From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in debug buids of the perl interpreter. The testcase is the file below. On normal builds, this runs normally (albeit with an expected warning). On debug builds, this returns an assert fail.

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -e 'sub MODIFY_HASH_ATTRIBUTES{}my(%o)​:s==0'
perl​: sv.c​:2595​: Perl_sv_2nv_flags​: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
Aborted

This seems to be the "hash equivalent" of [perl #128183]?

Debugging tool output is below. A git bisect was performed and reported the following, which is the commit where the assert was initially added.

217f6fa is the first bad commit
commit 217f6fa
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Fri Jul 19 08​:51​:47 2013 -0700

  sv.c​: Assert that sv_[ivp]v are not passed aggregates

  The lack of assertions can hide bugs. See 32a6097 for instance

:100644 100644 3ac0a2bce83bc12406be1fa22acefa8f8a2014c7 daa87f00081d96c8d15f94f02c32cd85e8af0266 M sv.c
bisect run success

**GDB**

dcollins@​nightshade64​:~/perldebug$ gdb --args ./perl -Ilib -e 'sub MODIFY_HASH_ATTRIBUTES{}my(%o)​:s==0'
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl...done.
(gdb) run
Starting program​: /home/dcollins/perldebug/perl -Ilib -e sub\ MODIFY_HASH_ATTRIBUTES\{\}my\(%o\)​:s==0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl​: sv.c​:2595​: Perl_sv_2nv_flags​: Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00000000005cd9fc in Perl_sv_2nv_flags (sv=0xab2730, flags=0) at sv.c​:2594
#5 0x000000000062c724 in Perl_do_ncmp (left=0xab2730, right=0xab27a8) at pp.c​:2281
#6 0x00000000005a933d in Perl_pp_eq () at pp_hot.c​:464
#7 0x000000000055a245 in Perl_runops_debug () at dump.c​:2239
#8 0x00000000004623d3 in S_run_body (oldscope=1) at perl.c​:2517
#9 0x00000000004619fe in perl_run (my_perl=0xa9c010) at perl.c​:2440
#10 0x000000000041eae0 in main (argc=4, argv=0x7fffffffe608, env=0x7fffffffe630)
  at perlmain.c​:116
(gdb) f 4
#4 0x00000000005cd9fc in Perl_sv_2nv_flags (sv=0xab2730, flags=0) at sv.c​:2594
2594 assert (SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV
(gdb) l
2589 NV
2590 Perl_sv_2nv_flags(pTHX_ SV *const sv, const I32 flags)
2591 {
2592 PERL_ARGS_ASSERT_SV_2NV_FLAGS;
2593
2594 assert (SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV
2595 && SvTYPE(sv) != SVt_PVFM);
2596 if (SvGMAGICAL(sv) || SvVALID(sv) || isREGEXP(sv)) {
2597 /* FBMs use the space for SvIVX and SvNVX for other purposes, and use
2598 the same flag bit as SVf_IVisUV, so must not let them cache NVs.
(gdb) info locals
__PRETTY_FUNCTION__ = "Perl_sv_2nv_flags"
(gdb) q

**VALGRIND**

No reported memory management errors.

**PERL -V**

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 2) configuration​:
  Commit id​: c29dfc6
  Platform​:
  osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='6.1.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
  USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at May 26 2016 17​:57​:37
  @​INC​:
  lib
  /usr/local/perl-afl/lib/site_perl/5.25.2/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.25.2
  /usr/local/perl-afl/lib/5.25.2/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.25.2
  /usr/local/perl-afl/lib/site_perl/5.25.1
  /usr/local/perl-afl/lib/site_perl/5.24.0
  /usr/local/perl-afl/lib/site_perl
  .

From @cpansprout

On Thu May 26 18​:57​:12 2016, dcollinsn@​gmail.com wrote​:

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -e 'sub
MODIFY_HASH_ATTRIBUTES{}my(%o)​:s==0'
perl​: sv.c​:2595​: Perl_sv_2nv_flags​: Assertion `((svtype)((sv)-

sv_flags & 0xff)) != SVt_PVAV && ((svtype)((sv)->sv_flags & 0xff)) !=
SVt_PVHV && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' failed.
Aborted

This seems to be the "hash equivalent" of [perl #128183]?

