Skip Menu |
Report information
Id: 130727
Status: resolved
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.25.9
Fixed In: 5.25.10



Date: Tue, 7 Feb 2017 00:21:24 +0300
To: perlbug [...] perl.org
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
Subject: op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
Download (untitled) / with headers
text/plain 5.3k
This is a bug report for perl from sergey.aleynikov@gmail.com, generated with the help of perlbug 1.40 running under perl 5.25.9. ----------------------------------------------------------------- [Please describe your issue here] While fuzzing perl v5.25.9-35-g32207c637b built with afl and run under libdislocator, I found the following program p$0[],%{[],local$0[0][0]} to cause an assertion failure, even when run under -c for a syntax check. GDB info about the crash location: (gdb) bt #0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58 #1 0x00007f9cfcbaf40a in __GI_abort () at abort.c:89 #2 0x00007f9cfcba6e47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7f9cfe23ecf8 "!(o->op_private & ~(0x03|0x30))", file=file@entry=0x7f9cfe2392ae "op.c", line=line@entry=13184, function=function@entry=0x7f9cfe2407a0 <__PRETTY_FUNCTION__.19575> "S_maybe_multideref") at assert.c:92 #3 0x00007f9cfcba6ef2 in __GI___assert_fail (assertion=0x7f9cfe23ecf8 "!(o->op_private & ~(0x03|0x30))", file=0x7f9cfe2392ae "op.c", line=13184, function=0x7f9cfe2407a0 <__PRETTY_FUNCTION__.19575> "S_maybe_multideref") at assert.c:101 #4 0x00007f9cfdf1e1a5 in S_maybe_multideref (start=0x7f9d00335018, orig_o=0x7f9d00334f98, orig_action=6, hints=0 '\000') at op.c:13184 #5 0x00007f9cfdf1f2ea in Perl_rpeep (o=0x7f9d00335018) at op.c:13771 #6 0x00007f9cfdf227ea in Perl_peep (o=0x7f9d00334be8) at op.c:14786 #7 0x00007f9cfdeed5b1 in S_process_optree (cv=0x0, optree=0x7f9d003330c0, start=0x7f9d00334be8) at op.c:2475 #8 0x00007f9cfdef46a7 in Perl_newPROG (o=0x7f9d003330c0) at op.c:4303 #9 0x00007f9cfdfa7eeb in Perl_yyparse (gramtype=258) at perly.y:123 #10 0x00007f9cfdf2ab84 in S_parse_body (env=0x0, xsinit=0x7f9cfdee5fa8 <xs_init>) at perl.c:2376 #11 0x00007f9cfdf28ee9 in perl_parse (my_perl=0x7f9d00312010, xsinit=0x7f9cfdee5fa8 <xs_init>, argc=2, argv=0x7ffe6bfd88d8, env=0x0) at perl.c:1691 #12 0x00007f9cfdee5ee6 in main (argc=2, argv=0x7ffe6bfd88d8, env=0x7ffe6bfd88f0) at perlmain.c:121 (gdb) f 4 #4 0x00007f9cfdf1e1a5 in S_maybe_multideref (start=0x7f9d00335018, orig_o=0x7f9d00334f98, orig_action=6, hints=0 '\000') at op.c:13184 13184 ASSUME(!(o->op_private & ~(OPpARG2_MASK|OPpDEREF))); (gdb) p o->op_private $1 = 162 '\242' [Please do not change anything below this line] ----------------------------------------------------------------- --- Flags: category=core severity=medium --- Site configuration information for perl 5.25.9: Configured by root at Sat Jan 14 02:25:05 MSK 2017. Summary of my perl5 (revision 5 version 25 subversion 9) configuration: Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0 Platform: osname=linux osvers=3.16.0-4-amd64 archname=x86_64-linux uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux ' config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3' hint=recommended useposix=true d_sigaction=define useithreads=undef usemultiplicity=undef use64bitint=define use64bitall=define uselongdouble=undef usemymalloc=n bincompat5005=undef Compiler: cc='afl-clang-fast' ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2' optimize='-O0 -g -ggdb3' cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include' ccversion='' gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)' gccosandvers='' intsize=4 longsize=8 ptrsize=8 doublesize=8 byteorder=12345678 doublekind=3 d_longlong=define longlongsize=8 d_longdbl=define longdblsize=16 longdblkind=3 ivtype='long' ivsize=8 nvtype='double' nvsize=8 Off_t='off_t' lseeksize=8 alignbytes=8 prototype=define Linker and Libraries: ld='afl-clang-fast' ldflags =' -fstack-protector-strong -L/usr/local/lib' libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc libc=libc-2.24.so so=so useshrplib=false libperl=libperl.a gnulibc_version='2.24' Dynamic Linking: dlsrc=dl_dlopen.xs dlext=so d_dlsymun=undef ccdlflags='-Wl,-E' cccdlflags='-fPIC' lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong' --- @INC for perl 5.25.9: lib /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux /usr/local/lib/perl5/site_perl/5.25.9 /usr/local/lib/perl5/5.25.9/x86_64-linux /usr/local/lib/perl5/5.25.9 --- Environment for perl 5.25.9: HOME=/home/afl LANG=en_US.UTF-8 LANGUAGE=en_US:en LD_LIBRARY_PATH (unset) LOGDIR (unset) PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games PERLBREW_BASHRC_VERSION=0.78 PERLBREW_HOME=/home/afl/.perlbrew PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin PERLBREW_PERL=perl-5.22.1 PERLBREW_ROOT=/home/afl/perlbrew PERLBREW_VERSION=0.78 PERL_BADLANG (unset) SHELL=/usr/bin/zsh
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 1.1k
On Mon, 06 Feb 2017 13:21:39 -0800, randir wrote: Show quoted text
> While fuzzing perl v5.25.9-35-g32207c637b built with afl and run > under libdislocator, I found the following program > > p$0[],%{[],local$0[0][0]} > > to cause an assertion failure, even when run under -c for a syntax > check.
