S_glob_assign_glob: Assertion `((svtype)((_gvgp)->sv_flags & 0xff)) == SVt_PVGV || ((svtype)((_gvgp)->sv_flags & 0xff)) == SVt_PVLV' failed (sv.c:3979) #14741

Closed
p5pRT opened this issue Jun 9, 2015 · 8 comments

Comments

p5pRT commented Jun 9, 2015

Migrated from rt.perl.org#125368 (status was 'resolved')

Searchable as RT125368$

p5pRT commented Jun 9, 2015

From @geeknik

The following "script" causes an assertion failure in Perl v5.23.0 (v5.22.0-85-g16ac183).

perl -e '$x=*x=$x=*>'
perl: sv.c:3979: S_glob_assign_glob: Assertion `((svtype)((_gvgp)->sv_flags & 0xff)) == SVt_PVGV || ((svtype)((_gvgp)->sv_flags & 0xff)) == SVt_PVLV' failed.
Aborted

The same script also causes a null ptr deref and seg fault in Perl v5.21.7 (v5.21.6-602-ge9d2bd8):

==8620== Invalid read of size 8
==8620== at 0x7779FC: Perl_pp_gvsv (pp_hot.c:65)
==8620== by 0x775A6A: Perl_runops_standard (run.c:41)
==8620== by 0x4F3DBE: perl_run (perl.c:2421)
==8620== by 0x42AB1B: main (perlmain.c:116)
==8620== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==8620==
==8620==
==8620== Process terminating with default action of signal 11 (SIGSEGV)
==8620== Access not within mapped region at address 0x0
==8620== at 0x7779FC: Perl_pp_gvsv (pp_hot.c:65)
==8620== by 0x775A6A: Perl_runops_standard (run.c:41)
==8620== by 0x4F3DBE: perl_run (perl.c:2421)
==8620== by 0x42AB1B: main (perlmain.c:116)
==8620== If you believe this happened as a result of a stack
==8620== overflow in your program's main thread (unlikely but
==8620== possible), you can try to increase the size of the
==8620== main thread stack using the --main-stacksize= flag.
==8620== The main thread stack size used in this run was 8388608.
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x00000000007779fc in Perl_pp_gvsv () at pp_hot.c:65
65 pp_hot.c: No such file or directory.
(gdb) bt
#0 0x00000000007779fc in Perl_pp_gvsv () at pp_hot.c:65
#1 0x0000000000775a6b in Perl_runops_standard () at run.c:41
#2 0x00000000004f3dbf in S_run_body (oldscope=1) at perl.c:2421
#3 perl_run (my_perl=<optimized out>) at perl.c:2344
#4 0x000000000042ab1c in main (argc=2, argv=0x7fffffffe388,
  env=0x7fffffffe3a0) at perlmain.c:116
#5 0x00007ffff6f98ead in __libc_start_main (main=<optimized out>,
  argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>,
  fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe378)
  at libc-start.c:244
#6 0x000000000042ab95 in _start ()
(gdb) i r
rax 0x3f0 1008
rbx 0xe28b58 14846808
rcx 0x0 0
rdx 0x0 0
rsi 0x0 0
rdi 0xe3b020 14921760
rbp 0xe28b60 0xe28b60
rsp 0x7fffffffe120 0x7fffffffe120
r8 0xe466a8 14968488
r9 0xe3cf70 14929776
r10 0x0 0
r11 0xe46c30 14969904
r12 0x42ab6c 4369260
r13 0x7fffffffe380 140737488348032
r14 0x0 0
r15 0x0 0
rip 0x7779fc 0x7779fc <Perl_pp_gvsv+260>
eflags 0x10246 [ PF ZF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

This bug was found with AFL (http://lcamtuf.coredump.cx/afl/)

p5pRT commented Jun 10, 2015

From @tonycoz

On Tue Jun 09 09:40:17 2015, brian.carpenter@gmail.com wrote:

> The following "script" causes an assertion failure in Perl v5.23.0
> (v5.22.0-85-g16ac183).
>
> perl -e '$x=*x=$x=*>'

This can be simplified to​:

  perl -e '*x=$x=*>'

There's nothing special about *>:

  perl -e '*x=$x=*y'

will also assert.

Tony

p5pRT commented Jun 10, 2015

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Jun 12, 2015

From @geeknik

FYI, this bug doesn't appear to affect perl 5, version 20, subversion 2 (v5.20.2) built for i386-freebsd-thread-multi-64int on FreeBSD 9.3-RELEASE-p9.

p5pRT commented Mar 3, 2016

From @tonycoz

On Tue Jun 09 09:40:17 2015, brian.carpenter@gmail.com wrote:

> The following "script" causes an assertion failure in Perl v5.23.0
> (v5.22.0-85-g16ac183).
>
> perl -e '$x=*x=$x=*>'
> perl: sv.c:3979: S_glob_assign_glob: Assertion `((svtype)((_gvgp)->sv_flags & 0xff)) == SVt_PVGV || ((svtype)((_gvgp)->sv_flags & 0xff)) == SVt_PVLV' failed.
> Aborted

Looks like this was fixed in​:

commit 3c62f09
Author: David Mitchell <davem@iabyn.com>
Date: Sun Aug 30 09:48:28 2015 +0100

  RT #125840 stop *x = $x doing bad things
 
  If $x is a GV then *x's GP would be freed before $x's GP is assigned to
  it. That would prematurely free $x, so protect it with a temporary ref
  count bump.

Closing.

Tony
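The commit message above describes the failure mode: when $x already holds a glob, assigning it back to *x frees *x's GP before $x's GP is attached, so $x is freed out from under the assignment. The script below is an added example, not part of the ticket or of the perl fix; it runs the reduced reproducer from this thread (`*x = $x = *y`) in a child interpreter so that an unpatched build aborting or segfaulting does not kill the checker itself, and on a patched build it confirms that the glob assignment really took effect (after `*x = *y`, reading $x must yield $y's value). The function name `probe_glob_assign` and the sample value "from-y" are this example's own choices.

```perl
#!/usr/bin/perl
# Added example (not from the ticket): run the `*x = $x = *y` construct
# in a child perl and report whether this build is affected.
use strict;
use warnings;
use Config;

# The reduced reproducer from the ticket, extended with a check that the
# assignment completed: once *x aliases *y, $x is the same scalar as $y.
my $probe = <<'PERL';
our ($x, $y);
$y = "from-y";                # constructed sample value
*x = $x = *y;                 # construct that tripped the assertion
print +($x eq "from-y" ? "ok" : "not ok"), "\n";
PERL

# Spawn the current interpreter ($^X) with the list form of open, so no
# shell is involved and the probe text is passed through unchanged.
sub probe_glob_assign {
    open(my $fh, '-|', $^X, '-e', $probe)
        or die "cannot run $^X: $!";
    my $output = do { local $/; <$fh> };
    close $fh;                    # waits for the child and sets $?
    my $status = $?;
    my $signal = $status & 127;   # non-zero if killed by SIGABRT/SIGSEGV
    my $exit   = $status >> 8;
    return {
        output   => $output // '',
        signal   => $signal,
        exit     => $exit,
        survived => ($signal == 0 && $exit == 0),
    };
}

my $r = probe_glob_assign();
printf "perl %s (%s)\n", $], $Config{archname};
if ($r->{survived} && $r->{output} =~ /^ok$/m) {
    print "construct completes and *x aliases *y: fixed build\n";
} elsif ($r->{signal}) {
    # An assertion failure (abort) or the null deref seen in the report
    # shows up here as the child's terminating signal.
    printf "child died with signal %d: affected build\n", $r->{signal};
} else {
    printf "child exited %d: %s", $r->{exit}, $r->{output};
}
```

On a build that includes commit 3c62f09 (Perl 5.24.0 and later, per this thread) the script prints the "fixed build" line; on the builds the reporter tested it reports the child's signal instead. Because the reproducer runs in a separate process, the checker is safe to include in a build-qualification or regression suite.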

p5pRT commented Mar 3, 2016

@tonycoz - Status changed from 'open' to 'pending release'

p5pRT commented May 13, 2016

From @khwilliamson

Thank you for submitting this report. You have helped make Perl better.
 
With the release of Perl 5.24.0 on May 9, 2016, this and 149 other issues have been resolved.

Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0

p5pRT commented May 13, 2016

@khwilliamson - Status changed from 'pending release' to 'resolved'
