
Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed (sv.c:2963) #14569

Closed
p5pRT opened this issue Mar 6, 2015 · 9 comments

Comments


p5pRT commented Mar 6, 2015

Migrated from rt.perl.org#124004 (status was 'resolved')

Searchable as RT124004$


p5pRT commented Mar 6, 2015

From @geeknik

Built v5.21.10 (v5.21.9-43-g2c3f32a) with the following command line:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j12 test-prep

Bug found with AFL (http://lcamtuf.coredump.cx/afl)

Valgrind:
perl​: sv.c​:2963​: Perl_sv_2pv_flags​: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
==20441==
==20441== Process terminating with default action of signal 6 (SIGABRT)​: dumping core
==20441== at 0x5B55165​: raise (raise.c​:64)
==20441== by 0x5B583DF​: abort (abort.c​:92)
==20441== by 0x5B4E310​: __assert_fail (assert.c​:81)
==20441== by 0x9719C8​: Perl_sv_2pv_flags (sv.c​:2962)
==20441== by 0x9CC399​: Perl_sv_catsv_flags (sv.c​:5538)
==20441== by 0xB255B7​: Perl_pp_substcont (pp_ctl.c​:222)
==20441== by 0x7CB49E​: Perl_runops_debug (dump.c​:2237)
==20441== by 0x53B4C8​: perl_run (perl.c​:2427)
==20441== by 0x42B167​: main (perlmain.c​:116)

GDB​:
gdb-peda$ file ~/perl/perl
gdb-peda$ set args test32-min
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl​: sv.c​:2963​: Perl_sv_2pv_flags​: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX​: 0x0
RBX​: 0x7fffffffe63a --> 0x736574006c726570 ('perl')
RCX​: 0xffffffffffffffff
RDX​: 0x6
RSI​: 0xa28d
RDI​: 0xa28d
RBP​: 0x7ffff6ea9c67 --> 0x257325732500203a ('​: ')
RSP​: 0x7fffffffde58 --> 0x7ffff6d933e0 (<*__GI_abort+384>​: mov rdx,QWORD PTR fs​:0x10)
RIP​: 0x7ffff6d90165 (<*__GI_raise+53>​: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7fdd700 (0x00007ffff7fdd700)
R9 : 0x5653203d21202929 (')) != SV')
R10​: 0x8
R11​: 0x206
R12​: 0xf37340 ("((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM")
R13​: 0xf4be70 ("Perl_sv_2pv_flags")
R14​: 0x7ffff6ea9c67 --> 0x257325732500203a ('​: ')
R15​: 0xb93
EFLAGS​: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
  0x7ffff6d9015b <*__GI_raise+43>​: movsxd rdi,eax
  0x7ffff6d9015e <*__GI_raise+46>​: mov eax,0xea
  0x7ffff6d90163 <*__GI_raise+51>​: syscall
=> 0x7ffff6d90165 <*__GI_raise+53>​: cmp rax,0xfffffffffffff000
  0x7ffff6d9016b <*__GI_raise+59>​: ja 0x7ffff6d90182 <*__GI_raise+82>
  0x7ffff6d9016d <*__GI_raise+61>​: repz ret
  0x7ffff6d9016f <*__GI_raise+63>​: nop
  0x7ffff6d90170 <*__GI_raise+64>​: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde58 --> 0x7ffff6d933e0 (<*__GI_abort+384>​: mov rdx,QWORD PTR fs​:0x10)
0008| 0x7fffffffde60 --> 0xf37340 ("((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM")
0016| 0x7fffffffde68 --> 0x7ffff6eabc21 --> 0x706c6568007325 ('%s')
0024| 0x7fffffffde70 --> 0x7fffffffde90 --> 0x3000000018
0032| 0x7fffffffde78 --> 0xb93
0040| 0x7fffffffde80 --> 0x7fffffffdf80 --> 0x7fffffffe63a --> 0x736574006c726570 ('perl')
0048| 0x7fffffffde88 --> 0x7ffff6dc41b6 (<__fxprintf+310>​: lea rsp,[rbp-0x20])
0056| 0x7fffffffde90 --> 0x3000000018
[------------------------------------------------------------------------------]
Legend​: code, data, rodata, value
Stopped reason​: SIGABRT
0x00007ffff6d90165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c​:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c​: No such file or directory.

Hexdump of the 42-byte test case:
0000000 5f24 223d 3030 3b22 7665 6c61 7322 242f
0000010 2f31 3c24 6f66 4072 3000 652f 7722 6968
0000020 656c 7320 2e28 2f29 2f30
000002a

System Info: Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8


p5pRT commented Mar 6, 2015

From @geeknik

test32-min


p5pRT commented Mar 7, 2015

From @hvds

Interestingly, the nul byte in the string eval serves to stop the @0 from being interpolated, so the test case is equivalent to this:

% ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'
miniperl: sv.c:2964: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
Aborted (core dumped)
%

I'm not sure whether the non-interpolation is an additional bug.

Hacking bisect-runner to treat timeout as success and running with:

  bisect.pl --target=miniperl -DDEBUGGING --crash --timeout=1 -- ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'

finds this change first introduced in perl-5.16:

commit 815dd40
Author: Nicholas Clark <nick@ccl4.org>
Date: Fri Jun 17 15:19:07 2011 +0200

  In pp_subst, use a mortal scalar for dstr, instead of SAVEFREESV().
  [...]

.. but I don't think I believe it - running with -Ds perturbs things a bit, but shows a stack underflow which I assume is real; reverting 815dd40 appears to allow the plain run to go successfully round its endless loop, but -Ds still shows the same stack underflow.

I'm unlikely to have time to look further at this any time soon.

Hugo


p5pRT commented Mar 7, 2015

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Mar 17, 2015

From @cpansprout

On Sat Mar 07 02:42:18 2015, hv wrote:

Interestingly, the nul byte in the string eval serves to stop the @0
from being interpolated, so the test case is equivalent to this:

% ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'
miniperl: sv.c:2964: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
Aborted (core dumped)
%

I'm not sure whether the non-interpolation is an additional bug.

Hacking bisect-runner to treat timeout as success and running with:

bisect.pl --target=miniperl -DDEBUGGING --crash --timeout=1 --
./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'

finds this change first introduced in perl-5.16:

commit 815dd40
Author: Nicholas Clark <nick@ccl4.org>
Date: Fri Jun 17 15:19:07 2011 +0200

In pp_subst, use a mortal scalar for dstr, instead of SAVEFREESV().
[...]

.. but I don't think I believe it - running with -Ds perturbs things a
bit, but shows a stack underflow which I assume is real; reverting
815dd40 appears to allow the plain run to go successfully round its
endless loop, but -Ds still shows the same stack underflow.

I'm unlikely to have time to look further at this any time soon.

$ ./miniperl -le 'print 1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6'
124456

$ /opt/testing/bin/perl5.8.7 -le 'print 1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6'
456

$ /opt/bin/perl5.8.8 -le 'print 1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6'
124456

With this variation, I get ‘1 2 4 4 5 6’ as far back as 5.002:

push @_, 1, 2, 3, scalar do { for(@x){} } + 1, 4, 5, 6; die "@_" unless @_ == 7

Can't find a suitable start revision to default to.
Tried perl-5.002 perl-5.003 perl-5.004 perl-5.005 perl-5.6.0 perl-5.8.0 v5.10.0 at ../perl.git/Porting/bisect.pl line 214.

--

Father Chrysostomos
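The two observations above (a scalar-context foreach that swallows the item below it on the stack, and the same construct used as an s///e replacement) can be turned into a bounded regression check. The following Test::More script is an added example, not code from this ticket and not one of perl's own t/ tests; the array @x, the string $s and the test descriptions are constructed for it.

```perl
#!/usr/bin/perl
# Added regression test for the stack underflow discussed in this ticket.
# Constructed illustration: not the reporter's code and not one of perl's
# own t/ tests. @x, $s and the test names are this file's own choices.
use strict;
use warnings;
use Test::More tests => 5;

my @x;   # deliberately empty: the foreach body never runs

# The list from the one-liner above. With the bug, `scalar do { 1 for @x }`
# pushes nothing, so `+ 1` consumes the preceding item (3) and the list
# silently loses an element, printing "1 2 4 4 5 6" instead of seven values.
my @list = (1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6);

is(scalar @list, 7, 'scalar-context foreach does not swallow a list item');
is_deeply([@list[0 .. 2]], [1, 2, 3], 'items before the foreach survive');
is_deeply([@list[4 .. 6]], [4, 5, 6], 'items after the foreach survive');

# A foreach as the replacement code of s///e takes the Perl_sv_catsv_flags
# -> Perl_sv_2pv_flags path that tripped the assertion. The original
# reproducer loops forever; this one substitutes once on a plain string.
my $s = 'ab';
my $survived = eval {
    no warnings 'uninitialized';   # an empty foreach yields no defined value
    $s =~ s/./1 for @x/e;
    1;
};
ok($survived, 'foreach as an s///e replacement runs without dying')
    or diag($@);
isnt($s, 'ab', 'the substitution replaced the first character');
```

Run it as `perl t/foreach-scalar.t` (any file name will do) against the perl under test. On a fixed perl (5.22 or later) all five tests pass; on an affected DEBUGGING build the s///e case aborts the whole script with the sv.c assertion, which Test::More reports as a premature exit, and on a non-DEBUGGING affected build the first three tests fail with a six-element list.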


p5pRT commented Mar 18, 2015

From @cpansprout

Fixed in c5f78d0.

--

Father Chrysostomos


p5pRT commented Mar 18, 2015

@cpansprout - Status changed from 'open' to 'pending release'


p5pRT commented Jun 2, 2015

From @khwilliamson

Thank you for submitting this ticket.

The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html
--
Karl Williamson for the Perl 5 team


p5pRT commented Jun 2, 2015

@khwilliamson - Status changed from 'pending release' to 'resolved'