This simplifies to: % ./miniperl -wle 'sub p { print for @_ }; p($x[0], %{local $x[0]})' miniperl: op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed. Aborted (core dumped) % The assert is complaining about OPpLVAL_INTRO set at op.c:3328, and can also be triggered with eg '(local $x[0])->{x}' or '(local $x[0])->[0]'. If I hack out the assert it happily does what appears to be the right thing (though I'm not sure about the first warning): % ./hackedminiperl -wle 'sub p { print for @_ } p($x[0], %{local $x[0]})' Use of uninitialized value in hash dereference at -e line 1. Use of uninitialized value $_ in print at -e line 1. % Without the local() we get to see the autovivified hashref, which I assume is also correct: % ./miniperl -wle 'sub p { print for @_ } p($x[0], %{$x[0]})' HASH(0x1ea15c0) % I don't know enough to suggest what should be changed here. Hugo
CC: perl5-porters [...] perl.org
Date: Tue, 7 Feb 2017 15:07:10 +0000
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
To: Hugo van der Sanden via RT <perlbug-followup [...] perl.org>
Download (untitled) / with headers
text/plain 1.3k
On Tue, Feb 07, 2017 at 04:47:09AM -0800, Hugo van der Sanden via RT wrote: Show quoted text
> On Mon, 06 Feb 2017 13:21:39 -0800, randir wrote:
> > While fuzzing perl v5.25.9-35-g32207c637b built with afl and run > > under libdislocator, I found the following program > > > > p$0[],%{[],local$0[0][0]} > > > > to cause an assertion failure, even when run under -c for a syntax > > check.
> > This simplifies to: > > % ./miniperl -wle 'sub p { print for @_ }; p($x[0], %{local $x[0]})' > miniperl: op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed. > Aborted (core dumped) > % > > The assert is complaining about OPpLVAL_INTRO set at op.c:3328, and can also be triggered with eg '(local $x[0])->{x}' or '(local $x[0])->[0]'. > > If I hack out the assert it happily does what appears to be the right thing (though I'm not sure about the first warning): > > % ./hackedminiperl -wle 'sub p { print for @_ } p($x[0], %{local $x[0]})' > Use of uninitialized value in hash dereference at -e line 1. > Use of uninitialized value $_ in print at -e line 1. > > % > > Without the local() we get to see the autovivified hashref, which I assume is also correct: > > % ./miniperl -wle 'sub p { print for @_ } p($x[0], %{$x[0]})' > HASH(0x1ea15c0) > % > > I don't know enough to suggest what should be changed here.
I'm currently working on this. Will update soon. -- Monto Blanco... scorchio!
To: Hugo van der Sanden via RT <perlbug-followup [...] perl.org>
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
Date: Tue, 7 Feb 2017 16:03:35 +0000
CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 1.6k
On Tue, Feb 07, 2017 at 03:07:10PM +0000, Dave Mitchell wrote: Show quoted text
> I'm currently working on this. Will update soon.
