
op.c:8067: SV *Perl_cv_const_sv_or_av(const CV *const): Assertion `SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM' failed. #16040

Open
p5pRT opened this issue Jun 24, 2017 · 3 comments

Comments


p5pRT commented Jun 24, 2017

Migrated from rt.perl.org#131647 (status was 'open')

Searchable as RT131647$


p5pRT commented Jun 24, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
under libdislocator, I found the following program

@I0::""my I0"";sub f00}f00

to cause an assertion failure. This is a regression between 5.20 and
5.22, bisect points to:

commit 0f94cb1
Author: Father Chrysostomos <sprout@cpan.org>
Date: Thu Nov 27 22:30:54 2014 -0800

  [perl #123223] Make PADNAME a separate type

  distinct from SV. This should fix the CPAN modules that were failing
  when the PadnameLVALUE flag was added, because it shared the same
  bit as SVs_OBJECT and pad names were going through code paths not
  designed to handle pad names.

  Unfortunately, it will probably break other CPAN modules, but I think
  this change is for the better, as it makes both pad names and SVs sim-
  pler and makes pad names take less memory.

GDB info about the crash location is:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007ffff6cf63fa in __GI_abort () at abort.c:89
#2 0x00007ffff6cede37 in __assert_fail_base (fmt=<optimized out>,
  assertion=assertion@entry=0x5555558e3158 "SvTYPE(cv) == SVt_PVCV
|| SvTYPE(cv) == SVt_PVFM", file=file@entry=0x5555558def2e "op.c",
  line=line@entry=8067, function=function@entry=0x5555558e61f0
<__PRETTY_FUNCTION__.17680> "Perl_cv_const_sv_or_av") at assert.c:92
#3 0x00007ffff6cedee2 in __GI___assert_fail (assertion=0x5555558e3158
"SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM",
file=0x5555558def2e "op.c",
  line=8067, function=0x5555558e61f0 <__PRETTY_FUNCTION__.17680>
"Perl_cv_const_sv_or_av") at assert.c:101
#4 0x00005555555a19d7 in Perl_cv_const_sv_or_av (cv=0x555555c0b530)
at op.c:8067
#5 0x0000555555627e6b in Perl_yylex () at toke.c:7406
#6 0x0000555555649164 in Perl_yyparse (gramtype=258) at perly.c:340
#7 0x00005555555cad4c in S_parse_body (env=0x0, xsinit=0x555555583fe8
<xs_init>) at perl.c:2401
#8 0x00005555555c90b1 in perl_parse (my_perl=0x555555bed010,
xsinit=0x555555583fe8 <xs_init>, argc=2, argv=0x7fffffffe1c8, env=0x0)
at perl.c:1719
#9 0x0000555555583f26 in main (argc=2, argv=0x7fffffffe1c8,
env=0x7fffffffe1e0) at perlmain.c:121
(gdb) f 5
#5 0x0000555555627e6b in Perl_yylex () at toke.c:7406
7406 if ((sv = cv_const_sv_or_av(cv))) {
(gdb) p sv_dump(cv)
SV = PVHV(0x555555bf6010) at 0x555555c0b530
  REFCNT = 3
  FLAGS = (OOK,SHAREKEYS)
  AUX_FLAGS = 0
  ARRAY = 0x555555c17e00
  KEYS = 0
  FILL = 0
  MAX = 7
  RITER = -1
  EITER = 0x0
  RAND = 0xd63e354b
  NAME = "Iz"
  ENAME = "Iz"
$1 = void

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1
(2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer
-L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes


@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0


Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zshpe


p5pRT commented Jun 27, 2017

From @tonycoz

On Sat, 24 Jun 2017 07:01:54 -0700, randir wrote:

[the original bug report, quoted in full above]

The parser appears to be treating the final f00 as the name of a lexical sub, but finding a non-CV in the protocv:

(gdb)
7077 cv = find_lexical_cv(off);
2: off = 2
1: cv = (CV *) 0x0
(gdb) call Perl_sv_dump(PL_compcv)
SV = PVCV(0x621000014100) at 0x62100001bf48
  REFCNT = 6
  FLAGS = (UNIQUE,SLABBED)
  COMP_STASH = 0x0
  SLAB = 0x61500000fa80
  ROOT = 0x0
  GVGV::GV = 0x0
  FILE = "(null)"
  DEPTH = 0
  FLAGS = 0x900
  OUTSIDE_SEQ = 0
  PADLIST = 0x60300000eb90
  OUTSIDE = 0x0 (null)
(gdb) s
Perl_find_lexical_cv (off=2) at op.c:11425
11425 PADNAME *name = PAD_COMPNAME(off);
(gdb) n
11426 CV *compcv = PL_compcv;
(gdb) p name
$4 = (PADNAME *) 0x604000009890
(gdb) p *name
$5 = {xpadn_pv = 0x6040000098ba "&f00", xpadn_ourstash = 0x0, xpadn_type_u = {
  xpadn_typestash = 0x6210000127a0, xpadn_protocv = 0x6210000127a0},
  xpadn_low = 4294967246, xpadn_high = 4294967295, xpadn_refcnt = 1,
  xpadn_gen = 0, xpadn_len = 4 '\004', xpadn_flags = 8 '\b'}
(gdb) n
11427 while (PadnameOUTER(name)) {
(gdb)
11433 assert(!PadnameIsOUR(name));
(gdb)
11434 if (!PadnameIsSTATE(name) && PadnamePROTOCV(name)) {
(gdb)
11435 return PadnamePROTOCV(name);
(gdb)
11438 }
(gdb) s
Perl_yylex () at toke.c​:7079
7079 lex = TRUE;
2: off = 2
1: cv = (CV *) 0x6210000127a0
(gdb) call Perl_sv_dump(cv)
SV = PVHV(0x6210000195a0) at 0x6210000127a0
  REFCNT = 2
  FLAGS = (OOK,SHAREKEYS)
  AUX_FLAGS = 0
  ARRAY = 0x60c00000a780
  KEYS = 0
  FILL = 0
  MAX = 7
  RITER = -1
  EITER = 0x0
  RAND = 0xd9a94a3f
  NAME = "I0"
  ENAME = "I0"
(gdb) p PL_parser->bufptr
$6 = 0x60300000e5d7 "f00\n"

Tony
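The type confusion Tony's trace exposes, as an added example that is not perl source and not part of this thread: in the padname dump, xpadn_typestash and xpadn_protocv are two names for one union slot (both read 0x6210000127a0), and find_lexical_cv returns PadnamePROTOCV(name) after checking only PadnameIsSTATE, so a slot that actually holds the I0 stash (an HV) reaches cv_const_sv_or_av as if it were a CV. The C below models that layout with a stand-in SV type tag and padname struct, shows the unchecked accessor handing an HV to the CV consumer, and contrasts a checked accessor that consults a discriminator flag and the body type before trusting the slot. The struct names, the PN_TYPED/PN_STATE flag bits, the enum values and the sample data are assumptions for illustration, not perl's real definitions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for perl's SV body types; values are arbitrary, only the
 * HV versus CV/FM distinction matters here (assumed for this model). */
typedef enum { SVt_NULL, SVt_PVHV, SVt_PVCV, SVt_PVFM } sv_type_t;

typedef struct {
    sv_type_t type;         /* what SvTYPE() would report */
    const char *name;       /* stash name for an HV, sub name for a CV */
    const char *const_val;  /* CV only: constant body, NULL if not constant */
} sv_t;

/* Assumed flag bits for this model; perl's PADNAMEt_* bits are not copied. */
enum { PN_STATE = 2, PN_TYPED = 8 };

/* Same shape as the gdb dump: one union slot with two meanings. */
typedef struct {
    const char *pv;                 /* "&f00", "$x", ... */
    union {
        sv_t *typestash;            /* meaning when declared "my I0 $x" */
        sv_t *protocv;              /* meaning when declared "my sub f00" */
    } type_u;
    unsigned flags;
} padname_t;

/* Unchecked: reads the slot as a proto CV whatever was stored there,
 * like PadnamePROTOCV(name) in the trace. */
static sv_t *protocv_unchecked(const padname_t *pn)
{
    return pn->type_u.protocv;
}

/* Checked: refuse to reinterpret the slot when the name carries a type,
 * and verify the body type before handing it to CV-only code. */
static sv_t *protocv_checked(const padname_t *pn)
{
    sv_t *cv;
    if (pn->flags & PN_TYPED)
        return NULL;                /* slot holds a type stash, not a CV */
    cv = pn->type_u.protocv;
    if (cv != NULL && cv->type != SVt_PVCV && cv->type != SVt_PVFM)
        return NULL;                /* defensive: never pass an HV as a CV */
    return cv;
}

/* Stand-in for the consumer, cv_const_sv_or_av(): 1 plus the constant for a
 * constant sub, 0 for a non-constant sub, -1 where op.c:8067 asserted. */
static int const_of(const sv_t *cv, const char **out)
{
    if (cv == NULL)
        return 0;
    if (cv->type != SVt_PVCV && cv->type != SVt_PVFM)
        return -1;                  /* SvTYPE(cv) is neither PVCV nor PVFM */
    if (cv->const_val != NULL) {
        *out = cv->const_val;
        return 1;
    }
    return 0;
}

/* Constructed sample data modelled on the report: the padname "&f00" ended
 * up with the stash I0 in its union slot; a real lexical sub holds a CV. */
static sv_t stash_I0 = { SVt_PVHV, "I0", NULL };
static sv_t cv_f00   = { SVt_PVCV, "f00", "42" };
static const padname_t pn_typed = { "&f00", { .typestash = &stash_I0 }, PN_TYPED };
static const padname_t pn_sub   = { "&f00", { .protocv   = &cv_f00   }, 0 };

/* Body type the unchecked path hands to the CV consumer (SVt_PVHV). */
int unchecked_body_type(void)
{
    return (int)protocv_unchecked(&pn_typed)->type;
}

/* What the consumer does with it: -1, the assertion case. */
int unchecked_consumer_result(void)
{
    const char *v = NULL;
    return const_of(protocv_unchecked(&pn_typed), &v);
}

/* Checked path on the same padname: no proto CV, so a lexer would fall
 * back to treating f00 as an ordinary bareword. Returns 1 when NULL. */
int checked_rejects_typed_name(void)
{
    return protocv_checked(&pn_typed) == NULL;
}

/* Checked path still resolves a genuine lexical constant sub. */
const char *checked_const_of_real_sub(void)
{
    const char *v = NULL;
    return const_of(protocv_checked(&pn_sub), &v) == 1 ? v : NULL;
}

int main(void)
{
    printf("unchecked: body type %d, consumer result %d\n",
           unchecked_body_type(), unchecked_consumer_result());
    printf("checked: typed name rejected=%d, real sub const=%s\n",
           checked_rejects_typed_name(), checked_const_of_real_sub());
    return 0;
}
```

Build with cc -std=c99 and run; the unchecked path yields a body whose type tag is SVt_PVHV, which is exactly the condition the DEBUGGING assertion in op.c caught. In a perl built without -DDEBUGGING that assert is compiled out and the HV body would be read through CV accessors instead, so a fuzzer-found assertion failure of this kind is worth triaging as a potential type confusion rather than only a debug-build nuisance.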


p5pRT commented Jun 27, 2017

The RT System itself - Status changed from 'new' to 'open'
