From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL. The crash
doesn't happen on every execution, sometimes it just fails with
`Modification of a read-only value attempted at test403 line 1.`

od -tx1 test403
0000000 6d 61 70 24 5f 3d 20 24 24 5f 3d 24 5e 3c 24 30
0000020 2c 25 3a 3a 04 e5 30 30 30 30 30
0000033

./perl test403
ASAN​:SIGSEGV

==14592==ERROR​: AddressSanitizer​: SEGV on unknown address 0x000000000000
(pc 0x00000084485e bp 0x7ffd3c771e90 sp 0x7ffd3c771cc0 T0)
  #0 0x84485d in Perl_magic_set /root/perl/mg.c​:2850​:2
  #1 0x825575 in Perl_mg_set /root/perl/mg.c​:277​:6
  #2 0x8a56b9 in Perl_pp_sassign /root/perl/pp_hot.c​:226​:5
  #3 0x7f81fb in Perl_runops_debug /root/perl/dump.c​:2260​:23
  #4 0x5a0ab3 in S_run_body /root/perl/perl.c​:2526​:2
  #5 0x5a0ab3 in perl_run /root/perl/perl.c​:2449
  #6 0x4de6dd in main /root/perl/perlmain.c​:123​:9
  #7 0x7fe77bb1eb44 in __libc_start_main
/build/glibc-daoqzt/glibc-2.19/csu/libc-start.c​:287
  #8 0x4de34c in _start (/root/perl/perl+0x4de34c)

AddressSanitizer can not provide additional info.
SUMMARY​: AddressSanitizer​: SEGV /root/perl/mg.c​:2850 Perl_magic_set
==14592==ABORTING

From @geeknik

test403.gz

From @hvds

This reduces to​:
% ./miniperl -e '$​::{STDOUT} = $^; ${ $​::{"^"} } = undef'
Segmentation fault (core dumped)
%

At this point GvIOp(PL_defoutgv) is NULL. I've no idea what we should do with that, and various other cases of the same switch statement look to have similar assumptions.

Hugo

The RT System itself - Status changed from 'new' to 'open'

From @iabyn

On Mon, Dec 12, 2016 at 02​:45​:51AM -0800, Hugo van der Sanden via RT wrote​:

This reduces to​:
% ./miniperl -e '$​::{STDOUT} = $^; ${ $​::{"^"} } = undef'
Segmentation fault (core dumped)
%

It reduces even further to

  $​::{'STDOUT'} = 0;
  $^ = 'abc';

At this point GvIOp(PL_defoutgv) is NULL. I've no idea what we should do
with that, and various other cases of the same switch statement look to
have similar assumptions.

I think assigning to the various format vars should just silently
do nothing if there isn't a valid default IO handle.

--
The Enterprise's efficient long-range scanners detect a temporal vortex
distortion in good time, allowing it to be safely avoided via a minor
course correction.
  -- Things That Never Happen in "Star Trek" #21

From @Tux

On Mon, 12 Dec 2016 12​:03​:45 +0000, Dave Mitchell <davem@​iabyn.com>
wrote​:

On Mon, Dec 12, 2016 at 02​:45​:51AM -0800, Hugo van der Sanden via RT wrote​:

This reduces to​:
% ./miniperl -e '$​::{STDOUT} = $^; ${ $​::{"^"} } = undef'
Segmentation fault (core dumped)
%

It reduces even further to

$​::\{'STDOUT'\} = 0;
$^ = 'abc';

At this point GvIOp(PL_defoutgv) is NULL. I've no idea what we should do
with that, and various other cases of the same switch statement look to
have similar assumptions.

I think assigning to the various format vars should just silently
do nothing if there isn't a valid default IO handle.

Agree, but

default → current

select $fh;

would make $^, $=, $- work on $fh

The only way out is a lot of work​: currently most of the format-related
globals are what it says​: global. They ideally should be scoped to
a/the file-handle they belong to.

$= and $- are the worst of these. It is very easy to make $- report
wrong values.

--
H.Merijn Brand http​://tux.nl Perl Monger http​://amsterdam.pm.org/
using perl5.00307 .. 5.25 porting perl5 on HP-UX, AIX, and openSUSE
http​://mirrors.develooper.com/hpux/ http​://www.test-smoke.org/
http​://qa.perl.org http​://www.goldmark.org/jeff/stupid-disclaimers/