I've just pushed this: commit 43dbb3c1592f7f9ccbe0aba64ef2684f39b673ed Author: David Mitchell <davem@iabyn.com> AuthorDate: Tue Feb 7 15:45:14 2017 +0000 Commit: David Mitchell <davem@iabyn.com> CommitDate: Tue Feb 7 15:46:57 2017 +0000 multideref: handle both OPpLVAL_INTRO,OPpDEREF RT #130727 In a nested dereference like $a[0]{b}[1], all but the last aelem/helem will normally have a OPpDEREF_AV/HV flag, while the last won't have a deref but may well have OPpLVAL_INTRO, e.g. local $a[0]{b}[1] = 1; The code in S_maybe_multideref() which converts a chain of aelem/helem's into a single mltideref op assumes this - in particular that an op can't have both OPpLVAL_INTRO and OPpDEREF* at the same time. However, the following code violates that assumption: @{ local $a[0]{b}[1] } = 1; In @{expr} = 1, the array is in lvalue context, which makes expr be done in ref (autovivify) context. So the final aelem in the above expression gets both OPpLVAL_INTRO and OPpDEREF_AV flags. In the old days, pp_aelem (probably more by luck than design) would action OPpLVAL_INTRO and ignore OPpDEREF_AV. This commit makes pp_multideref behave in the same way. In particular, there's no point in autovivifying $a[0]{b}[1] as an array ref since the local() will be undone before it gets a change to be used. The easiest way to achieve this is to tun off the OPpDEREF flag on the aelem/helem op if the OPpLVAL_INTRO flag is set. -- You're only as old as you look.
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 476b
On Tue, 07 Feb 2017 08:04:36 -0800, davem wrote: Show quoted text
> On Tue, Feb 07, 2017 at 03:07:10PM +0000, Dave Mitchell wrote:
> > I'm currently working on this. Will update soon.
> > I've just pushed this: > > commit 43dbb3c1592f7f9ccbe0aba64ef2684f39b673ed > Author: David Mitchell <davem@iabyn.com> > AuthorDate: Tue Feb 7 15:45:14 2017 +0000 > Commit: David Mitchell <davem@iabyn.com> > CommitDate: Tue Feb 7 15:46:57 2017 +0000
Does that mean this ticket is closable? Tony
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
From: Dave Mitchell <davem [...] iabyn.com>
To: Tony Cook via RT <perlbug-followup [...] perl.org>
Date: Wed, 15 Feb 2017 11:19:31 +0000
CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 647b
On Sun, Feb 12, 2017 at 03:45:28PM -0800, Tony Cook via RT wrote: Show quoted text
> On Tue, 07 Feb 2017 08:04:36 -0800, davem wrote:
> > On Tue, Feb 07, 2017 at 03:07:10PM +0000, Dave Mitchell wrote:
> > > I'm currently working on this. Will update soon.
> > > > I've just pushed this: > > > > commit 43dbb3c1592f7f9ccbe0aba64ef2684f39b673ed > > Author: David Mitchell <davem@iabyn.com> > > AuthorDate: Tue Feb 7 15:45:14 2017 +0000 > > Commit: David Mitchell <davem@iabyn.com> > > CommitDate: Tue Feb 7 15:46:57 2017 +0000
> > Does that mean this ticket is closable?
Yes, I forgot to do that. Closed now. -- A problem shared is a problem doubled.
RT-Send-CC: perl5-porters [...] perl.org
Download (untitled) / with headers
text/plain 394b
On Wed, 15 Feb 2017 03:21:46 -0800, davem wrote: Show quoted text
> Yes, I forgot to do that. Closed now.
While this fixes cases deducted by Hugo van der Sanden and provided in your commit message, the original ./perl -e 'p$0[],%{[],local$0[0][0]}' still segfaults, though with another message: perl: op.c:13196: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `o->op_next->op_type == OP_LEAVE' failed.
Date: Sat, 18 Feb 2017 10:53:50 +0000
CC: perl5-porters [...] perl.org
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
From: Dave Mitchell <davem [...] iabyn.com>
To: Sergey Aleynikov via RT <perlbug-followup [...] perl.org>
Download (untitled) / with headers
text/plain 631b
On Thu, Feb 16, 2017 at 01:27:46PM -0800, Sergey Aleynikov via RT wrote: Show quoted text
> On Wed, 15 Feb 2017 03:21:46 -0800, davem wrote:
> > Yes, I forgot to do that. Closed now.
> > While this fixes cases deducted by Hugo van der Sanden and provided in your commit message, the original ./perl -e 'p$0[],%{[],local$0[0][0]}' still segfaults, though with another message: > > perl: op.c:13196: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `o->op_next->op_type == OP_LEAVE' failed.
Fixed by v5.25.9-154-gd8f2fe0 -- I don't want to achieve immortality through my work... I want to achieve it through not dying. -- Woody Allen
Download (untitled) / with headers
text/plain 313b
Thank you for filing this report. You have helped make Perl better. With the release today of Perl 5.26.0, this and 210 other issues have been resolved. Perl 5.26.0 may be downloaded via: https://metacpan.org/release/XSAWYERX/perl-5.26.0 If you find that the problem persists, feel free to reopen this ticket.


This service is sponsored and maintained by Best Practical Solutions and runs on Perl.org infrastructure.

For issues related to this RT instance (aka "perlbug"), please contact perlbug-admin at perl.org