Report information
Id: 130727
Status: pending release
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.25.9
Fixed In: 5.25.10



Date: Tue, 7 Feb 2017 00:21:24 +0300
To: perlbug [...] perl.org
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
Subject: op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.25.9.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

p$0[],%{[],local$0[0][0]}

to cause an assertion failure, even when run under -c for a syntax
check.

GDB info about the crash location:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007f9cfcbaf40a in __GI_abort () at abort.c:89
#2  0x00007f9cfcba6e47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7f9cfe23ecf8 "!(o->op_private & ~(0x03|0x30))", file=file@entry=0x7f9cfe2392ae "op.c", line=line@entry=13184, function=function@entry=0x7f9cfe2407a0 <__PRETTY_FUNCTION__.19575> "S_maybe_multideref") at assert.c:92
#3  0x00007f9cfcba6ef2 in __GI___assert_fail (assertion=0x7f9cfe23ecf8 "!(o->op_private & ~(0x03|0x30))", file=0x7f9cfe2392ae "op.c", line=13184, function=0x7f9cfe2407a0 <__PRETTY_FUNCTION__.19575> "S_maybe_multideref") at assert.c:101
#4  0x00007f9cfdf1e1a5 in S_maybe_multideref (start=0x7f9d00335018, orig_o=0x7f9d00334f98, orig_action=6, hints=0 '\000') at op.c:13184
#5  0x00007f9cfdf1f2ea in Perl_rpeep (o=0x7f9d00335018) at op.c:13771
#6  0x00007f9cfdf227ea in Perl_peep (o=0x7f9d00334be8) at op.c:14786
#7  0x00007f9cfdeed5b1 in S_process_optree (cv=0x0, optree=0x7f9d003330c0, start=0x7f9d00334be8) at op.c:2475
#8  0x00007f9cfdef46a7 in Perl_newPROG (o=0x7f9d003330c0) at op.c:4303
#9  0x00007f9cfdfa7eeb in Perl_yyparse (gramtype=258) at perly.y:123
#10 0x00007f9cfdf2ab84 in S_parse_body (env=0x0, xsinit=0x7f9cfdee5fa8 <xs_init>) at perl.c:2376
#11 0x00007f9cfdf28ee9 in perl_parse (my_perl=0x7f9d00312010, xsinit=0x7f9cfdee5fa8 <xs_init>, argc=2, argv=0x7ffe6bfd88d8, env=0x0) at perl.c:1691
#12 0x00007f9cfdee5ee6 in main (argc=2, argv=0x7ffe6bfd88d8, env=0x7ffe6bfd88f0) at perlmain.c:121
(gdb) f 4
#4  0x00007f9cfdf1e1a5 in S_maybe_multideref (start=0x7f9d00335018, orig_o=0x7f9d00334f98, orig_action=6, hints=0 '\000') at op.c:13184
13184       ASSUME(!(o->op_private & ~(OPpARG2_MASK|OPpDEREF)));
(gdb) p o->op_private
$1 = 162 '\242'

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'

---
@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9

---
Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh
RT-Send-CC: perl5-porters [...] perl.org
On Mon, 06 Feb 2017 13:21:39 -0800, randir wrote:
> While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
> under libdislocator, I found the following program
>
> p$0[],%{[],local$0[0][0]}
>
> to cause an assertion failure, even when run under -c for a syntax
> check.
This simplifies to:

% ./miniperl -wle 'sub p { print for @_ }; p($x[0], %{local $x[0]})'
miniperl: op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed.
Aborted (core dumped)
%

The assert is complaining about OPpLVAL_INTRO set at op.c:3328, and can
also be triggered with eg '(local $x[0])->{x}' or '(local $x[0])->[0]'.

If I hack out the assert it happily does what appears to be the right
thing (though I'm not sure about the first warning):

% ./hackedminiperl -wle 'sub p { print for @_ } p($x[0], %{local $x[0]})'
Use of uninitialized value in hash dereference at -e line 1.
Use of uninitialized value $_ in print at -e line 1.

%

Without the local() we get to see the autovivified hashref, which I
assume is also correct:

% ./miniperl -wle 'sub p { print for @_ } p($x[0], %{$x[0]})'
HASH(0x1ea15c0)
%

I don't know enough to suggest what should be changed here.

Hugo
CC: perl5-porters [...] perl.org
Date: Tue, 7 Feb 2017 15:07:10 +0000
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
To: Hugo van der Sanden via RT <perlbug-followup [...] perl.org>
On Tue, Feb 07, 2017 at 04:47:09AM -0800, Hugo van der Sanden via RT wrote:
> On Mon, 06 Feb 2017 13:21:39 -0800, randir wrote:
> > While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
> > under libdislocator, I found the following program
> >
> > p$0[],%{[],local$0[0][0]}
> >
> > to cause an assertion failure, even when run under -c for a syntax
> > check.
>
> This simplifies to:
>
> % ./miniperl -wle 'sub p { print for @_ }; p($x[0], %{local $x[0]})'
> miniperl: op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed.
> Aborted (core dumped)
> %
>
> The assert is complaining about OPpLVAL_INTRO set at op.c:3328, and can also be triggered with eg '(local $x[0])->{x}' or '(local $x[0])->[0]'.
>
> If I hack out the assert it happily does what appears to be the right thing (though I'm not sure about the first warning):
>
> % ./hackedminiperl -wle 'sub p { print for @_ } p($x[0], %{local $x[0]})'
> Use of uninitialized value in hash dereference at -e line 1.
> Use of uninitialized value $_ in print at -e line 1.
>
> %
>
> Without the local() we get to see the autovivified hashref, which I assume is also correct:
>
> % ./miniperl -wle 'sub p { print for @_ } p($x[0], %{$x[0]})'
> HASH(0x1ea15c0)
> %
>
> I don't know enough to suggest what should be changed here.
I'm currently working on this. Will update soon.

