Report information
Id: 131627
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.27.1
Fixed In: (no value)



To: perlbug [...] perl.org
Subject: op.c:13088: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `!(o->op_flags & ~(3|128))' failed.
Date: Thu, 22 Jun 2017 21:06:24 +0300
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.27.1.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
under libdislocator, I found the following program

    m!$0{qw/0/->@*}!

to cause an assertion failure, even when run under -c for a syntax check.

GDB info about the crash location is:

    gdb$ bt
    #0  __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
    #1  0x00007f581c96c3fa in __GI_abort () at abort.c:89
    #2  0x00007f581c963e37 in __assert_fail_base (fmt=<optimized out>,
        assertion=assertion@entry=0x564edf332d0e "!(o->op_flags & ~(3|128))",
        file=file@entry=0x564edf32cf2e "op.c", line=line@entry=0x3320,
        function=function@entry=0x564edf3348a0 <__PRETTY_FUNCTION__.19849> "S_maybe_multideref") at assert.c:92
    #3  0x00007f581c963ee2 in __GI___assert_fail (assertion=0x564edf332d0e "!(o->op_flags & ~(3|128))",
        file=0x564edf32cf2e "op.c", line=0x3320,
        function=0x564edf3348a0 <__PRETTY_FUNCTION__.19849> "S_maybe_multideref") at assert.c:101
    #4  0x0000564edf00b36f in S_maybe_multideref (start=0x564edf7e07b8, orig_o=0x564edf7e0738, orig_action=0xd, hints=0x0) at op.c:13088
    #5  0x0000564edf00c97c in Perl_rpeep (o=0x564edf7e07b8) at op.c:13798
    #6  0x0000564edf00fedf in Perl_peep (o=0x564edf7e0b50) at op.c:14819
    #7  0x0000564edefda649 in S_process_optree (cv=0x0, optree=0x564edf7e0b88, start=0x564edf7e0b50) at op.c:2475
    #8  0x0000564edefe173f in Perl_newPROG (o=0x564edf7e0b88) at op.c:4303
    #9  0x0000564edf09760c in Perl_yyparse (gramtype=0x102) at perly.y:124
    #10 0x0000564edf018d4c in S_parse_body (env=0x0, xsinit=0x564edefd1fe8 <xs_init>) at perl.c:2401
    #11 0x0000564edf0170b1 in perl_parse (my_perl=0x564edf7b6010, xsinit=0x564edefd1fe8 <xs_init>, argc=0x2, argv=0x7ffff1567488, env=0x0) at perl.c:1719
    #12 0x0000564edefd1f26 in main (argc=0x2, argv=0x7ffff1567488, env=0x7ffff15674a0) at perlmain.c:121

    gdb$ up 4
    #4  0x0000564edf00b36f in S_maybe_multideref (start=0x564edf7e07b8, orig_o=0x564edf7e0738, orig_action=0xd, hints=0x0) at op.c:13088
    13088       ASSUME(!(o->op_flags & ~(OPf_WANT|OPf_SPECIAL)));

    gdb$ p o->op_flags
    $1 = 0xa

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1 (2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes

---
@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0

---
Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh

To: perl5-porters [...] perl.org
Subject: Re: [perl #131627] op.c:13088: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `!(o->op_flags & ~(3|128))' failed.
From: ilmari [...] ilmari.org (Dagfinn Ilmari Mannsåker)
Date: Thu, 22 Jun 2017 21:53:58 +0100
Sergey Aleynikov (via RT) <perlbug-followup@perl.org> writes:

> While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
> under libdislocator, I found the following program
>
> m!$0{qw/0/->@*}!

[…]

> #4 0x0000564edf00b36f in S_maybe_multideref (start=0x564edf7e07b8,
> orig_o=0x564edf7e0738, orig_action=0xd, hints=0x0) at op.c:13088
> 13088 ASSUME(!(o->op_flags & ~(OPf_WANT|OPf_SPECIAL)));
> gdb$ p o->op_flags
> $1 = 0xa

The offending flag is OPf_PARENS, which is to indicate that the OP_GV
came from a qw() rather than a plain scalar value. Including that flag
in the ASSUME() and in the below test for OPf_WANT_SCALAR not only fixes
this assert, but allows multideref to do its thing with this (which I
added as a test):

    @x = (10..12);
    $i = 1;
    is $x[qw(i)->$*], 11, 'RT #131627: $a[qw(i)->$*]';

Pushed as commit e13dc8886f.

The fact that the above works under strict 'refs' is a separate bug,
which I intend to address shortly unless someone feels like beating me
to it.

-- 
"The surreality of the universe tends towards a maximum" -- Skud's Law
"Never formulate a law or axiom that you're not prepared to live with
 the consequences of." -- Skud's Meta-Law
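
Added example (not part of the ticket or of perl's source): a small C program that decodes the op_flags value gdb printed and checks it against the ASSUME() mask from the report, then against that mask widened with OPf_PARENS as the reply describes. The flag values are those defined in perl's op.h; the widened mask is an assumption based on the reply's wording, since the commit itself is not shown on this page.

```c
#include <stdio.h>
#include <string.h>

/* Flag bit values as defined in perl's op.h. */
#define OPf_WANT        3    /* two-bit context field */
#define OPf_WANT_SCALAR 2
#define OPf_KIDS        4
#define OPf_PARENS      8
#define OPf_REF         16
#define OPf_MOD         32
#define OPf_STACKED     64
#define OPf_SPECIAL     128

/* Bits set in flags that the mask does not allow; 0 means the ASSUME() holds.
   op_flags is a U8, so the result is clamped to eight bits. */
unsigned unexpected_flags(unsigned flags, unsigned allowed) {
    return flags & ~allowed & 0xffu;
}

/* Write the names of the single-bit flags set in bits into buf, '|'-separated. */
const char *flag_names(unsigned bits, char *buf, size_t len) {
    static const struct { unsigned bit; const char *name; } tbl[] = {
        {OPf_KIDS, "OPf_KIDS"},       {OPf_PARENS, "OPf_PARENS"},
        {OPf_REF, "OPf_REF"},         {OPf_MOD, "OPf_MOD"},
        {OPf_STACKED, "OPf_STACKED"}, {OPf_SPECIAL, "OPf_SPECIAL"},
    };
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof tbl / sizeof tbl[0]; i++) {
        if (!(bits & tbl[i].bit)) continue;
        if (buf[0]) strncat(buf, "|", len - strlen(buf) - 1);
        strncat(buf, tbl[i].name, len - strlen(buf) - 1);
    }
    return buf;
}

int main(void) {
    char buf[128];
    unsigned flags  = 0x0a;                    /* from the report: p o->op_flags */
    unsigned before = OPf_WANT | OPf_SPECIAL;  /* mask in the failing ASSUME()   */
    unsigned after  = before | OPf_PARENS;     /* assumed mask after the fix     */

    printf("context bits (flags & OPf_WANT): %u\n", flags & OPf_WANT);
    printf("rejected by original mask: [%s]\n",
           flag_names(unexpected_flags(flags, before), buf, sizeof buf));
    printf("rejected by widened mask:  [%s]\n",
           flag_names(unexpected_flags(flags, after), buf, sizeof buf));
    return 0;
}
```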

