Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed #16443

Open
p5pRT opened this issue Feb 28, 2018 · 3 comments
Open

Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed #16443

p5pRT opened this issue Feb 28, 2018 · 3 comments
Labels
segfault

Comments

@p5pRT
Copy link

p5pRT commented Feb 28, 2018

Migrated from rt.perl.org#132920 (status was 'open')

Searchable as RT132920$
@p5pRT
Copy link
Author

p5pRT commented Feb 28, 2018

From @geeknik

This assertion failure is triggered in Perl v5.27.9 (v5.27.8-408-ga0da1e1.

./perl -e '($a)=map[split//],G0;$0=map abs($0[$a++]),@​$a'

perl​: sv.c​:6508​: void Perl_sv_clear(SV *const)​: Assertion `SvTYPE(sv) !=
(svtype)SVTYPEMASK' failed.

Testing against the installed v5.22.1 on Ubuntu with valgrind, I see this​:

==26560== Invalid read of size 1
==26560== at 0x4C3008​: ??? (in /usr/bin/perl)
==26560== by 0x4C31AD​: Perl_sv_unmagic (in /usr/bin/perl)
==26560== by 0x4C216A​: Perl_sv_clear (in /usr/bin/perl)
==26560== by 0x4C2ABC​: Perl_sv_free2 (in /usr/bin/perl)
==26560== by 0x4F17CF​: Perl_leave_scope (in /usr/bin/perl)
==26560== by 0x4F934F​: Perl_pp_mapwhile (in /usr/bin/perl)
==26560== by 0x4B62C5​: Perl_runops_standard (in /usr/bin/perl)
==26560== by 0x443BC8​: perl_run (in /usr/bin/perl)
==26560== by 0x41CB2A​: main (in /usr/bin/perl)
==26560== Address 0xff00000012 is not stack'd, malloc'd or (recently)
free'd
==26560==
==26560==
==26560== Process terminating with default action of signal 11 (SIGSEGV)
==26560== Access not within mapped region at address 0xFF00000012
==26560== at 0x4C3008​: ??? (in /usr/bin/perl)
==26560== by 0x4C31AD​: Perl_sv_unmagic (in /usr/bin/perl)
==26560== by 0x4C216A​: Perl_sv_clear (in /usr/bin/perl)
==26560== by 0x4C2ABC​: Perl_sv_free2 (in /usr/bin/perl)
==26560== by 0x4F17CF​: Perl_leave_scope (in /usr/bin/perl)
==26560== by 0x4F934F​: Perl_pp_mapwhile (in /usr/bin/perl)
==26560== by 0x4B62C5​: Perl_runops_standard (in /usr/bin/perl)
==26560== by 0x443BC8​: perl_run (in /usr/bin/perl)
==26560== by 0x41CB2A​: main (in /usr/bin/perl)
==26560== If you believe this happened as a result of a stack
==26560== overflow in your program's main thread (unlikely but
==26560== possible), you can try to increase the size of the
==26560== main thread stack using the --main-stacksize= flag.
==26560== The main thread stack size used in this run was 8388608.
Segmentation fault

@p5pRT
Copy link
Author

p5pRT commented Feb 28, 2018

From @tonycoz

On Tue, 27 Feb 2018 18​:03​:54 -0800, brian.carpenter@​gmail.com wrote​:

This assertion failure is triggered in Perl v5.27.9 (v5.27.8-408-ga0da1e1.

./perl -e '($a)=map[split//],G0;$0=map abs($0[$a++]),@​$a'

perl​: sv.c​:6508​: void Perl_sv_clear(SV *const)​: Assertion `SvTYPE(sv) !=
(svtype)SVTYPEMASK' failed.

This looks like another stack-not-refcunted issue.

$a ends up as [ "G", "0" ], and the "G" and "0" scalars are pushed onto the stack.

The $a++ converts $a from a reference to a large integer, freeing both the array and it's contents, leaving an unreferenced SV on the stack.

Tony

@p5pRT
Copy link
Author

p5pRT commented Feb 28, 2018

The RT System itself - Status changed from 'new' to 'open'

@xenu xenu removed the Severity Low label Dec 29, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
segfault
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@khwilliamson @xenu @p5pRT