From @geeknik

Built v5.21.11 (v5.21.10-31-g008e8e8) with the following command line​:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j8 test-prep

Bug found with AFL (http​://lcamtuf.coredump.cx/afl)

Valgrind​:
==54249== Process terminating with default action of signal 6 (SIGABRT)
==54249== at 0x5B55165​: raise (raise.c​:64)
==54249== by 0x5B583DF​: abort (abort.c​:92)
==54249== by 0x5B4E310​: __assert_fail (assert.c​:81)
==54249== by 0x4C2B00​: Perl_ck_stringify (op.c​:11148)
==54249== by 0x470E8B​: Perl_op_convert_list (op.c​:4600)
==54249== by 0x65FB2A​: Perl_yyparse (perly.y​:721)
==54249== by 0x532104​: S_parse_body (perl.c​:2296)
==54249== by 0x539E72​: perl_parse (perl.c​:1626)
==54249== by 0x42AC67​: main (perlmain.c​:114)

GDB​:
perl​: op.c​:11148​: Perl_ck_stringify​: Assertion `!((((kid)->op_sibling) ? (_Bool)1 : (_Bool)0))' failed.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX​: 0x0
RBX​: 0x7fffffffe622 --> 0x736574006c726570 ('perl')
RCX​: 0xffffffffffffffff
RDX​: 0x6
RSI​: 0xe664
RDI​: 0xe664
RBP​: 0x7ffff6ea9c67 --> 0x257325732500203a ('​: ')
RSP​: 0x7fffffffdd58 --> 0x7ffff6d933e0 (<*__GI_abort+384>​: mov rdx,QWORD PTR fs​:0x10)
RIP​: 0x7ffff6d90165 (<*__GI_raise+53>​: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7fdd700 (0x00007ffff7fdd700)
R9 : 0x6f425f28203a2031 ('1 : (_Bo')
R10​: 0x8
R11​: 0x202
R12​: 0xebc0b8 ("!((((kid)->op_sibling) ? (_Bool)1 : (_Bool)0))")
R13​: 0xec8db0 ("Perl_ck_stringify")
R14​: 0x7ffff6ea9c67 --> 0x257325732500203a ('​: ')
R15​: 0x2b8c
EFLAGS​: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
  0x7ffff6d9015b <*__GI_raise+43>​: movsxd rdi,eax
  0x7ffff6d9015e <*__GI_raise+46>​: mov eax,0xea
  0x7ffff6d90163 <*__GI_raise+51>​: syscall
=> 0x7ffff6d90165 <*__GI_raise+53>​: cmp rax,0xfffffffffffff000
  0x7ffff6d9016b <*__GI_raise+59>​: ja 0x7ffff6d90182 <*__GI_raise+82>
  0x7ffff6d9016d <*__GI_raise+61>​: repz ret
  0x7ffff6d9016f <*__GI_raise+63>​: nop
  0x7ffff6d90170 <*__GI_raise+64>​: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdd58 --> 0x7ffff6d933e0 (<*__GI_abort+384>​: mov rdx,QWORD PTR fs​:0x10)
0008| 0x7fffffffdd60 --> 0xebc0b8 ("!((((kid)->op_sibling) ? (_Bool)1 : (_Bool)0))")
0016| 0x7fffffffdd68 --> 0x7ffff6eabc21 --> 0x706c6568007325 ('%s')
0024| 0x7fffffffdd70 --> 0x7fffffffdd90 --> 0x3000000018
0032| 0x7fffffffdd78 --> 0x2b8c
0040| 0x7fffffffdd80 --> 0x7fffffffde80 --> 0x7fffffffe622 --> 0x736574006c726570 ('perl')
0048| 0x7fffffffdd88 --> 0x7ffff6dc41b6 (<__fxprintf+310>​: lea rsp,[rbp-0x20])
0056| 0x7fffffffdd90 --> 0x3000000018
[------------------------------------------------------------------------------]
Legend​: code, data, rodata, value
Stopped reason​: SIGABRT
0x00007ffff6d90165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c​:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c​: No such file or directory.

Hexdump of the 16-byte test case​:
0000000 7171 407b 307b 7d5d 7b24 7d7d 7b2c 297d
0000010

System Info​: Debian 7, Kernel 3.2.65-1+deb7u2 x86_64, GCC 4.9.2, libc 2.13-38+deb7u8

From @geeknik

test24-min

From @geeknik

perl v5.21.7 (v5.21.6-602-ge9d2bd8) just fails like this​:

syntax error at test24-min line 1, near "0]"
syntax error at test24-min line 1, near "${}"
Execution of test24-min aborted due to compilation errors.

