Perl_sv_backoff(SV *const): Assertion `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV' failed (sv.c:1516) #15757

Open
p5pRT opened this issue Dec 11, 2016 · 4 comments

p5pRT commented Dec 11, 2016

Migrated from rt.perl.org#130316 (status was 'open')

Searchable as RT130316$


p5pRT commented Dec 11, 2016

From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

od -tx1 test163
0000000 6d 61 70 2a 53 3d 24 5f 3d 20 24 54 0d 25 24 54
0000020 2c 25 bd 3d 54 2c 25 54 2c 25 bd 3d 54 2c 25 24
0000040 54 2c 2c 2a 4f 55 4d 2c 04 00 77 2c 2d 54 2d 54
0000060 2d 6c 2d 77 4f 2d 54 2d 55 4d 2c 04 00 77 2c 2d
0000100 54 2d 54 2d 6c 2d 77 2e 2d 54 2d 2d 54 2d 6c 2d
0000120 77 2e 2d 5e 2d 54 20 2d 77 2c 2d 54 2d 2d 77 2c
0000140 2d 54 2d 54 21 54 20 2d 77 2c 2d fb fb fb fb fb
0000160 fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
0000200 fb fb fb fb fb fb fb fb 73 2e 00 2e ea 3f 69 0c
0000220 75 6f 55 00
0000224

./perl test163
perl: sv.c:1516: void Perl_sv_backoff(SV *const): Assertion
`((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV' failed.
Aborted


p5pRT commented Dec 11, 2016

From @geeknik

test163.gz


p5pRT commented Dec 12, 2016

From @iabyn

On Sun, Dec 11, 2016 at 12:53:01PM -0800, Brian Carpenter wrote:

# New Ticket Created by Brian Carpenter
# Please include the string: [perl #130316]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt-archive.perl.org/perl5/Ticket/Display.html?id=130316 >

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

./perl test163
perl: sv.c:1516: void Perl_sv_backoff(SV *const): Assertion
`((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV' failed.
Aborted

Another stack-not-refcounted issue. Can be reduced to

  map(
  ($_ = $T % 1),
  ((%x) = 'T'),
  ((%x) = 'T'),
  %$T
  );

The second assignment to %x frees the old value of $x{T} but leaves it on
the stack. The %$T then autovivifies $T as a ref to a hash, and the
newly-allocated hash is the just-freed SV, so now there's a HV on the
stack and it all goes horribly wrong.

--
More than any other time in history, mankind faces a crossroads. One path
leads to despair and utter hopelessness. The other, to total extinction.
Let us pray we have the wisdom to choose correctly.
  -- Woody Allen
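
A toy model of the sequence described in the comment above, added here as an illustration; it is not code from perl's source or from the ticket. The names `arena`, `new_sv`, `sv_dec`, `replay` and `stack_owns_ref` are hypothetical, and the LIFO free list is an assumption standing in for the allocator reusing the just-freed SV.

```c
/* Toy model, constructed for illustration; not code from perl's sv.c. */
#include <stdio.h>
enum svtype { SVt_FREE, SVt_PV, SVt_PVHV };
typedef struct sv { enum svtype type; int refcnt; struct sv *next_free; } SV;

static SV arena[4];
static SV *free_list;

static void arena_init(void) {
    free_list = NULL;
    for (int i = 3; i >= 0; i--) {
        arena[i] = (SV){ SVt_FREE, 0, free_list };
        free_list = &arena[i];
    }
}

/* Allocation hands back the most recently freed slot (assumed LIFO reuse). */
static SV *new_sv(enum svtype t) {
    SV *sv = free_list;
    if (!sv) return NULL;
    free_list = sv->next_free;
    sv->type = t; sv->refcnt = 1;
    return sv;
}

static void sv_dec(SV *sv) {
    if (--sv->refcnt > 0) return;
    sv->type = SVt_FREE;               /* slot goes back on the free list */
    sv->next_free = free_list;
    free_list = sv;
}

/* Replays the sequence and returns the type seen through the stack slot.
   stack_owns_ref=0: bare pointer on the stack; 1: hypothetical owning stack. */
enum svtype replay(int stack_owns_ref) {
    SV *stack[1];
    arena_init();
    SV *elem = new_sv(SVt_PV);         /* old value of $x{T}, owned by %x */
    stack[0] = elem;                   /* the same SV is also on the stack */
    if (stack_owns_ref) elem->refcnt++;
    sv_dec(elem);                      /* second (%x) = 'T' drops %x's reference */
    (void)new_sv(SVt_PVHV);            /* %$T autovivifies a new hash */
    return stack[0]->type;
}

int main(void) {
    printf("bare: %d, owned: %d\n", (int)replay(0), (int)replay(1));
    return 0;
}
```

With the bare pointer the stack slot ends up reporting `SVt_PVHV`, the condition the assertion in `Perl_sv_backoff` rejects; when the stack holds its own reference the slot still reports `SVt_PV`.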


p5pRT commented Dec 12, 2016

The RT System itself - Status changed from 'new' to 'open'
