perly.c:341: Perl_yyparse: Assertion `parser->yychar >= 0' failed. #15845

Closed
p5pRT opened this issue Jan 28, 2017 · 8 comments


p5pRT commented Jan 28, 2017

Migrated from rt.perl.org#130661 (status was 'resolved')

Searchable as RT130661$


p5pRT commented Jan 28, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following 5-byte program

hexdump -C 0051
00000000  73 75 62 28 ec                                    |sub(.|
00000005

to cause an assertion failure when run with -Mexperimental=signatures.
This is a regression in blead, bisect points to

0f8490d is the first bad commit
commit 0f8490d
Author: David Mitchell <davem@iabyn.com>
Date: Sun Dec 4 08:10:27 2016 +0000

  yyparse: only calculate yytoken on yychar change

  yytoken is a translated (via lookup table) version of parser->yychar.
  So we only need to recalculate it when yychar changes (usually by
  assigning the result of yylex() to it). This means when multiple
  reductions are done without shifting another token, we skip the extra
  overhead each time.

GDB info about the crash location:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007fcb40e4c40a in __GI_abort () at abort.c:89
#2 0x00007fcb40e43e47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7fcb42cf9906 "parser->yychar >= 0", file=file@entry=0x7fcb42cf987a "perly.c", line=line@entry=341, function=function@entry=0x7fcb42cfa320 <__PRETTY_FUNCTION__.15814> "Perl_yyparse") at assert.c:92
#3 0x00007fcb40e43ef2 in __GI___assert_fail (assertion=assertion@entry=0x7fcb42cf9906 "parser->yychar >= 0", file=file@entry=0x7fcb42cf987a "perly.c", line=line@entry=341, function=function@entry=0x7fcb42cfa320 <__PRETTY_FUNCTION__.15814> "Perl_yyparse") at assert.c:101
#4 0x00007fcb423ea803 in Perl_yyparse (gramtype=gramtype@entry=258) at perly.c:341
#5 0x00007fcb4229a131 in S_parse_body (env=env@entry=0x0, xsinit=xsinit@entry=0x7fcb4218f990 <xs_init>) at perl.c:2376
#6 0x00007fcb422a0deb in perl_parse (my_perl=<optimized out>, xsinit=0x7fcb4218f990 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1691
#7 0x00007fcb4218f56e in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:121
(gdb) f 4
#4 0x00007fcb423ea803 in Perl_yyparse (gramtype=gramtype@entry=258) at perly.c:341
341 assert(parser->yychar >= 0);
(gdb) p parser->yychar
$1 = -20

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Jan 28, 2017

From @dur-randir

0051


p5pRT commented Jan 30, 2017

From @iabyn

On Sat, Jan 28, 2017 at 09:21:30AM -0800, Sergey Aleynikov wrote:

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following 5-byte program

hexdump -C 0051
00000000  73 75 62 28 ec                                    |sub(.|
00000005

to cause an assertion failure when run with -Mexperimental=signatures.
This is a regression in blead, bisect points to

Now fixed with v5.25.9-66-gcbf40e7:

commit cbf40e7
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Mon Jan 30 12:25:55 2017 +0000
Commit: David Mitchell <davem@iabyn.com>
CommitDate: Mon Jan 30 12:30:30 2017 +0000

  signature sub (\x80 triggered an assertion

  RT #130661

  In the presence of 'use feature "signatures"', a char >= 0x80 where a sigil
  was expected triggered an assert failure, because the (signed) character
  was being promoted to int and ended up getting returned from
  yylex() as a negative value.

--
"There's something wrong with our bloody ships today, Chatfield."
  -- Admiral Beatty at the Battle of Jutland, 31st May 1916.
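
An added illustration of the sign extension described in the commit message above; it is not code from the Perl source or from this ticket. The `toy_*` names, the 256-entry table and the use of 0 as end-of-input are assumptions made for the example, and the `signed char` read models a platform where plain `char` is signed.

```c
#include <stdio.h>
#include <stddef.h>

/* Constructed input: the 5 bytes from the report's hexdump, "sub(" then 0xEC. */
static const unsigned char INPUT[] = { 0x73, 0x75, 0x62, 0x28, 0xec };

/* Hypothetical toy lexer state; not Perl's parser struct. */
typedef struct { const unsigned char *buf; size_t pos, len; } toy_lexer;

/* Before: the byte is read as a signed char, so promotion to int
 * sign-extends and any byte >= 0x80 becomes a negative token. */
static int toy_yylex_signed(toy_lexer *lx) {
    if (lx->pos >= lx->len) return 0;              /* 0 = end of input */
    return ((const signed char *)lx->buf)[lx->pos++];
}

/* After: read the byte as unsigned char, so the token is in 0..255. */
static int toy_yylex_unsigned(toy_lexer *lx) {
    if (lx->pos >= lx->len) return 0;
    return (int)lx->buf[lx->pos++];
}

/* Toy yychar -> yytoken lookup. A negative yychar would index before
 * the table, which is what a parser-side range check guards against. */
static int toy_translate(int yychar, int *yytoken) {
    static const unsigned char table[256] = { 0 };
    if (yychar < 0 || yychar > 255) return -1;     /* reject, do not index */
    *yytoken = table[yychar];
    return 0;
}

/* Lex the whole input and return the token produced for its last byte. */
static int last_token(int (*lex)(toy_lexer *)) {
    toy_lexer lx = { INPUT, 0, sizeof INPUT };
    int tok, last = 0;
    while ((tok = lex(&lx)) != 0) last = tok;
    return last;
}

int main(void) {
    int t = 0;
    int bad = last_token(toy_yylex_signed), good = last_token(toy_yylex_unsigned);
    printf("signed read:   %d, translate -> %d\n", bad, toy_translate(bad, &t));
    printf("unsigned read: %d, translate -> %d\n", good, toy_translate(good, &t));
    return 0;
}
```

The signed read of 0xEC yields the same -20 that gdb shows for `parser->yychar` in the report.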


p5pRT commented Jan 30, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Mar 1, 2017

From @tonycoz

On Mon, 30 Jan 2017 04:39:28 -0800, davem wrote:

Now fixed with v5.25.9-66-gcbf40e7:

and closing.

Tony


p5pRT commented Mar 1, 2017

@tonycoz - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT closed this as completed May 30, 2017


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
