null ptr deref, segfault in S_rv2gv (pp.c:296) #15607

Open
p5pRT opened this issue Sep 16, 2016 · 5 comments

Comments

p5pRT commented Sep 16, 2016

Migrated from rt.perl.org#129288 (status was 'open')

Searchable as RT129288$

p5pRT commented Sep 16, 2016

From @geeknik

Triggered in v5.25.5 (v5.25.4-130-g7aa7bbc) with AFL + ASAN + libdislocator.

  ./perl -e 'select$0=%::=*0==0'
  ASAN:SIGSEGV

  ==3754==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000f (pc 0x0000009a4fb9 bp 0x621000010f2c sp 0x7ffe58dc62b0 T0)
    #0 0x9a4fb8 in S_rv2gv /root/perl/pp.c:296:6
    #1 0x9a419a in Perl_pp_rv2gv /root/perl/pp.c:312:10
    #2 0x7f4583 in Perl_runops_debug /root/perl/dump.c:2239:23
    #3 0x5a11c6 in S_run_body /root/perl/perl.c:2525:2
    #4 0x5a11c6 in perl_run /root/perl/perl.c:2448
    #5 0x4de5fd in main /root/perl/perlmain.c:123:9
    #6 0x7f375e120b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #7 0x4de26c in _start (/root/perl/perl+0x4de26c)

  AddressSanitizer can not provide additional info.
  SUMMARY: AddressSanitizer: SEGV /root/perl/pp.c:296 S_rv2gv
  ==3754==ABORTING

p5pRT commented Jan 27, 2017

From zefram@fysh.org

The test case no longer segvs for me, since v5.25.6-78-g8b0c337.

-zefram

p5pRT commented Jan 27, 2017

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Mar 28, 2017

From @iabyn

On Fri, Jan 27, 2017 at 06:52:50AM +0000, Zefram wrote:

The test case no longer segvs for me, since v5.25.6-78-g8b0c337.

The code can be reduced to​:

  $x = "foo";
  %:: = ($x);
  *$x;

Prior to that commit, pp_assign, when assigning to a hash with an odd
number of elements on the RHS, ended up using PL_sv_undef as the hash
value rather than a copy of PL_sv_undef. PL_sv_undef as a value in a stash
apparently means something special, so the glob lookup, *$x, crashed.

That commit fixed the bug of storing PL_sv_undef; I'm not sure whether
there's still a bug of *$x crashing if $::{$x} is a pointer to
PL_sv_undef - whether that is legal value etc.

Basically the gv_fetchsv_nomg() call in S_rv2gv() returns NULL, which
S_rv2gv() isn't expecting.

Perl_gv_fetchpvn_flags() has:

  gvp = (GV**)hv_fetch(stash,name,is_utf8 ? -(I32)len : (I32)len,add);
  if (!gvp || *gvp == (const GV *)&PL_sv_undef) {
      if (addmg) gv = (GV *)newSV(0);
      else return NULL;

which is where the test for the magic value PL_sv_undef appears.

--
Never work with children, animals, or actors.

p5pRT commented Mar 29, 2017

From @cpansprout

On Tue, 28 Mar 2017 08:33:20 -0700, davem wrote:

On Fri, Jan 27, 2017 at 06:52:50AM +0000, Zefram wrote:

The test case no longer segvs for me, since v5.25.6-78-g8b0c337.

The code can be reduced to​:

  $x = "foo";
  %:: = ($x);
  *$x;

Prior to that commit, pp_assign, when assigning to a hash with an odd
number of elements on the RHS, ended up using PL_sv_undef as the hash
value rather than a copy of PL_sv_undef. PL_sv_undef as a value in a stash
apparently means something special, so the glob lookup, *$x, crashed.

That commit fixed the bug of storing PL_sv_undef; I'm not sure whether
there's still a bug of *$x crashing if $::{$x} is a pointer to
PL_sv_undef - whether that is legal value etc.

Then one can still make it crash:

  use feature "refaliasing";
  \$::{foo} = \undef;
  *{"foo"};

  $ pbpaste|./perl -Ilib
  Aliasing via reference is experimental at - line 2.
  Segmentation fault: 11

Basically the gv_fetchsv_nomg() call in S_rv2gv() returns NULL, which
S_rv2gv() isn't expecting.

Perl_gv_fetchpvn_flags() has:

  gvp = (GV**)hv_fetch(stash,name,is_utf8 ? -(I32)len : (I32)len,add);
  if (!gvp || *gvp == (const GV *)&PL_sv_undef) {
      if (addmg) gv = (GV *)newSV(0);
      else return NULL;

which is where the test for the magic value PL_sv_undef appears.

And that seems to be ancient. However, I don’t know what would be logical to do otherwise.

Interestingly, other immortals are also, but differently, problematic.

  use feature "refaliasing";
  \$::{foo} = \!1;
  *{"foo"};

  Aliasing via reference is experimental at - line 2.
  Assertion failed: (!SvPOKp(gv)), function Perl_gv_init_pvn, file gv.c, line 411.
  Abort trap: 6

Perhaps they should just behave like this instead​:

  use feature "refaliasing";
  \$::{foo} = \"foo";
  *{"foo"};

  $ pbpaste|./perl -Ilib
  Aliasing via reference is experimental at - line 2.
  Modification of a read-only value attempted at - line 3.

But the error message there is not all that helpful in saying what went wrong.

Maybe we could change croak_no_modify to include the op description. (How much would that break?)

--

Father Chrysostomos
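The two comments above describe the same shape of defect from both ends: davem's explanation that an odd-length hash assignment planted the shared immortal PL_sv_undef in the stash instead of a copy, so that the gv.c lookup treats the slot as "no such entry" and returns NULL into a caller that never checks, and Father Chrysostomos's point that refaliasing can still plant an immortal the same way. The following C program is an added illustration, not perl's code: it models a stash as a tiny table with one shared immortal value, a fetch routine with the quoted gv.c convention (absent key or immortal-in-slot both return NULL), the pre-fix and fixed assignment behaviours side by side, and an unchecked caller beside a checked one. Every name in it (Val, Table, table_fetch, assign_list, glob_len_checked, ...) is this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of a stash: a small name -> value table. Not perl's code. */
#define TABLE_SIZE 8

typedef struct { char *str; } Val;     /* str == NULL models an undefined value */

/* Shared immortal undef, standing in for PL_sv_undef. A slot pointing here is
 * treated by table_fetch() as "no such entry", as in the quoted gv.c test. */
static Val IMMORTAL_UNDEF = { NULL };

typedef struct { const char *key; Val *val; } Entry;
typedef struct { Entry slots[TABLE_SIZE]; int n; } Table;

/* Fresh heap value; s == NULL gives a fresh (non-shared) undef. */
static Val *new_val(const char *s)
{
    Val *v = calloc(1, sizeof *v);
    if (!v) abort();
    if (s) {
        size_t len = strlen(s) + 1;
        v->str = malloc(len);
        if (!v->str) abort();
        memcpy(v->str, s, len);
    }
    return v;
}

static void table_store(Table *t, const char *key, Val *v)
{
    if (t->n == TABLE_SIZE) abort();
    t->slots[t->n].key = key;
    t->slots[t->n].val = v;
    t->n++;
}

/* Same convention as the hv_fetch/PL_sv_undef test quoted from gv.c:
 * an absent key and a slot holding the immortal undef both yield NULL. */
static Val *table_fetch(const Table *t, const char *key)
{
    for (int i = 0; i < t->n; i++)
        if (strcmp(t->slots[i].key, key) == 0)
            return t->slots[i].val == &IMMORTAL_UNDEF ? NULL : t->slots[i].val;
    return NULL;
}

/* Hash assignment from a flat key/value list. With an odd item count the last
 * key has no value: store_copy == 0 stores the shared immortal itself (the
 * pre-fix behaviour davem describes), store_copy == 1 stores a fresh undef. */
static void assign_list(Table *t, const char **items, int n, int store_copy)
{
    for (int i = 0; i < n; i += 2) {
        Val *v = (i + 1 < n) ? new_val(items[i + 1])
                             : (store_copy ? new_val(NULL) : &IMMORTAL_UNDEF);
        table_store(t, items[i], v);
    }
}

/* Caller in the style of the unchecked S_rv2gv() use: a NULL fetch is
 * dereferenced directly, which is the segfault in the report. */
static size_t glob_len_unchecked(const Table *t, const char *key)
{
    Val *v = table_fetch(t, key);
    return v->str ? strlen(v->str) : 0;
}

/* Defensive caller: a NULL fetch becomes a reportable error (-1), never a
 * dereference. 0 on success with the string length in *out. */
static int glob_len_checked(const Table *t, const char *key, size_t *out)
{
    Val *v = table_fetch(t, key);
    if (!v) return -1;
    *out = v->str ? strlen(v->str) : 0;
    return 0;
}

/* Assign `items` into a fresh table and look `key` up with the checked caller. */
static int lookup_in_list(const char **items, int n, int store_copy,
                          const char *key, size_t *out)
{
    Table t;
    memset(&t, 0, sizeof t);
    assign_list(&t, items, n, store_copy);
    return glob_len_checked(&t, key, out);
}

int main(void)
{
    /* Constructed input mirroring the reduced case: $x = "foo"; %:: = ($x). */
    const char *odd[] = { "foo" };
    size_t len = 0;
    printf("pre-fix assignment, checked lookup of foo: %d\n",
           lookup_in_list(odd, 1, 0, "foo", &len));
    printf("fixed assignment,   checked lookup of foo: %d (len %zu)\n",
           lookup_in_list(odd, 1, 1, "foo", &len), len);
    (void)glob_len_unchecked;   /* kept for comparison; not called on a NULL fetch */
    return 0;
}
```

With the pre-fix assignment the checked lookup reports -1 where the unchecked caller would have dereferenced NULL; with the fixed assignment the same lookup finds a real (undefined) value and succeeds, which is exactly the difference the thread attributes to v5.25.6-78-g8b0c337. The checked caller is also what turns the refaliasing variant into an error rather than a crash, since the fetch convention, not the assignment path, is what produces the NULL.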
