
pp_ctl.c:5165: MAGIC *S_doparseform(SV *): Assertion `!isGV_with_GP(_svpvx)' failed #15862

Closed
p5pRT opened this issue Feb 5, 2017 · 6 comments

Comments


p5pRT commented Feb 5, 2017

Migrated from rt.perl.org#130722 (status was 'resolved')

Searchable as RT130722$


p5pRT commented Feb 5, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

for(1..2){formline*0}

to cause an assertion failure. GDB info about the crash location:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007f6bb585f40a in __GI_abort () at abort.c:89
#2 0x00007f6bb5856e47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7f6bb6f6fbfe "!isGV_with_GP(_svpvx)", file=file@entry=0x7f6bb6f6f9a5 "pp_ctl.c", line=line@entry=5165, function=function@entry=0x7f6bb6f74a08 <__PRETTY_FUNCTION__.17320> "S_doparseform") at assert.c:92
#3 0x00007f6bb5856ef2 in __GI___assert_fail (assertion=0x7f6bb6f6fbfe "!isGV_with_GP(_svpvx)", file=0x7f6bb6f6f9a5 "pp_ctl.c", line=5165, function=0x7f6bb6f74a08 <__PRETTY_FUNCTION__.17320> "S_doparseform") at assert.c:101
#4 0x00007f6bb6e14f01 in S_doparseform (sv=0x7f6bb7c279d8) at pp_ctl.c:5165
#5 0x00007f6bb6df1ed9 in Perl_pp_formline () at pp_ctl.c:494
#6 0x00007f6bb6ce2885 in Perl_runops_debug () at dump.c:2450
#7 0x00007f6bb6bdb9a0 in S_run_body (oldscope=1) at perl.c:2528
#8 0x00007f6bb6bdaf1e in perl_run (my_perl=0x7f6bb7c11010) at perl.c:2451
#9 0x00007f6bb6b95efe in main (argc=2, argv=0x7fff553fb958, env=0x7fff553fb970) at perlmain.c:123

This used to produce a "Can't coerce GLOB to string in form line" error instead of an assertion failure up to 37ffbfc, but this commit only seems to expose the crash while fixing another problem.

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'

@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9

Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Feb 7, 2017

From @tonycoz

On Sun, 05 Feb 2017 15:12:50 -0800, randir wrote:

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

for(1..2){formline*0}

to cause an assertion failure. GDB info about the crash location:

Fixed by:

commit dd314e1
Author: Tony Cook <tony@develop-help.com>
Date: Tue Feb 7 16:14:53 2017 +1100

  (perl #130722) don't call SvPVX() on a glob
 
  S_doparseform() called SvPVX() on the format argument, which
  produced an assertion failure when the format was supplied as a
  glob.
 
  Since S_doparseform() calls SvPV() initially and stores the result,
  just use that result.

Tony
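
A small triage helper for findings like this one, added here as an example and not part of the issue thread or of perl's own test suite: it runs a reproducer under a given perl and classifies the outcome, so the assertion failure reported above can be told apart from an ordinary Perl error such as the earlier "Can't coerce GLOB to string in form line" message. It assumes the shell reports a child killed by a signal as 128 plus the signal number (SIGABRT is 6, so a failed assert() shows up as 134), that the perl under test is a -DDEBUGGING build with assertions compiled in, and that the glibc message contains the word "Assertion" as in the backtrace above; the function names and the perl path in the usage comment are my own.

```shell
#!/bin/sh
# Added example: crash-triage helper for fuzz findings such as this report.
# Not from the issue thread or from perl's own test suite.
#
# Assumptions (not stated on the page):
#   - the shell reports a child killed by a signal as 128+signum, so
#     SIGABRT (6) from a failed assert() appears as exit status 134
#   - the perl under test is a -DDEBUGGING build; otherwise assert() is
#     compiled out and the bug is not observable this way

# classify_run CMD [ARG...]
# Runs CMD with stdout discarded and stderr captured, then prints one word:
#   abort  - "Assertion ... failed" on stderr, or death by SIGABRT
#   signal - death by some other signal (SIGSEGV, SIGBUS, ...)
#   error  - non-zero exit without a signal (a normal die/croak)
#   ok     - exit status zero
classify_run() {
    errfile=$(mktemp) || return 1
    status=0
    "$@" >/dev/null 2>"$errfile" || status=$?

    if grep -q 'Assertion' "$errfile" || [ "$status" -eq 134 ]; then
        result=abort
    elif [ "$status" -gt 128 ]; then
        result=signal
    elif [ "$status" -ne 0 ]; then
        result=error
    else
        result=ok
    fi
    rm -f "$errfile"
    printf '%s\n' "$result"
}

# check_formline_repro PERL
# Runs the one-liner from the report under the given perl binary.
# A DEBUGGING perl without dd314e1 prints "abort"; a perl that reports a
# clean "Can't coerce GLOB to string in form line" error prints "error".
check_formline_repro() {
    classify_run "$1" -e 'for(1..2){formline*0}'
}

# Example invocation (the path is an assumption; point it at your build):
# check_formline_repro /home/afl/perlbrew/perls/perl-debug/bin/perl
```

Run the same reproducer against the perl built before and after the fix; a result of "abort" on the fixed build means the regression is back, while "signal" points at a different crash worth a fresh report.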


p5pRT commented Feb 7, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Feb 7, 2017

@tonycoz - Status changed from 'open' to 'pending release'


p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.


p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
