
sv.c:2941: Perl_sv_2pv_flags: Assertion `SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM' failed #15859

Closed
p5pRT opened this issue Feb 2, 2017 · 6 comments

Comments

p5pRT commented Feb 2, 2017

Migrated from rt.perl.org#130705 (status was 'resolved')

Searchable as RT130705$

p5pRT commented Feb 2, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

warn(0->[0 =~ qr/1/ ~~ 0])

to cause an assertion failure. GDB info about the crash location:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007f44ee76340a in __GI_abort () at abort.c:89
#2 0x00007f44ee75ae47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7f44efe5e760 "SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM", file=file@entry=0x7f44efe5caf8 "sv.c", line=line@entry=2941, function=function@entry=0x7f44efe6bc50 <__PRETTY_FUNCTION__.16041> "Perl_sv_2pv_flags") at assert.c:92
#3 0x00007f44ee75aef2 in __GI___assert_fail (assertion=0x7f44efe5e760 "SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM", file=0x7f44efe5caf8 "sv.c", line=2941, function=0x7f44efe6bc50 <__PRETTY_FUNCTION__.16041> "Perl_sv_2pv_flags") at assert.c:101
#4 0x00007f44efc62f9c in Perl_sv_2pv_flags (sv=0x7f44f1ee5f28, lp=0x7ffd7200f8a8, flags=34) at sv.c:2940
#5 0x00007f44efc81f3b in Perl_sv_catsv_flags (dsv=0x7f44f1ee5f58, ssv=0x7f44f1ee5f28, flags=2) at sv.c:5579
#6 0x00007f44efd4baa4 in Perl_do_join (sv=0x7f44f1ee5f58, delim=0x7f44f00d5860 <PL_sv_no>, mark=0x7f44f1ed3b58, sp=0x7f44f1ed3b60) at doop.c:692
#7 0x00007f44efd1f925 in Perl_pp_warn () at pp_sys.c:428
#8 0x00007f44efbe68ee in Perl_runops_debug () at dump.c:2450
#9 0x00007f44efadf9a0 in S_run_body (oldscope=1) at perl.c:2528
#10 0x00007f44efadef1e in perl_run (my_perl=0x7f44f1ecf010) at perl.c:2451
#11 0x00007f44efa99efe in main (argc=2, argv=0x7ffd7200fd78, env=0x7ffd7200fd90) at perlmain.c:123

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'

@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9

Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh

p5pRT commented Feb 8, 2017

From @tonycoz

On Thu, 02 Feb 2017 12:24:54 -0800, randir wrote:

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

warn(0->[0 =~ qr/1/ ~~ 0])

Perl_ck_smartmatch was converting the match operator from

  0 =~ qr/1/

into a qr// operator. This is fine for a match without =~, but
for a match with an argument like the above, it messes up the stack,
and in this case leaves an AV (implicitly @0) on the stack for warn()
to fail on.

Fixed in d6851fe.

I used print() in the tests to simplify them.

Tony

p5pRT commented Feb 8, 2017

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Feb 8, 2017

@tonycoz - Status changed from 'open' to 'pending release'

p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
