
op.c:14389: Perl_rpeep: Assertion `(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER' failed #15823

Closed
p5pRT opened this issue Jan 22, 2017 · 6 comments

Comments


p5pRT commented Jan 22, 2017

Migrated from rt.perl.org#130617 (status was 'resolved')

Searchable as RT130617$


p5pRT commented Jan 22, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
under libdislocator, I found the following program

}my;0=sort{i d&0}0

to cause an assertion failure, even when run under -c for a syntax
check. This is a regression between v5.18.4 and v5.20.0, bisect points to

932bca2 is the first bad commit
commit 932bca2
Author: David Mitchell <davem@iabyn.com>
Date: Wed Mar 5 14:44:41 2014 +0000

  OP_SORT: store start of block in null->op_next

  When a sort with a code block, like sort { BLOCK } arg, ...
  is compiled, it comes out like

  sort
  pushmark
  null
  scope
  BLOCK
  arg
  ...

  (The 'scope' may instead be 'ex-leave' depending on circumstances).

  At run time, pp_sort() navigates its way down from the sort op to find the
  start op of the BLOCK. We can shorten this process slightly by storing the
  start of BLOCK in the otherwise unused op_next field of the OP_NULL.
  Effectively we are using the null->op_next field as a surrogate op_other
  field for the op_sort (which doesn't have a spare field we could store
  the pointer in).

  The main point of this commit however is not the slight speed up from
  skipping a couple of pointer follows at run-time; rather that it will
  shortly allow us to trim any null ops from the beginning of the BLOCK. We
  can't do this directly, as that would involve changing the scope->op_first
  pointer, which might confuse B:: type modules.

GDB info about the crash location:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007fc95d34140a in __GI_abort () at abort.c:89
#2 0x00007fc95d338e47 in __assert_fail_base (fmt=<optimized out>,
  assertion=assertion@entry=0x7fc95e9cf1e0 "(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER",
  file=file@entry=0x7fc95e9c952e "op.c", line=line@entry=14389,
  function=function@entry=0x7fc95e9d06d8 <__PRETTY_FUNCTION__.19609> "Perl_rpeep") at assert.c:92
#3 0x00007fc95d338ef2 in __GI___assert_fail (
  assertion=0x7fc95e9cf1e0 "(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER",
  file=0x7fc95e9c952e "op.c", line=14389, function=0x7fc95e9d06d8 <__PRETTY_FUNCTION__.19609> "Perl_rpeep") at assert.c:101
#4 0x00007fc95e6b3266 in Perl_rpeep (o=0x7fc95ee00080) at op.c:14384
#5 0x00007fc95e6b3fa0 in Perl_peep (o=0x7fc95edfe168) at op.c:14718
#6 0x00007fc95e68647b in Perl_newPROG (o=0x7fc95edfe1a0) at op.c:4273
#7 0x00007fc95e7386f6 in Perl_yyparse (gramtype=258) at perly.y:123
#8 0x00007fc95e6bc33a in S_parse_body (env=0x0, xsinit=0x7fc95e677de8 <xs_init>) at perl.c:2376
#9 0x00007fc95e6ba69f in perl_parse (my_perl=0x7fc95eddd010, xsinit=0x7fc95e677de8 <xs_init>, argc=2, argv=0x7ffd7a071f08, env=0x0) at perl.c:1691
#10 0x00007fc95e677d26 in main (argc=2, argv=0x7ffd7a071f08, env=0x7ffd7a071f20) at perlmain.c:121
(gdb) f 4
#4 0x00007fc95e6b3266 in Perl_rpeep (o=0x7fc95ee00080) at op.c:14384
(gdb) p PL_op_name[kid->op_type]
$3 = 0x7fc95ea81aa2 "lineseq"

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Jan 23, 2017

From @iabyn

On Sun, Jan 22, 2017 at 04:18:13AM -0800, Sergey Aleynikov wrote:

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
under libdislocator, I found the following program

}my;0=sort{i d&0}0

to cause an assertion failure, even when run under -c for a syntax
check. This is a regression between v5.18.4 and v5.20.0, bisect points to

Fixed with the following commit. It's yet another example of the
difficulty of attempting to continue parsing after an error has been
encountered.

commit 03fedef
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Mon Jan 23 12:27:20 2017 +0000
Commit: David Mitchell <davem@iabyn.com>
CommitDate: Mon Jan 23 12:27:20 2017 +0000

  avoid sort assert failure after compile fail

  RT #130617

  in rpeep(), there's an assert that the optree is sane for the sort's
  codeblock. After compile errors, it isn't necessarily sane, so skip the
  assert in that case.

  I've also changed a kLISTOP->op_next into the equivalent but less
  obfuscated kid->op_next.

--
Technology is dominated by two types of people: those who understand what
they do not manage, and those who manage what they do not understand.
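A standalone regression check for this ticket, added here as an example (it is not part of the report, the fix commit, or the Perl core test suite): it compiles the fuzzer-found program under -c and distinguishes a clean syntax error from a process killed by the rpeep() assertion (SIGABRT). It assumes the perl under test is the one running the script ($^X).

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Program from the report (RT #130617). A fixed perl must reject it with a
# plain syntax error; a DEBUGGING build before commit 03fedef aborted in
# Perl_rpeep() with an assertion failure instead.
my $reproducer = '}my;0=sort{i d&0}0';

# Run "$perl -c -e $src" with stderr merged into stdout (no shell involved)
# and report how the child ended.
sub check_compile_only {
    my ($perl, $src) = @_;
    my $pid = open(my $fh, '-|') // die "fork failed: $!";
    if (!$pid) {                           # child
        open STDERR, '>&', \*STDOUT or die "dup failed: $!";
        exec $perl, '-c', '-e', $src or die "exec $perl failed: $!";
    }
    my $output = do { local $/; <$fh> };
    close $fh;                             # sets $? from the child
    return {
        signal => $? & 127,                # non-zero if killed by a signal
        exit   => $? >> 8,                 # 255 for a normal compile failure
        output => $output,
    };
}

my $r = check_compile_only($^X, $reproducer);

# An assertion failure prints "Assertion ... failed" and aborts the process
# (SIGABRT = 6); a healthy perl only reports the syntax error.
if ($r->{signal} || $r->{output} =~ /Assertion .* failed/) {
    print "FAIL: perl crashed (signal $r->{signal}) on: $reproducer\n";
    print $r->{output};
    exit 1;
}
if ($r->{output} =~ /syntax error/) {
    print "OK: compile-only run reported a syntax error without aborting\n";
    exit 0;
}
print "UNEXPECTED: no crash and no syntax error (exit $r->{exit})\n",
      $r->{output};
exit 2;
```

Point it at a DEBUGGING build of perl before the fix (or after) by running the script with that interpreter, since only assert-enabled builds can reach the Perl_rpeep() assertion.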


p5pRT commented Jan 23, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jan 23, 2017

@iabyn - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
