From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segmentation fault in the perl interpreter. The testcase is the file​:

*_=a for 0..1

Interestingly the following sequence which appears similar shows different behavior​:

dcollins@​nightshade64​:~/perldebug$ ./perl -e '*_="" for 0..1'
Segmentation fault
dcollins@​nightshade64​:~/perldebug$ ./perl -e '@​x=0..1; *_="" for 0..1'
Segmentation fault
dcollins@​nightshade64​:~/perldebug$ ./perl -e '@​x=0..1; *_="" for @​x'
dcollins@​nightshade64​:~/perldebug$

And the use of *_ is relevant​:

dcollins@​nightshade64​:~/perldebug$ ./perl -e '*_=a for 0..1'
Segmentation fault
dcollins@​nightshade64​:~/perldebug$ ./perl -e '*x=a for 0..1'
dcollins@​nightshade64​:~/perldebug$

So I wonder if this is a problem due to the for statement modifying *_ while it is on the stack. The crash occurs in Perl_pp_iter as shown below - I assume that either Sv_REFCNT or SvMAGICAL accesses the second element of the struct at oldsv, and the first element of that struct is a pointer, since the accessed address is 0x8 on 64-bit and 0x4 on 32-bit. I have no perl that does not crash here, so a bisect was not attempted.

**GDB**

(gdb) run
Starting program​: /home/dcollins/perldebug/perl -e \*_=a\ for\ 0..1
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00000000009004d6 in Perl_pp_iter () at pp_hot.c​:2585
2585 if (LIKELY(SvREFCNT(oldsv) == 1 && !SvMAGICAL(oldsv))) {
(gdb) bt
#0 0x00000000009004d6 in Perl_pp_iter () at pp_hot.c​:2585
#1 0x00000000007e0aff in Perl_runops_debug () at dump.c​:2224
#2 0x0000000000544229 in S_run_body (oldscope=1) at perl.c​:2459
#3 perl_run (my_perl=<optimized out>) at perl.c​:2382
#4 0x000000000042c028 in main (argc=3, argv=0x7fffffffe658,
  env=0x7fffffffe678) at perlmain.c​:116
(gdb) info locals
cur = 1
sp = 0x11f5a20
cx = 0x11f5e88
oldsv = 0x0
itersvp = 0x1200470
__PRETTY_FUNCTION__ = "Perl_pp_iter"
(gdb) f 1
#1 0x00000000007e0aff in Perl_runops_debug () at dump.c​:2224
2224 } while ((PL_op = PL_op->op_ppaddr(aTHX)));
(gdb) p PL_op
$1 = (OP *) 0x12107c0
(gdb) p *PL_op
$2 = {op_next = 0x1210ce8, op_sibling = 0x1210d30,
  op_ppaddr = 0x8ffc50 <Perl_pp_iter>, op_targ = 0, op_type = 200,
  op_opt = 1, op_slabbed = 1, op_savefree = 0, op_static = 0, op_folded = 0,
  op_moresib = 1, op_spare = 0, op_flags = 2 '\002', op_private = 0 '\000'}
(gdb)

**VALGRIND**

==24813== Memcheck, a memory error detector
==24813== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==24813== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==24813== Command​: ./perl -e *_=a\ for\ 0..1
==24813==
==24813== Invalid read of size 8
==24813== at 0x9004D6​: Perl_pp_iter (pp_hot.c​:2585)
==24813== by 0x7E0AFE​: Perl_runops_debug (dump.c​:2224)
==24813== by 0x544228​: S_run_body (perl.c​:2459)
==24813== by 0x544228​: perl_run (perl.c​:2382)
==24813== by 0x42C027​: main (perlmain.c​:116)
==24813== Address 0x8 is not stack'd, malloc'd or (recently) free'd
==24813==
==24813==
==24813== Process terminating with default action of signal 11 (SIGSEGV)
==24813== Access not within mapped region at address 0x8
==24813== at 0x9004D6​: Perl_pp_iter (pp_hot.c​:2585)
==24813== by 0x7E0AFE​: Perl_runops_debug (dump.c​:2224)
==24813== by 0x544228​: S_run_body (perl.c​:2459)
==24813== by 0x544228​: perl_run (perl.c​:2382)
==24813== by 0x42C027​: main (perlmain.c​:116)
==24813== If you believe this happened as a result of a stack
==24813== overflow in your program's main thread (unlikely but
==24813== possible), you can try to increase the size of the
==24813== main thread stack using the --main-stacksize= flag.
==24813== The main thread stack size used in this run was 8388608.
==24813==
==24813== HEAP SUMMARY​:
==24813== in use at exit​: 110,107 bytes in 541 blocks
==24813== total heap usage​: 642 allocs, 101 frees, 127,693 bytes allocated
==24813==
==24813== LEAK SUMMARY​:
==24813== definitely lost​: 176 bytes in 1 blocks
==24813== indirectly lost​: 1,974 bytes in 20 blocks
==24813== possibly lost​: 0 bytes in 0 blocks
==24813== still reachable​: 107,957 bytes in 520 blocks
==24813== suppressed​: 0 bytes in 0 blocks
==24813== Rerun with --leak-check=full to see details of leaked memory
==24813==
==24813== For counts of detected and suppressed errors, rerun with​: -v
==24813== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)
Segmentation fault

**PERL -V**

Summary of my perl5 (revision 5 version 23 subversion 4) configuration​:
  Commit id​: 94757bf
  Platform​:
  osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='4.9.2', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
  USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
  USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at Oct 11 2015 21​:47​:48
  @​INC​:
  /usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.23.4
  /usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.23.4
  .

From @geeknik

Most likely a dupe of https://rt-archive.perl.org/perl5/Ticket/Display.html?id=123994.

The RT System itself - Status changed from 'new' to 'open'