Report information
Id: 129029
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: brian.carpenter [at] gmail.com
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: CoreDump
Perl Version: (no value)
Fixed In: 5.25.5



Subject: SIGBUS Perl_sv_peek (dump.c:367)
The following script triggers a Bus error (SIGBUS) in Perl v5.25.4 (v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.

#!perl -D2000002
${qq$\x5F$}=q0 and s gggge

Program received signal SIGBUS, Bus error.
0x00000000007d1e64 in Perl_sv_peek (sv=<optimized out>) at dump.c:367
367         else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
(gdb) bt
#0  0x00000000007d1e64 in Perl_sv_peek (sv=<optimized out>) at dump.c:367
#1  0x0000000000bded28 in S_deb_stack_n (stack_base=0x619000009680, stack_min=<optimized out>, stack_max=3, mark_min=<optimized out>, mark_max=108176) at deb.c:145
#2  0x0000000000bdf95e in Perl_deb_stack_all () at deb.c:299
#3  0x00000000007f169d in Perl_runops_debug () at dump.c:2220
#4  0x00000000005a0ff7 in S_run_body (oldscope=<optimized out>) at perl.c:2524
#5  perl_run (my_perl=<optimized out>) at perl.c:2447
#6  0x00000000004de68e in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123
RT-Send-CC: perl5-porters [...] perl.org
On Sat Aug 20 23:07:45 2016, brian.carpenter@gmail.com wrote:
> The following script triggers a Bus error (SIGBUS) in Perl v5.25.4
> (v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.
>
> #!perl -D2000002
> ${qq$\x5F$}=q0 and s gggge

This one I cannot reproduce.

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Sat Aug 20 23:07:45 2016, brian.carpenter@gmail.com wrote:
> The following script triggers a Bus error (SIGBUS) in Perl v5.25.4
> (v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.
>
> #!perl -D2000002
> ${qq$\x5F$}=q0 and s gggge

This is probably equivalent to:

#!perl -DvJRTDxms
$_='q0' and s///ge

Being unable to reproduce the crash, I cannot confirm that it is equivalent.

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
> > Being unable to reproduce the crash, I cannot confirm that it is equivalent.

I've attached a test case that exhibits this behavior. Give it a try.
[Attachment: test654 (application/octet-stream, 43b); message body not shown because it is not plain text.]

RT-Send-CC: perl5-porters [...] perl.org
On Sun Aug 21 15:12:21 2016, brian.carpenter@gmail.com wrote:
> > > Being unable to reproduce the crash, I cannot confirm that it is
> > > equivalent.
>
> I've attached a test case that exhibits this behavior. Give it a try.

Still no difference (on darwin). I guess my machine is special. :-)

--
Father Chrysostomos
RT-Send-CC: perl5-porters [...] perl.org
On Sun Aug 21 17:23:39 2016, sprout wrote:
> Still no difference (on darwin). I guess my machine is special. :-)

The machine I'm running my tests on is a Debian 8.5 x64 VM (512MB RAM, 20GB DISK, 1 vCPU). I've only seen 5 or 6 of these Perl `scripts` which trigger this `Bus error` and I've never encountered it while fuzzing other things on similar architectures (PHP, OpenSSL, Ruby, Python, Bash, GCC, CLANG, etc), and before this 48 hour Perl sprint, I hadn't seen it in previous Perl sessions.
From: Zefram <zefram [...] fysh.org>
Date: Mon, 22 Aug 2016 02:08:41 +0100
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
To: perl5-porters [...] perl.org
SIGBUS is very little used by the x86 architecture. The usual cause of SIGBUS (on any architecture) is an unaligned memory access, but x86 by default permits unaligned access. (Alignment checking *can* be turned on, via a CPU flag, and will duly generate SIGBUS on Linux.) Other ways of generating SIGBUS are to clear the segment registers, run into a memory fault, and that's about it. None of these is an obvious candidate for your case. Please show us a register dump and disassembly from the point of the SIGBUS.

-zefram
RT-Send-CC: perl5-porters [...] perl.org
On Sun Aug 21 18:09:14 2016, zefram@fysh.org wrote:
> Please show us a register dump and disassembly from the point of the
> SIGBUS.

Program received signal SIGBUS, Bus error.
0x00000000007d20d4 in Perl_sv_peek (sv=<optimized out>) at dump.c:367
367         else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
   0x00000000007d20ab <Perl_sv_peek+251>:  64 49 63 04 24              movslq %fs:(%r12),%rax
   0x00000000007d20b0 <Perl_sv_peek+256>:  48 8b 0d e9 ad 9e 00        mov    0x9eade9(%rip),%rcx        # 0x11bcea0 <__afl_area_ptr>
   0x00000000007d20b7 <Perl_sv_peek+263>:  48 35 29 bf 00 00           xor    $0xbf29,%rax
   0x00000000007d20bd <Perl_sv_peek+269>:  fe 04 01                    incb   (%rcx,%rax,1)
   0x00000000007d20c0 <Perl_sv_peek+272>:  64 41 c7 04 24 94 5f 00 00  movl   $0x5f94,%fs:(%r12)
   0x00000000007d20c9 <Perl_sv_peek+281>:  4d 8d 7e 0c                 lea    0xc(%r14),%r15
   0x00000000007d20cd <Perl_sv_peek+285>:  4c 89 fd                    mov    %r15,%rbp
   0x00000000007d20d0 <Perl_sv_peek+288>:  48 c1 ed 03                 shr    $0x3,%rbp
=> 0x00000000007d20d4 <Perl_sv_peek+292>:  8a 85 00 80 ff 7f           mov    0x7fff8000(%rbp),%al
   0x00000000007d20da <Perl_sv_peek+298>:  84 c0                       test   %al,%al
   0x00000000007d20dc <Perl_sv_peek+300>:  74 14                       je     0x7d20f2 <Perl_sv_peek+322>
   0x00000000007d20de <Perl_sv_peek+302>:  44 89 f9                    mov    %r15d,%ecx
   0x00000000007d20e1 <Perl_sv_peek+305>:  83 e1 07                    and    $0x7,%ecx
   0x00000000007d20e4 <Perl_sv_peek+308>:  83 c1 03                    add    $0x3,%ecx
   0x00000000007d20e7 <Perl_sv_peek+311>:  0f be c0                    movsbl %al,%eax
   0x00000000007d20ea <Perl_sv_peek+314>:  39 c1                       cmp    %eax,%ecx
   0x00000000007d20ec <Perl_sv_peek+316>:  0f 8d 36 23 00 00           jge    0x7d4428 <Perl_sv_peek+9336>
   0x00000000007d20f2 <Perl_sv_peek+322>:  41 0f b6 07                 movzbl (%r15),%eax
   0x00000000007d20f6 <Perl_sv_peek+326>:  83 f8 55                    cmp    $0x55,%eax
   0x00000000007d20f9 <Perl_sv_peek+329>:  0f 84 b6 0d 00 00           je     0x7d2eb5 <Perl_sv_peek+3845>
(gdb) info all-registers
rax            0xb949              47433
rbx            0x62100000e7c8      107820859058120
rcx            0x1df7750           31422288
rdx            0x1df7750           31422288
rsi            0xc27c              49788
rdi            0x62100000e7d4      107820859058132
rbp            0x17d7d7d7d7d7d7d9  0x17d7d7d7d7d7d7d9
rsp            0x7fffffffe100      0x7fffffffe100
r8             0x60200007e890      105690555738256
r9             0x62100000e7c8      107820859058120
r10            0x94c433            9749555
r11            0x3                 3
r12            0xfffffffffffffff8  -8
r13            0x0                 0
r14            0xbebebebebebebebe  -4702111234474983746
r15            0xbebebebebebebeca  -4702111234474983734
rip            0x7d20d4            0x7d20d4 <Perl_sv_peek+292>
eflags         0x10a02             [ IF OF RF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0
[floating-point (st0-st7, fctrl/fstat/ftag, mxcsr) and vector (ymm0-ymm15) register contents omitted]
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
To: perl5-porters [...] perl.org
From: Zefram <zefram [...] fysh.org>
Date: Mon, 22 Aug 2016 03:21:56 +0100
Brian Carpenter via RT wrote:
>=> 0x00000000007d20d4 <Perl_sv_peek+292>:  8a 85 00 80 ff 7f  mov    0x7fff8000(%rbp),%al
...
>ds             0x0      0

There's your proximate problem: segment register clear for a memory operation. The mystery is how it got like that. I'd never expect to see %ds (or %es) clear in normal operation. Your %rbp doesn't look healthy either, having been derived from a 0xbebebebebebebebe filler pattern found in %r14. But what's the offset of 0x7fff8000 on that address about? I don't see what in the source corresponds to that bit. Maybe your fuzzing compiler generates some funny code? A few instructions later I can see the SvTYPE(sv) == 'U' check, so the disassembly bears at least some relation to the source.

-zefram
To: perlbug-followup [...] perl.org
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
Date: Sun, 21 Aug 2016 21:42:38 -0500
3350 lines of debugging output before the Bus error happens.


On Sun, Aug 21, 2016 at 9:22 PM, Zefram via RT <perlbug-followup@perl.org> wrote:
> Brian Carpenter via RT wrote:
> >=> 0x00000000007d20d4 <Perl_sv_peek+292>:       8a 85 00 80 ff 7f       mov    0x7fff8000(%rbp),%al
> ...
> >ds             0x0      0
>
> There's your proximate problem: segment register clear for a memory
> operation.  The mystery is how it got like that.  I'd never expect to
> see %ds (or %es) clear in normal operation.  Your %rbp doesn't look
> healthy either, having been derived from a 0xbebebebebebebebe filler
> pattern found in %r14.  But what's the offset of 0x7fff8000 on that
> address about?  I don't see what in the source corresponds to that bit.
> Maybe your fuzzing compiler generates some funny code?  A few instructions
> later I can see the SvTYPE(sv) == 'U' check, so the disassembly bears
> at least some relation to the source.
>
> -zefram

[Attachment: test640-output.txt (text/plain, 116.9k); message body not shown because the sender requested not to inline it.]

RT-Send-CC: perl5-porters [...] perl.org
Intrigued by some of the triage effort, I pulled out my AFL toolchain from a few months ago. I was still unable to reproduce this, on a Perl built with GCC 6.1.1-4 via AFL 2.13b in a 64 bit Debian VM.

Brian, does this still crash on a non-instrumented Perl? Either way, can we have the output of the `perl -V` of a perl that reproduces this on your VM? I'd love to try to reproduce as closely as possible.

For reference, I failed to reproduce with this perl:

$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
  Commit id: 92d73bfab7792718f9ad5c5dc54013176ed9c76b
  Platform:
    osname=linux
    osvers=4.6.0-1-amd64
    archname=x86_64-linux-quadmath
    uname='linux nightshade64 4.6.0-1-amd64 #1 smp debian 4.6.1-1 (2016-06-06) x86_64 gnulinux '
    config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=afl-gcc -Uuselongdouble -Duse64bitall -Doptimize=-O3 -g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -Dusequadmath -des'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-gcc'
    ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
    optimize='-O3 -g'
    cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='6.1.1 20160519'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='__float128'
    nvsize=16
    Off_t='off_t'
    lseeksize=8
    alignbytes=16
    prototype=define
  Linker and Libraries:
    ld='afl-gcc'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/6/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
    libc=libc-2.22.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.22'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O3 -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    DEBUGGING
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_DEVEL
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
    USE_QUADMATH
  Built under linux
  Compiled at Aug 21 2016 22:48:53
  %ENV:
    PERLBREW_BASHRC_VERSION="0.76"
    PERLBREW_HOME="/home/dcollins/.perlbrew"
    PERLBREW_ROOT="/home/dcollins/toolchain/perl5"
  @INC:
    lib
    /usr/local/perl-afl/lib/site_perl/5.25.5/x86_64-linux-quadmath
    /usr/local/perl-afl/lib/site_perl/5.25.5
    /usr/local/perl-afl/lib/5.25.5/x86_64-linux-quadmath
    /usr/local/perl-afl/lib/5.25.5
    .
$ afl-gcc -v
afl-cc 2.13b by <lcamtuf@google.com>
Using built-in specs.
COLLECT_GCC=gcc-6
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.1.1-4' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.1.1 20160519 (Debian 6.1.1-4)

--
Respectfully,
Dan Collins
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
To: perlbug-followup [...] perl.org
Date: Sun, 21 Aug 2016 22:11:42 -0500
From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
./perl -V
Can't locate Config.pm in @INC (you may need to install the Config module) (@INC contains: /usr/local/lib/perl5/site_perl/5.25.4/x86_64-linux /usr/local/lib/perl5/site_perl/5.25.4 /usr/local/lib/perl5/5.25.4/x86_64-linux /usr/local/lib/perl5/5.25.4 .).
BEGIN failed--compilation aborted.

./afl-gcc -v
afl-cc 2.30b by <lcamtuf@google.com>
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.9/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.2-10' --with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.9 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.9.2 (Debian 4.9.2-10)



On Sun, Aug 21, 2016 at 10:07 PM, Dan Collins via RT <perlbug-followup@perl.org> wrote:
> Intrigued by some of the triage effort, I pulled out my AFL toolchain from a few months ago. I was still unable to reproduce this, on a Perl built with GCC 6.1.1-4 via AFL 2.13b in a 64 bit Debian VM.
>
> Brian, does this still crash on a non-instrumented Perl? Either way, can we have the output of the `perl -V` of a perl that reproduces this on your VM? I'd love to try to reproduce as closely as possible.
>
> For reference, I failed to reproduce with this perl:
>
RT-Send-CC: perl5-porters [...] perl.org
On Sun Aug 21 20:13:04 2016, brian.carpenter@gmail.com wrote:
> ./perl -V
> Can't locate Config.pm in @INC (you may need to install the Config module)
> (@INC contains: /usr/local/lib/perl5/site_perl/5.25.4/x86_64-linux
> /usr/local/lib/perl5/site_perl/5.25.4
> /usr/local/lib/perl5/5.25.4/x86_64-linux /usr/local/lib/perl5/5.25.4 .).
> BEGIN failed--compilation aborted.

Sorry, you'll need to do `./perl -Ilib -V` if you're running that from the build directory of a perl you haven't installed.

--
Respectfully,
Dan Collins
Date: Mon, 22 Aug 2016 04:19:07 +0100
From: Zefram <zefram [...] fysh.org>
To: perl5-porters [...] perl.org
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
Brian 'geeknik' Carpenter wrote:
>3350 lines of debugging output before the Bus error happens.

No smoking gun there. Please try reducing the debugging flags, to find the minimum set that will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to eight flags.

-zefram
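Zefram's flag count can be checked mechanically, and the same arithmetic settles whether -D2000002 and the -DvJRTDxms that Father Chrysostomos proposed as an equivalent really select the same flags. The decoder below is an added example, not code from the ticket or from perl itself: it applies the bit-value-to-letter table that perlrun documents for the -D switch (the table stops at B, so any higher bit is reported as unknown rather than guessed), and it assumes, as perl does, that a -D argument starting with a digit is decimal and anything else is a string of flag letters.

```python
# Decode perl's numeric -D<number> debugging switch into its letter flags.
# Bit values and letters follow the table in perlrun for the -D switch
# (flags above B that newer perls also list are left out; any bit the
# table does not cover is reported as unknown instead of guessed).
PERL_DEBUG_FLAGS = [
    (1, "p"), (2, "s"), (4, "l"), (8, "t"), (16, "o"), (32, "c"),
    (64, "P"), (128, "m"), (256, "f"), (512, "r"), (1024, "x"),
    (2048, "u"), (4096, "U"), (8192, "H"), (16384, "X"), (32768, "D"),
    (65536, "S"), (131072, "T"), (262144, "R"), (524288, "J"),
    (1048576, "v"), (2097152, "C"), (4194304, "A"), (8388608, "q"),
    (16777216, "M"), (33554432, "B"),
]
LETTER_TO_BIT = {letter: bit for bit, letter in PERL_DEBUG_FLAGS}


def parse_d_switch(arg: str) -> int:
    """Return the flag bitmask that a -D argument selects.

    perl reads a -D argument that starts with a digit as a decimal number
    and anything else as a string of flag letters, so "-D2000002" and
    "-DvJRTDxms" are two spellings of one bitmask. A leading "-D" is
    accepted and stripped so whole argv entries can be passed in.
    """
    value = arg[2:] if arg.startswith("-D") else arg
    if value[:1].isdigit():
        return int(value, 10)
    mask = 0
    for letter in value:
        if letter not in LETTER_TO_BIT:
            raise ValueError(f"unknown -D flag letter {letter!r}")
        mask |= LETTER_TO_BIT[letter]
    return mask


def decode_flags(mask: int) -> tuple[list[str], int]:
    """Split a bitmask into (flag letters in table order, leftover unknown bits)."""
    letters = []
    for bit, letter in PERL_DEBUG_FLAGS:
        if mask & bit:
            letters.append(letter)
            mask &= ~bit
    return letters, mask


def same_flags(a: str, b: str) -> bool:
    """True when two -D spellings select exactly the same debug flags."""
    return parse_d_switch(a) == parse_d_switch(b)


if __name__ == "__main__":
    # The value from the bug report: eight flags, as Zefram counted.
    letters, unknown = decode_flags(parse_d_switch("-D2000002"))
    print("-D2000002 ->", "".join(letters), f"({len(letters)} flags)")
    # The letter spelling Father Chrysostomos guessed for the same switch.
    print("equivalent to -DvJRTDxms:", same_flags("-D2000002", "-DvJRTDxms"))
```

Running this confirms the two spellings select the same eight flags (s, m, x, D, T, R, J, v), so the later reduction to the minimum set can start from either form.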
To: perlbug-followup [...] perl.org
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
Date: Sun, 21 Aug 2016 22:29:41 -0500
./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
  Commit id: 92d73bfab7792718f9ad5c5dc54013176ed9c76b
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux debian-512mb-nyc3-02 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O2 -g'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O2 -g'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Debian Clang 3.5.0 (tags/RELEASE_350/final)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib /usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib /usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.19.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.19'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    DEBUGGING
    HAS_TIMES
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_DEVEL
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
  Built under linux
  Compiled at Aug 21 2016 17:16:25
  @INC:
    lib
    /usr/local/lib/perl5/site_perl/5.25.4/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.4
    /usr/local/lib/perl5/5.25.4/x86_64-linux
    /usr/local/lib/perl5/5.25.4


./afl-clang-fast -v
afl-clang-fast 2.30b by <lszekeres@google.com>
Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
Target: x86_64-pc-linux-gnu
Thread model: posix
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8.4
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9.2
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.8.4
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.9
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/4.9.2
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9
Candidate multilib: .;@m64
Selected multilib: .;@m64
 "/usr/bin/ld" --hash-style=both --build-id --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o a.out /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crt1.o /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crti.o /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/crtbegin.o -L/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9 -L/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu -L/lib/x86_64-linux-gnu -L/lib/../lib64 -L/usr/lib/x86_64-linux-gnu -L/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../.. -L/usr/lib/llvm-3.5/bin/../lib -L/lib -L/usr/lib ./afl-llvm-rt.o -lgcc --as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s --no-as-needed /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/crtend.o /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crtn.o
/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crt1.o: In function `_start':
/build/glibc-uPj9cH/glibc-2.19/csu/../sysdeps/x86_64/start.S:118: undefined reference to `main'
clang: error: linker command failed with exit code 1 (use -v to see invocation)

clang --version
Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
Target: x86_64-pc-linux-gnu
Thread model: posix
Date: Sun, 21 Aug 2016 22:37:22 -0500
From: "Brian 'geeknik' Carpenter" <brian.carpenter [...] gmail.com>
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
To: perlbug-followup [...] perl.org
My command line for building Perl never changes either:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O2\ -g && AFL_USE_ASAN=1 make -j2
RT-Send-CC: perl5-porters [...] perl.org

Message body is not shown because it is too large.

RT-Send-CC: perl5-porters [...] perl.org
On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:
> Brian 'geeknik' Carpenter wrote:
> >3350 lines of debugging output before the Bus error happens.
>
> No smoking gun there.
>
> Please try reducing the debugging flags, to find the minimum set that
> will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
> eight flags.

I reduced the -D flags to -Dsv and FatherC's simplification also reproduces the problem:

#!perl -Dsv
$_='q0' and s///ge

tony@mars:.../git/perl$ LD_PRELOAD=/home/tony/local/afl-2.32b/lib/afl/libdislocator.so gdb --args ./perl ../129029b.pl
...
STACK 0: MAIN
CX 0: BLOCK => SV_UNDEF PVMG("q0"\0)

Program received signal SIGSEGV, Segmentation fault.
0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
367         else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
(gdb) bt
#0  0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
#1  0x00000000006fd776 in S_deb_stack_n (stack_base=0x7ffff7fe4c00, stack_min=0, stack_max=3, mark_min=0, mark_max=0) at deb.c:145
#2  0x00000000006fdb37 in Perl_deb_stack_all () at deb.c:299
#3  0x0000000000558fbf in Perl_runops_debug () at dump.c:2220
#4  0x0000000000462a95 in S_run_body (oldscope=1) at perl.c:2525
#5  0x00000000004620c0 in perl_run (my_perl=0x7ffff7ff4fff) at perl.c:2448
#6  0x000000000041efde in main (argc=2, argv=0x7fffffffe838, env=0x7fffffffe850) at perlmain.c:123

valgrind reports:

...
STACK 0: MAIN
CX 0: BLOCK => SV_UNDEF PVMG("q0"\0)
==13721== Conditional jump or move depends on uninitialised value(s)
==13721==    at 0x544F2D: Perl_sv_peek (dump.c:363)
==13721==    by 0x6FD775: S_deb_stack_n (deb.c:145)
==13721==    by 0x6FDB36: Perl_deb_stack_all (deb.c:299)
==13721==    by 0x558FBE: Perl_runops_debug (dump.c:2220)
==13721==    by 0x462A94: S_run_body (perl.c:2525)
==13721==    by 0x4620BF: perl_run (perl.c:2448)
==13721==    by 0x41EFDD: main (perlmain.c:123)
==13721==
VOID CX 1: SUBST =>
...

Tony
RT-Send-CC: perl5-porters [...] perl.org
On Sun Aug 21 23:09:44 2016, tonyc wrote:
> On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:
> > Brian 'geeknik' Carpenter wrote:
> > > 3350 lines of debugging output before the Bus error happens.
> >
> > No smoking gun there.
> >
> > Please try reducing the debugging flags, to find the minimum set that
> > will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
> > eight flags.
>
> I reduced the -D flags to -Dsv and FatherC's simplification also
> reproduces the problem:

I forgot to say, this was uninstrumented, not even -fsanitize, just:

config_args='-des -Dusedevel -DDEBUGGING -Doptimize=-g -O0'

Tony
RT-Send-CC: perl5-porters [...] perl.org
From the author of AFL (Michal Zalewski):

"From the non-optimized stack trace near the end:

0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367

0x41 is a pattern used by libdislocator.so to initialize any memory returned by malloc(). In short, malloc() is not guaranteed to return zero-initialized memory, and libdislocator.so tries to improve the odds of finding bugs by making sure that it *never* returns zeroed data =)

The same logic kicks in for realloc() for padding any upsized buffers.

Of course, it's possible that there's a bug in libdislocator.so, too..."
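The mechanism Zalewski describes, as an added illustration (this is not libdislocator's source nor perl's code): a malloc() wrapper that fills every new block with 0x41, a constructor that wrongly assumes malloc() zeroes memory, and the triage heuristic that turns a pointer like 0x4141414141414141 in a backtrace into a diagnosis. All names (fill_malloc, struct node, looks_like_fill) are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill byte for freshly allocated memory. The report attributes 0x41 to
 * libdislocator; the constant is reused here for the model only. */
#define FILL_BYTE 0x41

/* malloc() wrapper that never hands back zeroed memory: every byte of the
 * new block is set to FILL_BYTE, so a field the caller forgets to write
 * reads back as 0x41 0x41 ... instead of a quiet zero. */
static void *fill_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, FILL_BYTE, n);
    return p;
}

struct node {
    int kind;
    struct node *next;
};

/* Wrongly assumes malloc() zeroes memory: 'next' is never written. */
static struct node *make_node_buggy(int kind)
{
    struct node *n = fill_malloc(sizeof *n);
    if (n)
        n->kind = kind;
    return n;
}

/* Correct: every field is written before the node is handed out. */
static struct node *make_node_fixed(int kind)
{
    struct node *n = fill_malloc(sizeof *n);
    if (n) {
        n->kind = kind;
        n->next = NULL;
    }
    return n;
}

/* Crash-triage heuristic: a pointer-sized value in which every byte equals
 * the allocator's fill byte almost certainly came from memory that was
 * allocated but never written, which points at an uninitialised-field bug
 * rather than an overflow or a use-after-free. */
static int looks_like_fill(uintptr_t v, unsigned char fill)
{
    uintptr_t pattern = 0;
    size_t i;
    for (i = 0; i < sizeof v; i++)
        pattern = (pattern << 8) | fill;
    return v == pattern;
}

/* Returns 1 when the buggy constructor leaks the fill pattern into 'next'. */
static int buggy_next_is_fill(void)
{
    struct node *n = make_node_buggy(1);
    int r = n != NULL && looks_like_fill((uintptr_t)n->next, FILL_BYTE);
    free(n);
    return r;
}

/* Returns 1 when the fixed constructor yields a NULL 'next'. */
static int fixed_next_is_null(void)
{
    struct node *n = make_node_fixed(1);
    int r = n != NULL && n->next == NULL;
    free(n);
    return r;
}

int main(void)
{
    printf("buggy constructor leaks fill pattern: %d\n", buggy_next_is_fill());
    printf("fixed constructor gives NULL next:    %d\n", fixed_next_is_null());
    printf("0x4141414141414141 matches fill 0x41: %d\n",
           looks_like_fill((uintptr_t)0x4141414141414141ULL, FILL_BYTE));
    return 0;
}
```

The same reasoning applies when reading a trace: valgrind's "Conditional jump or move depends on uninitialised value(s)" and a fill-pattern pointer in gdb are two views of the same defect, and a non-zero fill is what makes the second view visible at all.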
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
To: perl5-porters [...] perl.org
Date: Mon, 22 Aug 2016 14:47:01 +0100
From: Zefram <zefram [...] fysh.org>
Dan Collins via RT wrote:
>However, I wasn't trivially able to find any point in the program
>where `ds` had any value in it.

It seems I was wrong about that bit. I know about x86, but not so much specifically about x86_64. Turns out it's normal to have %ds et al clear. I'm not sure what determines the segment, but %ds being clear isn't the problem.

In your case, the cause of the crash is clear. You have 0x4141414141414141 ('AAAAAAAA') as a pointer value, and you try to read through it. This causes the expected SIGSEGV, for reading unmapped memory. Brian's pointer was also wild. Experimentally, if I try reads with the exact pointer values and offsets that the two of you show, I get SIGSEGV in both cases.

-zefram
To: Tony Cook via RT <perlbug-followup [...] perl.org>
Subject: Re: [perl #129029] SIGBUS Perl_sv_peek (dump.c:367)
From: Dave Mitchell <davem [...] iabyn.com>
CC: perl5-porters [...] perl.org
Date: Thu, 25 Aug 2016 16:13:06 +0100
On Sun, Aug 21, 2016 at 11:09:44PM -0700, Tony Cook via RT wrote:
> On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:
> > Brian 'geeknik' Carpenter wrote:
> > >3350 lines of debugging output before the Bus error happens.
> >
> > No smoking gun there.
> >
> > Please try reducing the debugging flags, to find the minimum set that
> > will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
> > eight flags.
>
> I reduced the -D flags to -Dsv and FatherC's simplification also
> reproduces the problem:
>
> #!perl -Dsv
> $_='q0' and s///ge
>
> tony@mars:.../git/perl$ LD_PRELOAD=/home/tony/local/afl-2.32b/lib/afl/libdislocator.so gdb --args ./perl ../129029b.pl
> ...
> STACK 0: MAIN
> CX 0: BLOCK => SV_UNDEF PVMG("q0"\0)
> Program received signal SIGSEGV, Segmentation fault.
> 0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
> 367         else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
> (gdb) bt
> #0  0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
> #1  0x00000000006fd776 in S_deb_stack_n (stack_base=0x7ffff7fe4c00,
>     stack_min=0, stack_max=3, mark_min=0, mark_max=0) at deb.c:145
> #2  0x00000000006fdb37 in Perl_deb_stack_all () at deb.c:299
> #3  0x0000000000558fbf in Perl_runops_debug () at dump.c:2220
> #4  0x0000000000462a95 in S_run_body (oldscope=1) at perl.c:2525
> #5  0x00000000004620c0 in perl_run (my_perl=0x7ffff7ff4fff) at perl.c:2448
> #6  0x000000000041efde in main (argc=2, argv=0x7fffffffe838,
>     env=0x7fffffffe850) at perlmain.c:123
>

Now fixed with:

commit 5ef710896f62c2e11e9da401acb3247cd70ee203
Author:     David Mitchell <davem@iabyn.com>
AuthorDate: Wed Aug 24 16:28:00 2016 +0100
Commit:     David Mitchell <davem@iabyn.com>
CommitDate: Thu Aug 25 16:03:16 2016 +0100

    Perl_deb_stack_all() - handle CXt_SUBST better

    RT #129029

    There's a loop which skips CXt_SUBST context entries - but it wasn't
    checking that the *current* cx is that type, but instead was always
    checking the base cx and was effectively a noop

    Also fixup a few code comments in that function.

--
"Strange women lying in ponds distributing swords is no basis for a
system of government. Supreme executive power derives from a mandate
from the masses, not from some farcical aquatic ceremony."
    -- Dennis, "Monty Python and the Holy Grail"
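The loop defect the commit message describes, modelled in an added example that is not perl's deb.c: a context stack is walked from the top past CXt_SUBST entries to find the real block context whose saved stack position the dumper then uses. The buggy shape tests the base entry instead of the current one, so the skip never fires and the dumper reads a SUBST entry's bookkeeping as if it were a stack position. CXt_BLOCK and CXt_SUBST are perl's context-type names; the struct layout, the numbering, and every function name here are assumptions for the model, and the 0x41 payload is constructed to match the crash report.

```c
#include <stdint.h>
#include <stdio.h>

/* Context types. The two CXt_* names are perl's; the numbering is assumed. */
enum cx_type { CXt_NULL = 0, CXt_BLOCK = 1, CXt_SUBST = 2 };

/* Simplified context entry. A BLOCK entry records where the argument
 * stack stood when the block was entered; a SUBST entry holds s///
 * bookkeeping instead and carries no stack position at all. */
struct cx {
    enum cx_type type;
    union {
        struct { int oldsp; } blk;          /* meaningful only for CXt_BLOCK */
        struct { uint64_t iters; } subst;   /* meaningful only for CXt_SUBST */
    } u;
};

/* Walk from the top entry downwards past any CXt_SUBST entries and return
 * the index of the first real context, or -1 if there is none.
 *
 * Buggy shape: the loop tests stack[0] (the base entry) instead of
 * stack[ix] (the current entry). Whenever the base is not a SUBST the
 * loop is a no-op and the caller is handed a SUBST entry as a block. */
static int skip_subst_buggy(const struct cx *stack, int top)
{
    int ix = top;
    while (ix >= 0 && stack[0].type == CXt_SUBST)   /* BUG: wrong entry */
        ix--;
    return ix;
}

/* Fixed shape: test the entry the index currently points at. */
static int skip_subst_fixed(const struct cx *stack, int top)
{
    int ix = top;
    while (ix >= 0 && stack[ix].type == CXt_SUBST)
        ix--;
    return ix;
}

/* Model of the stack dumper: it takes the context the skip returned and
 * reads its saved stack position; the real dumper would then walk the
 * argument stack up to that point, peeking at each SV. With the buggy
 * skip the union is read through the wrong member and the "position"
 * is really s/// bookkeeping. Returns the position used, or -1. */
static long dumper_oldsp(const struct cx *stack, int top,
                         int (*skip)(const struct cx *, int))
{
    int ix = skip(stack, top);
    if (ix < 0)
        return -1;
    return stack[ix].u.blk.oldsp;
}

/* Constructed two-entry stack matching the report's dump: CX 0 is the
 * main BLOCK, CX 1 is the SUBST pushed by s///ge. The SUBST payload is
 * the 0x41 fill pattern from the crash so the wrong read is easy to
 * recognise. Returns the index of the top entry. */
static int sample_stack(struct cx *stack)
{
    stack[0].type = CXt_BLOCK;
    stack[0].u.blk.oldsp = 3;
    stack[1].type = CXt_SUBST;
    stack[1].u.subst.iters = 0x4141414141414141ULL;
    return 1;
}

static long demo(int (*skip)(const struct cx *, int))
{
    struct cx stack[2];
    int top = sample_stack(stack);
    return dumper_oldsp(stack, top, skip);
}

/* Buggy skip lands on the SUBST entry: the low bytes of its payload,
 * 0x41414141, come back as a stack position. */
static long demo_buggy(void) { return demo(skip_subst_buggy); }

/* Fixed skip lands on the BLOCK entry and returns its real oldsp, 3. */
static long demo_fixed(void) { return demo(skip_subst_fixed); }

int main(void)
{
    printf("buggy skip: oldsp = 0x%lx (garbage from the SUBST entry)\n", demo_buggy());
    printf("fixed skip: oldsp = %ld (from the BLOCK entry)\n", demo_fixed());
    return 0;
}
```

A wrong index into a context stack is a bug that a debugging-only code path hides well, because the dumper runs only under -D flags and the garbage it reads is whatever the allocator left behind; with a zeroing allocator it may never crash, which is the point of the fill pattern discussed earlier in the thread.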
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0 If you find that the problem persists, feel free to reopen this ticket.

