Report information
Id: 130705
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at]>

Operating System: (no value)
PatchStatus: (no value)
Severity: low
Type: core
Perl Version: 5.25.9
Fixed In: (no value)

Date: Thu, 2 Feb 2017 23:24:41 +0300
Subject: sv.c:2941: Perl_sv_2pv_flags: Assertion `SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM' failed
From: Sergey Aleynikov <sergey.aleynikov [...]>
To: perlbug [...]
This is a bug report for perl from, generated with the help of perlbug 1.40 running under perl 5.25.9.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run under libdislocator, I found the following program

warn(0->[0 =~ qr/1/ ~~ 0])

to cause an assertion failure.

GDB info about the crash location:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007f44ee76340a in __GI_abort () at abort.c:89
#2  0x00007f44ee75ae47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7f44efe5e760 "SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM", file=file@entry=0x7f44efe5caf8 "sv.c", line=line@entry=2941, function=function@entry=0x7f44efe6bc50 <__PRETTY_FUNCTION__.16041> "Perl_sv_2pv_flags") at assert.c:92
#3  0x00007f44ee75aef2 in __GI___assert_fail (assertion=0x7f44efe5e760 "SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM", file=0x7f44efe5caf8 "sv.c", line=2941, function=0x7f44efe6bc50 <__PRETTY_FUNCTION__.16041> "Perl_sv_2pv_flags") at assert.c:101
#4  0x00007f44efc62f9c in Perl_sv_2pv_flags (sv=0x7f44f1ee5f28, lp=0x7ffd7200f8a8, flags=34) at sv.c:2940
#5  0x00007f44efc81f3b in Perl_sv_catsv_flags (dsv=0x7f44f1ee5f58, ssv=0x7f44f1ee5f28, flags=2) at sv.c:5579
#6  0x00007f44efd4baa4 in Perl_do_join (sv=0x7f44f1ee5f58, delim=0x7f44f00d5860 <PL_sv_no>, mark=0x7f44f1ed3b58, sp=0x7f44f1ed3b60) at doop.c:692
#7  0x00007f44efd1f925 in Perl_pp_warn () at pp_sys.c:428
#8  0x00007f44efbe68ee in Perl_runops_debug () at dump.c:2450
#9  0x00007f44efadf9a0 in S_run_body (oldscope=1) at perl.c:2528
#10 0x00007f44efadef1e in perl_run (my_perl=0x7f44f1ecf010) at perl.c:2451
#11 0x00007f44efa99efe in main (argc=2, argv=0x7ffd7200fd78, env=0x7ffd7200fd90) at perlmain.c:123

[Please do not change anything below this line]
-----------------------------------------------------------------

--- Flags:
category=core
severity=low

--- Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
Platform:
osname=linux
osvers=3.16.0-4-amd64
archname=x86_64-linux
uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
bincompat5005=undef
Compiler:
cc='afl-clang-fast'
ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O0 -g -ggdb3'
cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
gccosandvers=''
intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3
d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3
ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8
alignbytes=8 prototype=define
Linker and Libraries:
ld='afl-clang-fast'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.24'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'

--- @INC for perl 5.25.9:
lib
/usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
/usr/local/lib/perl5/site_perl/5.25.9
/usr/local/lib/perl5/5.25.9/x86_64-linux
/usr/local/lib/perl5/5.25.9

--- Environment for perl 5.25.9:
HOME=/home/afl
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
PERLBREW_BASHRC_VERSION=0.78
PERLBREW_HOME=/home/afl/.perlbrew
PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
PERLBREW_PERL=perl-5.22.1
PERLBREW_ROOT=/home/afl/perlbrew
PERLBREW_VERSION=0.78
PERL_BADLANG (unset)
SHELL=/usr/bin/zsh
RT-Send-CC: perl5-porters [...]
On Thu, 02 Feb 2017 12:24:54 -0800, randir wrote:

> While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
> under libdislocator, I found the following program
>
> warn(0->[0 =~ qr/1/ ~~ 0])

Perl_ck_smartmatch was converting the match operator from 0 =~ qr/1/ into a qr// operator. This is fine for a match without =~, but for a match with an argument like the above, it messes up the stack, and in this case leaves an AV (implicitly @0) on the stack for warn() to fail on.

Fixed in d6851fe9ee8e6b96009415e29da3235452bd8045.

I used print() in the tests to simplify them.

Tony
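A small triage helper for the workflow this ticket came out of: running a fuzzer-found one-liner under a DEBUGGING perl and telling a glibc assertion failure (which prints "Assertion ... failed" on stderr and then aborts, as in the backtrace above) apart from a plain abort, a segfault, a perl-level die, or a clean exit. This is an added example, not code from the bug report, from the perl tree, or from afl; the function names, the interpreter path, and the use of the exit status convention 128 + signal number are assumptions for illustration.

```sh
#!/bin/sh
# Triage helper for fuzzer-found perl test cases (added example, not from
# the bug report or from perl's own tooling).

# Map a shell exit status to a coarse crash class. Shells report a child
# killed by a signal as 128 + signal number (assumed convention).
classify_status() {
    case "$1" in
        0)   echo clean ;;
        134) echo abort ;;   # 128 + SIGABRT(6): assert() or abort()
        139) echo segv ;;    # 128 + SIGSEGV(11)
        *)
            if [ "$1" -gt 128 ]; then
                echo "signal $(($1 - 128))"
            else
                echo "exit $1"   # e.g. perl die() exits with a small status
            fi ;;
    esac
}

# Run a command, capture its exit status without tripping `set -e`, and
# refine "abort" to "assert" when stderr carries the glibc assertion banner
# ("prog: file.c:NNN: func: Assertion `...' failed.").
run_case() {
    err=$(mktemp)
    rc=0
    "$@" >/dev/null 2>"$err" || rc=$?
    class=$(classify_status "$rc")
    if [ "$class" = abort ] && grep -q 'Assertion .* failed' "$err"; then
        class=assert
    fi
    rm -f "$err"
    echo "$class"
}

# Run a program text under a perl interpreter (hypothetical wrapper).
# Usage: triage_perl /path/to/debugging-perl 'warn(0->[0 =~ qr/1/ ~~ 0])'
# On the unfixed DEBUGGING build from the report this is expected to print
# "assert"; on a fixed build it should print "clean".
triage_perl() {
    interp=$1
    prog=$2
    run_case "$interp" -e "$prog"
}
```

The distinction between "assert" and "abort" matters when sorting a fuzzing queue: an assertion failure points at a specific invariant and source line (here sv.c:2941), while a bare abort or a segfault on a non-DEBUGGING build needs a debugger session before it can be bucketed.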