From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in the perl interpreter, but which (correctly) errors out in non-debugging perl. The simplest testcase is the 30-character file​:

/0\G|0+|/>>s>>\x{100}>>s>>>g/0

In a not-debugging perl, the output is​:
Illegal division by zero at allcrash/f1i000171 line 1.

In a debugging perl, the output is​:
perl​: regexec.c​:5389​: S_regmatch​: Assertion `(((U8)(*l) & 0xfe) == 0xc2)' failed.
Aborted

**GDB**
Starting program​: /home/dcollins/perldebug/perl allcrash/f1i000171
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl​: regexec.c​:5389​: S_regmatch​: Assertion `(((U8)(*l) & 0xfe) == 0xc2)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cf54e8 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6ced226 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6ced2d2 in __assert_fail ()
  from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000ce3bdd in S_regmatch (prog=<optimized out>,
  startpos=<optimized out>, reginfo=<optimized out>) at regexec.c​:5389
#5 S_regtry (reginfo=0x5fd4, startposp=0x5fd4) at regexec.c​:3524
#6 0x0000000000d2310d in Perl_regexec_flags (rx=0x1206a30,
  stringarg=0x5fd4 <error​: Cannot access memory at address 0x5fd4>,
  strend=0x11ffef2 "", strbeg=0x11ffef0 "Ā", minend=0, sv=0x1212cf0,
  data=0x0, flags=152) at regexec.c​:3385
#7 0x000000000090250f in Perl_pp_subst () at pp_hot.c​:3054
#8 0x00000000007df04f in Perl_runops_debug () at dump.c​:2224
#9 0x00000000005448e9 in S_run_body (oldscope=1) at perl.c​:2456
#10 perl_run (my_perl=<optimized out>) at perl.c​:2379
#11 0x000000000042c708 in main (argc=2, argv=0x7fffffffe658,
  env=0x7fffffffe670) at perlmain.c​:116
(gdb) f 4
#4 0x0000000000ce3bdd in S_regmatch (prog=<optimized out>,
  startpos=<optimized out>, reginfo=<optimized out>) at regexec.c​:5389
5389 if (EIGHT_BIT_UTF8_TO_NATIVE(*l, *(l+1)) != * (U8*) s)
(gdb) info locals
e = 0x6 <error​: Cannot access memory at address 0x6>
s = 0x5fd4 <error​: Cannot access memory at address 0x5fd4>
state_num = 128
re_debug_flags = 0
classnum = 18874098
nextchr = 8
maxopenparen = 0
result = 128

**PERL -V**
dcollins@​nightshade64​:~/perldebug$ ./perl -V
Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: 94757bf
  Platform​:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='4.9.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Oct 2 2015 22​:41​:42
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.23.4
  .

From @iabyn

On Sun, Oct 04, 2015 at 07​:02​:09AM -0700, Dan Collins wrote​:

/0\G|0+|/>>s>>\x{100}>>s>>>g/0

In a not-debugging perl, the output is​:
Illegal division by zero at allcrash/f1i000171 line 1.

In a debugging perl, the output is​:
perl​: regexec.c​:5389​: S_regmatch​: Assertion `(((U8)(*l) & 0xfe) == 0xc2)' failed.
Aborted

The division by zero was a slight red herring; the assertion failure
actually happened during the substitution preceding it.

Should be fixed by the following​:

commit 4cf1a86
Author​: David Mitchell <davem@​iabyn.com>
AuthorDate​: Wed Dec 2 14​:53​:59 2015 +0000
Commit​: David Mitchell <davem@​iabyn.com>
CommitDate​: Wed Dec 2 15​:13​:59 2015 +0000

  /..\G/​: use chars, not bytes
 
  In something like /..\G/, the engine should start trying to match two
  chars before pos(). It was actually trying to match two bytes before.

--
Fire extinguisher (n) a device for holding open fire doors.

The RT System itself - Status changed from 'new' to 'open'

@iabyn - Status changed from 'open' to 'pending release'

From @khwilliamson

Thank you for submitting this report. You have helped make Perl better.
 
With the release of Perl 5.24.0 on May 9, 2016, this and 149 other issues have been resolved.

Perl 5.24.0 may be downloaded via https://metacpan.org/release/RJBS/perl-5.24.0

@khwilliamson - Status changed from 'pending release' to 'resolved'