Report information
Id: 124004
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: unknown
Perl Version: (no value)
Fixed In: 5.22.0



Subject: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed (sv.c:2963)
Built v5.21.10 (v5.21.9-43-g2c3f32a) with the following command line:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j12 test-prep

Bug found with AFL (http://lcamtuf.coredump.cx/afl)

Valgrind:

perl: sv.c:2963: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
==20441==
==20441== Process terminating with default action of signal 6 (SIGABRT): dumping core
==20441==    at 0x5B55165: raise (raise.c:64)
==20441==    by 0x5B583DF: abort (abort.c:92)
==20441==    by 0x5B4E310: __assert_fail (assert.c:81)
==20441==    by 0x9719C8: Perl_sv_2pv_flags (sv.c:2962)
==20441==    by 0x9CC399: Perl_sv_catsv_flags (sv.c:5538)
==20441==    by 0xB255B7: Perl_pp_substcont (pp_ctl.c:222)
==20441==    by 0x7CB49E: Perl_runops_debug (dump.c:2237)
==20441==    by 0x53B4C8: perl_run (perl.c:2427)
==20441==    by 0x42B167: main (perlmain.c:116)

GDB:

gdb-peda$ file ~/perl/perl
gdb-peda$ set args test32-min
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl: sv.c:2963: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffe63a --> 0x736574006c726570 ('perl')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0xa28d
RDI: 0xa28d
RBP: 0x7ffff6ea9c67 --> 0x257325732500203a (': ')
RSP: 0x7fffffffde58 --> 0x7ffff6d933e0 (<*__GI_abort+384>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff6d90165 (<*__GI_raise+53>: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7fdd700 (0x00007ffff7fdd700)
R9 : 0x5653203d21202929 (')) != SV')
R10: 0x8
R11: 0x206
R12: 0xf37340 ("((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM")
R13: 0xf4be70 ("Perl_sv_2pv_flags")
R14: 0x7ffff6ea9c67 --> 0x257325732500203a (': ')
R15: 0xb93
EFLAGS: 0x206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6d9015b <*__GI_raise+43>: movsxd rdi,eax
   0x7ffff6d9015e <*__GI_raise+46>: mov eax,0xea
   0x7ffff6d90163 <*__GI_raise+51>: syscall
=> 0x7ffff6d90165 <*__GI_raise+53>: cmp rax,0xfffffffffffff000
   0x7ffff6d9016b <*__GI_raise+59>: ja 0x7ffff6d90182 <*__GI_raise+82>
   0x7ffff6d9016d <*__GI_raise+61>: repz ret
   0x7ffff6d9016f <*__GI_raise+63>: nop
   0x7ffff6d90170 <*__GI_raise+64>: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde58 --> 0x7ffff6d933e0 (<*__GI_abort+384>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffde60 --> 0xf37340 ("((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM")
0016| 0x7fffffffde68 --> 0x7ffff6eabc21 --> 0x706c6568007325 ('%s')
0024| 0x7fffffffde70 --> 0x7fffffffde90 --> 0x3000000018
0032| 0x7fffffffde78 --> 0xb93
0040| 0x7fffffffde80 --> 0x7fffffffdf80 --> 0x7fffffffe63a --> 0x736574006c726570 ('perl')
0048| 0x7fffffffde88 --> 0x7ffff6dc41b6 (<__fxprintf+310>: lea rsp,[rbp-0x20])
0056| 0x7fffffffde90 --> 0x3000000018
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff6d90165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Hexdump of the 42-byte test case:

0000000 5f24 223d 3030 3b22 7665 6c61 7322 242f
0000010 2f31 3c24 6f66 4072 3000 652f 7722 6968
0000020 656c 7320 2e28 2f29 2f30
000002a

System Info: Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8
Attachment: test32-min (application/octet-stream, 42 bytes; binary, not shown inline)

Interestingly, the nul byte in the string eval serves to stop the @0 from being interpolated, so the test case is equivalent to this:

% ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'
miniperl: sv.c:2964: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
Aborted (core dumped)
%

I'm not sure whether the non-interpolation is an additional bug.

Hacking bisect-runner to treat timeout as success and running with:

bisect.pl --target=miniperl -DDEBUGGING --crash --timeout=1 -- ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'

finds this change first introduced in perl-5.16:

commit 815dd406a7217429564c39cb160845d317b6da75
Author: Nicholas Clark <nick@ccl4.org>
Date:   Fri Jun 17 15:19:07 2011 +0200

    In pp_subst, use a mortal scalar for dstr, instead of SAVEFREESV().
    [...]

.. but I don't think I believe it - running with -Ds perturbs things a bit, but shows a stack underflow which I assume is real; reverting 815dd406a7 appears to allow the plain run to go successfully round its endless loop, but -Ds still shows the same stack underflow.

I'm unlikely to have time to look further at this any time soon.

Hugo
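The attachment exists on this page only as the od-style hexdump in the report, and the thread then triages it by hand: valgrind and gdb in the report, and Hugo's bisect.pl run that counts an abort as a crash and an endless loop (timeout) as success. The script below is an added example, not code from the ticket or from the perl5 repository. It rebuilds the 42-byte test case from the dump (checking every line's hexadecimal offset against the bytes decoded so far, so a mis-copied word is caught rather than silently shifting the file), which also makes Hugo's point visible: the `@` is followed by a NUL and only then by `0`, so `@0` never forms. It then writes the reconstructed file out, runs it under a timeout and reduces the result to one verdict the way the bisect run did. The hexdump constant is copied from the report; the verdict labels (`crash:SIGABRT`, `timeout`, `ok`, `error:N`), the 2-second budget and the assumption that a `perl` binary is on PATH are this example's own choices.

```python
import os
import shutil
import signal
import struct
import subprocess
import tempfile

# od-style dump of the 42-byte attachment, copied from the report above.
# Offsets are hexadecimal (0x10, 0x20, 0x2a); each word is a little-endian
# 16-bit value, so "5f24" is the byte pair 0x24 0x5f, i.e. "$_".
TICKET_HEXDUMP = """\
0000000 5f24 223d 3030 3b22 7665 6c61 7322 242f
0000010 2f31 3c24 6f66 4072 3000 652f 7722 6968
0000020 656c 7320 2e28 2f29 2f30
000002a
"""


def decode_od_x(dump: str) -> bytes:
    """Rebuild the original bytes from an `od -x` dump with hex offsets.

    Each line's offset is checked against the number of bytes decoded so far,
    so a dropped or mistyped word raises instead of silently shifting the
    rest of the file.
    """
    out = bytearray()
    for line in dump.splitlines():
        fields = line.split()
        if not fields:
            continue
        offset, words = int(fields[0], 16), fields[1:]
        if offset != len(out):
            raise ValueError(f"offset {offset:#x} but {len(out)} bytes decoded so far")
        for word in words:
            out += struct.pack("<H", int(word, 16))  # low byte first, as od printed it
    return bytes(out)


def classify_run(returncode, timed_out: bool) -> str:
    """Reduce a child's exit to one verdict, in the spirit of bisect.pl --crash --timeout.

    A negative return code is subprocess's convention for "killed by a signal".
    """
    if timed_out:
        return "timeout"
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name  # e.g. crash:SIGABRT
    return "ok" if returncode == 0 else f"error:{returncode}"


def triage(testcase: bytes, perl: str = "perl", timeout: float = 2.0) -> str:
    """Write the test case to a file, run it under `perl`, and classify the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "testcase.pl")
        with open(path, "wb") as f:
            f.write(testcase)
        try:
            proc = subprocess.run([perl, path], capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return classify_run(None, True)
    return classify_run(proc.returncode, False)


if __name__ == "__main__":
    poc = decode_od_x(TICKET_HEXDUMP)
    print(f"{len(poc)} bytes: {poc!r}")
    # Hugo's observation: "@" is followed by NUL and only then by "0".
    print("NUL at offset", poc.index(b"\x00"))
    if shutil.which("perl"):
        print("verdict:", triage(poc))
    else:
        print("no perl on PATH; skipping the run")
```

Reading the verdict: a DEBUGGING build of an affected perl trips the sv.c assertion and reports `crash:SIGABRT`; a fixed perl never leaves the outer `while s(.)/0/` loop, so `timeout` is the "good" outcome here, exactly the inversion Hugo had to hack into bisect-runner. An affected build without -DDEBUGGING has no assertion to trip, so its verdict says nothing either way.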
On Sat Mar 07 02:42:18 2015, hv wrote:

> Interestingly, the nul byte in the string eval serves to stop the @0
> from being interpolated, so the test case is equivalent to this:
>
> % ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'
> miniperl: sv.c:2964: Perl_sv_2pv_flags: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
> Aborted (core dumped)
> %
>
> I'm not sure whether the non-interpolation is an additional bug.
>
> Hacking bisect-runner to treat timeout as success and running with:
>
> bisect.pl --target=miniperl -DDEBUGGING --crash --timeout=1 --
> ./miniperl -e '$_ = "xx"; eval q{s/./1 for @x/e} while s/./0/'
>
> finds this change first introduced in perl-5.16:
>
> commit 815dd406a7217429564c39cb160845d317b6da75
> Author: Nicholas Clark <nick@ccl4.org>
> Date:   Fri Jun 17 15:19:07 2011 +0200
>
>     In pp_subst, use a mortal scalar for dstr, instead of SAVEFREESV().
>     [...]
>
> .. but I don't think I believe it - running with -Ds perturbs things a
> bit, but shows a stack underflow which I assume is real; reverting
> 815dd406a7 appears to allow the plain run to go successfully round its
> endless loop, but -Ds still shows the same stack underflow.
>
> I'm unlikely to have time to look further at this any time soon.

$ ./miniperl -le 'print 1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6'
124456
$ /opt/testing/bin/perl5.8.7 -le 'print 1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6'
456
$ /opt/bin/perl5.8.8 -le 'print 1, 2, 3, scalar do { 1 for @x } + 1, 4, 5, 6'
124456

With this variation, I get ‘1 2 4 4 5 6’ as far back as 5.002:

push @_, 1, 2, 3, scalar do { for(@x){} } + 1, 4, 5, 6; die "@_" unless @_ == 7

Can't find a suitable start revision to default to.
Tried perl-5.002 perl-5.003 perl-5.004 perl-5.005 perl-5.6.0 perl-5.8.0 v5.10.0
 at ../perl.git/Porting/bisect.pl line 214.

--
Father Chrysostomos
Fixed in c5f78d08dab9b9.

--
Father Chrysostomos
Thank you for submitting this ticket. The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html

--
Karl Williamson for the Perl 5 team