-- 
Monto Blanco... scorchio!
To: Hugo van der Sanden via RT <perlbug-followup [...] perl.org>
From: Dave Mitchell <davem [...] iabyn.com>
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
Date: Tue, 7 Feb 2017 16:03:35 +0000
CC: perl5-porters [...] perl.org
On Tue, Feb 07, 2017 at 03:07:10PM +0000, Dave Mitchell wrote:
> I'm currently working on this. Will update soon.
I've just pushed this:

commit 43dbb3c1592f7f9ccbe0aba64ef2684f39b673ed
Author:     David Mitchell <davem@iabyn.com>
AuthorDate: Tue Feb 7 15:45:14 2017 +0000
Commit:     David Mitchell <davem@iabyn.com>
CommitDate: Tue Feb 7 15:46:57 2017 +0000

    multideref: handle both OPpLVAL_INTRO,OPpDEREF

    RT #130727

    In a nested dereference like $a[0]{b}[1], all but the last aelem/helem
    will normally have a OPpDEREF_AV/HV flag, while the last won't have a
    deref but may well have OPpLVAL_INTRO, e.g.

        local $a[0]{b}[1] = 1;

    The code in S_maybe_multideref() which converts a chain of aelem/helem's
    into a single multideref op assumes this - in particular that an op
    can't have both OPpLVAL_INTRO and OPpDEREF* at the same time.

    However, the following code violates that assumption:

        @{ local $a[0]{b}[1] } = 1;

    In @{expr} = 1, the array is in lvalue context, which makes expr be
    done in ref (autovivify) context. So the final aelem in the above
    expression gets both OPpLVAL_INTRO and OPpDEREF_AV flags.

    In the old days, pp_aelem (probably more by luck than design) would
    action OPpLVAL_INTRO and ignore OPpDEREF_AV. This commit makes
    pp_multideref behave in the same way. In particular, there's no point
    in autovivifying $a[0]{b}[1] as an array ref since the local() will be
    undone before it gets a chance to be used.

    The easiest way to achieve this is to turn off the OPpDEREF flag on the
    aelem/helem op if the OPpLVAL_INTRO flag is set.

-- 
You're only as old as you look.
RT-Send-CC: perl5-porters [...] perl.org
On Tue, 07 Feb 2017 08:04:36 -0800, davem wrote:
> On Tue, Feb 07, 2017 at 03:07:10PM +0000, Dave Mitchell wrote:
> > I'm currently working on this. Will update soon.
>
> I've just pushed this:
>
> commit 43dbb3c1592f7f9ccbe0aba64ef2684f39b673ed
> Author:     David Mitchell <davem@iabyn.com>
> AuthorDate: Tue Feb 7 15:45:14 2017 +0000
> Commit:     David Mitchell <davem@iabyn.com>
> CommitDate: Tue Feb 7 15:46:57 2017 +0000
Does that mean this ticket is closable?

Tony
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
From: Dave Mitchell <davem [...] iabyn.com>
To: Tony Cook via RT <perlbug-followup [...] perl.org>
Date: Wed, 15 Feb 2017 11:19:31 +0000
CC: perl5-porters [...] perl.org
On Sun, Feb 12, 2017 at 03:45:28PM -0800, Tony Cook via RT wrote:
> On Tue, 07 Feb 2017 08:04:36 -0800, davem wrote:
> > On Tue, Feb 07, 2017 at 03:07:10PM +0000, Dave Mitchell wrote:
> > > I'm currently working on this. Will update soon.
> >
> > I've just pushed this:
> >
> > commit 43dbb3c1592f7f9ccbe0aba64ef2684f39b673ed
> > Author:     David Mitchell <davem@iabyn.com>
> > AuthorDate: Tue Feb 7 15:45:14 2017 +0000
> > Commit:     David Mitchell <davem@iabyn.com>
> > CommitDate: Tue Feb 7 15:46:57 2017 +0000
>
> Does that mean this ticket is closable?
Yes, I forgot to do that. Closed now.

-- 
A problem shared is a problem doubled.
RT-Send-CC: perl5-porters [...] perl.org
On Wed, 15 Feb 2017 03:21:46 -0800, davem wrote:
> Yes, I forgot to do that. Closed now.
While this fixes cases deduced by Hugo van der Sanden and provided in your
commit message, the original

./perl -e 'p$0[],%{[],local$0[0][0]}'

still segfaults, though with another message:

perl: op.c:13196: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `o->op_next->op_type == OP_LEAVE' failed.
Date: Sat, 18 Feb 2017 10:53:50 +0000
CC: perl5-porters [...] perl.org
Subject: Re: [perl #130727] op.c:13184: S_maybe_multideref: Assertion `!(o->op_private & ~(0x03|0x30))' failed
From: Dave Mitchell <davem [...] iabyn.com>
To: Sergey Aleynikov via RT <perlbug-followup [...] perl.org>
On Thu, Feb 16, 2017 at 01:27:46PM -0800, Sergey Aleynikov via RT wrote:
> On Wed, 15 Feb 2017 03:21:46 -0800, davem wrote:
> > Yes, I forgot to do that. Closed now.
>
> While this fixes cases deduced by Hugo van der Sanden and provided in your commit message, the original ./perl -e 'p$0[],%{[],local$0[0][0]}' still segfaults, though with another message:
>
> perl: op.c:13196: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `o->op_next->op_type == OP_LEAVE' failed.
Fixed by v5.25.9-154-gd8f2fe0

-- 
I don't want to achieve immortality through my work...
I want to achieve it through not dying.
    -- Woody Allen

