double-free affecting multiple Perl versions #15765

Open
p5pRT opened this issue Dec 13, 2016 · 6 comments

Comments

@p5pRT

p5pRT commented Dec 13, 2016

Migrated from rt.perl.org#130332 (status was 'open')

Searchable as RT130332$

@p5pRT

p5pRT commented Dec 13, 2016

From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

od -tx1 test430
0000000 6d 61 70 2a 00 00 24 5f 3d 20 24 23 24 5f 3d 38
0000020 2c 25 5f 3d 44 2e 2e 00 20 46 54 2c 44 4f 55 4d
0000040 38 2c 25 5f 3d 44 2e 2e 00 20 46 2c 04 22 39 6e
0000060 6e 67 67 31 7f 00 00 80 ff ff 7f 44 68 55 4d 2c
0000100 04 22 22 6e 6e 67 67 31 24 2a 11 00 43 4b 57 a8
0000120 9f
0000121

=================================================================
==15593==ERROR: AddressSanitizer: attempting double-free on 0x60200000b4f0 in thread T0:
  #0 0x4c0a4b in __interceptor_free (/root/perl/perl+0x4c0a4b)
  #1 0x7fce59 in Perl_safesysfree /root/perl/util.c:388:2
  #2 0x8abb3d in Perl_vivify_ref /root/perl/pp_hot.c:4362:2
  #3 0x9aeb55 in Perl_pp_rv2sv /root/perl/pp.c:404:11
  #4 0x7f81fb in Perl_runops_debug /root/perl/dump.c:2260:23
  #5 0x5a0ab3 in S_run_body /root/perl/perl.c:2526:2
  #6 0x5a0ab3 in perl_run /root/perl/perl.c:2449
  #7 0x4de6dd in main /root/perl/perlmain.c:123:9
  #8 0x7f5d28d62b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #9 0x4de34c in _start (/root/perl/perl+0x4de34c)

0x60200000b4f0 is located 0 bytes inside of 10-byte region [0x60200000b4f0,0x60200000b4fa)
freed by thread T0 here:
  #0 0x4c0a4b in __interceptor_free (/root/perl/perl+0x4c0a4b)
  #1 0x7fce59 in Perl_safesysfree /root/perl/util.c:388:2
  #2 0x957ec2 in Perl_sv_free2 /root/perl/sv.c:7056:9

previously allocated by thread T0 here:
  #0 0x4c0ccb in malloc (/root/perl/perl+0x4c0ccb)
  #1 0x7fc067 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==15593==ABORTING

Perl 5.20.2 fails under Valgrind with:
==8886== Invalid free() / delete / delete[] / realloc()
==8886==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==8886==    by 0x4F031B7: Perl_vivify_ref (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F1ECCE: Perl_pp_rv2sv (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x400E18: main (in /usr/bin/perl)
==8886==  Address 0x5f447b0 is 0 bytes inside a block of size 10 free'd
==8886==    at 0x4C29E90: free (vg_replace_malloc.c:473)
==8886==    by 0x4F0CFAB: Perl_sv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0D289: Perl_sv_free2 (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EF4C9A: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EF7D99: Perl_hv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EFDF04: Perl_pp_aassign (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x400E18: main (in /usr/bin/perl)
==8886==
Not a GLOB reference at test430 line 1.
==8886== Invalid read of size 1
==8886==    at 0x4F0DA54: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0DBBD: Perl_sv_unmagic (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0C7DE: Perl_sv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0D289: Perl_sv_free2 (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F31D00: Perl_leave_scope (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4E82775: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4E8B902: Perl_my_failure_exit (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F3AF5C: Perl_die_unwind (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EDD838: Perl_vcroak (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EDD9C3: Perl_die (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F1E999: Perl_pp_rv2gv (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==  Address 0xff00000012 is not stack'd, malloc'd or (recently) free'd
==8886==
==8886==
==8886== Process terminating with default action of signal 11 (SIGSEGV)
==8886==  Access not within mapped region at address 0xFF00000012
==8886==    at 0x4F0DA54: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0DBBD: Perl_sv_unmagic (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0C7DE: Perl_sv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F0D289: Perl_sv_free2 (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F31D00: Perl_leave_scope (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4E82775: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4E8B902: Perl_my_failure_exit (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F3AF5C: Perl_die_unwind (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EDD838: Perl_vcroak (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EDD9C3: Perl_die (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4F1E999: Perl_pp_rv2gv (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==    by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==8886==  If you believe this happened as a result of a stack
==8886==  overflow in your program's main thread (unlikely but
==8886==  possible), you can try to increase the size of the
==8886==  main thread stack using the --main-stacksize= flag.
==8886==  The main thread stack size used in this run was 8388608.
Segmentation fault

@p5pRT

p5pRT commented Dec 13, 2016

From @geeknik

test430.gz

@p5pRT

p5pRT commented Dec 14, 2016

From @tonycoz

On Mon, 12 Dec 2016 17:26:26 -0800, brian.carpenter@gmail.com wrote:

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

od -tx1 test430
0000000 6d 61 70 2a 00 00 24 5f 3d 20 24 23 24 5f 3d 38
0000020 2c 25 5f 3d 44 2e 2e 00 20 46 54 2c 44 4f 55 4d
0000040 38 2c 25 5f 3d 44 2e 2e 00 20 46 2c 04 22 39 6e
0000060 6e 67 67 31 7f 00 00 80 ff ff 7f 44 68 55 4d 2c
0000100 04 22 22 6e 6e 67 67 31 24 2a 11 00 43 4b 57 a8
0000120 9f
0000121

Another stack-not-refcounted bug.

Rarely running this doesn't produce this error for me, but​:

$ ./perl ../130332.pl
Modification of a read-only value attempted at ../130332.pl line 1.

More rarely it produces​:

$ ./perl ../130332.pl

==18246==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6210000114f0 at pc 0x839aa3 bp 0x7ffe5993e640 sp 0x7ffe5993e638
READ of size 8 at 0x6210000114f0 thread T0
  #0 0x839aa2 in Perl_vivify_ref /home/tony/dev/perl/git/perl/pp_hot.c:4362
  #1 0x923c4a in Perl_pp_rv2sv /home/tony/dev/perl/git/perl/pp.c:404
  #2 0x73a813 in Perl_runops_debug /home/tony/dev/perl/git/perl/dump.c:2260
  #3 0x4be8d3 in S_run_body /home/tony/dev/perl/git/perl/perl.c:2526
  #4 0x4bcc5e in perl_run /home/tony/dev/perl/git/perl/perl.c:2449
  #5 0x41fa8b in main /home/tony/dev/perl/git/perl/perlmain.c:123
  #6 0x7f22f781eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #7 0x41f808 (/home/tony/dev/perl/git/perl/perl+0x41f808)

0x6210000114f0 is located 0 bytes to the right of 4080-byte region [0x621000010500,0x6210000114f0)
allocated by thread T0 here:
  #0 0x7f22f897073f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
  #1 0x73e0ee in Perl_safesysmalloc /home/tony/dev/perl/git/perl/util.c:153
  #2 0x8434f3 in S_more_sv /home/tony/dev/perl/git/perl/sv.c:307
  #3 0x8e6555 in Perl_newSV_type /home/tony/dev/perl/git/perl/sv.c:9654
  #4 0x4f9aba in S_parse_gv_stash_name /home/tony/dev/perl/git/perl/gv.c:1639
  #5 0x507c5b in Perl_gv_fetchpvn_flags /home/tony/dev/perl/git/perl/gv.c:2324
  #6 0x47876c in Perl_newXS_len_flags /home/tony/dev/perl/git/perl/op.c:9134
  #7 0x47854b in Perl_newXS_flags /home/tony/dev/perl/git/perl/op.c:9108
  #8 0xb7ebf4 in Perl_boot_core_UNIVERSAL /home/tony/dev/perl/git/perl/universal.c:1084
  #9 0x4babf9 in S_parse_body /home/tony/dev/perl/git/perl/perl.c:2274
  #10 0x4b7f50 in perl_parse /home/tony/dev/perl/git/perl/perl.c:1689
  #11 0x41fa73 in main /home/tony/dev/perl/git/perl/perlmain.c:121
  #12 0x7f22f781eb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tony/dev/perl/git/perl/pp_hot.c:4362 Perl_vivify_ref
Shadow bytes around the buggy address:
  0x0c427fffa240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffa280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffa290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c427fffa2a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa2b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa2c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa2d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffa2e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB: fc
  ASan internal: fe
==18246==ABORTING

which looks like #130321.

Simplifies to​:

./perl -e 'map*$_= $#$_=8,%_=D.. FD,%_=D.. F'

The variations are likely from hash ordering.

Tony
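Because the outcome of this reproducer flips with hash ordering, a triage helper like the one below (added here; it is not from the ticket or the perl project) pins Perl's hash seed for each run and files every seed under the outcome the thread reports, turning a crash that reproduces only "rarely" into a deterministic one. It assumes the caller passes the path to an ASan or Valgrind-friendly perl build; the outcome labels and their signatures are constructed from the reports quoted in this ticket.

```python
import os
import re
import subprocess
from typing import Dict, Iterable, List

# Reduced reproducer from Tony Cook's comment in this ticket.
REPRO = "map*$_= $#$_=8,%_=D.. FD,%_=D.. F"

# Outcome signatures taken from the reports in this thread, most severe first,
# so a run that corrupts memory and then croaks is filed under the former.
_SIGNATURES = (
    ("asan-double-free", re.compile(r"AddressSanitizer: attempting double-free")),
    ("asan-heap-overflow", re.compile(r"AddressSanitizer: heap-buffer-overflow")),
    ("valgrind-invalid-free", re.compile(r"==\d+== Invalid free\(\)")),
    ("croak", re.compile(r"Modification of a read-only value|Not a GLOB reference")),
)


def classify(stderr: str) -> str:
    """Map one run's stderr to an outcome label; 'clean' when nothing matched."""
    for label, pattern in _SIGNATURES:
        if pattern.search(stderr):
            return label
    return "clean"


def run_with_seed(perl: str, seed: int, script: str = REPRO, timeout: float = 30.0) -> str:
    """Run `script` once with hash ordering pinned and return its outcome label.

    PERL_HASH_SEED (a hex string on 5.18+) fixes the seed and PERL_PERTURB_KEYS=0
    disables per-process bucket perturbation, so one seed gives one order.
    """
    env = dict(os.environ, PERL_HASH_SEED=f"{seed:x}", PERL_PERTURB_KEYS="0")
    proc = subprocess.run([perl, "-e", script], env=env, capture_output=True,
                          text=True, timeout=timeout)
    return classify(proc.stderr)


def sweep_seeds(perl: str, seeds: Iterable[int]) -> Dict[str, List[int]]:
    """Group seeds by outcome; seeds under a memory-safety label are the
    deterministic reproducers worth attaching to the ticket."""
    grouped: Dict[str, List[int]] = {}
    for seed in seeds:
        grouped.setdefault(run_with_seed(perl, seed), []).append(seed)
    return grouped


if __name__ == "__main__":
    for label, seeds in sweep_seeds("./perl", range(64)).items():
        print(f"{label:22s} {seeds}")
```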

@p5pRT

p5pRT commented Dec 14, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Feb 20, 2017

From @iabyn

On Tue, Dec 13, 2016 at 09:27:33PM -0800, Tony Cook via RT wrote:

which looks like #130321.

Simplifies to​:

./perl -e 'map*$_= $#$_=8,%_=D.. FD,%_=D.. F'

The variations are likely from hash ordering.

And as for #130321, I propose that the ticket be moved to the public
queue, added to the 'stack not ref counted' meta ticket, then ignored
until such time as we fix that wider issue.

--
Wesley Crusher gets beaten up by his classmates for being a smarmy git,
and consequently has a go at making some friends of his own age for a
change.
  -- Things That Never Happen in "Star Trek" #18

@p5pRT

p5pRT commented Feb 27, 2017

From @iabyn

On Mon, Feb 20, 2017 at 11:45:12AM +0000, Dave Mitchell wrote:

On Tue, Dec 13, 2016 at 09:27:33PM -0800, Tony Cook via RT wrote:

which looks like #130321.

Simplifies to​:

./perl -e 'map*$_= $#$_=8,%_=D.. FD,%_=D.. F'

The variations are likely from hash ordering.

And as for #130321, I propose that the ticket be moved to the public
queue, added to the 'stack not ref counted' meta ticket, then ignored
until such time as we fix that wider issue.

which I am now doing.

--
Fire extinguisher (n) a device for holding open fire doors.
