Report information
Id: 131647
Status: open
Priority: 0/
Queue: perl5

Owner: Nobody
Requestors: randir <sergey.aleynikov [at] gmail.com>
Cc:
AdminCc:

Operating System: (no value)
PatchStatus: (no value)
Severity: medium
Type: core
Perl Version: 5.27.1
Fixed In: (no value)



Date: Sat, 24 Jun 2017 17:01:45 +0300
From: Sergey Aleynikov <sergey.aleynikov [...] gmail.com>
Subject: op.c:8067: SV *Perl_cv_const_sv_or_av(const CV *const): Assertion `SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM' failed.
To: perlbug [...] perl.org
This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.27.1.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
under libdislocator, I found the following program

@I0::""my I0"";sub f00}f00

to cause an assertion failure. This is a regression between 5.20 and
5.22, bisect points to:

commit 0f94cb1fe27e58a59d3391214dab34037ab184db
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Thu Nov 27 22:30:54 2014 -0800

    [perl #123223] Make PADNAME a separate type

    distinct from SV. This should fix the CPAN modules that were failing
    when the PadnameLVALUE flag was added, because it shared the same
    bit as SVs_OBJECT and pad names were going through code paths not
    designed to handle pad names.

    Unfortunately, it will probably break other CPAN modules, but I think
    this change is for the better, as it makes both pad names and SVs
    simpler and makes pad names take less memory.

GDB info about the crash location is:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6cf63fa in __GI_abort () at abort.c:89
#2  0x00007ffff6cede37 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x5555558e3158 "SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM",
    file=file@entry=0x5555558def2e "op.c", line=line@entry=8067,
    function=function@entry=0x5555558e61f0 <__PRETTY_FUNCTION__.17680> "Perl_cv_const_sv_or_av")
    at assert.c:92
#3  0x00007ffff6cedee2 in __GI___assert_fail (assertion=0x5555558e3158 "SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM",
    file=0x5555558def2e "op.c", line=8067,
    function=0x5555558e61f0 <__PRETTY_FUNCTION__.17680> "Perl_cv_const_sv_or_av") at assert.c:101
#4  0x00005555555a19d7 in Perl_cv_const_sv_or_av (cv=0x555555c0b530) at op.c:8067
#5  0x0000555555627e6b in Perl_yylex () at toke.c:7406
#6  0x0000555555649164 in Perl_yyparse (gramtype=258) at perly.c:340
#7  0x00005555555cad4c in S_parse_body (env=0x0, xsinit=0x555555583fe8 <xs_init>) at perl.c:2401
#8  0x00005555555c90b1 in perl_parse (my_perl=0x555555bed010, xsinit=0x555555583fe8 <xs_init>,
    argc=2, argv=0x7fffffffe1c8, env=0x0) at perl.c:1719
#9  0x0000555555583f26 in main (argc=2, argv=0x7fffffffe1c8, env=0x7fffffffe1e0) at perlmain.c:121
(gdb) f 5
#5  0x0000555555627e6b in Perl_yylex () at toke.c:7406
7406	            if ((sv = cv_const_sv_or_av(cv))) {
(gdb) p sv_dump(cv)
SV = PVHV(0x555555bf6010) at 0x555555c0b530
  REFCNT = 3
  FLAGS = (OOK,SHAREKEYS)
  AUX_FLAGS = 0
  ARRAY = 0x555555c17e00
  KEYS = 0
  FILL = 0
  MAX = 7
  RITER = -1
  EITER = 0x0
  RAND = 0xd63e354b
  NAME = "Iz"
  ENAME = "Iz"
$1 = void

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1 (2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes

---
@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0

---
Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh
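Reports like the one above arrive in bulk from a fuzzing campaign, and the first job is bucketing them so that the same assertion is not filed ten times. The script below is an added example for this page, not code from perl or from the reporter's setup: it parses a glibc assertion message and a gdb `bt` listing into a deduplication signature that skips the raise/abort/assert plumbing, and checks that the asserting file:line agrees with the top useful frame (a mismatch usually means a trashed stack or a backtrace taken from the wrong core). The sample input is the backtrace from this report, embedded as a string so the script runs offline; the `NOISE_FUNCS` set and the three-frame signature depth are my choices, not anything the report prescribes.

```python
"""Fuzz-crash triage: assertion message + gdb backtrace -> dedup signature.

Added example for perl #131647; not perl's code nor the reporter's tooling.
The sample input is the backtrace quoted in the report.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Frames that belong to the abort plumbing rather than to the bug.  Keying a
# bucket on them would merge every assertion failure into one crash.
# (Assumption: this list covers the glibc names seen in these reports.)
NOISE_FUNCS = {"raise", "abort", "__GI_raise", "__GI_abort",
               "__assert_fail_base", "__GI___assert_fail"}

# "op.c:8067: SV *Perl_cv_const_sv_or_av(const CV *const): Assertion `...' failed."
ASSERT_RE = re.compile(
    r"^(?P<file>[^:\s]+):(?P<line>\d+): (?P<func>.+?): "
    r"Assertion `(?P<expr>.+)' failed\.?$")
# Start of a gdb frame: "#N  0xADDR in func (" or "#N  func (".
FRAME_RE = re.compile(
    r"#(?P<idx>\d+)\s+(?:0x[0-9a-fA-F]+ in )?(?P<func>[A-Za-z_][\w.]*)\s*\(")
# Trailing source location of a frame: " at file:line".
LOC_RE = re.compile(r" at (?P<file>[^\s:]+):(?P<line>\d+)\s*$")


@dataclass(frozen=True)
class Frame:
    index: int
    func: str
    file: Optional[str]
    line: Optional[int]

    def location(self) -> str:
        return f"{self.func}@{self.file}:{self.line}" if self.file else self.func


def parse_assertion(msg: str) -> dict:
    """Split a glibc assertion message into file, line, function, expression."""
    m = ASSERT_RE.match(msg.strip())
    if not m:
        raise ValueError(f"not an assertion message: {msg!r}")
    d = m.groupdict()
    d["line"] = int(d["line"])
    return d


def parse_backtrace(text: str) -> List[Frame]:
    """Parse `bt` output.  gdb wraps long frames over several lines, so the
    text is flattened first and then split at every '#N ' frame marker."""
    flat = " ".join(text.split())
    frames = []
    for chunk in re.split(r"(?=#\d+\s)", flat):
        m = FRAME_RE.match(chunk)
        if not m:          # leading "(gdb) bt" or other non-frame text
            continue
        loc = LOC_RE.search(chunk)
        frames.append(Frame(int(m["idx"]), m["func"],
                            loc["file"] if loc else None,
                            int(loc["line"]) if loc else None))
    return frames


def crash_signature(frames: List[Frame], depth: int = 3) -> List[str]:
    """Top `depth` frames after dropping the abort/assert plumbing."""
    useful = [f for f in frames if f.func not in NOISE_FUNCS]
    return [f.location() for f in useful[:depth]]


def assertion_matches_trace(assertion: dict, frames: List[Frame]) -> bool:
    """The first non-noise frame should be the file:line that asserted."""
    sig = crash_signature(frames, depth=1)
    return bool(sig) and sig[0].endswith(f"@{assertion['file']}:{assertion['line']}")


def triage(assert_msg: str, backtrace: str) -> dict:
    assertion = parse_assertion(assert_msg)
    frames = parse_backtrace(backtrace)
    return {"signature": "|".join(crash_signature(frames)),
            "assertion": assertion["expr"],
            "consistent": assertion_matches_trace(assertion, frames)}


# Sample input: the assertion and backtrace from the report above.
SAMPLE_ASSERT = ("op.c:8067: SV *Perl_cv_const_sv_or_av(const CV *const): "
                 "Assertion `SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM' failed.")
SAMPLE_BT = """(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1  0x00007ffff6cf63fa in __GI_abort () at abort.c:89
#2  0x00007ffff6cede37 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x5555558e3158 "SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM",
    file=file@entry=0x5555558def2e "op.c", line=line@entry=8067,
    function=function@entry=0x5555558e61f0 <__PRETTY_FUNCTION__.17680> "Perl_cv_const_sv_or_av")
    at assert.c:92
#3  0x00007ffff6cedee2 in __GI___assert_fail (assertion=0x5555558e3158 "SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM",
    file=0x5555558def2e "op.c", line=8067,
    function=0x5555558e61f0 <__PRETTY_FUNCTION__.17680> "Perl_cv_const_sv_or_av") at assert.c:101
#4  0x00005555555a19d7 in Perl_cv_const_sv_or_av (cv=0x555555c0b530) at op.c:8067
#5  0x0000555555627e6b in Perl_yylex () at toke.c:7406
#6  0x0000555555649164 in Perl_yyparse (gramtype=258) at perly.c:340
#7  0x00005555555cad4c in S_parse_body (env=0x0, xsinit=0x555555583fe8 <xs_init>) at perl.c:2401
#8  0x00005555555c90b1 in perl_parse (my_perl=0x555555bed010, xsinit=0x555555583fe8 <xs_init>,
    argc=2, argv=0x7fffffffe1c8, env=0x0) at perl.c:1719
#9  0x0000555555583f26 in main (argc=2, argv=0x7fffffffe1c8, env=0x7fffffffe1e0) at perlmain.c:121
"""

if __name__ == "__main__":
    print(triage(SAMPLE_ASSERT, SAMPLE_BT))
```

The signature key is function@file:line rather than raw addresses, so two crashes from different builds of the same source bucket together; with PIE binaries like the one in the report the addresses are meaningless across runs anyway. For a non-assertion crash (SIGSEGV under libdislocator) the same `parse_backtrace` applies and `crash_signature` simply skips fewer frames.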
RT-Send-CC: perl5-porters [...] perl.org
On Sat, 24 Jun 2017 07:01:54 -0700, randir wrote:
> While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
> under libdislocator, I found the following program
>
> @I0::""my I0"";sub f00}f00
>
> to cause an assertion failure. This is a regression between 5.20 and
> 5.22, bisect points to:
>
> commit 0f94cb1fe27e58a59d3391214dab34037ab184db
> Author: Father Chrysostomos <sprout@cpan.org>
> Date:   Thu Nov 27 22:30:54 2014 -0800
>
>     [perl #123223] Make PADNAME a separate type
[...]
> (gdb) p sv_dump(cv)
> SV = PVHV(0x555555bf6010) at 0x555555c0b530
>   REFCNT = 3
>   FLAGS = (OOK,SHAREKEYS)
[...]
>   NAME = "Iz"
>   ENAME = "Iz"
> $1 = void

The parser appears to be treating the final f00 as the name of a
lexical sub, but finding a non-CV in the protocv:

(gdb)
7077	    cv = find_lexical_cv(off);
2: off = 2
1: cv = (CV *) 0x0
(gdb) call Perl_sv_dump(PL_compcv)
SV = PVCV(0x621000014100) at 0x62100001bf48
  REFCNT = 6
  FLAGS = (UNIQUE,SLABBED)
  COMP_STASH = 0x0
  SLAB = 0x61500000fa80
  ROOT = 0x0
  GVGV::GV = 0x0
  FILE = "(null)"
  DEPTH = 0
  FLAGS = 0x900
  OUTSIDE_SEQ = 0
  PADLIST = 0x60300000eb90
  OUTSIDE = 0x0 (null)
(gdb) s
Perl_find_lexical_cv (off=2) at op.c:11425
11425	    PADNAME *name = PAD_COMPNAME(off);
(gdb) n
11426	    CV *compcv = PL_compcv;
(gdb) p name
$4 = (PADNAME *) 0x604000009890
(gdb) p *name
$5 = {xpadn_pv = 0x6040000098ba "&f00", xpadn_ourstash = 0x0, xpadn_type_u = {
    xpadn_typestash = 0x6210000127a0, xpadn_protocv = 0x6210000127a0},
  xpadn_low = 4294967246, xpadn_high = 4294967295, xpadn_refcnt = 1,
  xpadn_gen = 0, xpadn_len = 4 '\004', xpadn_flags = 8 '\b'}
(gdb) n
11427	    while (PadnameOUTER(name)) {
(gdb)
11433	    assert(!PadnameIsOUR(name));
(gdb)
11434	    if (!PadnameIsSTATE(name) && PadnamePROTOCV(name)) {
(gdb)
11435	        return PadnamePROTOCV(name);
(gdb)
11438	}
(gdb) s
Perl_yylex () at toke.c:7079
7079	            lex = TRUE;
2: off = 2
1: cv = (CV *) 0x6210000127a0
(gdb) call Perl_sv_dump(cv)
SV = PVHV(0x6210000195a0) at 0x6210000127a0
  REFCNT = 2
  FLAGS = (OOK,SHAREKEYS)
  AUX_FLAGS = 0
  ARRAY = 0x60c00000a780
  KEYS = 0
  FILL = 0
  MAX = 7
  RITER = -1
  EITER = 0x0
  RAND = 0xd9a94a3f
  NAME = "I0"
  ENAME = "I0"
(gdb) p PL_parser->bufptr
$6 = 0x60300000e5d7 "f00\n"

Tony

