
Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed (sv.c:6395) #14785

Open
p5pRT opened this issue Jul 2, 2015 · 5 comments

Comments


p5pRT commented Jul 2, 2015

Migrated from rt.perl.org#125534 (status was 'open')

Searchable as RT125534$


p5pRT commented Jul 2, 2015

From @geeknik

While fuzzing Perl built from git source (v5.23.0-69-gf907dd3), I came across the following "script" that causes an assertion failure at sv.c:6395.

perl -e 'map{%0=map{0}m 0 0}%0=map{0}0'

It also causes Perl v5.21.6-602-ge9d2bd8 to segfault at sv.c:5837.

#0 S_sv_unmagicext_flags (sv=sv@entry=0xe3a710, type=type@entry=60, vtbl=vtbl@entry=0x0,
  flags=flags@entry=0) at sv.c:5837
#1 0x00000000007b7321 in S_sv_unmagicext_flags (flags=0, vtbl=0x0, type=60, sv=0xe3a710) at sv.c:5832
#2 Perl_sv_unmagic (type=60, sv=0xe3a710) at sv.c:5879
#3 Perl_sv_clear (orig_sv=orig_sv@entry=0xe3a710) at sv.c:6511
#4 0x00000000007b1118 in Perl_sv_free2 (sv=0xe3a710, rc=<optimized out>) at sv.c:6972
#5 0x00000000008baabd in S_SvREFCNT_dec (sv=<optimized out>) at inline.h:166
#6 Perl_leave_scope (base=3) at scope.c:866
#7 0x00000000008ef0f0 in Perl_pp_mapwhile () at pp_ctl.c:1067
#8 0x0000000000775a6b in Perl_runops_standard () at run.c:41
#9 0x00000000004f3dbf in S_run_body (oldscope=1) at perl.c:2421
#10 perl_run (my_perl=<optimized out>) at perl.c:2344
#11 0x000000000042ab1c in main (argc=2, argv=0x7fffffffe3a8, env=0x7fffffffe3c0) at perlmain.c:116
#12 0x00007ffff6f98ead in __libc_start_main (main=<optimized out>, argc=<optimized out>,
  ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
  stack_end=0x7fffffffe398) at libc-start.c:244
#13 0x000000000042ab95 in _start ()


p5pRT commented Oct 28, 2015

From @rjbs

* Brian Carpenter <perlbug-followup@perl.org> [2015-07-02T14:29:46]

> While fuzzing Perl built from git source (v5.23.0-69-gf907dd3), I came across
> the following "script" that causes an assertion failure at sv.c:6395.

We have a small backlog of tickets of this sort​: fuzzing leading to assertion
failures, segvs, etc.

Is it worth organizing these under a meta-ticket for tracking as one or more
categories?

--
rjbs


p5pRT commented Oct 28, 2015

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Oct 28, 2015

From @dcollinsn

I have a local text file to categorize the tickets I have opened of this
type, with a one line description of each. For example​:

*Assert fails without other symptoms
**NEW 126257 op.c 2762 `(o->op_flags & 3) != 1'
  0/x$0my@m:d
**NEW 126258 op.c 717 `!(o->op_private &
~PL_op_private_valid[type])' grep$0,0}
**NEW 126260 regexec.c 5389 `(((U8)(*l) & 0xfe) == 0xc2)'
  /0\G|0+|/>>s>>\x{100}>>s>>>g/0
**NEW 126261 sv.c 11449 `(IV)elen >= 0'
  /00000000/0?s>>000000000000000000000000>g
x/0000000000000[0000000▒0000000000[.00./i\0000
**FIXED 126404 regcomp.c 13810 `(! ((current)->sv_flags & 0x00000100))'
  00./(?[!()])/
** ?????? pp_sys.c 690 `((((rgv)->sv_flags &
(0x00004000|0x00008000))' pipe$$5,0

A meta-ticket could track all the open ones, but it might be more helpful
for triage if all fuzzers (and static analysis users, perhaps?) were to
make this information available in a more centralized fashion (where
multiple users can edit it). Is there a suitable place to do that? Failing
all else, a Google spreadsheet perhaps?

--
Dan

On Tue, Oct 27, 2015 at 10:30 PM, Ricardo Signes <perl.p5p@rjbs.manxome.org>
wrote:

> * Brian Carpenter <perlbug-followup@perl.org> [2015-07-02T14:29:46]
>
> > While fuzzing Perl built from git source (v5.23.0-69-gf907dd3), I came across
> > the following "script" that causes an assertion failure at sv.c:6395.
>
> We have a small backlog of tickets of this sort: fuzzing leading to assertion
> failures, segvs, etc.
>
> Is it worth organizing these under a meta-ticket for tracking as one or more
> categories?
>
> --
> rjbs
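Both rjbs's question about a meta-ticket and Dan's local list above are about keeping fuzz-found assertion failures organized so that one bug is triaged once. The following is an added example, not code from this ticket or from the perl project: it parses a Perl assertion line and a gdb backtrace of the shape posted in the first report into a crash signature (the top in-tree frames, with inlined duplicate frames collapsed and libc frames skipped), buckets reports by that signature, and emits a one-line entry in the format of Dan's list. The sample assertion line and the trimmed backtrace are copied from this ticket; the second "rerun" backtrace, the `_SYSTEM_FILES` skip list and every function and type name are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

class Frame(NamedTuple):
    index: int
    func: str
    file: Optional[str]   # None for frames gdb could not resolve to source
    line: Optional[int]

class Assertion(NamedTuple):
    func: str   # C function containing the assert, e.g. Perl_sv_clear
    expr: str   # the asserted expression, verbatim
    file: str
    line: int

# Perl's assert format, as in the ticket title:
#   <func>: Assertion `<expr>' failed (<file>:<line>)
_ASSERT_RE = re.compile(r"^(\w+): Assertion `(.*)' failed \((\S+):(\d+)\)$")
# One gdb frame after unwrapping: #N [0xADDR in ]func (args)[ at file:line]
_FRAME_RE = re.compile(
    r"^#(\d+)\s+(?:0x[0-9a-fA-F]+ in )?(\S+) \(.*\)(?: at (\S+):(\d+))?$")
# Frames below the project's own code never distinguish one bug from another.
_SYSTEM_FILES = {"libc-start.c"}   # constructed skip list for this example

def parse_assertion(line: str) -> Assertion:
    m = _ASSERT_RE.match(line.strip())
    if not m:
        raise ValueError("not a Perl assertion line: %r" % line)
    return Assertion(m.group(1), m.group(2), m.group(3), int(m.group(4)))

def parse_backtrace(text: str) -> List[Frame]:
    # gdb wraps long frames; continuation lines start with whitespace, so glue
    # them back onto the frame they belong to before matching.
    unwrapped: List[str] = []
    for raw in text.splitlines():
        if raw[:1].isspace() and unwrapped:
            unwrapped[-1] += " " + raw.strip()
        elif raw.strip():
            unwrapped.append(raw.rstrip())
    frames: List[Frame] = []
    for entry in unwrapped:
        m = _FRAME_RE.match(entry)
        if m:   # skip gdb chatter such as "(More stack frames follow...)"
            idx, func, file, line = m.groups()
            frames.append(Frame(int(idx), func, file, int(line) if line else None))
    return frames

def crash_signature(frames: List[Frame], depth: int = 3) -> Tuple[str, ...]:
    """Top `depth` project functions with source info. Runs of the same function
    are collapsed because inlined callees appear as extra frames (frames #0 and
    #1 in the ticket's trace are both S_sv_unmagicext_flags)."""
    sig: List[str] = []
    for f in frames:
        if f.file is None or f.file in _SYSTEM_FILES:
            continue
        if sig and sig[-1] == f.func:
            continue
        sig.append(f.func)
        if len(sig) == depth:
            break
    return tuple(sig)

def triage_entry(status: str, ticket: int, a: Assertion) -> str:
    """One line in the shape of Dan's list: **STATUS ticket file line `expr'."""
    return "**%s %d %s %d `%s'" % (status, ticket, a.file, a.line, a.expr)

def bucket_reports(reports: Dict[str, str]) -> Dict[Tuple[str, ...], List[str]]:
    """Group report names by crash signature so duplicates are triaged once."""
    buckets: Dict[Tuple[str, ...], List[str]] = defaultdict(list)
    for name, bt in reports.items():
        buckets[crash_signature(parse_backtrace(bt))].append(name)
    return dict(buckets)

# Sample input copied from this ticket: the assertion in the title and a
# trimmed version of the gdb backtrace from the first report.
ASSERT_LINE = ("Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) "
               "!= (svtype)0xff' failed (sv.c:6395)")
BACKTRACE = """\
#0 S_sv_unmagicext_flags (sv=sv@entry=0xe3a710, type=type@entry=60, vtbl=vtbl@entry=0x0,
  flags=flags@entry=0) at sv.c:5837
#1 0x00000000007b7321 in S_sv_unmagicext_flags (flags=0, vtbl=0x0, type=60, sv=0xe3a710) at sv.c:5832
#2 Perl_sv_unmagic (type=60, sv=0xe3a710) at sv.c:5879
#3 Perl_sv_clear (orig_sv=orig_sv@entry=0xe3a710) at sv.c:6511
#4 0x00000000007b1118 in Perl_sv_free2 (sv=0xe3a710, rc=<optimized out>) at sv.c:6972
#12 0x00007ffff6f98ead in __libc_start_main (main=<optimized out>, argc=<optimized out>,
  ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
  stack_end=0x7fffffffe398) at libc-start.c:244
#13 0x000000000042ab95 in _start ()
"""
# Constructed (not from the ticket): the same crash seen in another run, with
# different addresses and without the inlined duplicate frame.
BACKTRACE_RERUN = """\
#0 S_sv_unmagicext_flags (sv=0x1f2a30, type=60, vtbl=0x0, flags=0) at sv.c:5837
#1 Perl_sv_unmagic (type=60, sv=0x1f2a30) at sv.c:5879
#2 Perl_sv_clear (orig_sv=0x1f2a30) at sv.c:6511
#3 Perl_sv_free2 (sv=0x1f2a30, rc=1) at sv.c:6972
"""

if __name__ == "__main__":
    print(triage_entry("NEW", 125534, parse_assertion(ASSERT_LINE)))
    for sig, names in bucket_reports(
            {"RT125534": BACKTRACE, "rerun": BACKTRACE_RERUN}).items():
        print(" > ".join(sig), names)
```

The signature deliberately ignores addresses, argument values and the assertion text itself: two runs of the same bug differ in all of those, while the top few in-tree functions stay stable. Keeping `depth` small also keeps crashes that share a deep common path (here everything under `Perl_leave_scope`) in one bucket rather than fragmenting them by caller.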


p5pRT commented Mar 30, 2017

From @iabyn

On Thu, Jul 02, 2015 at 11:29:46AM -0700, Brian Carpenter wrote:

> perl -e 'map{%0=map{0}m 0 0}%0=map{0}0'
>
> It also causes Perl v5.21.6-602-ge9d2bd8 to segfault at sv.c:5837.

It's another stack-not-refcounted issue.

--
A walk of a thousand miles begins with a single step...
then continues for another 1,999,999 or so.
