Assertion Failure: void S_mro_gather_and_rename (mro_core.c:1059) #15654

Open
p5pRT opened this issue Oct 13, 2016 · 4 comments

p5pRT commented Oct 13, 2016

Migrated from rt.perl.org#129868 (status was 'open')

Searchable as RT129868$

p5pRT commented Oct 13, 2016

From @geeknik

Triggered in Perl v5.25.6 (v5.25.5-76-g91dca83) with AFL+ASAN.

perl: mro_core.c:1059: void S_mro_gather_and_rename(HV *const, HV *const,
HV *, HV *, SV *): Assertion `!oldstash || ((((oldstash)->sv_flags &
0x02000000) && ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_name && ((struct
xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_count != -1) ? (( ((struct
xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_count > 0 ? ((struct
xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_names[0] : ((struct
xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_count < -1 ? ((struct
xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_names[1] : ((struct
xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_count == -1 ? ((void*)0) :
((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*)
(oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_name ))->hek_key :
((void*)0))' failed.
Aborted

With Valgrind and a non-ASAN Perl v5.25.6 (v5.25.5-76-g91dca83) we get a
segfault:

==10851== Invalid read of size 8
==10851== at 0x4EE82C: S_mro_gather_and_rename (mro_core.c:930)
==10851== by 0x4EF08C: S_mro_gather_and_rename (mro_core.c:1186)
==10851== by 0x4F0B7D: Perl_mro_package_moved (mro_core.c:851)
==10851== by 0x52EDB1: S_glob_assign_glob (sv.c:3981)
==10851== by 0x521F77: Perl_sv_setsv_flags (sv.c:4462)
==10851== by 0x5001B5: Perl_pp_sassign (pp_hot.c:226)
==10851== by 0x4D7131: Perl_runops_debug (dump.c:2246)
==10851== by 0x453146: S_run_body (perl.c:2526)
==10851== by 0x453146: perl_run (perl.c:2449)
==10851== by 0x421944: main (perlmain.c:123)
==10851== Address 0x5f82b10 is 32 bytes before a block of size 16 in arena "client"
==10851==
==10851== Invalid read of size 8
==10851== at 0x4EE844: S_mro_gather_and_rename (mro_core.c:932)
==10851== by 0x4EF08C: S_mro_gather_and_rename (mro_core.c:1186)
==10851== by 0x4F0B7D: Perl_mro_package_moved (mro_core.c:851)
==10851== by 0x52EDB1: S_glob_assign_glob (sv.c:3981)
==10851== by 0x521F77: Perl_sv_setsv_flags (sv.c:4462)
==10851== by 0x5001B5: Perl_pp_sassign (pp_hot.c:226)
==10851== by 0x4D7131: Perl_runops_debug (dump.c:2246)
==10851== by 0x453146: S_run_body (perl.c:2526)
==10851== by 0x453146: perl_run (perl.c:2449)
==10851== by 0x421944: main (perlmain.c:123)
==10851== Address 0x78 is not stack'd, malloc'd or (recently) free'd
==10851==
==10851==
==10851== Process terminating with default action of signal 11 (SIGSEGV)
==10851== Access not within mapped region at address 0x78
==10851== at 0x4EE844: S_mro_gather_and_rename (mro_core.c:932)
==10851== by 0x4EF08C: S_mro_gather_and_rename (mro_core.c:1186)
==10851== by 0x4F0B7D: Perl_mro_package_moved (mro_core.c:851)
==10851== by 0x52EDB1: S_glob_assign_glob (sv.c:3981)
==10851== by 0x521F77: Perl_sv_setsv_flags (sv.c:4462)
==10851== by 0x5001B5: Perl_pp_sassign (pp_hot.c:226)
==10851== by 0x4D7131: Perl_runops_debug (dump.c:2246)
==10851== by 0x453146: S_run_body (perl.c:2526)
==10851== by 0x453146: perl_run (perl.c:2449)
==10851== by 0x421944: main (perlmain.c:123)
==10851== If you believe this happened as a result of a stack
==10851== overflow in your program's main thread (unlikely but
==10851== possible), you can try to increase the size of the
==10851== main thread stack using the --main-stacksize= flag.
==10851== The main thread stack size used in this run was 8388608.
Segmentation fault

p5pRT commented Oct 13, 2016

From @geeknik

test120.gz

p5pRT commented Nov 14, 2016

From @hvds

Reduces to:

% ./miniperl -e '%: = *: = *:::::: = *x; *:::: = *::'
miniperl: mro_core.c:1059: S_mro_gather_and_rename: Assertion `!oldstash || ((((oldstash)->sv_flags & 0x02000000) && ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_name && ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_count != -1) ? (( ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_count > 0 ? ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_names[0] : ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_count < -1 ? ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_names[1] : ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_count == -1 ? ((void *)0) : ((struct xpvhv_aux*)&(((oldstash)->sv_u.svu_hash)[((XPVHV*) (oldstash)->sv_any)->xhv_max+1]))->xhv_name_u.xhvnameu_name ))->hek_key : ((void *)0))' failed.
Aborted (core dumped)
%

Using a simpler glob than *: gives a different segv, still in S_mro_gather_and_rename:
% ./miniperl -e '%y = *y = *:::::: = *x; *:::: = *::'
Segmentation fault (core dumped)
% gdb ./miniperl core
(gdb) where
#0 0x000000000056640b in S_mro_gather_and_rename (stashes=0x1340178,
  seen_stashes=0x13402e0, stash=0x133fff8, oldstash=0x13541e8,
  namesv=0x13536d8) at mro_core.c:932
#1 0x0000000000568092 in S_mro_gather_and_rename (stashes=0x1340178,
  seen_stashes=0x13402e0, stash=0x133fff8, oldstash=0x135f820,
  namesv=0x135f850) at mro_core.c:1186
#2 0x0000000000565ded in Perl_mro_package_moved (stash=0x133fff8,
  oldstash=0x135f820, gv=0x135f808, flags=0) at mro_core.c:851
#3 0x00000000005b9795 in S_glob_assign_glob (dstr=0x135f808, sstr=0x1340028,
  dtype=9) at sv.c:3977
#4 0x00000000005bee6d in Perl_sv_setsv_flags (dstr=0x135f808, sstr=0x1340028,
  flags=1538) at sv.c:4458
#5 0x0000000000582cc6 in Perl_pp_sassign () at pp_hot.c:226
#6 0x00000000005394f4 in Perl_runops_debug () at dump.c:2235
#7 0x0000000000445cb6 in S_run_body (oldscope=1) at perl.c:2526
#8 0x00000000004452a7 in perl_run (my_perl=0x133e010) at perl.c:2449
#9 0x000000000071e64a in main (argc=3, argv=0x7ffe724ffcb8,
  env=0x7ffe724ffcd8) at miniperlmain.c:129
(gdb)

While I'm sure the primary issue here is the same as all the similar previous ones, with multiple assignments into the same glob falling foul of the unrefcounted stack, I'm not sure why we need to refer to *:: in three different ways to trigger this particular case - that it makes a difference how many colon-pairs we supply seems like it may point to an additional problem.

Hugo
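
Added illustration, not part of the thread and not Perl source: a toy C model of the "unrefcounted stack" pattern named in the comment above, showing a pointer left on a stack going stale when the slot that owned the value is reassigned, next to the variant where the stack entry holds its own reference. All names (Val, Slot, slot_assign, stack_entry_survives) are hypothetical, and it does not reproduce the mro_core.c code path.

```c
#include <stdio.h>
/* Toy model, constructed for illustration (not Perl source). "Freeing"
 * only marks a pool slot dead, so the dangling case can be observed
 * without undefined behaviour. All names here are hypothetical. */
typedef struct { int refcnt; int alive; } Val;
typedef struct { Val *held; } Slot;   /* owns one reference to its value */

static Val pool[2];
static int pool_used;

static Val *val_new(void) {
    Val *v = &pool[pool_used++];
    v->refcnt = 1; v->alive = 1;
    return v;
}
static void val_inc(Val *v) { v->refcnt++; }
static void val_dec(Val *v) { if (--v->refcnt == 0) v->alive = 0; }

/* Assignment takes a reference to the new value and drops the old one. */
static void slot_assign(Slot *s, Val *nv) {
    Val *old = s->held;
    val_inc(nv);
    s->held = nv;
    if (old) val_dec(old);
}

/* Returns 1 if the stacked pointer is still live after the slot is reassigned. */
static int stack_entry_survives(int stack_holds_ref) {
    Slot slot = { 0 };
    Val *stack[1], *a, *b;
    int ok;
    pool_used = 0;
    a = val_new();
    slot_assign(&slot, a);
    val_dec(a);                       /* slot is now the only owner */
    stack[0] = slot.held;             /* borrowed pointer, no refcount taken */
    if (stack_holds_ref) val_inc(stack[0]);   /* hardened variant */
    b = val_new();
    slot_assign(&slot, b);            /* drops the slot's reference to a */
    val_dec(b);
    ok = stack[0]->alive;             /* real code would read freed memory here */
    if (stack_holds_ref) val_dec(stack[0]);
    return ok;
}

int main(void) {
    printf("borrowed: %d, counted: %d\n",
           stack_entry_survives(0), stack_entry_survives(1));
    return 0;
}
```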

p5pRT commented Nov 14, 2016

The RT System itself - Status changed from 'new' to 'open'
