Avoid a double free with CORE->lc

The code for autovivifying coresubs for method calls ended up calling
hv_store(stash,name,len,(SV *)gv,0) where gv is already in the stash
under that entry.  Since hv_store takes ownership of one reference
count and decrements that of what it overwrites (which is the same gv
in this case), it ends up freeing the gv prematurely.

It ended up making that call because S_maybe_add_coresub needs the
stash to get its ENAME (which happens when called by gv_fetchmeth),
but it also assumed that the presence of the stash meant the gv
needed to be stored in it (as is the case with the other caller,
gv_fetchpvn_flags).

This patch reuses the fullen (full length) parameter as a flag to
indicate that that hv_store call should be skipped.

These workarounds for the assumptions that newATTRSUB makes are start-
ing to make inlining look very attractive....

diff --git a/gv.c b/gv.c
index 4ba2c79..19059bc 100644 (file)
--- a/gv.c
+++ b/gv.c
@@ -458,7 +458,8 @@ S_maybe_add_coresub(pTHX_ HV * const stash, GV *gv,
            it this order as we need an op number before calling
            new ATTRSUB. */
     (void)core_prototype((SV *)cv, name, code, &opnum);
-    if (stash) (void)hv_store(stash,name,len,(SV *)gv,0);
+    if (stash && (fullname || !fullen))
+       (void)hv_store(stash,name,len,(SV *)gv,0);
     if (ampable) {
        SV *tmpstr;
        CvLVALUE_on(cv);
@@ -584,7 +585,7 @@ Perl_gv_fetchmeth(pTHX_ HV *stash, const char *name, STRLEN len, I32 level)
         }
        else if (len > 1 /* shortest is uc */ && HvNAMELEN_get(stash) == 4
               && strnEQ(hvname, "CORE", 4)
-              && S_maybe_add_coresub(aTHX_ stash,topgv,name,len,0,0))
+              && S_maybe_add_coresub(aTHX_ stash,topgv,name,len,0,1))
            goto have_gv;
     }