Assert fail/segfault in Perl_sv_pvn_force_flags #15044
Comments
From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

```
./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
```

And then fuzzed the resulting binary using:

```
AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
```

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in DEBUGGING perls without any other symptoms in the normal perl interpreter. The testcase is the file:

```
/(?{})|(??{U:0})/|s|||g
```

```
dcollins@nightshade64:/usr/local/perl-afl/out$ ~/perldebug/perl -e '/(?{})|(??{U:0})/|s|||g'
```

On non-debugging perls, this eventually leads to a segfault:

```
==11561== Invalid read of size 8
```

**GDB**

```
(gdb) run
Program received signal SIGABRT, Aborted.
```

**VALGRIND**

```
==5662== Memcheck, a memory error detector
```

**PERL -V**

```
dcollins@nightshade64:/usr/local/perl-afl$ ./bin/perl -V
Characteristics of this binary (from libperl):
```
From @tonycoz

On Tue Nov 10 19:04:55 2015, dcollinsn@gmail.com wrote:

This can be simplified further to:

```
s/(?{})|(??{U:0})//g
```

There are two problems in the original:

1) it looks like #124368 is biting us in a different way in that the regexp being used by pp_subst is the one from the match

2) pp_subst() (in either example) creates a new temp sv (line 3078):

```
dstr = newSVpvn_flags(orig, s-orig,
```

then later calls CALLREGEXEC() (line 3129):

```
} while (CALLREGEXEC(rx, s, strend, orig,
```

and the pp_nextstate called when running the C<U:0> code calls FREETMPS, releasing dstr, and so the following (line 3133) tries to work with a freed SV:

```
sv_catpvn_nomg_maybeutf8(dstr, s, strend - s, DO_UTF8(TARG));
```

and asserts.

Tony
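The premature free Tony describes above, as an added toy model in C (not perl's own code): a mortal stack whose FREETMPS drops temps down to a floor, a caller that mortalises `dstr`, and a callee that calls FREETMPS with and without first doing SAVETMPS. Names such as `subst_model`, `run_code_block` and `tmps_stack` are this model's own, chosen to mirror the perl internals named in the report.

```c
#include <stdlib.h>
#include <string.h>
/* Toy model of perl's mortal ("tmps") stack, not perl's own code: SVs marked
 * mortal are dropped by FREETMPS down to the current floor, and a callee that
 * does SAVETMPS on entry raises the floor so its caller's temps survive. */
typedef struct { int refcnt; char *pv; } SV;
#define TMPS_MAX 16
static SV *tmps_stack[TMPS_MAX];
static int tmps_ix = -1;    /* top of the tmps stack, like PL_tmps_ix */
static int tmps_floor = -1; /* like PL_tmps_floor */

static SV *newSV(const char *s) {
    SV *sv = malloc(sizeof *sv);
    size_t n = strlen(s) + 1;
    sv->refcnt = 1;
    sv->pv = malloc(n);
    memcpy(sv->pv, s, n);
    return sv;
}
/* Drop one reference; at zero the string body is released but the header
 * is kept, so the model can report "already freed" instead of crashing. */
static void SvREFCNT_dec(SV *sv) {
    if (sv->refcnt > 0 && --sv->refcnt == 0) { free(sv->pv); sv->pv = NULL; }
}
static SV *sv_2mortal(SV *sv) { tmps_stack[++tmps_ix] = sv; return sv; }
static void FREETMPS(void) {
    while (tmps_ix > tmps_floor) SvREFCNT_dec(tmps_stack[tmps_ix--]);
}
/* Stand-in for the (?{}) block: pp_nextstate calls FREETMPS. With
 * raise_floor set, the block first does the SAVETMPS a new scope should. */
static void run_code_block(int raise_floor) {
    int saved_floor = tmps_floor;
    if (raise_floor) tmps_floor = tmps_ix;      /* SAVETMPS */
    FREETMPS();                                  /* pp_nextstate */
    tmps_floor = saved_floor;                    /* LEAVE */
}

/* Model of the pp_subst sequence from the report: create the temporary
 * dstr, run the match (which executes the code block), then append to
 * dstr. Returns 1 if dstr is still live at the append, 0 if it was freed. */
static int subst_model(int block_saves_tmps) {
    SV *dstr = sv_2mortal(newSV("prefix"));      /* dstr = newSVpvn_flags(...) */
    run_code_block(block_saves_tmps);            /* CALLREGEXEC -> (?{...}) */
    int alive = dstr->pv != NULL;                /* sv_catpvn_nomg_maybeutf8(dstr, ...) */
    FREETMPS();                                  /* statement end drops dstr normally */
    free(dstr);
    return alive;
}
```

Without the floor being raised, the callee's FREETMPS releases the caller's `dstr` and the later append touches a dead SV, which is exactly what the DEBUGGING assert catches.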
The RT System itself - Status changed from 'new' to 'open'
From @tonycoz

On Wed Dec 02 19:45:43 2015, tonyc wrote:

Or not, s/// has the same empty regexp behaviour as m//

Tony
From @hvds

I can't reproduce this with blead. Bisect using:

```
% Porting/bisect.pl --start=7195e5da55a40d15e29ad80562668bdd6895441f --crash --expect-fail --target=miniperl -e '/(?{})|(??{U:0})/|s|||g'
```

..leads to 1dfbe6b which is partway through the huge "revamp context system" from DaveM merged in February (at 9d876b6):

It sounds reasonable to me that the context work fixes what appears to be a premature free, so I'm resolving this ticket.

Hugo
@hvds - Status changed from 'open' to 'resolved'
Migrated from rt.perl.org#126614 (status was 'resolved')
Searchable as RT126614$