From @geeknik

Triggered with Perl v5.25.7-98-gdf13534 while fuzzing with AFL.

./perl test575
Operator or semicolon missing before *T at test575 line 1.
Ambiguous use of * resolved as operator * at test575 line 1.
perl​: sv.c​:10056​: char *Perl_sv_pvn_force_flags(SV *const, STRLEN *const,
const I32)​: Assertion `PL_valid_types_PVX[((svtype)((_svpvx)->sv_flags &
0xff)) & 0xf]' failed.
Aborted

It only seems to fail like that once every 10-15 executions, otherwise I
see messages like these​:
Operator or semicolon missing before *T at test575 line 1.
Ambiguous use of * resolved as operator * at test575 line 1.
Attempt to free unreferenced scalar​: SV 0x62100001bd68 at test575 line 1.
Modification of a read-only value attempted at test575 line 1.

od -tx1 test575
0000000 6d 61 70 40 4f 3d 73 00 0e 40 48 75 6c 74 3c 54
0000020 2c 25 5f 3d 44 2e 2a 00 20 54 2c 2a 5f 4c 44 2e
0000040 2e 00 20 2a 54 2c 25 5f 3d 64 2e 2e 00 20 54 2c
0000060 2a 3a 3d 2a 5f 39 35 35 35 35 35 35 55 3d 44 2e
0000100 2a 54 2c 25 5f 3d 44 2e 2e 00 20 54 2c 2a 3a 3d
0000120 2a 5f 39 50 35 35 35 35 35 35 35 35 35 39 2e 35
0000140 2e 35 35 1a 35 35 2e 35 35 35 35 35 1a 35 35 35
0000160 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26
*
0000220 26 26 26 26 26 26 2e 35 35 1a 35 35 2e 35 35 35
0000240 35 35 1a 35 35 35 26 26 26 26 26 26 26 26 26 26
0000260 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26 26
*
0000340 26 26 26 26 26 26 26 26 26 26 26 26 26 06 26 26
0000360 26 26 26 26 26 26 26 26 26 26 26 26 43 39 39 4a
0000400 39 2a 39 ae 40 00 23 00 00 00 01 00 44 41 49 35
0000420 35 35 4f ff 75 6c 6c 7a 20 01 71 71 71 85 39 39
0000440 39 e8 44 4f 49 54 2c 0a 20 e8
0000452

From @geeknik

test575.gz

From @hvds

On Mon, 12 Dec 2016 23​:07​:17 -0800, brian.carpenter@​gmail.com wrote​:

It only seems to fail like that once every 10-15 executions

Brian, please note that in almost all cases we've seen so far such variability is down to hash ordering. If you set the environment variable PERL_HASH_SEED to a fixed value for fuzzing, you'll get more reliable results - and I expect minimization will also work better.

(If you do set this, please make sure the value is mentioned in the bug reports, of course. :)

Hugo

The RT System itself - Status changed from 'new' to 'open'

From @iabyn

On Mon, Dec 12, 2016 at 11​:07​:17PM -0800, Brian Carpenter wrote​:

./perl test575
Operator or semicolon missing before *T at test575 line 1.
Ambiguous use of * resolved as operator * at test575 line 1.
perl​: sv.c​:10056​: char *Perl_sv_pvn_force_flags(SV *const, STRLEN *const,
const I32)​: Assertion `PL_valid_types_PVX[((svtype)((_svpvx)->sv_flags &
0xff)) & 0xf]' failed.
Aborted

Can be reduced to​:
  map
  1,
  %x = (a => 1, b => undef),
  %x = (Y => 'Z'),

It's another stack-not-refcounted issue.

--
The warp engines start playing up a bit, but seem to sort themselves out
after a while without any intervention from boy genius Wesley Crusher.
  -- Things That Never Happen in "Star Trek" #17