
Coredump in Perl_sv_cmp_flags #15807

Open
p5pRT opened this issue Jan 14, 2017 · 3 comments
Comments

p5pRT commented Jan 14, 2017

Migrated from rt.perl.org#130559 (status was 'open')

Searchable as RT130559$

p5pRT commented Jan 14, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run
under libdislocator, I found the following program

@0=s//0/;
@0=sort(0,@t00=0,@t00=0,@0=s///);

to crash. This is a regression in blead since v5.24. Bisect points to

commit 8b0c337
Author: David Mitchell <davem@iabyn.com>
Date: Wed Oct 5 10:10:56 2016 +0100

  Better optimise array and hash assignment

  [perl #127999] Slowdown in split + list assign

GDB info about the crash location:

(gdb) bt
#0 __memcmp_sse4_1 () at ../sysdeps/x86_64/multiarch/memcmp-sse4.S:62
#1 0x00007f26ea232fff in Perl_sv_cmp_flags (sv1=0x7f26ea9a7e88,
sv2=0x7f26ea9a74e0, flags=2) at sv.c:7954
#2 0x00007f26ea232bbd in Perl_sv_cmp (sv1=0x7f26ea9a7e88,
sv2=0x7f26ea9a74e0) at sv.c:7902
#3 0x00007f26ea3842c1 in dynprep (list1=0x7f26ea995b58,
list2=0x7ffd596044d0, nmemb=4, cmp=0x7f26ea232b95 <Perl_sv_cmp>) at
pp_sort.c:197
#4 0x00007f26ea384741 in S_mergesortsv (base=0x7f26ea995b58, nmemb=4,
cmp=0x7f26ea232b95 <Perl_sv_cmp>, flags=0) at pp_sort.c:379
#5 0x00007f26ea386bfa in Perl_sortsv_flags (array=0x7f26ea995b58,
nmemb=4, cmp=0x7f26ea232b95 <Perl_sv_cmp>, flags=0) at pp_sort.c:1464
#6 0x00007f26ea389279 in Perl_pp_sort () at pp_sort.c:1713
#7 0x00007f26ea189b57 in Perl_runops_debug () at dump.c:2260
#8 0x00007f26ea0840fd in S_run_body (oldscope=1) at perl.c:2528
#9 0x00007f26ea08367b in perl_run (my_perl=0x7f26ea991010) at perl.c:2451
#10 0x00007f26ea03ed3e in main (argc=2, argv=0x7ffd59605148,
env=0x7ffd59605160) at perlmain.c:123
(gdb) f 1
#1 0x00007f26ea232fff in Perl_sv_cmp_flags (sv1=0x7f26ea9a7e88,
sv2=0x7f26ea9a74e0, flags=2) at sv.c:7954
7954 const I32 retval = memcmp((const void*)pv1,
(gdb) l
7949 STRLEN shortest_len = cur1 < cur2 ? cur1 : cur2;
7950
7951 #ifdef EBCDIC
7952 if (! DO_UTF8(sv1)) {
7953 #endif
7954 const I32 retval = memcmp((const void*)pv1,
7955 (const void*)pv2,
7956 shortest_len);
7957 if (retval) {
7958 cmp = retval < 0 ? -1 : 1;
(gdb) p pv2
$1 = 0x0

Perl Info

Flags:
    category=core
    severity=high

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh

p5pRT commented Feb 2, 2017

From @tonycoz

On Sat, 14 Jan 2017 14:44:54 -0800, randir wrote:

> While fuzzing perl v5.25.8-207-gcbe2fc5001 built with afl and run
> under libdislocator, I found the following program
>
> @0=s//0/;
> @0=sort(0,@t00=0,@t00=0,@0=s///);
>
> to crash. This is a regression in blead since v5.24. Bisect points to
>
> commit 8b0c337
> Author: David Mitchell <davem@iabyn.com>
> Date: Wed Oct 5 10:10:56 2016 +0100
>
> Better optimise array and hash assignment

The crash is new, unfortunately the brokenness isn't:

$ ./miniperl -le '@0=s//0/; @0=sort(2,@t00=3,@t00=4,@0=s///); print join(",", @0)'
1,2,4,4
$ git describe
v5.25.6-77-gbeb8db2

which is immediately before Dave's commit.

So this at base is a stack-not-refcounted issue, but why is pv2 NULL?

I tried a watchpoint on the address of the pv in the SV head that was failing:

(gdb) watch *(IV*)0x621000010990
Hardware watchpoint 1: *(IV*)0x621000010990
(gdb) r
Starting program: /home/tony/dev/perl/git/perl/miniperl -e @0=s//0/\;\ @0=sort\(3,@t00=1,@t00=2,@0=s///\)
...
(gdb) c
Continuing.
Hardware watchpoint 1: *(IV*)0x621000010990

Old value = 105690555275376
New value = 0
Perl_pp_subst () at pp_hot.c:3435
3435 SPAGAIN;
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
__memcmp_ssse3 () at ../sysdeps/x86_64/multiarch/memcmp-ssse3.S:1810
1810 ../sysdeps/x86_64/multiarch/memcmp-ssse3.S: No such file or directory.
(gdb) up 2
#2 0x00000000008b4c5e in Perl_sv_cmp_flags (sv1=0x6210000113e8,
  sv2=0x621000010980, flags=2) at sv.c:7889
7889 const I32 retval = memcmp((const void*)pv1,
(gdb) p &(sv2->sv_u)
$4 = (union {...} *) 0x621000010990

So that SV has its PV being set to zero by this code:

  SvCUR_set(TARG, SvCUR(dstr));
  SvLEN_set(TARG, SvLEN(dstr));
  SvFLAGS(TARG) |= SvUTF8(dstr);
  SvPV_set(dstr, NULL); <<== here

  SPAGAIN;

The dstr SV is a temp and normally shouldn't be in use anywhere else,
but due to the stack refcounting bug it's re-using the SV slot of an SV on the stack.

When Perl_sv_cmp() then SvPV()'s that SV on the stack it receives the NULL pointer and we crash.

Which might be better than returning the rubbish it returned before.

Tony
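Tony's analysis above describes a chain of four steps: a temporary that is referenced only from the non-refcounted Perl stack is freed; its SV head is recycled as pp_subst's dstr; pp_subst moves dstr's buffer into TARG and sets dstr's pv to NULL without touching its CUR; and sv_cmp then hands that NULL pointer to memcmp(). The C program below is an illustration added here, not code from perl or from anyone in this thread. It models that sequence with a toy SV type, a head pool that reuses freed heads on the next allocation, and a pointer stack that takes no reference counts; sv_new, sv_free, subst_steal_buffer, sv_cmp_unchecked, sv_body_dangling and run_scenario are all names invented for the example. Instead of crashing, it stops at the point where the unchecked comparison would dereference NULL and reports the pv == NULL, cur > 0 state as the signal, which is also the check a DEBUGGING-style build could apply before touching a buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy model constructed for this example (not perl's sv.h/pp_hot.c): an
 * "SV" with a string body, a head pool that reuses freed heads on the next
 * allocation, and a value stack of raw pointers that takes no refcounts. */
typedef struct {
    char  *pv;   /* string buffer; NULL once stolen or freed */
    size_t cur;  /* bytes in use; the steal below does not clear it */
} SV;

enum { NHEADS = 16 };
static SV  heads[NHEADS];
static int head_in_use[NHEADS];

static void pool_reset(void)
{
    for (int i = 0; i < NHEADS; i++) {
        free(heads[i].pv);
        heads[i].pv = NULL; heads[i].cur = 0; head_in_use[i] = 0;
    }
}

/* Hand out the lowest free head, so a freed head is reused immediately. */
static SV *sv_new(const char *s)
{
    for (int i = 0; i < NHEADS; i++) {
        if (head_in_use[i]) continue;
        head_in_use[i] = 1;
        heads[i].cur = strlen(s);
        heads[i].pv  = malloc(heads[i].cur + 1);
        memcpy(heads[i].pv, s, heads[i].cur + 1);
        return &heads[i];
    }
    abort();  /* pool exhausted; not reached in this scenario */
}

static void sv_free(SV *sv)
{
    free(sv->pv);
    sv->pv = NULL; sv->cur = 0;
    head_in_use[sv - heads] = 0;
}

/* Model of pp_subst's copy avoidance: move dstr's buffer into TARG and NULL
 * dstr's pv (SvPV_set(dstr, NULL)); dstr->cur is left alone, the state the
 * watchpoint in the thread caught. */
static void subst_steal_buffer(SV *targ, SV *dstr)
{
    free(targ->pv);
    targ->pv = dstr->pv; targ->cur = dstr->cur;
    dstr->pv = NULL;
}

/* Shape of sv_cmp_flags' fast path: memcmp over the shorter length, then
 * length decides. With pv == NULL and cur > 0 it dereferences NULL. */
static int sv_cmp_unchecked(const SV *a, const SV *b)
{
    size_t shortest = a->cur < b->cur ? a->cur : b->cur;
    int r = memcmp(a->pv, b->pv, shortest);
    if (r) return r < 0 ? -1 : 1;
    return a->cur == b->cur ? 0 : (a->cur < b->cur ? -1 : 1);
}

/* Guard a debugging build could apply before touching the buffer: a body
 * claiming cur > 0 bytes with no pv is a stolen or freed SV. */
static int sv_body_dangling(const SV *sv)
{
    return sv->pv == NULL && sv->cur > 0;
}

/* The sequence from Tony's analysis; returns the stack slot that still
 * points at the recycled head after subst has stolen its buffer. */
static SV *run_scenario(void)
{
    SV *stack[2];
    pool_reset();
    stack[0] = sv_new("2");            /* a literal in the sort list */
    SV *temp = sv_new("3");            /* temp produced by @t00=3 */
    SV *targ = sv_new("old");          /* s///'s TARG */
    stack[1] = temp;                   /* pushed, no reference taken */

    sv_free(temp);                     /* temp released; stack[1] dangles */

    SV *dstr = sv_new("0");            /* pool hands back temp's head */
    if (dstr != temp) abort();         /* the slot reuse the report describes */
    subst_steal_buffer(targ, dstr);    /* stack[1]->pv == NULL, cur == 1 */
    return stack[1];
}

int main(void)
{
    SV *stale = run_scenario();
    if (sv_body_dangling(stale))
        printf("stack slot holds a stolen body (pv=%p, cur=%zu); "
               "sv_cmp_unchecked() would memcmp() over NULL\n",
               (void *)stale->pv, stale->cur);
    else
        printf("cmp = %d\n", sv_cmp_unchecked(sv_new("1"), stale));
    return 0;
}
```

The point of the model is that nothing in the stolen head is "wrong" from the pool's view: the head was legitimately freed and legitimately handed to dstr, and pp_subst's SvPV_set(dstr, NULL) is a normal part of the optimisation. The only broken invariant is the stack slot that kept a pointer without a reference, which is why Tony characterises the bug as a stack-refcounting problem rather than a pp_subst or sv_cmp problem; a NULL-pv check in the comparator would only turn the SIGSEGV back into the silent garbage result the 5.25.6 output shows.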

p5pRT commented Feb 2, 2017

The RT System itself - Status changed from 'new' to 'open'
