compile /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_ctl.c:4205
    #15 0x00000073db11 in ?? ??:0
    #16 0x00000073b67f in Perl_pp_entereval /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_ctl.c:5482
    #17 0x00000073b67f in ?? ??:0
    #18 0x0000005bd687 in Perl_runops_debug /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/dump.c:3003
    #19 0x0000005bd687 in ?? ??:0
    #20 0x000000564eb5 in S_run_body /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perl.c:?
    #21 0x000000564eb5 in ?? ??:0
    #22 0x00000056495b in perl_run /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perl.c:2798
    #23 0x00000056495b in ?? ??:0
    #24 0x0000004e339e in main /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perlmain.c:127
    #25 0x0000004e339e in ?? ??:0
    #26 0x7f0571b65247 in __libc_start_call_main ??:?
    #27 0x7f0571b65247 in ?? ??:0
    #28 0x7f0571b6530a in __libc_start_main_alias_2 :?
    #29 0x7f0571b6530a in ?? ??:0
    #30 0x000000401c24 in _start ??:?
    #31 0x000000401c24 in ?? ??:0

Indirect leak of 552 byte(s) in 1 object(s) allocated from:
    #0 0x0000004a1a53 in ___interceptor_malloc ??:?
    #1 0x0000004a1a53 in ?? ??:0
    #2 0x0000004e40fd in S_new_slab /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:273
    #3 0x0000004e40fd in ?? ??:0
    #4 0x0000004e37cd in Perl_Slab_Alloc /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:365
    #5 0x0000004e37cd in ?? ??:0
    #6 0x00000050ccbf in Perl_newUNOP_AUX /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:5905
    #7 0x00000050ccbf in ?? ??:0
    #8 0x0000009caec6 in Perl_yylex /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/toke.c:9990
    #9 0x0000009caec6 in ?? ??:0
    #10 0x000000692907 in Perl_yyparse /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perly.c:357
    #11 0x000000692907 in ?? ??:0
    #12 0x0000007510f2 in S_try_yyparse /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_ctl.c:3968
    #13 0x0000007510f2 in ?? ??:0
    #14 0x00000073db11 in S_doeval_compile /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_ctl.c:4205
    #15 0x00000073db11 in ?? ??:0
    #16 0x00000073b67f in Perl_pp_entereval /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_ctl.c:5482
    #17 0x00000073b67f in ?? ??:0
    #18 0x0000005bd687 in Perl_runops_debug /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/dump.c:3003
    #19 0x0000005bd687 in ?? ??:0
    #20 0x000000564eb5 in S_run_body /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perl.c:?
    #21 0x000000564eb5 in ?? ??:0
    #22 0x00000056495b in perl_run /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perl.c:2798
    #23 0x00000056495b in ?? ??:0
    #24 0x0000004e339e in main /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perlmain.c:127
    #25 0x0000004e339e in ?? ??:0
    #26 0x7f0571b65247 in __libc_start_call_main ??:?
    #27 0x7f0571b65247 in ?? ??:0
    #28 0x7f0571b6530a in __libc_start_main_alias_2 :?
    #29 0x7f0571b6530a in ?? ??:0
    #30 0x000000401c24 in _start ??:?
    #31 0x000000401c24 in ?? ??:0

Indirect leak of 56 byte(s) in 1 object(s) allocated from:
    #0 0x0000004a1e70 in ___interceptor_realloc ??:?
    #1 0x0000004a1e70 in ?? ??:0
    #2 0x0000004e46cd in S_link_freed_op /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:314
    #3 0x0000004e46cd in ?? ??:0
    #4 0x0000004e4a00 in Perl_Slab_Free /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:526
    #5 0x0000004e4a00 in ?? ??:0
    #6 0x0000004e5d9f in Perl_op_free /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/op.c:1020
    #7 0x0000004e5d9f in ?? ??:0
    #8 0x00000064f26d in Perl_cv_undef_flags /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pad.c:342
    #9 0x00000064f26d in ?? ??:0
    #10 0x000000979442 in Perl_sv_clear /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/sv.c:6838
    #11 0x000000979442 in ?? ??:0
    #12 0x00000097e0c1 in Perl_sv_free2 /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/sv.c:7359
    #13 0x00000097e0c1 in ?? ??:0
    #14 0x00000064f8dc in Perl_cv_undef_flags /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/./sv_inline.h:719
    #15 0x00000064f8dc in ?? ??:0
    #16 0x000000979442 in Perl_sv_clear /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/sv.c:6838
    #17 0x000000979442 in ?? ??:0
    #18 0x00000097e0c1 in Perl_sv_free2 /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/sv.c:7359
    #19 0x00000097e0c1 in ?? ??:0
    #20 0x00000092a80a in Perl_leave_scope /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/scope.c:1448
    #21 0x00000092a80a in ?? ??:0
    #22 0x000000757c8f in Perl_pp_unstack /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/pp_hot.c:530
    #23 0x000000757c8f in ?? ??:0
    #24 0x0000005bd687 in Perl_runops_debug /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/dump.c:3003
    #25 0x0000005bd687 in ?? ??:0
    #26 0x000000564eb5 in S_run_body /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perl.c:?
    #27 0x000000564eb5 in ?? ??:0
    #28 0x00000056495b in perl_run /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perl.c:2798
    #29 0x00000056495b in ?? ??:0
    #30 0x0000004e339e in main /home/perl/smoke/perl/blead_clang_quick_sanitize=address/build/perlmain.c:127
    #31 0x0000004e339e in ?? ??:0
    #32 0x7f0571b65247 in __libc_start_call_main ??:?
    #33 0x7f0571b65247 in ?? ??:0
    #34 0x7f0571b6530a in __libc_start_main_alias_2 :?
    #35 0x7f0571b6530a in ?? ??:0
    #36 0x000000401c24 in _start ??:?
    #37 0x000000401c24 in ?? ??:0

SUMMARY: AddressSanitizer: 1672 byte(s) leaked in 3 allocation(s).

Long term log link https://perl.develop-help.com/dblog/5512055

Expected behavior
No leak.

Perl configuration

Summary of my perl5 (revision 5 version 41 subversion 11) configuration:
  Derived from: 3862d0fe942275854fcb426fb7d8471bd72af1e4
  Platform:
    osname=linux
    osvers=6.1.0-31-amd64
    archname=x86_64-linux
    uname='linux venus 6.1.0-31-amd64 #1 smp preempt_dynamic debian 6.1.128-1 (2025-02-07) x86_64 gnulinux '
    config_args='-des -Dusedevel -Accflags=-fno-omit-frame-pointer -fno-common -Doptimize=-O0 -g -DDEBUGGING'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
  Compiler:
    cc='cc'
    ccflags ='-fno-omit-frame-pointer -fno-common -fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g'
    cppflags='-fno-omit-frame-pointer -fno-common -fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='12.2.0'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/x86_64-linux-gnu /usr/lib /usr/lib64
    libs=-lpthread -lgdbm -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
    perllibs=-lpthread -ldl -lm -lcrypt -lutil -lc
    libc=/lib/x86_64-linux-gnu/libc.so.6
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.36'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl): 
  Compile-time options:
    DEBUGGING
    HAS_LONG_DOUBLE
    HAS_STRTOLD
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_SIPHASH13
    PERL_HASH_USE_SBOX32
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_DEVEL
    PERL_USE_SAFE_PUTENV
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Locally applied patches:
    uncommitted-changes
  Built under linux
  Compiled at Apr 10 2025 11:21:18
  %ENV:
    PERLBREW_BASHRC_VERSION="0.43"
    PERLBREW_HOME="/home/tony/.perlbrew"
    PERLBREW_MANPATH=""
    PERLBREW_PATH="/home/tony/perl5/perlbrew/bin"
    PERLBREW_ROOT="/home/tony/perl5/perlbrew"
    PERLBREW_VERSION="0.67"
  @INC:
    lib
    /usr/local/lib/perl5/site_perl/5.41.11/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.41.11
    /usr/local/lib/perl5/5.41.11/x86_64-linux
    /usr/local/lib/perl5/5.41.11

tonycoz commented Apr 10, 2025

From what I can tell it's the OP from:

perl5/perly.y

Lines 860 to 864 in 3862d0f

    | PERLY_DOLLAR sigvarname ASSIGNOP
        {
            subsignature_append_positional($sigvarname, $ASSIGNOP, newOP(OP_NULL, 0));
            $$ = NULL;
        }

tonycoz added a commit to tonycoz/perl5 that referenced this issue Apr 10, 2025

jkeenan commented Apr 10, 2025

The last leakage reported above goes back a long ways.

$ PERL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full --show-leak-kinds=all ./perl -e 'use v5.10.0; sub t027 ($ = ) {  }'
==258102== 5,816 bytes in 1 blocks are still reachable in loss record 1 of 1
==258102==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==258102==    by 0x178891: perl_parse (in /home/jkeenan/gitwork/perl2/perl)
==258102==    by 0x14D5BF: main (in /home/jkeenan/gitwork/perl2/perl)
==258102== 
...
$ PERL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full --show-leak-kinds=all ./perl -e 'use v5.34; sub t027 ($ = ) {  }'
==258064== 5,816 bytes in 1 blocks are still reachable in loss record 1 of 1
==258064==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==258064==    by 0x178891: perl_parse (in /home/jkeenan/gitwork/perl2/perl)
==258064==    by 0x14D5BF: main (in /home/jkeenan/gitwork/perl2/perl)
==258064== 

It's with 5.36 that a lot more leakage appears:

$ PERL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full --show-leak-kinds=all ./perl -e 'use v5.36; sub t027 ($ = ) {  }'
==258066== 56 bytes in 1 blocks are indirectly lost in loss record 1 of 3
==258066==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==258066==    by 0x14ECDB: S_link_freed_op.isra.0 (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x14FA42: Perl_Slab_Free (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x15084F: Perl_op_free.part.0 (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x1C2336: Perl_cv_undef_flags (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x293769: Perl_sv_clear (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x292103: Perl_sv_free2 (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x2922C7: Perl_sv_clean_all (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x175129: perl_destruct (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x14D64B: main (in /home/jkeenan/gitwork/perl2/perl)
==258066== 
==258066== 608 (552 direct, 56 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 3
==258066==    at 0x484D953: calloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==258066==    by 0x14F961: Perl_Slab_Alloc (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x155D9F: Perl_newOP (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x1D2BE2: Perl_yyparse (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x1783C6: perl_parse (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x14D5BF: main (in /home/jkeenan/gitwork/perl2/perl)
==258066== 
==258066== 5,816 bytes in 1 blocks are still reachable in loss record 3 of 3
==258066==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==258066==    by 0x178891: perl_parse (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x14D5BF: main (in /home/jkeenan/gitwork/perl2/perl)
==258066== 


tonycoz commented Apr 14, 2025

==258066== 5,816 bytes in 1 blocks are still reachable in loss record 3 of 3
==258066==    at 0x4846828: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==258066==    by 0x178891: perl_parse (in /home/jkeenan/gitwork/perl2/perl)
==258066==    by 0x14D5BF: main (in /home/jkeenan/gitwork/perl2/perl)

Without symbols it's difficult to tell; with symbols:

$ PERL_DESTRUCT_LEVEL=2 valgrind -q --leak-check=full --show-leak-kinds=all ./perl -e0
==3979405== 1,798 bytes in 1 blocks are still reachable in loss record 1 of 1
==3979405==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==3979405==    by 0x199F54: dup_environ (perl.c:1690)
==3979405==    by 0x19A4B3: perl_parse (perl.c:1878)
==3979405==    by 0x15110D: main (perlmain.c:106)
==3979405== 

It's from a call to dup_environ() added in b95d233 and unrelated to this issue.
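
An added example, not code from this thread or from the perl5 repository: it parses valgrind memcheck loss records like the ones quoted above, separates lost blocks from still-reachable ones, and attributes each to the first frame outside the allocator. The `WRAPPERS` set and all function names here are assumptions; `SAMPLE` is constructed by abridging the records quoted in the comments.

```python
import re
from collections import defaultdict
# Constructed sample: records abridged from the valgrind outputs quoted in the thread.
SAMPLE = """\
==1== 56 bytes in 1 blocks are indirectly lost in loss record 1 of 3
==1==    at 0x48465EF: calloc (vg_replace_malloc.c:1328)
==1==    by 0x15652B: S_link_freed_op (op.c:303)
==1==
==1== 608 (552 direct, 56 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 3
==1==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==1==    by 0x15674C: Perl_Slab_Alloc (op.c:365)
==1==    by 0x167D48: Perl_newOP (op.c:5818)
==1==    by 0x27B7AB: Perl_yyparse (perly.y:862)
==1==
==1== 1,798 bytes in 1 blocks are still reachable in loss record 3 of 3
==1==    at 0x48417B4: malloc (vg_replace_malloc.c:381)
==1==    by 0x199F54: dup_environ (perl.c:1690)
"""

RECORD_RE = re.compile(
    r"^==\d+==\s+([\d,]+) (?:\(([\d,]+) direct, [\d,]+ indirect\) )?bytes in "
    r"[\d,]+ blocks are (definitely lost|indirectly lost|possibly lost|still reachable)")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+) \((.*)\)")

# Assumption: frames that only allocate on behalf of a caller and do not own the block.
WRAPPERS = {"malloc", "calloc", "realloc", "S_new_slab", "Perl_Slab_Alloc", "Perl_newOP"}

def parse_records(log):
    """One dict per loss record: kind, bytes (direct part only), frames."""
    records = []
    for line in log.splitlines():
        rec, frame = RECORD_RE.match(line), FRAME_RE.match(line)
        if rec:
            # Use the direct size so indirect bytes are not counted twice.
            size = (rec.group(2) or rec.group(1)).replace(",", "")
            records.append({"kind": rec.group(3), "bytes": int(size), "frames": []})
        elif frame and records:
            records[-1]["frames"].append(frame.groups())
    return records

def origin(record):
    """First frame outside the allocator wrappers, as 'function (location)'."""
    for func, where in record["frames"]:
        if func not in WRAPPERS:
            return f"{func} ({where})"
    return "unknown"

def triage(log):
    """Bytes per origin, split into real leaks and still-reachable blocks."""
    out = {"leak": defaultdict(int), "reachable": defaultdict(int)}
    for rec in parse_records(log):
        bucket = "reachable" if rec["kind"] == "still reachable" else "leak"
        out[bucket][origin(rec)] += rec["bytes"]
    return {name: dict(totals) for name, totals in out.items()}
```

On the sample, the definitely-lost block is attributed to `perly.y:862`, inside the grammar rule quoted earlier, while the `dup_environ` block lands in the still-reachable bucket.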
