crash on binary-or lvalue operation on qr// #9353

Closed
p5pRT opened this issue May 28, 2008 · 6 comments
p5pRT commented May 28, 2008

Migrated from rt.perl.org#54956 (status was 'resolved')

Searchable as RT54956$

p5pRT commented May 28, 2008

From @ntyni

This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
generated with the help of perlbug 1.36 running under perl 5.10.0.

As seen in <http://bugs.debian.org/483150>, this one-liner crashes 5.10.0
and blead@33937 but not 5.8.8:

# ./miniperl -e 'my $re = qr/x/; $re |= "y"'
miniperl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

#0 0x00002b358c697165 in raise () from /lib/libc.so.6
#1 0x00002b358c698610 in abort () from /lib/libc.so.6
#2 0x00002b358c69060f in __assert_fail () from /lib/libc.so.6
#3 0x000000000062bed6 in Perl_do_vop (my_perl=0x987010, optype=93, sv=0x9a9f28, left=0x9a9f28,
  right=0x9a9fa0) at doop.c:1259
#4 0x000000000059c4bb in Perl_pp_bit_or (my_perl=0x987010) at pp.c:2385
#5 0x00000000004ada20 in Perl_runops_debug (my_perl=0x987010) at dump.c:1984
#6 0x00000000004f716e in S_run_body (my_perl=0x987010, oldscope=1) at perl.c:2392
#7 0x00000000004f64a0 in perl_run (my_perl=0x987010) at perl.c:2312
#8 0x00000000006b1c4a in main (argc=3, argv=0x7fff1ef33b08, env=0x7fff1ef33b28) at miniperlmain.c:113

On 5.10.0 without -DDEBUGGING this results in 'double free or corruption'.

Bisecting shows it was broken by change 27859:

commit a39e44f1b8a997f82f02847b565d62c2cd84111f
Author: Jarkko Hietaniemi <jhi@iki.fi>
Date: Mon Apr 17 13:19:37 2006 +0300

  dooop.c: the strong asserts in Sv* macros could cause memory leakage -- move the macro calls earlier (Coverity CID 84)
  Message-Id: <20060417071937.C13346CF2D@aprikoosi.hut.fi>

  p4raw-id: //depot/perl@27859



Flags:
  category=core
  severity=medium


Site configuration information for perl 5.10.0:

Configured by Debian Project at Thu May 8 11:57:24 UTC 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
  osname=linux, osvers=2.6.18-6-xen-amd64, archname=x86_64-linux-gnu-thread-multi
  uname='linux sid 2.6.18-6-xen-amd64 #1 smp thu apr 24 05:10:26 utc 2008 x86_64 gnulinux '
  config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.0 -Dsitearch=/usr/local/lib/perl/5.10.0 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.0 -Dd_dosuid -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=define, usemultiplicity=define
  useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
  use64bitint=define, use64bitall=define, uselongdouble=undef
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-O2 -g',
  cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
  ccversion='', gccversion='4.2.3 (Debian 4.2.3-5)', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
  ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
  alignbytes=8, prototype=define
  Linker and Libraries:
  ld='cc', ldflags =' -L/usr/local/lib'
  libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
  libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
  perllibs=-ldl -lm -lpthread -lc -lcrypt
  libc=/lib/libc-2.7.so, so=so, useshrplib=true, libperl=libperl.so.5.10.0
  gnulibc_version='2.7'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib'

Locally applied patches:

@INC for perl 5.10.0:
  /etc/perl
  /usr/local/lib/perl/5.10.0
  /usr/local/share/perl/5.10.0
  /usr/lib/perl5
  /usr/share/perl5
  /usr/lib/perl/5.10
  /usr/share/perl/5.10
  /usr/local/lib/site_perl
  .


Environment for perl 5.10.0:
  HOME=/home/niko
  LANG=en_US.UTF-8
  LANGUAGE (unset)
  LC_CTYPE=fi_FI.UTF-8
  LD_LIBRARY_PATH (unset)
  LOGDIR (unset)
  PATH=/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/sbin:/usr/sbin
  PERL_BADLANG (unset)
  SHELL=/bin/zsh

p5pRT commented May 28, 2008

From @smpeters

On Tue May 27 23:17:19 2008, ntyni@debian.org wrote:

> This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
> generated with the help of perlbug 1.36 running under perl 5.10.0.
>
> -----------------------------------------------------------------
> As seen in <http://bugs.debian.org/483150>, this one-liner crashes 5.10.0
> and blead@33937 but not 5.8.8:
>
> # ./miniperl -e 'my $re = qr/x/; $re |= "y"'
> miniperl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.
>
> #0 0x00002b358c697165 in raise () from /lib/libc.so.6
> #1 0x00002b358c698610 in abort () from /lib/libc.so.6
> #2 0x00002b358c69060f in __assert_fail () from /lib/libc.so.6
> #3 0x000000000062bed6 in Perl_do_vop (my_perl=0x987010, optype=93, sv=0x9a9f28, left=0x9a9f28,
>   right=0x9a9fa0) at doop.c:1259
> #4 0x000000000059c4bb in Perl_pp_bit_or (my_perl=0x987010) at pp.c:2385
> #5 0x00000000004ada20 in Perl_runops_debug (my_perl=0x987010) at dump.c:1984
> #6 0x00000000004f716e in S_run_body (my_perl=0x987010, oldscope=1) at perl.c:2392
> #7 0x00000000004f64a0 in perl_run (my_perl=0x987010) at perl.c:2312
> #8 0x00000000006b1c4a in main (argc=3, argv=0x7fff1ef33b08, env=0x7fff1ef33b28) at miniperlmain.c:113
>
> On 5.10.0 without -DDEBUGGING this results in 'double free or corruption'.
>
> Bisecting shows it was broken by change 27859:
>
> commit a39e44f1b8a997f82f02847b565d62c2cd84111f
> Author: Jarkko Hietaniemi <jhi@iki.fi>
> Date: Mon Apr 17 13:19:37 2006 +0300
>
>   dooop.c: the strong asserts in Sv* macros could cause memory leakage -- move the macro calls earlier (Coverity CID 84)
>   Message-Id: <20060417071937.C13346CF2D@aprikoosi.hut.fi>
>
>   p4raw-id: //depot/perl@27859

Yep, running with a debugging Perl gives me...

Assertion ((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV failed: file "doop.c", line 1234 at -e line 1.

p5pRT commented May 28, 2008

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented May 28, 2008

From @smpeters

On Wed, May 28, 2008 at 8:35 AM, Steve Peters via RT
<perlbug-followup@perl.org> wrote:

> On Tue May 27 23:17:19 2008, ntyni@debian.org wrote:
>
> > This is a bug report for perl from Niko Tyni <ntyni@debian.org>,
> > generated with the help of perlbug 1.36 running under perl 5.10.0.
> >
> > -----------------------------------------------------------------
> > As seen in <http://bugs.debian.org/483150>, this one-liner crashes 5.10.0
> > and blead@33937 but not 5.8.8:
> >
> > # ./miniperl -e 'my $re = qr/x/; $re |= "y"'
> > miniperl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.
> >
> > #0 0x00002b358c697165 in raise () from /lib/libc.so.6
> > #1 0x00002b358c698610 in abort () from /lib/libc.so.6
> > #2 0x00002b358c69060f in __assert_fail () from /lib/libc.so.6
> > #3 0x000000000062bed6 in Perl_do_vop (my_perl=0x987010, optype=93, sv=0x9a9f28, left=0x9a9f28,
> >   right=0x9a9fa0) at doop.c:1259
> > #4 0x000000000059c4bb in Perl_pp_bit_or (my_perl=0x987010) at pp.c:2385
> > #5 0x00000000004ada20 in Perl_runops_debug (my_perl=0x987010) at dump.c:1984
> > #6 0x00000000004f716e in S_run_body (my_perl=0x987010, oldscope=1) at perl.c:2392
> > #7 0x00000000004f64a0 in perl_run (my_perl=0x987010) at perl.c:2312
> > #8 0x00000000006b1c4a in main (argc=3, argv=0x7fff1ef33b08, env=0x7fff1ef33b28) at miniperlmain.c:113
> >
> > On 5.10.0 without -DDEBUGGING this results in 'double free or corruption'.
> >
> > Bisecting shows it was broken by change 27859:
> >
> > commit a39e44f1b8a997f82f02847b565d62c2cd84111f
> > Author: Jarkko Hietaniemi <jhi@iki.fi>
> > Date: Mon Apr 17 13:19:37 2006 +0300
> >
> >   dooop.c: the strong asserts in Sv* macros could cause memory leakage -- move the macro calls earlier (Coverity CID 84)
> >   Message-Id: <20060417071937.C13346CF2D@aprikoosi.hut.fi>
> >
> >   p4raw-id: //depot/perl@27859
>
> Yep, running with a debugging Perl gives me...
>
> Assertion ((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV failed: file "doop.c", line 1234 at -e line 1.

OK, after coffee and a think, a couple of things came up. First, &=
fails similarly...

steve@picard:~/perl-current$ ./perl -e 'my $re = qr/x/; $re &= "y"'
perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.
Aborted

Second, the failures only occur with debugging Perls. Without debugging...

[steve@kirk perl-current]$ ./perl -Ilib -E'my $re = qr/x/; $re |= "y"; say $re'
y?-xism:x)

is the same as what I get under Perl 5.8.8.

Finally, the problem isn't qr//. It's references in general. For example...

steve@picard:~/perl-current$ ./perl -e ' my $sploosh = "aiieee"; $powie = \$sploosh; $powie &= "spla_a_t"'
perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

steve@picard:~/perl-current$ ./perl -e ' my $sploosh = bless {}, "Aiieee"; $sploosh &= "spla_a_t"'
perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

steve@picard:~/perl-current$ ./perl -e ' my $sploosh = 1; $powie = \$sploosh; $powie &= "spla_a_t"'
perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

...although, if we have a reference to a number and a number on the
other side...

steve@picard:~/perl-current$ ./perl -e ' my $sploosh = 1; $powie = \$sploosh; $powie &= 2'

it works. Obviously, then, we don't have test cases for bitwise & and
| with references that are not numeric. I also don't think I can add
them at the moment since the asserts would kill the tests. I'll try
digging into a fix unless someone else wants to take a stab at it
first.

Steve Peters
steve@fisharerojo.org
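
The missing test coverage mentioned in the comment above, sketched as an added example (not part of the thread and not the test that shipped with the fix). It checks that in-place `|=` and `&=` on a reference give the same result as the operator applied to the reference's stringified form; it is expected to pass on a perl where this bug is fixed, while an affected debugging build would abort on the first `|=`. The case names and the `$scalar` variable are chosen here for illustration.

```perl
#!/usr/bin/perl
# Added example: regression checks for in-place bitwise ops on references.
# Deliberately no "use v5.28" / "use feature 'bitwise'", so | and & choose
# string or numeric mode from their operands, as in the one-liners above.
use strict;
use warnings;
use Test::More;

my $scalar = "aiieee";

# The three kinds of reference exercised in the thread.
my %cases = (
    'qr// object'     => sub { qr/x/ },
    'scalar ref'      => sub { \$scalar },
    'blessed hashref' => sub { bless {}, "Aiieee" },
);

for my $name (sort keys %cases) {
    my $ref = $cases{$name}->();
    my $str = "$ref";    # plain string: what the reference stringifies to

    for my $rhs ("y", "spla_a_t") {
        my $or = $ref;   # fresh copy of the reference for each operation
        $or |= $rhs;
        is($or, $str | $rhs, "$name |= '$rhs' matches string OR");
        ok(!ref($or), "$name holds a plain string after |= '$rhs'");

        my $and = $ref;
        $and &= $rhs;
        is($and, $str & $rhs, "$name &= '$rhs' matches string AND");
    }
}

# Numeric right operand: the reference is used as a number (its address),
# which is the case reported as already working.
{
    my $ref  = \$scalar;
    my $addr = 0 + $ref;
    my $and  = $ref;
    $and &= 2;
    is($and, $addr & 2, "scalar ref &= 2 matches numeric AND");
}

done_testing();
```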

p5pRT commented Jan 12, 2009

From module@renee-baecker.de

fixed with
http://perl5.git.perl.org/perl.git/commit/8c8eee8276dbc780932b841fe5183943a7117a3d

p5pRT commented Jan 12, 2009

module@renee-baecker.de - Status changed from 'open' to 'resolved'
