Report information
Id: 123802
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: 5.22.0



Subject: Segfault in Perl_yyparse with minimized test case from #123801
Built v5.21.9 (v5.21.8-286-g534577b) using the following command line:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j6 test-prep

Bug found with AFL (http://lcamtuf.coredump.cx/afl). I used afl-tmin to minimize the test case from #123801, which caused this segfault to happen instead of aborting.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x1221d20 --> 0x0
RCX: 0x1205d10 --> 0x1
RDX: 0x4000 ('')
RSI: 0x12134af --> 0x3334317473657400 ('')
RDI: 0x696d2d3334317473 ('st143-mi')
RBP: 0x726f ('or')
RSP: 0x7fffffffdfc0 --> 0x640121a020
RIP: 0x668bd8 (<Perl_yyparse+6008>: mov esi,DWORD PTR [rdi+0x8])
R8 : 0x60 ('`')
R9 : 0x0
R10: 0x1
R11: 0x1221d20 --> 0x0
R12: 0x0
R13: 0x1222120 ("ntax error at test143-min line 1, near \"/$0{}/\"\n")
R14: 0x65 ('e')
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x668bc6 <Perl_yyparse+5990>: mov rcx,QWORD PTR [rsp+0x8]
   0x668bcb <Perl_yyparse+5995>: mov rax,QWORD PTR [rsp+0x10]
   0x668bd0 <Perl_yyparse+6000>: lea rsp,[rsp+0x98]
=> 0x668bd8 <Perl_yyparse+6008>: mov esi,DWORD PTR [rdi+0x8]
   0x668bdb <Perl_yyparse+6011>: cmp esi,0x1
   0x668bde <Perl_yyparse+6014>: jbe 0x669050 <Perl_yyparse+7152>
   0x668be4 <Perl_yyparse+6020>: nop DWORD PTR [rax+0x0]
   0x668be8 <Perl_yyparse+6024>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfc0 --> 0x640121a020
0008| 0x7fffffffdfc8 --> 0x1221d40 --> 0x0
0016| 0x7fffffffdfd0 --> 0x1221d48 --> 0x1222120 ("ntax error at test143-min line 1, near \"/$0{}/\"\n")
0024| 0x7fffffffdfd8 --> 0x3c ('<')
0032| 0x7fffffffdfe0 --> 0x4
0040| 0x7fffffffdfe8 --> 0x633a3424c350f300
0048| 0x7fffffffdff0 --> 0x7fffffffe3c0 --> 0x7fffffffe63d ("test143-min")
0056| 0x7fffffffdff8 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000668bd8 in Perl_yyparse ()
gdb-peda$ exploit
Description: Access violation
Short description: AccessViolation (21/22)
Hash: d9722ba607412bb0b0027e58bf5e08e2.d9722ba607412bb0b0027e58bf5e08e2
Exploitability Classification: UNKNOWN
Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.

Test case hexdump:
0000000 242f 7b30 2f7d
0000006

Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, libc 3.2.65-1+deb7u1 x86_6, gcc 4.9.2
Subject: test143-min
application/octet-stream 6b

Message body not shown because it is not plain text.

Valgrind output:

==24607== Invalid read of size 4
==24607==    at 0x668818: Perl_yyparse (perly.c:523)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c1c is 172 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 2
==24607==    at 0x668898: Perl_yyparse (perly.c:524)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c18 is 168 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607==    at 0x6688F0: Perl_yyparse (perly.c:524)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c10 is 160 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607==    at 0x668B90: Perl_yyparse (perly.c:532)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c20 is 176 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 2
==24607==    at 0x668C6E: Perl_yyparse (perly.c:534)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8bf8 is 136 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 2
==24607==    at 0x668F97: Perl_yyparse (perly.c:545)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c18 is 168 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 8
==24607==    at 0x668FA3: Perl_yyparse (perly.c:546)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c10 is 160 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 2
==24607==    at 0x668FEE: Perl_yyparse (inline.h:143)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c18 is 168 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 8
==24607==    at 0x669036: Perl_yyparse (perly.c:547)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c20 is 176 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 8
==24607==    at 0x66903A: Perl_yyparse (perly.c:550)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c28 is 184 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 4
==24607==    at 0x669042: Perl_yyparse (perly.c:548)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c1c is 172 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607==    at 0x667C7A: Perl_yyparse (perly.c:408)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c10 is 160 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607==    at 0x668113: Perl_yyparse (perly.c:423)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==  Address 0x5ed8c20 is 176 bytes inside a block of size 6,400 free'd
==24607==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607==    by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607==    by 0x65EC04: S_sublex_done (toke.c:2481)
==24607==    by 0x603C30: Perl_yylex (toke.c:4547)
==24607==    by 0x669684: Perl_yyparse (perly.c:322)
==24607==    by 0x5399A4: S_parse_body (perl.c:2273)
==24607==    by 0x541536: perl_parse (perl.c:1607)
==24607==    by 0x42B63B: main (perlmain.c:114)
==24607==
perl: sv.c:6536: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.
Aborted
RT-Send-CC: perl5-porters [...] perl.org
I'm getting the [perl #123801] assert failure, using the minimized testcase in this ticket:

./miniperl -e '/$0{}/'

The assertion is happening inside SvIVX around toke.c:4550 in blead:

/* m'foo' still needs to be parsed for possible (?{...}) */
if (SvIVX(PL_linestr) == '\'' && !PL_lex_inpat) {

.. where PL_linestr looks like:

(gdb) p /x *PL_parser->linestr
$3 = {sv_any = 0xa42ef0, sv_refcnt = 0x1, sv_flags = 0x4403, sv_u = {
svu_pv = 0xa5f820, svu_iv = 0xa5f820, svu_uv = 0xa5f820, svu_nv = 0x0,
svu_rv = 0xa5f820, svu_rx = 0xa5f820, svu_array = 0xa5f820,
svu_hash = 0xa5f820, svu_gp = 0xa5f820, svu_fp = 0xa5f820}}

The assert is complaining that sv is of type PV, so it isn't valid to call SvIVX on it.

I've managed to establish that sv isn't coming from a newSV_type() call, but that's as far as I've got so far.

Hugo
RT-Send-CC: perl5-porters [...] perl.org
On Fri Feb 13 16:57:12 2015, hv wrote:
> I'm getting the [perl #123801] assert failure, using the minimized
> testcase in this ticket:
>
> ./miniperl -e '/$0{}/'
>
> The assertion is happening inside SvIVX around toke.c:4550 in blead:
>
> /* m'foo' still needs to be parsed for possible (?{...}) */
> if (SvIVX(PL_linestr) == '\'' && !PL_lex_inpat) {
>
> .. where PL_linestr looks like:
>
> (gdb) p /x *PL_parser->linestr
> $3 = {sv_any = 0xa42ef0, sv_refcnt = 0x1, sv_flags = 0x4403, sv_u = {
> svu_pv = 0xa5f820, svu_iv = 0xa5f820, svu_uv = 0xa5f820, svu_nv =
> 0x0,
> svu_rv = 0xa5f820, svu_rx = 0xa5f820, svu_array = 0xa5f820,
> svu_hash = 0xa5f820, svu_gp = 0xa5f820, svu_fp = 0xa5f820}}
>
> The assert is complaining that sv is of type PV, so it isn't valid to
> call SvIVX on it.
>
> I've managed to establish that sv isn't coming from a newSV_type()
> call, but that's as far as I've got so far.

This assertion failure is fixed in f4460c6f7a, but I get another one now:

$ echo -n '/$0{}/' | ./miniperl
Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function Perl_sv_clear, file sv.c, line 6536.
Abort trap: 6

This seems to have to do with perly.c not reference-counting PL_compcv correctly. But I could be wrong.

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Sun Feb 22 16:43:16 2015, sprout wrote:
> This assertion failure is fixed in f4460c6f7a, but I get another one
> now:
>
> $ echo -n '/$0{}/' | ./miniperl
> Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function
> Perl_sv_clear, file sv.c, line 6536.
> Abort trap: 6
>
> This seems to have to do with perly.c not reference-counting PL_compcv
> correctly. But I could be wrong.

I think so, I'm seeing similar problems when there's a parse error in a double quoted string or glob:

% cat t1
"\L\L"
% ./miniperl -c t1
Segmentation fault (core dumped)
% cat t2
<\U\U>
% ./miniperl -c t2
Segmentation fault (core dumped)
%

The first fails during the SvREFCNT_dec here:
#7 0x00000000004b82a6 in Perl_yyparse (gramtype=258) at perly.c:423
.. and the second just after grabbing a compcv here:
#0 0x00000000004b8938 in Perl_yyparse (gramtype=258) at perly.c:528

Hugo
RT-Send-CC: perl5-porters [...] perl.org
On Tue Feb 24 11:58:05 2015, hv wrote:
> On Sun Feb 22 16:43:16 2015, sprout wrote:
> > This assertion failure is fixed in f4460c6f7a, but I get another one
> > now:
> >
> > $ echo -n '/$0{}/' | ./miniperl
> > Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function
> > Perl_sv_clear, file sv.c, line 6536.
> > Abort trap: 6
> >
> > This seems to have to do with perly.c not reference-counting
> > PL_compcv
> > correctly. But I could be wrong.
>
> I think so, I'm seeing similar problems when there's a parse error in
> a double quoted string or glob:
>
> % cat t1
> "\L\L"
> % ./miniperl -c t1
> Segmentation fault (core dumped)
> % cat t2
> <\U\U>
> % ./miniperl -c t2
> Segmentation fault (core dumped)
> %
>
> The first fails during the SvREFCNT_dec here:
> #7 0x00000000004b82a6 in Perl_yyparse (gramtype=258) at perly.c:423
> .. and the second just after grabbing a compcv here:
> #0 0x00000000004b8938 in Perl_yyparse (gramtype=258) at perly.c:528

This seems to have to do with the parser (perly.c) popping scopes on a syntax error, resulting in inner lexing scopes being popped. But somehow the lexer (toke.c) is confused into thinking the inner lexing scope is still active, so it calls the LEAVE in sublex_done, which tries to free the parser stack when the parser is still active.

The solution here may be to use LEAVE_SCOPE(ix) in sublex_done, and store the index somewhere. Or maybe sublex_done should be a no-op if there is no inner lexing scope. I’m still digging.

--
Father Chrysostomos
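
The failure mode described in the message above, as a toy model added here (not Perl's source, and not the change that was committed for this ticket): a parser scope owns the parser stack, error recovery pops the lexer's inner scope, and a stale sublex_done then pops the parser's scope too. Every identifier is hypothetical; the checked variant models the suggestion that sublex_done be a no-op when no inner lexing scope remains.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of a scope stack and savestack. NOT Perl's source; every name
 * here is hypothetical. 6400 is the block size in the Valgrind report. */
#define MAX 16
struct interp {
    void *save[MAX];  int save_ix;   /* pointers to free on scope exit      */
    int   scope[MAX]; int scope_ix;  /* savestack index saved at each enter */
    bool  in_sublex;                 /* lexer's belief: inner scope is open */
    int   sublex_depth;              /* scope depth right after sublex_push */
    void *parser_stack;              /* set to NULL once it has been freed  */
};
static void enter(struct interp *it) { it->scope[it->scope_ix++] = it->save_ix; }
static void save_free(struct interp *it, void *p) { it->save[it->save_ix++] = p; }
/* Unwind the savestack down to index ix, freeing everything above it. */
static void leave_scope(struct interp *it, int ix) {
    while (it->save_ix > ix) {
        void *p = it->save[--it->save_ix];
        if (p == it->parser_stack) it->parser_stack = NULL;
        free(p);
    }
}
static void leave(struct interp *it) { leave_scope(it, it->scope[--it->scope_ix]); }
static void sublex_push(struct interp *it) {
    enter(it);
    it->sublex_depth = it->scope_ix;
    it->in_sublex = true;
}

/* Unchecked: trusts in_sublex and always pops one scope. */
static void sublex_done_unchecked(struct interp *it) {
    if (it->in_sublex) { it->in_sublex = false; leave(it); }
}

/* Checked: a no-op unless the scope opened by sublex_push is still on top. */
static void sublex_done_checked(struct interp *it) {
    if (!it->in_sublex) return;
    it->in_sublex = false;
    if (it->scope_ix == it->sublex_depth) leave(it);
}

/* Returns true if the parser stack was freed while the parser was active. */
bool parser_stack_freed_early(bool checked) {
    struct interp it = {0};
    enter(&it);                                    /* parser's own scope      */
    it.parser_stack = malloc(6400);
    save_free(&it, it.parser_stack);
    int parser_depth = it.scope_ix;
    sublex_push(&it);                              /* lexer enters a pattern  */
    save_free(&it, malloc(8));                     /* inner-scope state       */
    while (it.scope_ix > parser_depth) leave(&it); /* syntax error: recovery  */
    if (checked) sublex_done_checked(&it);         /* lexer was never told    */
    else         sublex_done_unchecked(&it);
    bool freed_early = (it.parser_stack == NULL);  /* parser is still running */
    while (it.scope_ix > 0) leave(&it);            /* normal parser teardown  */
    return freed_early;
}

int main(void) {
    printf("unchecked: freed early = %d\n", parser_stack_freed_early(false));
    printf("checked:   freed early = %d\n", parser_stack_freed_early(true));
    return 0;
}
```

The model records the early free in a flag instead of touching the freed block, so it runs cleanly under Valgrind or ASan while still showing which path releases the parser stack too soon.
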
RT-Send-CC: perl5-porters [...] perl.org
On Thu Feb 26 19:59:57 2015, sprout wrote:
> On Tue Feb 24 11:58:05 2015, hv wrote:
> > On Sun Feb 22 16:43:16 2015, sprout wrote:
> > > This assertion failure is fixed in f4460c6f7a, but I get another
> > > one
> > > now:
> > >
> > > $ echo -n '/$0{}/' | ./miniperl
> > > Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function
> > > Perl_sv_clear, file sv.c, line 6536.
> > > Abort trap: 6
> > >
> > > This seems to have to do with perly.c not reference-counting
> > > PL_compcv
> > > correctly. But I could be wrong.
> >
> > I think so, I'm seeing similar problems when there's a parse error in
> > a double quoted string or glob:
> >
> > % cat t1
> > "\L\L"
> > % ./miniperl -c t1
> > Segmentation fault (core dumped)
> > % cat t2
> > <\U\U>
> > % ./miniperl -c t2
> > Segmentation fault (core dumped)
> > %
> >
> > The first fails during the SvREFCNT_dec here:
> > #7 0x00000000004b82a6 in Perl_yyparse (gramtype=258) at perly.c:423
> > .. and the second just after grabbing a compcv here:
> > #0 0x00000000004b8938 in Perl_yyparse (gramtype=258) at perly.c:528
>
> This seems to have to do with the parser (perly.c) popping scopes on a
> syntax error, resulting in inner lexing scopes being popped. But
> somehow the lexer (toke.c) is confused into thinking the inner lexing
> scope is still active, so it calls the LEAVE in sublex_done, which
> tries to free the parser stack when the parser is still active.
>
> The solution here may be to use LEAVE_SCOPE(ix) in sublex_done, and
> store the index somewhere. Or maybe sublex_done should be a no-op if
> there is no inner lexing scope. I’m still digging.

I finally finished tracking this down. It’s PL_lex_defer again. So the fix is nearly identical to #123801. See commit 479ae48.

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Sat Feb 28 18:29:21 2015, sprout wrote:
> I finally finished tracking this down. It’s PL_lex_defer again. So
> the fix is nearly identical to #123801. See commit 479ae48.

Unfortunately I'm still seeing the additional two cases failing; apologies that I didn't clarify before they should not have a trailing newline:

% echo -n '"\L\L"' | ./miniperl -c
Segmentation fault (core dumped)
% echo -n '<\L\L>' | ./miniperl -c
Segmentation fault (core dumped)
%

They're both failing at the same place now. (The first was previously crashing at perly.c:423.)

Program received signal SIGSEGV, Segmentation fault.
S_SvREFCNT_dec (sv=0xa22) at inline.h:162
162 U32 rc = SvREFCNT(sv);
(gdb) where
#0 S_SvREFCNT_dec (sv=0xa22) at inline.h:162
#1 Perl_yyparse (gramtype=gramtype@entry=258) at perly.c:532
#2 0x000000000040fa4b in S_parse_body (xsinit=0x43fda0 <xs_init>, env=0x0) at perl.c:2277
#3 perl_parse (my_perl=<optimized out>, xsinit=xsinit@entry=0x43fda0 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=env@entry=0x0) at perl.c:1611
#4 0x00000000004066c0 in main (argc=3, argv=0x7fffffffe638, env=0x7fffffffe658) at miniperlmain.c:120
(gdb)

I confirmed (against the first) that it does bisect to 7aa8cb0de.

Hugo
RT-Send-CC: perl5-porters [...] perl.org
On Sun Mar 01 02:00:47 2015, hv wrote:
> On Sat Feb 28 18:29:21 2015, sprout wrote:
> > I finally finished tracking this down. It’s PL_lex_defer again. So
> > the fix is nearly identical to #123801. See commit 479ae48.
>
> Unfortunately I'm still seeing the additional two cases failing;
> apologies that I didn't clarify before they should not have a trailing
> newline:
>
> % echo -n '"\L\L"' | ./miniperl -c
> Segmentation fault (core dumped)
> % echo -n '<\L\L>' | ./miniperl -c
> Segmentation fault (core dumped)
> %
>
> They're both failing at the same place now. (The first was previously
> crashing at perly.c:423.)

It was my mistake not to re-read the ticket before closing it. This is now fixed in 66edcf79f81.

--
Father Chrysostomos
Thank you for submitting this ticket. The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html

--
Karl Williamson for the Perl 5 team

