[perl #93320] localising @DB::args leads to coredump

This script, from the RT ticket, crashes:

#!/usr/bin/perl
sub cl{
    package DB;
    @DB::args = ();
    return caller(shift);
}

sub f{
    local @DB::args;
    my @z = cl($_) for (1..3);
}

f(1,2,3); f(1,2,3);
__END__

PL_dbargs is not refcounted, and it’s not set until pp_caller first
tries to write to it.  If that happens when @DB::args is localised,
then the array will be freed on scope exit, leaving PL_dbargs pointing
to a freed SV.

This crash can be reproduced more simply this way:

sub {
  package DB;
  ()=caller(0);
  undef *DB::args;
  ()=caller(0);
}->();

So, basically, pp_caller has to re-fetch PL_dbargs from the %DB::
stash each time it sets it.  It cannot rely on the cached value.

(So now I’m wondering whether we even need PL_dbargs.)

1 files changed, 10 insertions, 1 deletions

diff --git a/t/op/caller.t b/t/op/caller.t
index d77088e611..4fcc8513f7 100644
--- a/t/op/caller.t
+++ b/t/op/caller.t
@@ -5,7 +5,7 @@ BEGIN {
     chdir 't' if -d 't';
     @INC = '../lib';
     require './test.pl';
-    plan( tests => 82 );
+    plan( tests => 83 );
 }
 
 my @c;
@@ -225,6 +225,15 @@ EOP
     ::is $gone, 1, 'caller does not leak @DB::args elems when AvREAL';
 }
 
+# And this crashed [perl #93320]:
+sub {
+  package DB;
+  ()=caller(0);
+  undef *DB::args;
+  ()=caller(0);
+}->();
+pass 'No crash when @DB::args is freed between caller calls';
+
 $::testing_caller = 1;
 
 do './op/caller.pl' or die $@;