No, #128183 has a backslash before the my() and an assignment operator after it. It has to do with refaliasing not playing nicely with attributes.

This bug is different​:

$ ./perl -Ilib -MO=Concise -e 'my(%o)​:s==0'
g <@​> leave[1 ref] vKP/REFC ->(end)
1 <0> enter ->2
2 <;> nextstate(main 64 -e​:1) v​:{ ->3
f <2> eq vK/2 ->g
d <@​> list sK ->e
3 <0> pushmark v ->4
4 <0> padhv[%o​:64,65] vPM/LVINTRO ->5
c <1> entersub[t2] vKS*/TARG ->d
5 <0> pushmark s ->6
6 <$> const[PV "attributes"] sM ->7
7 <$> const[PV "main"] sM ->8
9 <1> srefgen sKM/1 ->a
- <1> ex-list lKRM ->9
8 <0> padsv[%o​:64,65] sRM ->9
a <$> const[PV "s"] sM ->b
b <.> method_named[PV "import"] ->c
e <$> const[IV 0] s ->f
-e syntax OK
$ ./perl -Ilib -MO=Concise -e 'my(%o)==0'
6 <@​> leave[1 ref] vKP/REFC ->(end)
1 <0> enter ->2
2 <;> nextstate(main 1 -e​:1) v​:{ ->3
5 <2> eq vK/2 ->6
3 <0> padhv[%o​:1,2] sPM/LVINTRO ->4
4 <$> const[IV 0] s ->5
-e syntax OK

When we have an attribute, the padhv op is in void context (the v in vPM/LVINTRO), whereas it should be in scalar context.

--

Father Chrysostomos

The RT System itself - Status changed from 'new' to 'open'

From zefram@fysh.org

The test case doesn't assert for me on blead, but I still see the padhv
being in void context. I see some related misbehaviour, anywhere that
an attributed hash is put into scalar context​:

$ perl -lwe 'sub MODIFY_HASH_ATTRIBUTES{} print scalar(my%o) // "undef"'
0
$ perl -lwe 'sub MODIFY_HASH_ATTRIBUTES{} print scalar(my%p​:S) // "undef"'
undef

There's also inconsistent behaviour in scalar lvalue context​:

$ perl -lwe 'sub MODIFY_HASH_ATTRIBUTES{} (my%o) .= 1'
Can't modify private hash in concatenation (.) or string at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
$ perl -lwe 'sub MODIFY_HASH_ATTRIBUTES{} (my%p​:S) .= 1'
Modification of a read-only value attempted at -e line 1.

In fact anything that needs to understand that the hash declaration is
a hash declaration gets into trouble​:

$ perl -lwe 'sub f (\%) { print "ok" } f(my %o)'
ok
$ perl -lwe 'sub f (\%) { print "ok" } f(my %p​:S)'
Too many arguments for main​::f at -e line 1, near "​:S)
"
Execution of -e aborted due to compilation errors.
$ perl -lwe 'sub f (\%) { print "ok" } f((my %p​:S))'
Type of arg 1 to main​::f must be hash (not list) at -e line 1, near "))
"
Execution of -e aborted due to compilation errors.

The problem is the dubious way in which an optree is constructed to apply
attributes at runtime. I'm sure at the time it seemed like a neat hack
to stick the object and its attribute-applying expression into a list,
but it's turned out to not be up to the task. Identifying an attributed
declaration in this form is tricky, and easily omitted from places that
need to do it. It's one of the issues making [perl #114932] so tricky.

I think the optrees for declarations with attributes should have a
different form, which is more distinct from ordinary lists and looks more
like ordinary object references. It should look as ordinary as possible,
because attributes are obscure and will continue to be forgotten about
by the authors of most op munging code. (They've got far too much to
think about without attributes too.) So I think the attribute stuff
should be hidden away as children of the pad[sah]v op.

-zefram