
Assert fail w/o other symptoms - op.c:7750 Perl_cv_const_sv_or_av #15017

Closed
p5pRT opened this issue Oct 29, 2015 · 8 comments


p5pRT commented Oct 29, 2015

Migrated from rt.perl.org#126482 (status was 'resolved')

Searchable as RT126482$


p5pRT commented Oct 29, 2015

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in DEBUGGING perls without any other symptoms in the normal perl interpreter. The testcase is the file:

sub(){sub ub(){0}ub ub

This is indeed a rather odd thing to do, as it couldn't conceivably be expected to do anything but error, but since normal perls error properly, I suspect that this assert fail could be a sign that a more complex program could cause a more complex error state even in normal perls, or that normal perls could break down the line.

dcollins@nightshade64:/usr/local/perl-afl$ ./bin/perl -e 'sub(){sub ub(){0}ub ub'
perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion `((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || ((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.
Aborted

The output with a normal perl is the expected error:

dcollins@nightshade64:/usr/local/perl-afl$ ~/perl/perl -e 'sub(){sub ub(){0}ub ub'
Too many arguments for main::ub at -e line 1, at EOF
Missing right curly or square bracket at -e line 1, at end of line
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.

**GDB**

(gdb) run
Starting program: /usr/local/perl-afl/bin/perl -e sub\(\)\{sub\ ub\(\)\{0\}ub\ ub
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion `((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || ((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cf54e8 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6ced226 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6ced2d2 in __assert_fail ()
  from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000441119 in Perl_cv_const_sv_or_av (cv=cv@entry=0x11ba930)
  at op.c:7750
#5 0x00000000005ebb24 in Perl_yylex () at toke.c:7045
#6 0x00000000006527ad in Perl_yyparse (gramtype=gramtype@entry=258)
  at perly.c:322
#7 0x000000000051e645 in S_parse_body (env=env@entry=0x0,
  xsinit=xsinit@entry=0x428c60 <xs_init>) at perl.c:2307
#8 0x0000000000525437 in perl_parse (my_perl=<optimized out>,
  xsinit=xsinit@entry=0x428c60 <xs_init>, argc=<optimized out>,
  argv=<optimized out>, env=env@entry=0x0) at perl.c:1634
#9 0x0000000000428888 in main (argc=3, argv=0x7fffffffe658,
  env=0x7fffffffe678) at perlmain.c:114
(gdb) f 4
#4 0x0000000000441119 in Perl_cv_const_sv_or_av (cv=cv@entry=0x11ba930)
  at op.c:7750
7750 assert (SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM);
(gdb) info locals
__PRETTY_FUNCTION__ = "Perl_cv_const_sv_or_av"
(gdb) q

**VALGRIND**

dcollins@nightshade64:/usr/local/perl-afl$ valgrind ./bin/perl -e 'sub(){sub ub(){0}ub ub'
==23798== Memcheck, a memory error detector
==23798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==23798== Command: ./bin/perl -e sub(){sub\ ub(){0}ub\ ub
==23798==
perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion `((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || ((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.
==23798==
==23798== Process terminating with default action of signal 6 (SIGABRT)
==23798== at 0x5BDC107: raise (raise.c:56)
==23798== by 0x5BDD4E7: abort (abort.c:89)
==23798== by 0x5BD5225: __assert_fail_base (assert.c:92)
==23798== by 0x5BD52D1: __assert_fail (assert.c:101)
==23798== by 0x441118: Perl_cv_const_sv_or_av (op.c:7750)
==23798== by 0x5EBB23: Perl_yylex (toke.c:7045)
==23798== by 0x6527AC: Perl_yyparse (perly.c:322)
==23798== by 0x51E644: S_parse_body (perl.c:2307)
==23798== by 0x525436: perl_parse (perl.c:1634)
==23798== by 0x428887: main (perlmain.c:114)
==23798==
==23798== HEAP SUMMARY:
==23798== in use at exit: 118,114 bytes in 563 blocks
==23798== total heap usage: 697 allocs, 134 frees, 136,150 bytes allocated
==23798==
==23798== LEAK SUMMARY:
==23798== definitely lost: 176 bytes in 1 blocks
==23798== indirectly lost: 1,974 bytes in 20 blocks
==23798== possibly lost: 24 bytes in 1 blocks
==23798== still reachable: 115,940 bytes in 541 blocks
==23798== suppressed: 0 bytes in 0 blocks
==23798== Rerun with --leak-check=full to see details of leaked memory
==23798==
==23798== For counts of detected and suppressed errors, rerun with: -v
==23798== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Aborted

**PERL -V**

dcollins@nightshade64:/usr/local/perl-afl$ ./bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 5) configuration:
  Commit id: 7195e5d
  Platform:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler:
  cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='5.2.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Oct 22 2015 15:44:40
  @INC:
  /usr/local/perl-afl/lib/site_perl/5.23.5/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.23.5
  /usr/local/perl-afl/lib/5.23.5/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.23.5
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/site_perl
  .


p5pRT commented Aug 16, 2016

From @tonycoz

On Wed Oct 28 19:59:10 2015, dcollinsn@gmail.com wrote:

sub(){sub ub(){0}ub ub

This can be simplified to​:

sub ub(){0} ub ub

This was introduced by

Author: Father Chrysostomos <sprout@cpan.org>
Date: Sun Aug 31 20:13:21 2014 -0700

  Avoid creating GVs when subs are declared

  This patch changes ‘sub foo {...}’ declarations to store subroutine
  references in the stash, to save memory.

  Typeglobs still notionally exist. Accessing CvGV(cv) will reify them.
  Hence, currently the savings are lost when a sub call is compiled.

  $ ./miniperl -e 'sub foo{} BEGIN { warn $::{foo} } foo(); BEGIN { warn $::{f

Tony


p5pRT commented Aug 16, 2016

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Aug 16, 2016

From @cpansprout

On Mon Aug 15 18:43:54 2016, tonyc wrote:

On Wed Oct 28 19:59:10 2015, dcollinsn@gmail.com wrote:

sub(){sub ub(){0}ub ub

This can be simplified to​:

sub ub(){0} ub ub

This was introduced by

2eaf799

Author: Father Chrysostomos <sprout@cpan.org>
Date: Sun Aug 31 20:13:21 2014 -0700

Avoid creating GVs when subs are declared

I’m looking into it.

--

Father Chrysostomos


p5pRT commented Aug 16, 2016

From @cpansprout

On Mon Aug 15 19:36:18 2016, sprout wrote:

On Mon Aug 15 18:43:54 2016, tonyc wrote:

On Wed Oct 28 19:59:10 2015, dcollinsn@gmail.com wrote:

sub(){sub ub(){0}ub ub

This can be simplified to​:

sub ub(){0} ub ub

This was introduced by

2eaf799

Author: Father Chrysostomos <sprout@cpan.org>
Date: Sun Aug 31 20:13:21 2014 -0700

Avoid creating GVs when subs are declared

I’m looking into it.

Fixed in c82de78.

--

Father Chrysostomos


p5pRT commented Aug 16, 2016

@cpansprout - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
