attempting free on address which was not malloc()-ed #15769

Open
p5pRT opened this issue Dec 13, 2016 · 7 comments

Comments

@p5pRT

p5pRT commented Dec 13, 2016

Migrated from rt.perl.org#130336 (status was 'open')

Searchable as RT130336$

@p5pRT

p5pRT commented Dec 13, 2016

From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

od -tx1 test557
0000000 6d 61 70 25 00 00 24 5f 3d 20 25 5f 3d 20 25 00
0000020 24 5f 2c 25 3a 3a 04 32 22 6e 6e 3f ff ff e5 bd
0000040 3d 5d 3a 3a 2f 46 ff f5 80 ff 7f 40 48 48 1f 48
0000060 48 48 36 48 48 48 48 48 48 48 64 00 48 48 48 48
0000100 48 48 48 26 48 48 ff ff 80 6e 6e 40 00 fc ed fa
0000120 3a 3a 46 ff ff 80 6e 6e 40 00 ff ff 7f ff ff ff
0000140 f8 af 00 fc ed fa
0000146

==20040==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400000adb0 in thread T0
  #0 0x4c0a4b in __interceptor_free (/root/perl/perl+0x4c0a4b)
  #1 0x7fce59 in Perl_safesysfree /root/perl/util.c:388:2
  #2 0x8abb3d in Perl_vivify_ref /root/perl/pp_hot.c:4362:2
  #3 0x9aeb55 in Perl_pp_rv2sv /root/perl/pp.c:404:11
  #4 0x7f81fb in Perl_runops_debug /root/perl/dump.c:2260:23
  #5 0x5a0ab3 in S_run_body /root/perl/perl.c:2526:2
  #6 0x5a0ab3 in perl_run /root/perl/perl.c:2449
  #7 0x4de6dd in main /root/perl/perlmain.c:123:9
  #8 0x7f8d15882b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
  #9 0x4de34c in _start (/root/perl/perl+0x4de34c)

0x60400000adb0 is located 32 bytes inside of 37-byte region [0x60400000ad90,0x60400000adb5)
allocated by thread T0 here:
  #0 0x4c0ccb in malloc (/root/perl/perl+0x4c0ccb)
  #1 0x7fc067 in Perl_safesysmalloc /root/perl/util.c:153:21

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==20040==ABORTING

Perl 5.20.2 fails under Valgrind like so:
==22494== Invalid read of size 1
==22494== at 0x4F0DA54: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F0DBBD: Perl_sv_unmagic (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F0C7DE: Perl_sv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F0D289: Perl_sv_free2 (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F3943C: Perl_pp_mapwhile (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x400E18: main (in /usr/bin/perl)
==22494== Address 0xff00000012 is not stack'd, malloc'd or (recently) free'd
==22494==
==22494==
==22494== Process terminating with default action of signal 11 (SIGSEGV)
==22494== Access not within mapped region at address 0xFF00000012
==22494== at 0x4F0DA54: ??? (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F0DBBD: Perl_sv_unmagic (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F0C7DE: Perl_sv_clear (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F0D289: Perl_sv_free2 (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4F3943C: Perl_pp_mapwhile (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4EFB055: Perl_runops_standard (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x4E8B73D: perl_run (in /usr/lib/x86_64-linux-gnu/libperl.so.5.20.2)
==22494== by 0x400E18: main (in /usr/bin/perl)
==22494== If you believe this happened as a result of a stack
==22494== overflow in your program's main thread (unlikely but
==22494== possible), you can try to increase the size of the
==22494== main thread stack using the --main-stacksize= flag.
==22494== The main thread stack size used in this run was 8388608.
Segmentation fault

@p5pRT

p5pRT commented Dec 13, 2016

From @geeknik

test557.gz

@p5pRT

p5pRT commented Dec 14, 2016

From @tonycoz

On Mon, 12 Dec 2016 22:59:57 -0800, brian.carpenter@gmail.com wrote:

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

od -tx1 test557
0000000 6d 61 70 25 00 00 24 5f 3d 20 25 5f 3d 20 25 00
0000020 24 5f 2c 25 3a 3a 04 32 22 6e 6e 3f ff ff e5 bd
0000040 3d 5d 3a 3a 2f 46 ff f5 80 ff 7f 40 48 48 1f 48
0000060 48 48 36 48 48 48 48 48 48 48 64 00 48 48 48 48
0000100 48 48 48 26 48 48 ff ff 80 6e 6e 40 00 fc ed fa
0000120 3a 3a 46 ff ff 80 6e 6e 40 00 ff ff 7f ff ff ff
0000140 f8 af 00 fc ed fa
0000146

I also got:

$ ./perl ../130336.pl
perl: sv.c:6540: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.
Aborted

and:

$ ./perl ../130336.pl

==18473==ERROR: AddressSanitizer: attempting double-free on 0x60400000d0f0 in thread T0:
  #0 0x7f69be81d527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
  #1 0x73e7ab in Perl_safesysfree /home/tony/dev/perl/git/perl/util.c:388
  #2 0x83a2d7 in Perl_vivify_ref /home/tony/dev/perl/git/perl/pp_hot.c:4362
  #3 0x923c4a in Perl_pp_rv2sv /home/tony/dev/perl/git/perl/pp.c:404
  #4 0x73a813 in Perl_runops_debug /home/tony/dev/perl/git/perl/dump.c:2260
  #5 0x4be8d3 in S_run_body /home/tony/dev/perl/git/perl/perl.c:2526
  #6 0x4bcc5e in perl_run /home/tony/dev/perl/git/perl/perl.c:2449
  #7 0x41fa8b in main /home/tony/dev/perl/git/perl/perlmain.c:123
  #8 0x7f69bd6cbb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #9 0x41f808 (/home/tony/dev/perl/git/perl/perl+0x41f808)

0x60400000d0f0 is located 32 bytes inside of 43-byte region [0x60400000d0d0,0x60400000d0fb)
allocated by thread T0 here:
  #0 0x7f69be81d73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
  #1 0x73e0ee in Perl_safesysmalloc /home/tony/dev/perl/git/perl/util.c:153
  #2 0x7e33f7 in S_share_hek_flags /home/tony/dev/perl/git/perl/hv.c:3030
  #3 0x7c95b7 in Perl_hv_common /home/tony/dev/perl/git/perl/hv.c:819
  #4 0x7c680c in Perl_hv_common_key_len /home/tony/dev/perl/git/perl/hv.c:333
  #5 0x4f940f in S_parse_gv_stash_name /home/tony/dev/perl/git/perl/gv.c:1625
  #6 0x507c5b in Perl_gv_fetchpvn_flags /home/tony/dev/perl/git/perl/gv.c:2324
  #7 0x47876c in Perl_newXS_len_flags /home/tony/dev/perl/git/perl/op.c:9134
  #8 0x47854b in Perl_newXS_flags /home/tony/dev/perl/git/perl/op.c:9108
  #9 0xb7ebf4 in Perl_boot_core_UNIVERSAL /home/tony/dev/perl/git/perl/universal.c:1084
  #10 0x4babf9 in S_parse_body /home/tony/dev/perl/git/perl/perl.c:2274
  #11 0x4b7f50 in perl_parse /home/tony/dev/perl/git/perl/perl.c:1689
  #12 0x41fa73 in main /home/tony/dev/perl/git/perl/perlmain.c:121
  #13 0x7f69bd6cbb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: double-free ??:0 __interceptor_free
==18473==ABORTING

and:

$ ./perl ../130336.pl

==18728==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs free) on 0x60400000c1f0
  #0 0x7f379aace527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
  #1 0x73e7ab in Perl_safesysfree /home/tony/dev/perl/git/perl/util.c:388
  #2 0x83a2d7 in Perl_vivify_ref /home/tony/dev/perl/git/perl/pp_hot.c:4362
  #3 0x923c4a in Perl_pp_rv2sv /home/tony/dev/perl/git/perl/pp.c:404
  #4 0x73a813 in Perl_runops_debug /home/tony/dev/perl/git/perl/dump.c:2260
  #5 0x4be8d3 in S_run_body /home/tony/dev/perl/git/perl/perl.c:2526
  #6 0x4bcc5e in perl_run /home/tony/dev/perl/git/perl/perl.c:2449
  #7 0x41fa8b in main /home/tony/dev/perl/git/perl/perlmain.c:123
  #8 0x7f379997cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #9 0x41f808 (/home/tony/dev/perl/git/perl/perl+0x41f808)

0x60400000c1f0 is located 32 bytes inside of 39-byte region [0x60400000c1d0,0x60400000c1f7)
allocated by thread T0 here:
  #0 0x7f379aace73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
  #1 0x73e0ee in Perl_safesysmalloc /home/tony/dev/perl/git/perl/util.c:153
  #2 0x7e33f7 in S_share_hek_flags /home/tony/dev/perl/git/perl/hv.c:3030
  #3 0x7c95b7 in Perl_hv_common /home/tony/dev/perl/git/perl/hv.c:819
  #4 0x7c680c in Perl_hv_common_key_len /home/tony/dev/perl/git/perl/hv.c:333
  #5 0x507d20 in Perl_gv_fetchpvn_flags /home/tony/dev/perl/git/perl/gv.c:2336
  #6 0x47876c in Perl_newXS_len_flags /home/tony/dev/perl/git/perl/op.c:9134
  #7 0x47854b in Perl_newXS_flags /home/tony/dev/perl/git/perl/op.c:9108
  #8 0xb7ebf4 in Perl_boot_core_UNIVERSAL /home/tony/dev/perl/git/perl/universal.c:1084
  #9 0x4babf9 in S_parse_body /home/tony/dev/perl/git/perl/perl.c:2274
  #10 0x4b7f50 in perl_parse /home/tony/dev/perl/git/perl/perl.c:1689
  #11 0x41fa73 in main /home/tony/dev/perl/git/perl/perlmain.c:121
  #12 0x7f379997cb44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: alloc-dealloc-mismatch ??:0 __interceptor_free
==18728==HINT: if you don't care about these warnings you may set ASAN_OPTIONS=alloc_dealloc_mismatch=0
==18728==ABORTING

(which is new to me)

and:

$ ./perl ../130336b.pl

==18686==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62100001c8f0 at pc 0x839aa3 bp 0x7ffe33854990 sp 0x7ffe33854988
READ of size 8 at 0x62100001c8f0 thread T0
  #0 0x839aa2 in Perl_vivify_ref /home/tony/dev/perl/git/perl/pp_hot.c:4362
  #1 0x923c4a in Perl_pp_rv2sv /home/tony/dev/perl/git/perl/pp.c:404
  #2 0x73a813 in Perl_runops_debug /home/tony/dev/perl/git/perl/dump.c:2260
  #3 0x4be8d3 in S_run_body /home/tony/dev/perl/git/perl/perl.c:2526
  #4 0x4bcc5e in perl_run /home/tony/dev/perl/git/perl/perl.c:2449
  #5 0x41fa8b in main /home/tony/dev/perl/git/perl/perlmain.c:123
  #6 0x7fcdfab1db44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #7 0x41f808 (/home/tony/dev/perl/git/perl/perl+0x41f808)

0x62100001c8f0 is located 0 bytes to the right of 4080-byte region [0x62100001b900,0x62100001c8f0)
allocated by thread T0 here:
  #0 0x7fcdfbc6f73f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
  #1 0x73e0ee in Perl_safesysmalloc /home/tony/dev/perl/git/perl/util.c:153
  #2 0x8434f3 in S_more_sv /home/tony/dev/perl/git/perl/sv.c:307
  #3 0x8e3004 in Perl_newSVpvn /home/tony/dev/perl/git/perl/sv.c:9353
  #4 0x4aff1e in perl_construct /home/tony/dev/perl/git/perl/perl.c:272
  #5 0x41f9d1 in main /home/tony/dev/perl/git/perl/perlmain.c:117
  #6 0x7fcdfab1db44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/tony/dev/perl/git/perl/pp_hot.c:4362 Perl_vivify_ref
Shadow bytes around the buggy address:
  0x0c427fffb8c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb8d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb8e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb8f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c427fffb900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c427fffb910: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa
  0x0c427fffb920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb950: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fffb960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Heap right redzone: fb
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack partial redzone: f4
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Contiguous container OOB: fc
  ASan internal: fe
==18686==ABORTING

which looks familiar.

and occasionally no error at all.

This seems to be controlled by the hash order:

$ PERL_HASH_SEED=0x00 ./perl ../130336.pl

==18920==ERROR: AddressSanitizer: alloc-dealloc-mismatch (INVALID vs free) on 0x60400000c270

$ PERL_HASH_SEED=0x01 ./perl ../130336.pl
perl: sv.c:6540: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.
Aborted

$ PERL_HASH_SEED=0x02 ./perl ../130336.pl

==18950==ERROR: AddressSanitizer: attempting double-free on 0x60400000ae70 in thread T0:
...

$ PERL_HASH_SEED=0x07 ./perl ../130336.pl

==18984==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400000adf0 in thread T0

Simplifies:

$ PERL_HASH_SEED=0x01 ./perl -e 'map%$_= %_= %$_,%::'

==19013==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x60400000ac30 in thread T0
  #0 0x7f19400b6527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
  #1 0x73e7ab in Perl_safesysfree /home/tony/dev/perl/git/perl/util.c:388
  #2 0x83a2d7 in Perl_vivify_ref /home/tony/dev/perl/git/perl/pp_hot.c:4362
  #3 0x923c4a in Perl_pp_rv2sv /home/tony/dev/perl/git/perl/pp.c:404
  #4 0x73a813 in Perl_runops_debug /home/tony/dev/perl/git/perl/dump.c:2260
  #5 0x4be8d3 in S_run_body /home/tony/dev/perl/git/perl/perl.c:2526
  #6 0x4bcc5e in perl_run /home/tony/dev/perl/git/perl/perl.c:2449
  #7 0x41fa8b in main /home/tony/dev/perl/git/perl/perlmain.c:123
  #8 0x7f193ef64b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)
  #9 0x41f808 (/home/tony/dev/perl/git/perl/perl+0x41f808)

0x60400000ac30 is located 32 bytes inside of 37-byte region [0x60400000ac10,0x60400000ac35)
allocated by thread T0 here:
  #0 0x7f19400b673f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
  #1 0x73e0ee in Perl_safesysmalloc /home/tony/dev/perl/git/perl/util.c:153
  #2 0x7e33f7 in S_share_hek_flags /home/tony/dev/perl/git/perl/hv.c:3030
  #3 0x7c95b7 in Perl_hv_common /home/tony/dev/perl/git/perl/hv.c:819
  #4 0x7c680c in Perl_hv_common_key_len /home/tony/dev/perl/git/perl/hv.c:333
  #5 0x507d20 in Perl_gv_fetchpvn_flags /home/tony/dev/perl/git/perl/gv.c:2336
  #6 0x4d36b9 in S_init_postdump_symbols /home/tony/dev/perl/git/perl/perl.c:4360
  #7 0x4bac8b in S_parse_body /home/tony/dev/perl/git/perl/perl.c:2299
  #8 0x4b7f50 in perl_parse /home/tony/dev/perl/git/perl/perl.c:1689
  #9 0x41fa73 in main /home/tony/dev/perl/git/perl/perlmain.c:121
  #10 0x7f193ef64b44 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b44)

SUMMARY: AddressSanitizer: bad-free ??:0 __interceptor_free
==19013==ABORTING

Tony

@p5pRT

p5pRT commented Dec 14, 2016

The RT System itself - Status changed from 'new' to 'open'

@p5pRT

p5pRT commented Jan 28, 2017

From @arc

I have a deterministic reduction to a double-free, omitting one of the assignments and one of the uses of the iteration variable.

I get essentially the same trace regardless of what empty array or hash is on the rhs of the aassign. I suspect this is a stack-not-refcounted issue, tbh.

$ ./miniperl -e 'map %$_ = %_, *::, $::{Internals::}'

==59124==ERROR: AddressSanitizer: attempting double-free on 0x611000009780 in thread T0:
  #0 0x10c868939 in wrap_free (libclang_rt.asan_osx_dynamic.dylib+0x46939)
  #1 0x10c23a66e in Perl_vivify_ref pp_hot.c:4364
  #2 0x10c2edfa4 in Perl_pp_rv2sv pp.c:404
  #3 0x10c1c0c46 in Perl_runops_debug dump.c:2444
  #4 0x10c0107f5 in perl_run perl.c:2528
  #5 0x10c51fe01 in main miniperlmain.c:129
  #6 0x7fff928695fc in start (libdyld.dylib+0x35fc)
  #7 0x2 (<unknown module>)

0x611000009780 is located 0 bytes inside of 248-byte region [0x611000009780,0x611000009878)
freed by thread T0 here:
  #0 0x10c868939 in wrap_free (libclang_rt.asan_osx_dynamic.dylib+0x46939)
  #1 0x10c2aca40 in Perl_sv_clear sv.c:6770
  #2 0x10c2b0d1f in Perl_sv_free2 sv.c:7072
  #3 0x10c34b83a in Perl_free_tmps .inline.h:200
  #4 0x10c00c847 in S_parse_body perl.c:2401
  #5 0x10c006c43 in perl_parse perl.c:1691
  #6 0x10c51fdf5 in main miniperlmain.c:127
  #7 0x7fff928695fc in start (libdyld.dylib+0x35fc)
  #8 0x2 (<unknown module>)

previously allocated by thread T0 here:
  #0 0x10c868b07 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib+0x46b07)
  #1 0x10c1c4659 in Perl_safesysrealloc util.c:274
  #2 0x10c26ebb8 in Perl_sv_grow sv.c:1598
  #3 0x10c2d9ab9 in Perl_sv_vcatpvfn_flags sv.c:13026
  #4 0x10c2c5219 in Perl_sv_vsetpvfn sv.c:10945
  #5 0x10c1c8846 in Perl_vform util.c:1364
  #6 0x10c1c875f in Perl_form util.c:1354
  #7 0x10c0098c1 in S_parse_body perl.c:3753
  #8 0x10c006c43 in perl_parse perl.c:1691
  #9 0x10c51fdf5 in main miniperlmain.c:127
  #10 0x7fff928695fc in start (libdyld.dylib+0x35fc)
  #11 0x2 (<unknown module>)

SUMMARY: AddressSanitizer: double-free (libclang_rt.asan_osx_dynamic.dylib+0x46939) in wrap_free
==59124==ABORTING
Abort trap: 6

--
Aaron Crane ** http://aaroncrane.co.uk/

@p5pRT

p5pRT commented Feb 20, 2017

From @iabyn

On Sat, Jan 28, 2017 at 09:01:10AM -0800, Aaron Crane via RT wrote:

I have a deterministic reduction to a double-free, omitting one of the
assignments and one of the uses of the iteration variable.

I get essentially the same trace regardless of what empty array or hash
is on the rhs of the aassign. I suspect this is a stack-not-refcounted
issue, tbh.

$ ./miniperl -e 'map %$_ = %_, *::, $::{Internals::}'

The first part is equivalent to

  map %$_ = (), *::

which aliases $_ to *::, then the hash %$_ is actually %::, and assigning
() to it empties the main stash. After that, anything left on the stack
which gets processed, such as $::{Internals::}, has already been freed.

So it is indeed another stack-not-refcounted bug.

As with #130321 and #130332, I propose that the ticket be moved to the
public queue, added to the 'stack not ref counted' meta ticket, then
ignored until such time as we fix that wider issue.

--
Modern art​:
  "That's easy, I could have done that!"
  "Ah, but you didn't!"

@p5pRT

p5pRT commented Feb 27, 2017

From @iabyn

On Mon, Feb 20, 2017 at 03:14:35PM +0000, Dave Mitchell wrote:

On Sat, Jan 28, 2017 at 09:01:10AM -0800, Aaron Crane via RT wrote:

I have a deterministic reduction to a double-free, omitting one of the
assignments and one of the uses of the iteration variable.

I get essentially the same trace regardless of what empty array or hash
is on the rhs of the aassign. I suspect this is a stack-not-refcounted
issue, tbh.

$ ./miniperl -e 'map %$_ = %_, *::, $::{Internals::}'

The first part is equivalent to

  map %$_ = (), *::

which aliases $_ to *::, then the hash %$_ is actually %::, and assigning
() to it empties the main stash. After that, anything left on the stack
which gets processed, such as $::{Internals::}, has already been freed.

So it is indeed another stack-not-refcounted bug.

As with #130321 and #130332, I propose that the ticket be moved to the
public queue, added to the 'stack not ref counted' meta ticket, then
ignored until such time as we fix that wider issue.

which I am now doing.

--
In England there is a special word which means the last sunshine
of the summer. That word is "spring".
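
The sequence Dave Mitchell lays out in the two comments above (the main stash is emptied by the assignment while entries taken from it are still sitting on the argument stack, which holds bare pointers and owns no reference to them) is the general shape of the "stack not refcounted" bug class. The C program below is an added example, not code from perl's sources, that models that shape with a small arena of refcounted values, a stash that owns one reference per entry, and an argument stack that can be switched between bare-pointer behaviour and owning a reference per slot. The names Stash, Stack, sv_new, sv_free, stack_push, stack_pop, stack_dangling and simulate are this example's own, and the liveness flag stands in for what AddressSanitizer detects at runtime in the reports quoted in this ticket.

```c
/* Toy model of a "stack not refcounted" bug (added example, not perl's code).
 * Values live in a fixed arena with a refcount and a liveness flag, so a
 * stale pointer can be recognised without ever dereferencing freed memory. */
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 8
#define STACK_SIZE 8
#define STASH_SIZE 4

typedef struct SV {
    int refcnt;     /* number of owning references */
    int live;       /* 1 while allocated, 0 once returned to the arena */
    char name[16];
} SV;

static SV arena[ARENA_SIZE];

/* Allocate a value; the caller owns the single initial reference. */
static SV *sv_new(const char *name) {
    for (int i = 0; i < ARENA_SIZE; i++) {
        if (!arena[i].live) {
            arena[i].live = 1;
            arena[i].refcnt = 1;
            snprintf(arena[i].name, sizeof arena[i].name, "%s", name);
            return &arena[i];
        }
    }
    return NULL;
}

/* Drop one reference; the value is released when the last one goes. */
static void sv_free(SV *sv) {
    if (sv && sv->live && --sv->refcnt == 0) sv->live = 0;
}

/* A stash: a container that owns one reference to each of its entries. */
typedef struct { SV *entries[STASH_SIZE]; int n; } Stash;

/* Like assigning () to %:: : every entry loses the stash's reference. */
static void stash_clear(Stash *st) {
    for (int i = 0; i < st->n; i++) sv_free(st->entries[i]);
    st->n = 0;
}

/* The argument stack. With refcounted == 0 it holds bare pointers and owns
 * nothing (the historical behaviour); with refcounted == 1 each push takes
 * a reference and each pop gives it back. */
typedef struct { SV *items[STACK_SIZE]; int sp; int refcounted; } Stack;

static void stack_push(Stack *s, SV *sv) {
    if (s->refcounted) sv->refcnt++;
    s->items[s->sp++] = sv;
}

static void stack_pop(Stack *s) {
    SV *sv = s->items[--s->sp];
    if (s->refcounted) sv_free(sv);
}

/* Count stack slots that point at values already returned to the arena. */
static int stack_dangling(const Stack *s) {
    int n = 0;
    for (int i = 0; i < s->sp; i++) if (!s->items[i]->live) n++;
    return n;
}

/* Model the reduced case from the ticket: the stash's entries are pushed as
 * map's argument list, then the stash is cleared while they are still on
 * the stack. Returns how many stack slots became dangling. The entry names
 * are constructed for the example. */
static int simulate(int refcounted_stack) {
    memset(arena, 0, sizeof arena);
    Stash st = { {0}, 0 };
    st.entries[st.n++] = sv_new("Internals::");
    st.entries[st.n++] = sv_new("main::");
    Stack stack = { {0}, 0, refcounted_stack };
    for (int i = 0; i < st.n; i++) stack_push(&stack, st.entries[i]);
    stash_clear(&st);
    int dangling = stack_dangling(&stack);
    while (stack.sp > 0) stack_pop(&stack);   /* map finishes with its args */
    return dangling;
}

/* Values still allocated after a simulation: non-zero would mean a leak. */
static int live_values(void) {
    int n = 0;
    for (int i = 0; i < ARENA_SIZE; i++) n += arena[i].live;
    return n;
}

int main(void) {
    printf("bare-pointer stack: %d dangling, %d leaked\n", simulate(0), live_values());
    printf("refcounted stack:   %d dangling, %d leaked\n", simulate(1), live_values());
    return 0;
}
```

With the bare-pointer stack both pushed slots are dangling after the clear, which is the state in which the real interpreter goes on to free or vivify through them and produces the bad-free and double-free reports above; with the stack owning a reference, the entries outlive the clear and are released by the pops, so the fix removes the use-after-free without leaking. The toy never touches a released value, so it also runs cleanly under -fsanitize=address.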
