segfault in Perl_pad_free at pad.c:1820 #14815

Closed
p5pRT opened this issue Jul 24, 2015 · 19 comments
Comments


p5pRT commented Jul 24, 2015

Migrated from rt.perl.org#125679 (status was 'resolved')

Searchable as RT125679$


p5pRT commented Jul 24, 2015

From @geeknik

While fuzzing Perl v5.23.2 (v5.23.1-27-g5cce15f), I found the attached script which causes a segfault in Perl_pad_free at pad.c​:1820.

Can't modify reference to eval "string" in list assignment at test01 line 1, near "};"
Unmatched right curly bracket at test01 line 1, at end of line
syntax error at test01 line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<-- HERE near column 92 at test01 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000667284 in Perl_pad_free () at pad.c​:1820
1820 if (sv && sv != &PL_sv_undef && !SvPADMY(sv))
(gdb) bt
#0 0x0000000000667284 in Perl_pad_free () at pad.c​:1820
#1 0x000000000043d2f5 in Perl_op_clear () at op.c​:1091
#2 0x000000000043e7cc in Perl_op_free () at op.c​:786
#3 0x0000000000659130 in S_clear_yystack ()
#4 0x0000000000af2db6 in Perl_leave_scope () at scope.c​:1241
#5 0x000000000050ba93 in S_my_exit_jump ()
#6 0x000000000053d5e9 in Perl_my_failure_exit ()
#7 0x0000000000b4d9c5 in Perl_die_unwind () at pp_ctl.c​:1689
#8 0x00000000007dafcd in Perl_vcroak () at util.c​:1697
#9 0x00000000007db592 in Perl_croak () at util.c​:1742
#10 0x00000000005e96cd in Perl_yylex () at toke.c​:4642
#11 0x000000000065b4e5 in Perl_yyparse ()
#12 0x00000000005350d9 in perl_parse ()
#13 0x000000000042ab98 in main () at perlmain.c​:114

Hexdump​:
0000000 655c 6176 3d6c 7b71 7270 6e69 7270 6e69
0000010 2274 245c 3d5f 7c7d 7b71 7270 7069 7272
0000020 2269 2274 245c 3d5f 5e7d 6e69 7b73 3b7d
0000030 6665 7d7b 6541 6166 6173 7b73 3b7d 5f65
0000040 7b73 3b7d 6665 7361 7361 7d7b 653b 6166
0000050 6173 6173 6773 3b7d 6665 1000 000a
000005d
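
The test script is attached to the ticket only as the hexdump above, so anyone triaging the report has to turn that dump back into the file. The decoder below is an added example, not code from the ticket or from the perl project; it assumes the dump is hexdump(1) default output (7-digit hex offsets, 16-bit little-endian words, an odd trailing byte zero-padded, repeated lines elided as "*") and also reports the 1-based position of the \x10 byte that the tokenizer diagnostic points at.

```python
import re

# hexdump(1) default output, as posted in the report (constructed here from
# the ticket's own lines): a 7-digit hex offset, then 16-bit words printed
# little-endian (low byte first). An odd trailing byte is padded with 0x00,
# so only the final offset-only line gives the true file length.
HEXDUMP_TEXT = """\
0000000 655c 6176 3d6c 7b71 7270 6e69 7270 6e69
0000010 2274 245c 3d5f 7c7d 7b71 7270 7069 7272
0000020 2269 2274 245c 3d5f 5e7d 6e69 7b73 3b7d
0000030 6665 7d7b 6541 6166 6173 7b73 3b7d 5f65
0000040 7b73 3b7d 6665 7361 7361 7d7b 653b 6166
0000050 6173 6173 6773 3b7d 6665 1000 000a
000005d
"""

LINE_RE = re.compile(r"^([0-9a-fA-F]{7})((?:\s+[0-9a-fA-F]{4})*)\s*$")


def words_to_bytes(words):
    """Expand little-endian 16-bit hex words into their byte sequence."""
    out = bytearray()
    for w in words:
        v = int(w, 16)
        out += bytes((v & 0xFF, v >> 8))
    return bytes(out)


def parse_hexdump(dump: str) -> bytes:
    """Rebuild the original file from hexdump(1) default-format output."""
    data = bytearray()
    last_chunk = b""
    repeating = False
    total = None
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":                  # hexdump elides repeated 16-byte lines
            repeating = True
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised hexdump line: {raw!r}")
        offset = int(m.group(1), 16)
        words = m.group(2).split()
        if repeating:                    # fill the elided gap with copies of the last line
            gap = offset - len(data)
            if not last_chunk or gap % len(last_chunk):
                raise ValueError("cannot expand '*' run")
            data += last_chunk * (gap // len(last_chunk))
            repeating = False
        if not words:                    # final line carries only the total length
            total = offset
            break
        if offset != len(data):
            raise ValueError(f"offset {offset:#x} but {len(data)} bytes read so far")
        last_chunk = words_to_bytes(words)
        data += last_chunk
    if total is None:
        raise ValueError("dump lacks the trailing length line")
    if not (len(data) - 1 <= total <= len(data)):
        raise ValueError(f"length {total} inconsistent with {len(data)} bytes")
    return bytes(data[:total])           # drop the padding byte, if any


def column_of_byte(data: bytes, value: int) -> int:
    """1-based position of the first `value` byte, 0 if it is absent."""
    idx = data.find(bytes((value,)))
    return idx + 1 if idx >= 0 else 0


if __name__ == "__main__":
    script = parse_hexdump(HEXDUMP_TEXT)
    print(len(script), "bytes:", script)
    print("first \\x10 byte at column", column_of_byte(script, 0x10))
```

The recovered file ends in a NUL byte followed by \x10 and a newline, which is why perl's "Unrecognized character \x10" message points at column 92 rather than at the end of the visible text.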


p5pRT commented Jul 24, 2015

From @geeknik

test01


p5pRT commented Jul 25, 2015

From @shlomif

Hi Brian,

On Fri Jul 24 10​:28​:38 2015, brian.carpenter@​gmail.com wrote​:

While fuzzing Perl v5.23.2 (v5.23.1-27-g5cce15f), I found the attached
script which causes a segfault in Perl_pad_free at pad.c​:1820.

Can't modify reference to eval "string" in list assignment at test01
line 1, near "};"
Unmatched right curly bracket at test01 line 1, at end of line
syntax error at test01 line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<--
HERE near column 92 at test01 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000667284 in Perl_pad_free () at pad.c​:1820
1820 if (sv && sv != &PL_sv_undef && !SvPADMY(sv))
(gdb) bt
#0 0x0000000000667284 in Perl_pad_free () at pad.c​:1820
#1 0x000000000043d2f5 in Perl_op_clear () at op.c​:1091
#2 0x000000000043e7cc in Perl_op_free () at op.c​:786
#3 0x0000000000659130 in S_clear_yystack ()
#4 0x0000000000af2db6 in Perl_leave_scope () at scope.c​:1241
#5 0x000000000050ba93 in S_my_exit_jump ()
#6 0x000000000053d5e9 in Perl_my_failure_exit ()
#7 0x0000000000b4d9c5 in Perl_die_unwind () at pp_ctl.c​:1689
#8 0x00000000007dafcd in Perl_vcroak () at util.c​:1697
#9 0x00000000007db592 in Perl_croak () at util.c​:1742
#10 0x00000000005e96cd in Perl_yylex () at toke.c​:4642
#11 0x000000000065b4e5 in Perl_yyparse ()
#12 0x00000000005350d9 in perl_parse ()
#13 0x000000000042ab98 in main () at perlmain.c​:114

Hexdump​:
0000000 655c 6176 3d6c 7b71 7270 6e69 7270 6e69
0000010 2274 245c 3d5f 7c7d 7b71 7270 7069 7272
0000020 2269 2274 245c 3d5f 5e7d 6e69 7b73 3b7d
0000030 6665 7d7b 6541 6166 6173 7b73 3b7d 5f65
0000040 7b73 3b7d 6665 7361 7361 7d7b 653b 6166
0000050 6173 6173 6773 3b7d 6665 1000 000a
000005d

I cannot reproduce this segfault on my Mageia Linux x86-64 6/Cauldron system​:

shlomif@​telaviv1​:~/Download/unpack/perl/p5/git/perl$ gdb ./perl
GNU gdb (GDB) 7.9.50.20150531-1.mga6 (Mageia release 6)
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-mageia-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl...done.
(gdb) r /home/shlomif/test01.pl
Starting program​: /home/shlomif/Download/unpack/perl/p5/git/perl/perl /home/shlomif/test01.pl
Missing separate debuginfos, use​: dnf debuginfo-install glibc-2.20-20.mga5.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Can't modify reference to eval "string" in list assignment at /home/shlomif/test01.pl line 1, near "};"
Unmatched right curly bracket at /home/shlomif/test01.pl line 1, at end of line
syntax error at /home/shlomif/test01.pl line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<-- HERE near column 92 at /home/shlomif/test01.pl line 1.
[Inferior 1 (process 5784) exited with code 0377]
Missing separate debuginfos, use​: dnf debuginfo-install lib64ffi6-3.2.1-1.mga6.x86_64 lib64gio2.0_0-2.45.4-1.mga6.x86_64 lib64glib2.0_0-2.45.4-1.mga6.x86_64 lib64gudev1.0_0-230-3.mga6.x86_64 lib64nm0-1.0.4-1.mga6.x86_64 lib64nspr4-4.10.8-1.mga5.x86_64 lib64nss3-3.19.2-1.mga6.x86_64 lib64pcre1-8.37-3.mga6.x86_64 lib64udev1-222-1.mga6.x86_64 lib64uuid1-2.25.2-6.mga6.x86_64 lib64zlib1-1.2.8-7.mga5.x86_64
(gdb) q
shlomif@​telaviv1​:~/Download/unpack/perl/p5/git/perl$ git show
commit c362894
Author​: Ricardo Signes <rjbs@​cpan.org>
Date​: Fri Jul 24 18​:47​:03 2015 -0400

  bump version on Attribute​::Handlers
 
  ...because of CPAN release to get blead code on CPAN

I've built bleadperl using this script​:

sh Configure -de -Dprefix=$HOME/apps/perl/bleadperl -Doptimize='-O3 -march=native' -Dusedevel


p5pRT commented Jul 25, 2015

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Jul 25, 2015

From @geeknik

My command line to build bleadperl on Debian 7 x64 (which never changes btw)​:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j12 test-prep

On Sat Jul 25 02​:51​:25 2015, shlomif wrote​:

I've built bleadperl using this script​:

sh Configure -de -Dprefix=$HOME/apps/perl/bleadperl -Doptimize='-O3
-march=native' -Dusedevel


p5pRT commented Jul 26, 2015

From @bulk88

On Sat Jul 25 02​:51​:25 2015, shlomif wrote​:

Hi Brian,

On Fri Jul 24 10​:28​:38 2015, brian.carpenter@​gmail.com wrote​:

While fuzzing Perl v5.23.2 (v5.23.1-27-g5cce15f), I found the
attached
script which causes a segfault in Perl_pad_free at pad.c​:1820.

Can't modify reference to eval "string" in list assignment at test01
line 1, near "};"
Unmatched right curly bracket at test01 line 1, at end of line
syntax error at test01 line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<--
HERE near column 92 at test01 line 1.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000667284 in Perl_pad_free () at pad.c​:1820
1820 if (sv && sv != &PL_sv_undef && !SvPADMY(sv))
(gdb) bt
#0 0x0000000000667284 in Perl_pad_free () at pad.c​:1820
#1 0x000000000043d2f5 in Perl_op_clear () at op.c​:1091
#2 0x000000000043e7cc in Perl_op_free () at op.c​:786
#3 0x0000000000659130 in S_clear_yystack ()
#4 0x0000000000af2db6 in Perl_leave_scope () at scope.c​:1241
#5 0x000000000050ba93 in S_my_exit_jump ()
#6 0x000000000053d5e9 in Perl_my_failure_exit ()
#7 0x0000000000b4d9c5 in Perl_die_unwind () at pp_ctl.c​:1689
#8 0x00000000007dafcd in Perl_vcroak () at util.c​:1697
#9 0x00000000007db592 in Perl_croak () at util.c​:1742
#10 0x00000000005e96cd in Perl_yylex () at toke.c​:4642
#11 0x000000000065b4e5 in Perl_yyparse ()
#12 0x00000000005350d9 in perl_parse ()
#13 0x000000000042ab98 in main () at perlmain.c​:114

Hexdump​:
0000000 655c 6176 3d6c 7b71 7270 6e69 7270 6e69
0000010 2274 245c 3d5f 7c7d 7b71 7270 7069 7272
0000020 2269 2274 245c 3d5f 5e7d 6e69 7b73 3b7d
0000030 6665 7d7b 6541 6166 6173 7b73 3b7d 5f65
0000040 7b73 3b7d 6665 7361 7361 7d7b 653b 6166
0000050 6173 6173 6773 3b7d 6665 1000 000a
000005d

I cannot reproduce this segfault on my Mageia Linux x86-64 6/Cauldron
system​:

I can reproduce this with full win32 perl, but not with the same build of win32 miniperl. miniperl is fine, full perl isn't.


C:\Documents and Settings\Owner\Desktop>drmemory -- C:\perl521\srcnewb4opt\miniperl.exe crashtest.pl
WARNING: _NT_SYMBOL_PATH incorrect: using local location instead
Dr.M Dr. Memory version 1.7.0
Dr.M Running "C:\perl521\srcnewb4opt\miniperl.exe crashtest.pl"
Can't modify reference to eval "string" in list assignment at crashtest.pl line 1, near "};"
Unmatched right curly bracket at crashtest.pl line 1, at end of line
syntax error at crashtest.pl line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef <-- HERE near column 92 at crashtest.pl line 1.
Dr.M
Dr.M NO ERRORS FOUND:
Dr.M 0 unique, 0 total unaddressable access(es)
Dr.M 0 unique, 0 total uninitialized access(es)
Dr.M 0 unique, 0 total invalid heap argument(s)
Dr.M 0 unique, 0 total GDI usage error(s)
Dr.M 0 unique, 0 total handle leak(s)
Dr.M 0 unique, 0 total warning(s)
Dr.M 0 unique, 0 total, 0 byte(s) of leak(s)
Dr.M 0 unique, 0 total, 0 byte(s) of possible leak(s)
Dr.M ERRORS IGNORED:
Dr.M 4 potential error(s) (suspected false positives)
Dr.M (details: C:\Documents and Settings\Owner\Application Data\Dr. Memory\DrMemory-miniperl.exe.8776.000\potential_errors.txt)
Dr.M 43 potential leak(s) (suspected false positives)
Dr.M (details: C:\Documents and Settings\Owner\Application Data\Dr. Memory\DrMemory-miniperl.exe.8776.000\potential_errors.txt)
Dr.M 228 unique, 619 total, 86486 byte(s) of still-reachable allocation(s)
Dr.M (re-run with "-show_reachable" for details)
Dr.M Details: C:\Documents and Settings\Owner\Application Data\Dr. Memory\DrMemory-miniperl.exe.8776.000\results.txt
Dr.M WARNING: application exited with abnormal code 0xff

C:\Documents and Settings\Owner\Desktop>drmemory -- C:\perl521\srcnewb4opt\perl.exe crashtest.pl
WARNING: _NT_SYMBOL_PATH incorrect: using local location instead
Dr.M Dr. Memory version 1.7.0
Dr.M Running "C:\perl521\srcnewb4opt\perl.exe crashtest.pl"
Can't modify reference to eval "string" in list assignment at crashtest.pl line 1, near "};"
Unmatched right curly bracket at crashtest.pl line 1, at end of line
syntax error at crashtest.pl line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef <-- HERE near column 92 at crashtest.pl line 1.
Dr.M
Dr.M Error #1: UNINITIALIZED READ: reading 0x0012ea80-0x0012ea84 4 byte(s)
Dr.M # 0 perl523.dll!Perl_pad_free [c:\perl521\srcnewb4opt\pad.c:1820]
Dr.M # 1 perl523.dll!Perl_op_clear [c:\perl521\srcnewb4opt\win32\op.c:1091]
Dr.M # 2 perl523.dll!Perl_op_free [c:\perl521\srcnewb4opt\win32\op.c:786]
Dr.M # 3 perl523.dll!S_clear_yystack [c:\perl521\srcnewb4opt\perly.c:222]
Dr.M # 4 perl523.dll!Perl_leave_scope [c:\perl521\srcnewb4opt\scope.c:1121]
Dr.M # 5 perl523.dll!S_my_exit_jump [c:\perl521\srcnewb4opt\win32\perl.c:5043]
Dr.M # 6 perl523.dll!Perl_my_failure_exit [c:\perl521\srcnewb4opt\win32\perl.c:5030]
Dr.M # 7 perl523.dll!Perl_die_unwind [c:\perl521\srcnewb4opt\pp_ctl.c:1689]
Dr.M # 8 perl523.dll!Perl_vcroak [c:\perl521\srcnewb4opt\util.c:1697]
Dr.M # 9 perl523.dll!Perl_croak [c:\perl521\srcnewb4opt\util.c:1742]
Dr.M #10 perl523.dll!Perl_yylex [c:\perl521\srcnewb4opt\toke.c:4644]
Dr.M #11 perl523.dll!Perl_yyparse [c:\perl521\srcnewb4opt\perly.c:322]
Dr.M Note: @0:00:02.250 in thread 9396
Dr.M Note: instruction: cmp 0xfffffffc(%ebp) $0x00000000
Dr.M
Dr.M ERRORS FOUND:
Dr.M 0 unique, 0 total unaddressable access(es)
Dr.M 1 unique, 1 total uninitialized access(es)
Dr.M 0 unique, 0 total invalid heap argument(s)
Dr.M 0 unique, 0 total GDI usage error(s)
Dr.M 0 unique, 0 total handle leak(s)
Dr.M 0 unique, 0 total warning(s)
Dr.M 0 unique, 0 total, 0 byte(s) of leak(s)
Dr.M 0 unique, 0 total, 0 byte(s) of possible leak(s)
Dr.M ERRORS IGNORED:
Dr.M 4 potential error(s) (suspected false positives)
Dr.M (details: C:\Documents and Settings\Owner\Application Data\Dr. Memory\DrMemory-perl.exe.7860.000\potential_errors.txt)
Dr.M 50 potential leak(s) (suspected false positives)
Dr.M (details: C:\Documents and Settings\Owner\Application Data\Dr. Memory\DrMemory-perl.exe.7860.000\potential_errors.txt)
Dr.M 8 unique, 21 total, 1178 byte(s) of still-reachable allocation(s)
Dr.M (re-run with "-show_reachable" for details)
Dr.M Details: C:\Documents and Settings\Owner\Application Data\Dr. Memory\DrMemory-perl.exe.7860.000\results.txt
Dr.M WARNING: application exited with abnormal code 0xff

C:\Documents and Settings\Owner\Desktop>


--
bulk88 ~ bulk88 at hotmail.com


p5pRT commented Jul 26, 2015

From @hvds

I tried this with​:
  ./Configure -des -Dcc=afl-gcc -Doptimize='-g -O2' -DDEBUGGING -Dusedevel
.. and quite a few other configurations, using perl @​ 5cce15f, and was unable
to reproduce the crash with any variant.

This is with afl-cc 1.47b and gcc (Ubuntu 4.8.2-19ubuntu1) 4.8.2. I also
tried with Ubuntu clang version 3.4-1ubuntu3.

Hugo

"Brian Carpenter via RT" <perlbug-followup@​perl.org> wrote​:
:My command line to build bleadperl on Debian 7 x64 (which never changes btw)​:
:
:./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j12 test-prep
:
:On Sat Jul 25 02​:51​:25 2015, shlomif wrote​:
:>
:> I've built bleadperl using this script​:
:>
:> sh Configure -de -Dprefix=$HOME/apps/perl/bleadperl -Doptimize='-O3
:> -march=native' -Dusedevel
:
:
:---
:via perlbug​: queue​: perl5 status​: open
:https://rt-archive.perl.org/perl5/Ticket/Display.html?id=125679


p5pRT commented Jul 26, 2015

From @geeknik

The only other difference is that I'm using GCC 4.9.2 and AFL 1.83b. To be honest, the test case was rather weird in the fact that I couldn't get afl-tmin to minimize it or even recognize that it was crashing, but I captured it with Valgrind and GDB. Not sure what else I can provide, guess we can put this on hold and see if I can get it to pop again?

On Sun Jul 26 04​:31​:03 2015, hv wrote​:

I tried this with​:
./Configure -des -Dcc=afl-gcc -Doptimize='-g -O2' -DDEBUGGING
-Dusedevel
.. and quite a few other configurations, using perl @​ 5cce15f, and was
unable
to reproduce the crash with any variant.

This is with afl-cc 1.47b and gcc (Ubuntu 4.8.2-19ubuntu1) 4.8.2. I
also
tried with Ubuntu clang version 3.4-1ubuntu3.

Hugo


p5pRT commented Jul 26, 2015

From @geeknik

Here is the core dump and the Valgrind output if that helps.

geeknik@​deb7fuzz​:~/perl$ git show
commit 5cce15f
Author​: Karl Williamson <khw@​cpan.org>
Date​: Wed Jul 22 10​:28​:08 2015 -0600

geeknik@​deb7fuzz​:~/tmp$ ~/perl/perl test01
Can't modify reference to eval "string" in list assignment at test01 line 1, near "};"
Unmatched right curly bracket at test01 line 1, at end of line
syntax error at test01 line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<-- HERE near column 92 at test01 line 1.
Segmentation fault

geeknik@​deb7fuzz​:~/tmp$ valgrind --version
valgrind-3.11.0.SVN

geeknik@​deb7fuzz​:~/tmp$ valgrind -q ~/perl/perl test01
Can't modify reference to eval "string" in list assignment at test01 line 1, near "};"
Unmatched right curly bracket at test01 line 1, at end of line
syntax error at test01 line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<-- HERE near column 92 at test01 line 1.
==56793== Invalid read of size 4
==56793== at 0x667284​: Perl_pad_free (pad.c​:1820)
==56793== by 0x43D2F4​: Perl_op_clear (op.c​:1091)
==56793== by 0x43E7CB​: Perl_op_free (op.c​:786)
==56793== by 0x65912F​: S_clear_yystack (perly.c​:222)
==56793== by 0xAF2DB5​: Perl_leave_scope (scope.c​:1241)
==56793== by 0x50BA92​: S_my_exit_jump (perl.c​:5043)
==56793== by 0x53D5E8​: Perl_my_failure_exit (perl.c​:5030)
==56793== by 0xB4D9C4​: Perl_die_unwind (pp_ctl.c​:1689)
==56793== by 0x7DAFCC​: Perl_vcroak (util.c​:1697)
==56793== by 0x7DB591​: Perl_croak (util.c​:1742)
==56793== by 0x5E96CC​: Perl_yylex (toke.c​:4642)
==56793== by 0x65B4E4​: Perl_yyparse (perly.c​:322)
==56793== Address 0xff0000000c is not stack'd, malloc'd or (recently) free'd
==56793==
==56793==
==56793== Process terminating with default action of signal 11 (SIGSEGV)
==56793== Access not within mapped region at address 0xFF0000000C
==56793== at 0x667284​: Perl_pad_free (pad.c​:1820)
==56793== by 0x43D2F4​: Perl_op_clear (op.c​:1091)
==56793== by 0x43E7CB​: Perl_op_free (op.c​:786)
==56793== by 0x65912F​: S_clear_yystack (perly.c​:222)
==56793== by 0xAF2DB5​: Perl_leave_scope (scope.c​:1241)
==56793== by 0x50BA92​: S_my_exit_jump (perl.c​:5043)
==56793== by 0x53D5E8​: Perl_my_failure_exit (perl.c​:5030)
==56793== by 0xB4D9C4​: Perl_die_unwind (pp_ctl.c​:1689)
==56793== by 0x7DAFCC​: Perl_vcroak (util.c​:1697)
==56793== by 0x7DB591​: Perl_croak (util.c​:1742)
==56793== by 0x5E96CC​: Perl_yylex (toke.c​:4642)
==56793== by 0x65B4E4​: Perl_yyparse (perly.c​:322)
==56793== If you believe this happened as a result of a stack
==56793== overflow in your program's main thread (unlikely but
==56793== possible), you can try to increase the size of the
==56793== main thread stack using the --main-stacksize= flag.
==56793== The main thread stack size used in this run was 8388608.
Segmentation fault


p5pRT commented Jul 26, 2015

From @geeknik

core.gz


p5pRT commented Aug 28, 2016

From @geeknik

Unable to reproduce this `bug` in Perl v5.25.4-20-gc2f7c0b*. Feel free to close.


p5pRT commented Aug 28, 2016

From @cpansprout

On Sat Aug 27 18​:24​:46 2016, brian.carpenter@​gmail.com wrote​:

Unable to reproduce this `bug` in Perl v5.25.4-20-gc2f7c0b*. Feel free
to close.

Well *I* can reproduce it on darwin.

$ ./perl -Ilib -V​:config_args
config_args='-de -DDEBUGGING -Dusedevel -Duseithreads -Doptimize=-O0 -Aoptimize=-g -Accflags=-DPERL_BOOL_AS_CHAR -Dcc=g++ -Accflags=-DPERL_POISON';

Maybe the last argument is helping.

$ ./miniperl /Users/sprout/Downloads/test01
Can't modify reference to eval "string" in list assignment at /Users/sprout/Downloads/test01 line 1, near "};"
Unmatched right curly bracket at /Users/sprout/Downloads/test01 line 1, at end of line
syntax error at /Users/sprout/Downloads/test01 line 1, near "efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<-- HERE near column 92 at /Users/sprout/Downloads/test01 line 1.
Segmentation fault​: 11

--

Father Chrysostomos


p5pRT commented Aug 28, 2016

From @cpansprout

On Sat Aug 27 22​:06​:12 2016, sprout wrote​:

On Sat Aug 27 18​:24​:46 2016, brian.carpenter@​gmail.com wrote​:

Unable to reproduce this `bug` in Perl v5.25.4-20-gc2f7c0b*. Feel
free
to close.

Well *I* can reproduce it on darwin.

$ ./perl -Ilib -V​:config_args
config_args='-de -DDEBUGGING -Dusedevel -Duseithreads -Doptimize=-O0
-Aoptimize=-g -Accflags=-DPERL_BOOL_AS_CHAR -Dcc=g++ -Accflags=-
DPERL_POISON';

Maybe the last argument is helping.

$ ./miniperl /Users/sprout/Downloads/test01
Can't modify reference to eval "string" in list assignment at
/Users/sprout/Downloads/test01 line 1, near "};"
Unmatched right curly bracket at /Users/sprout/Downloads/test01 line
1, at end of line
syntax error at /Users/sprout/Downloads/test01 line 1, near
"efasasasg}"
Unrecognized character \x10; marked by <-- HERE after asasg};ef<--
HERE near column 92 at /Users/sprout/Downloads/test01 line 1.
Segmentation fault​: 11

And that’s with v5.25.4-21-g51068c1. I reduced it by hand to​:

\eval=""^i{};f{}A{};e{}a{};}

It doesn’t crash for me with -e.

--

Father Chrysostomos


p5pRT commented Aug 28, 2016

From @cpansprout

On Sat Aug 27 22​:06​:12 2016, sprout wrote​:

Well *I* can reproduce it on darwin.

$ ./perl -Ilib -V​:config_args
config_args='-de -DDEBUGGING -Dusedevel -Duseithreads -Doptimize=-O0
-Aoptimize=-g -Accflags=-DPERL_BOOL_AS_CHAR -Dcc=g++ -Accflags=-
DPERL_POISON';

Maybe the last argument is helping.

It was the poisson that helped. (I smelt something fishy.)

It turns out that the larger the value of $^H the more likely it is to crash​:

BEGIN{$^H=-1}\eval=time

because the hints were being used as a pad offset, as explained in 2b6a5bf, which fixes the problem.

--

Father Chrysostomos


p5pRT commented Aug 28, 2016

@cpansprout - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
