
sv.c:2612: Perl_sv_2nv_flags: Assertion `SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM' failed #15849

Open
p5pRT opened this issue Jan 29, 2017 · 7 comments

Comments


p5pRT commented Jan 29, 2017

Migrated from rt.perl.org#130669 (status was 'open')

Searchable as RT130669$


p5pRT commented Jan 22, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
under libdislocator, I found the following program

printf my(%c):_

to cause an assertion failure, even when run under -c for a syntax
check. This is a regression between v5.14.0 and v5.16.0,
bisect points to

69974ce is the first bad commit
commit 69974ce
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Sat Dec 31 23:24:57 2011 -0800

  [perl #103492] Give lvalue cx to (s)printf args

  Or potential lvalue context, like function calls.

  The %n format code’s existence renders these two very much like func-
  tion calls, as they can modify their arguments.

  This allows sprintf("...%n", substr ...) to work.

GDB info about the crash location:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007f27fd71c40a in __GI_abort () at abort.c:89
#2  0x00007f27fd713e47 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x7f27feda5f70 "(o->op_flags & OPf_WANT) != OPf_WANT_VOID",
    file=file@entry=0x7f27feda452e "op.c", line=line@entry=2877,
    function=function@entry=0x7f27fedaaab0 <__PRETTY_FUNCTION__.15847> "Perl_op_lvalue_flags")
    at assert.c:92
#3  0x00007f27fd713ef2 in __GI___assert_fail (assertion=0x7f27feda5f70 "(o->op_flags & OPf_WANT) != OPf_WANT_VOID",
    file=0x7f27feda452e "op.c", line=2877,
    function=0x7f27fedaaab0 <__PRETTY_FUNCTION__.15847> "Perl_op_lvalue_flags") at assert.c:101
#4  0x00007f27fea5b5e7 in Perl_op_lvalue_flags (o=0x7f27fff48a30, type=239, flags=0) at op.c:2877
#5  0x00007f27fea59c9b in S_modkids (o=0x7f27fff47350, type=239) at op.c:2369
#6  0x00007f27fea80ffa in Perl_ck_listiob (o=0x7f27fff47350) at op.c:10468
#7  0x00007f27fea63357 in Perl_op_convert_list (type=239, flags=0, o=0x7f27fff47350) at op.c:4802
#8  0x00007f27feb16156 in Perl_yyparse (gramtype=258) at perly.y:883
#9  0x00007f27fea9733a in S_parse_body (env=0x0, xsinit=0x7f27fea52de8 <xs_init>) at perl.c:2376
#10 0x00007f27fea9569f in perl_parse (my_perl=0x7f27fff26010, xsinit=0x7f27fea52de8 <xs_init>, argc=3, argv=0x7fffbd27a108, env=0x0) at perl.c:1691
#11 0x00007f27fea52d26 in main (argc=3, argv=0x7fffbd27a108, env=0x7fffbd27a128) at perlmain.c:121

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Jan 29, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

$INC{'attributes.pm'} = 1, eval q!-my(%c):_!

to cause an assertion failure. GDB info about the crash location:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007f6cdecf840a in __GI_abort () at abort.c:89
#2  0x00007f6cdecefe47 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x7f6ce0bc1910 "SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM",
    file=file@entry=0x7f6ce0bc0196 "sv.c", line=line@entry=2612,
    function=function@entry=0x7f6ce0bce860 <__PRETTY_FUNCTION__.16836> "Perl_sv_2nv_flags")
    at assert.c:92
#3  0x00007f6cdecefef2 in __GI___assert_fail (
    assertion=assertion@entry=0x7f6ce0bc1910 "SvTYPE(sv) != SVt_PVAV && SvTYPE(sv) != SVt_PVHV && SvTYPE(sv) != SVt_PVFM",
    file=file@entry=0x7f6ce0bc0196 "sv.c", line=line@entry=2612,
    function=function@entry=0x7f6ce0bce860 <__PRETTY_FUNCTION__.16836> "Perl_sv_2nv_flags")
    at assert.c:101
#4  0x00007f6ce059dac3 in Perl_sv_2nv_flags (sv=sv@entry=0x7f6ce26db6d0, flags=flags@entry=0) at sv.c:2611
#5  0x00007f6ce06d6f1a in Perl_pp_negate () at pp.c:2584
#6  0x00007f6ce03f45a3 in Perl_runops_debug () at dump.c:2444
#7  0x00007f6ce01502b5 in S_run_body (oldscope=1) at perl.c:2528
#8  perl_run (my_perl=<optimized out>) at perl.c:2451
#9  0x00007f6ce003b814 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Jan 30, 2017

From @iabyn

On Sun, Jan 29, 2017 at 07:26:25AM -0800, Sergey Aleynikov wrote:

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

$INC{'attributes.pm'} = 1, eval q!-my(%c):_!

to cause an assertion failure. GDB info about the crash location:

This can be simplified to

  package Foo;
  use attributes;
  sub MODIFY_HASH_ATTRIBUTES { () }

  -(my %c : someattr);

The problem is that

  my %c : someattr;

gets compiled as

  my %c;
  attributes->import('Foo', \%c, 'someattr');

but the code which injects all those extra entersub etc ops doesn't seem
to be able to cope with that code not being in void context. So

  -(my %c : someattr);

gets compiled as something a bit like

  -( my %c, attributes->import('Foo', \%c, 'someattr') );

except that the first padhv[%c] is compiled in void rather than scalar context,
which causes the HV to be pushed on the stack rather than its key count.

I'm not sure whether the attribute-handling code in op.c should be fixed
to handle non-void context, or whether lexical var attributes should be
illegal in non-void context. I suspect the former.

--
Never do today what you can put off till tomorrow.
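As an added regression check (not code from the ticket or from perl5), the following harness runs the reproducers quoted in this thread under a child perl and distinguishes an interpreter abort from an ordinary die(). It assumes the perl under test is `$^X` (or `TEST_PERL`) and was built with -DDEBUGGING, as in the Perl Info above; without that the assertions are compiled out and the faulty build misbehaves silently instead of aborting. The package/attribute scaffold is taken from the simplified case above.

```perl
#!/usr/bin/env perl
# Added regression check, not part of the ticket: run the reproducers
# quoted in this thread under a child perl and classify the outcome.
# Assumptions: the perl under test is $^X (or TEST_PERL) and was built
# with -DDEBUGGING; otherwise the assertions never fire.
use strict;
use warnings;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);

my $perl = $ENV{TEST_PERL} // $^X;

# MODIFY_HASH_ATTRIBUTES returning () tells attributes.pm that 'someattr'
# was handled, so the attribute itself does not cause a die().
my $prelude = 'package Foo; use attributes; sub MODIFY_HASH_ATTRIBUTES { () } ';

my @cases = (
    # name                       code handed to perl -e
    [ 'printf, compile time'   => 'printf my(%c):_' ],
    [ 'negate, run time'       => "$prelude-(my %c : someattr);" ],
    [ 'control, void context'  => "${prelude}my %c : someattr; 1" ],
);

# Returns 'ok', 'died:<status>' or 'aborted:<signal>'. Only the last is
# the interpreter bug: a die() such as "Invalid HASH attribute" is a
# normal exit with non-zero status, not an assertion failure.
sub classify {
    my ($code) = @_;
    system($perl, '-e', $code);               # list form: no shell involved
    my $st = $?;
    return 'spawn-failed'             if $st == -1;
    return 'aborted:' . WTERMSIG($st) if WIFSIGNALED($st);
    my $rc = WEXITSTATUS($st);
    return $rc == 0 ? 'ok' : "died:$rc";
}

my $bad = 0;
for my $case (@cases) {
    my ($name, $code) = @$case;
    my $result = classify($code);
    $bad++ if $result =~ /^aborted/;
    printf "%-24s %s\n", $name, $result;
}
print $bad ? "FAIL: $bad reproducer(s) aborted the interpreter\n"
           : "PASS: no assertion failures\n";
exit($bad ? 1 : 0);
```

On an affected DEBUGGING build the first two cases report `aborted:6` (SIGABRT) while the void-context control reports `ok`; on a fixed build none of the cases abort.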


p5pRT commented Jan 30, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Mar 1, 2017

From @tonycoz

On Sun, 22 Jan 2017 14:53:01 -0800, randir wrote:

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
under libdislocator, I found the following program

printf my(%c):_

to cause an assertion failure, even when run under -c for a syntax
check. This is a regression between v5.14.0 and v5.16.0,
bisect points to

69974ce is the first bad commit
commit 69974ce
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Sat Dec 31 23:24:57 2011 -0800

This might be related to 130669.

Tony


p5pRT commented Mar 1, 2017

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Mar 29, 2017

From @iabyn

On Tue, Feb 28, 2017 at 07:35:52PM -0800, Tony Cook via RT wrote:

On Sun, 22 Jan 2017 14:53:01 -0800, randir wrote:

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
under libdislocator, I found the following program

printf my(%c):_

to cause an assertion failure, even when run under -c for a syntax
check. This is a regression between v5.14.0 and v5.16.0,
bisect points to

69974ce is the first bad commit
commit 69974ce
Author: Father Chrysostomos <sprout@cpan.org>
Date:   Sat Dec 31 23:24:57 2011 -0800

This might be related to 130669.

Yes, it looks to be the same underlying issue. I'll merge the tickets.

--
print+qq&$}$"$/$s$,$a$d$g$s$@$.$q$,$:$.$q$^$,$@$a$$;$.$q$m&if+map{m,^\d{0\,},,${$::{$'}}=chr($"+=$&||1)}q&10m22,42}6:17a22.3@3;^2dg3q/s"&=~m*\d\*.*g