From @tonycoz

On Sun Mar 29 13​:43​:30 2015, brian.carpenter@​gmail.com wrote​:

perl v5.21.7 (v5.21.6-602-ge9d2bd8) just fails like this​:

syntax error at test24-min line 1, near "0]"
syntax error at test24-min line 1, near "${}"
Execution of test24-min aborted due to compilation errors.

5.21.7 assrted for me too. I bisected with​:

AFL_HARDEN=1 perl ../bisect.pl --start=v5.18.0 -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g --target=miniperl -e 'eval q/qq{@​{0]}${}},{})/'

which produced​:

bad - non-zero exit from ./miniperl -Ilib -e eval q/qq{@​{0]}${}},{})/
73f4c4f is the first bad commit
commit 73f4c4f
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Sun Oct 12 08​:10​:41 2014 -0700

  Optimise "@​_" to a single join
 
  instead of stringify(join(...)).

:100644 100644 b4176c78c2e28c85545bc01963c0d9453e200a9b 8231b871e400fce359fa074e21d494111f91714f M embed.h
:040000 040000 b8386d4e64ab3a616fc0ded5c3377b1eea6dac3e 780fd754644492829b74143eee8be0a53b105fc7 M lib
:100644 100644 f1cdc0a3d0bc88a93f83b2ec5aab804520ab83c1 1de26aedb5504abe8350ceaf8f2db6e1affa1031 M op.c
:100644 100644 142c75e131db5fc370b0a0a14f4e14a952f04bd7 f555e91fbb267e407b2eee443cef08769dc1b711 M opcode.h
:100644 100644 88449326f28315a7e47db975738fb7bd1b3a2d21 042316019c80bcc058b1d03569905e132ef7289d M proto.h
:040000 040000 d31c2bc09d1c95902de74eaf20cf8e7de829e160 0a0b729f329896c64db99333400d55cd5614ab0d M regen
:040000 040000 d751917c2702ec4dce32a9bca1b4a7b7cefd4507 4079a6297b0ecc81e8948c662aaf422255b31854 M t
bisect run success

Tony

The RT System itself - Status changed from 'new' to 'open'

From @iabyn

On Tue, Apr 21, 2015 at 06​:29​:13PM -0700, Tony Cook via RT wrote​:

On Sun Mar 29 13​:43​:30 2015, brian.carpenter@​gmail.com wrote​:

perl v5.21.7 (v5.21.6-602-ge9d2bd8) just fails like this​:

syntax error at test24-min line 1, near "0]"
syntax error at test24-min line 1, near "${}"
Execution of test24-min aborted due to compilation errors.

5.21.7 assrted for me too. I bisected with​:

AFL_HARDEN=1 perl ../bisect.pl --start=v5.18.0 -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g --target=miniperl -e 'eval q/qq{@​{0]}${}},{})/'

which produced​:

bad - non-zero exit from ./miniperl -Ilib -e eval q/qq{@​{0]}${}},{})/
73f4c4f is the first bad commit
commit 73f4c4f
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Sun Oct 12 08​:10​:41 2014 -0700

Optimise "@​\_" to a single join

instead of stringify\(join\(\.\.\.\)\)\.

Now fixed with

commit 82269f5
Author​: David Mitchell <davem@​iabyn.com>
AuthorDate​: Wed Apr 22 16​:26​:40 2015 +0100
Commit​: David Mitchell <davem@​iabyn.com>
CommitDate​: Wed Apr 22 16​:26​:40 2015 +0100

  RT #124207​: assert failure in ck_stringify()
 
  v5.21.4-416-g73f4c4f converted (among other things) stringify(join(...))
  into just join(...). It asserted that the stringify didn't have any extra
  children, which it won't normally do, since in something like "@​a-" the
  elements of the stringify get bundled up into a single tree of concats
  etc, and stringify just sees a single top-level join or concat or
  whatever. However during error recovery weird stuff can get left on the
  stack.
 
  So rather than asserting no more kids, skip the optimisation if there are
  more kids.

--
"Procrastination grows to fill the available time"
  -- Mitchell's corollary to Parkinson's Law

@iabyn - Status changed from 'open' to 'pending release'

From @khwilliamson

Thank you for submitting this ticket.

The issue should now be resolved with the release today of Perl v5.22, which is available at http​://www.perl.org/get.html
--
Karl Williamson for the Perl 5 team

@khwilliamson - Status changed from 'pending release' to 'resolved'