
Assertion failure in S_ReANY/S_regmatch #16878

Open
p5pRT opened this issue Mar 7, 2019 · 9 comments

Comments


p5pRT commented Mar 7, 2019

Migrated from rt.perl.org#133908 (status was 'open')

Searchable as RT133908$


p5pRT commented Mar 7, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
under libdislocator, I found the following program

s,(?{$$=t;$$$=qr{(?{})}})@0(??{$$$$=qr{$$$]}}),,

to cause an assertion failure

perl: inline.h:182: S_ReANY: Assertion `isREGEXP(re)' failed.

GDB stack trace follows:

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7c25535 in __GI_abort () at abort.c:79
#2 0x00007ffff7c2540f in __assert_fail_base (fmt=0x7ffff7d87ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555ac4937 "isREGEXP(re)", file=0x555555ac4811 "inline.h", line=182, function=<optimized out>) at assert.c:92
#3 0x00007ffff7c330f2 in __GI___assert_fail (assertion=0x555555ac4937 "isREGEXP(re)", file=0x555555ac4811 "inline.h", line=182, function=0x555555ad7ce8 <__PRETTY_FUNCTION__.17420> "S_ReANY") at assert.c:101
#4 0x000055555588377b in S_ReANY (re=0x555555b47ef0) at inline.h:182
#5 0x00005555558a6a07 in S_regmatch (reginfo=0x7fffffffdb90, startpos=0x555555a9174b "", prog=0x555555b547dc) at regexec.c:7184
#6 0x0000555555899bd9 in S_regtry (reginfo=0x7fffffffdb90, startposp=0x7fffffffd958) at regexec.c:3928
#7 0x0000555555899559 in Perl_regexec_flags (rx=0x555555b2d8f0, stringarg=0x555555a9174b "", strend=0x555555a9174b "", strbeg=0x555555a9174b "", minend=0, sv=0x555555b47d70, data=0x0, flags=1) at regexec.c:3791
#8 0x000055555575eb1b in Perl_pp_subst () at pp_hot.c:4231
#9 0x00005555556f6ff4 in Perl_runops_debug () at dump.c:2537
#10 0x00005555555da157 in S_run_body (oldscope=1) at perl.c:2692
#11 0x00005555555d96d5 in perl_run (my_perl=0x555555b2b260) at perl.c:2615
#12 0x000055555558e14e in main (argc=3, argv=0x7fffffffe1a8, env=0x7fffffffe1c8) at perlmain.c:127

Perl Info

Flags:
    category=core
    severity=low

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'



@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9


Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh

[edit 2020-04-05 hvds: replace escaped code with literal code wrapped in backticks, for ease of pasting]


p5pRT commented Apr 10, 2019

From @khwilliamson

On Thu, 07 Mar 2019 15:45:00 -0800, randir wrote:

This is a bug report for perl from sergey.aleynikov@​gmail.com,
generated with the help of perlbug 1.41 running under perl 5.29.9.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run
under libdislocator, I found the following program

s,(?{$$=t;$$$=qr{(?{})}})@​0(??{$$$$=qr{$$$]}}),,

to cause an assertion failure

perl: inline.h:182: S_ReANY: Assertion `isREGEXP(re)' failed.

GDB stack trace follows:

#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7c25535 in __GI_abort () at abort.c:79
#2 0x00007ffff7c2540f in __assert_fail_base (fmt=0x7ffff7d87ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555ac4937 "isREGEXP(re)", file=0x555555ac4811 "inline.h", line=182, function=<optimized out>) at assert.c:92
#3 0x00007ffff7c330f2 in __GI___assert_fail (assertion=0x555555ac4937 "isREGEXP(re)", file=0x555555ac4811 "inline.h", line=182, function=0x555555ad7ce8 <__PRETTY_FUNCTION__.17420> "S_ReANY") at assert.c:101
#4 0x000055555588377b in S_ReANY (re=0x555555b47ef0) at inline.h:182
#5 0x00005555558a6a07 in S_regmatch (reginfo=0x7fffffffdb90, startpos=0x555555a9174b "", prog=0x555555b547dc) at regexec.c:7184
#6 0x0000555555899bd9 in S_regtry (reginfo=0x7fffffffdb90, startposp=0x7fffffffd958) at regexec.c:3928
#7 0x0000555555899559 in Perl_regexec_flags (rx=0x555555b2d8f0, stringarg=0x555555a9174b "", strend=0x555555a9174b "", strbeg=0x555555a9174b "", minend=0, sv=0x555555b47d70, data=0x0, flags=1) at regexec.c:3791
#8 0x000055555575eb1b in Perl_pp_subst () at pp_hot.c:4231
#9 0x00005555556f6ff4 in Perl_runops_debug () at dump.c:2537
#10 0x00005555555da157 in S_run_body (oldscope=1) at perl.c:2692
#11 0x00005555555d96d5 in perl_run (my_perl=0x555555b2b260) at perl.c:2615
#12 0x000055555558e14e in main (argc=3, argv=0x7fffffffe1a8, env=0x7fffffffe1c8) at perlmain.c:127

Here's what 're' looks like at the point where the assertion fails

SV = PVMG(0x555555e1c8c8) at 0x555555e29770
  REFCNT = 4
  FLAGS = (OBJECT,ROK)
  IV = 0
  NV = 0
  RV = 0x555555e29998
  SV = REGEXP(0x555555e270a8) at 0x555555e29998
    REFCNT = 2
    FLAGS = (OBJECT,POK,FAKE,pPOK)
    PV = 0x555555e2b328 "(?^:(?^:(?{}))])"
    CUR = 16
    LEN = 0
    STASH = 0x555555e09bf8 "Regexp"
    COMPFLAGS = 0x0 ()
    EXTFLAGS = 0x620000 (EVAL_SEEN,USE_INTUIT_NOML,USE_INTUIT_ML)
    ENGINE = 0x555555dc5480 (STANDARD)
    INTFLAGS = 0x0 ()
    NPARENS = 0
    LASTPAREN = 0
    LASTCLOSEPAREN = 0
    MINLEN = 1
    MINLENRET = 1
    GOFS = 0
    PRE_PREFIX = 4
    SUBLEN = 0
    SUBOFFSET = 0
    SUBCOFFSET = 0
    SUBBEG = 0x0
    MOTHER_RE = 0x555555e29818
    SV = REGEXP(0x555555e26fe0) at 0x555555e29818
      REFCNT = 3
      FLAGS = (POK,pPOK)
      PV = 0x555555e2b328 "(?^:(?^:(?{}))])"
      CUR = 16
      LEN = 18
      COMPFLAGS = 0x0 ()
      EXTFLAGS = 0x620000 (EVAL_SEEN,USE_INTUIT_NOML,USE_INTUIT_ML)
      ENGINE = 0x555555dc5480 (STANDARD)
      INTFLAGS = 0x0 ()
      NPARENS = 0
      LASTPAREN = 0
      LASTCLOSEPAREN = 0
      MINLEN = 1
      MINLENRET = 1
      GOFS = 0
      PRE_PREFIX = 4
      SUBLEN = 0
      SUBOFFSET = 0
      SUBCOFFSET = 0
      SUBBEG = 0x0
      MOTHER_RE = 0x0
      PAREN_NAMES = 0x0
      SUBSTRS = 0x555555e21c28
      PPRIVATE = 0x555555e2b5f8
      OFFS = 0x555555e2b578
      QR_ANONCV = 0x0
      SAVED_COPY = 0x0
    PAREN_NAMES = 0x0
    SUBSTRS = 0x555555e2bb88
    PPRIVATE = 0x555555e2b5f8
    OFFS = 0x555555e2c3a8
    QR_ANONCV = 0x0
    SAVED_COPY = 0x0
  PV = 0x555555e29998 "\250p\342UUU\0\0\2\0"
  CUR = 10
  LEN = 0
  STASH = 0x555555e09bf8 "Regexp"

--
Karl Williamson
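An added example, not code from this thread or from perl itself: a small Python parser for a Devel::Peek-style dump like the one in the comment above. It recovers the nesting from the 2-space indentation Devel::Peek prints (assumed here, since the pasted copy lost it) and applies the same test the engine asserts on, isREGEXP(), to the outermost SV; SAMPLE is a constructed, abbreviated version of that dump.

```python
# Parse a Devel::Peek-style SV dump into a tree and test the isREGEXP() precondition on it.
import re
SV_RE = re.compile(r'^SV = (\w+)\(0x[0-9a-f]+\) at (0x[0-9a-f]+)$')
FIELD_RE = re.compile(r'^(\w+) = (.*)$')

def parse_sv_dump(text):
    """Root SV as {type, addr, fields, children}; nesting comes from the 2-space indent."""
    root, stack = None, []   # stack of (indent, node) for SV blocks still open
    for raw in text.splitlines():
        line, indent = raw.strip(), len(raw) - len(raw.lstrip(' '))
        while stack and stack[-1][0] >= indent:   # this line belongs to an outer SV
            stack.pop()
        owner = stack[-1][1] if stack else None
        m = SV_RE.match(line)
        if m:
            node = {'type': m.group(1), 'addr': m.group(2), 'fields': {}, 'children': []}
            if owner is None:
                root = node
            else:
                owner['children'].append(node)   # RV target or MOTHER_RE body
            stack.append((indent, node))
        elif owner is not None and FIELD_RE.match(line):
            key, val = FIELD_RE.match(line).groups()
            owner['fields'][key] = val
    return root

def is_regexp(node):
    return node['type'] == 'REGEXP'   # same test as the engine's isREGEXP(): a REGEXP body itself

def diagnose(text):
    """Why isREGEXP() would hold or fail for the SV at the top of the dump."""
    root = parse_sv_dump(text)
    if is_regexp(root):
        return 'REGEXP: isREGEXP() holds'
    if 'ROK' in root['fields'].get('FLAGS', '') and any(map(is_regexp, root['children'])):
        return root['type'] + ' holding a reference to a REGEXP: isREGEXP() fails'
    return root['type'] + ': isREGEXP() fails'

# Constructed sample, abbreviated from the dump in the comment above.
SAMPLE = """\
SV = PVMG(0x555555e1c8c8) at 0x555555e29770
  FLAGS = (OBJECT,ROK)
  RV = 0x555555e29998
  SV = REGEXP(0x555555e270a8) at 0x555555e29998
    FLAGS = (OBJECT,POK,FAKE,pPOK)
    MOTHER_RE = 0x555555e29818
    SV = REGEXP(0x555555e26fe0) at 0x555555e29818
      FLAGS = (POK,pPOK)
  STASH = 0x555555e09bf8 "Regexp"
"""
```

diagnose(SAMPLE) reports a PVMG holding a reference to a REGEXP rather than a REGEXP itself, which is the shape under which `isREGEXP(re)` fails in the trace.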


p5pRT commented Apr 10, 2019

The RT System itself - Status changed from 'new' to 'open'

@toddr toddr removed the khw label Oct 25, 2019
@khwilliamson khwilliamson added this to the 5.32.0 milestone Mar 20, 2020

xsawyerx commented Apr 5, 2020

@khwilliamson thoughts on a fix?

@khwilliamson

Since this involves code blocks which @iabyn understands much better than I, I'm hoping he will look at it.


hvds commented Apr 5, 2020

FWIW I've not been able to reproduce this; can we unravel the code a bit to make clearer what's in play? E.g., can we replace $$ with $x, or replace $$ with a literal t (and then elide the $$=t)? Can we replace @0 with something less magical, or remove it?

I tried with 3 of my standard builds: gcc, clang + sanitize=address, clang + sanitize=undefined; in each case built with DEBUGGING and otherwise standard options. (clang is: 6.0.0-1ubuntu2). If you have a build recipe for reproducing it, that would be useful too.


dur-randir commented Apr 5, 2020

@xsawyerx, this is a regression before 5.18; I don't think it's too important.

@hvds, either copy from the original RT ticket (it looks like it was broken in transition), or here is a hex dump of it; a -DDEBUGGING build is enough:

00000000 73 2c 28 3f 7b 24 24 3d 74 3b 24 24 24 3d 71 72 |s,(?{$$=t;$$$=qr|
00000010 7b 28 3f 7b 7d 29 7d 7d 29 40 30 28 3f 3f 7b 24 |{(?{})}})@0(??{$|
00000020 24 24 24 3d 71 72 7b 24 24 24 5d 7d 7d 29 2c 2c |$$$=qr{$$$]}}),,|

@khwilliamson khwilliamson removed this from the 5.32.0 milestone Apr 5, 2020
@hvds
Copy link
Contributor

hvds commented Apr 5, 2020

@hvds, either copy from the original RT ticket (it looks like it was broken in transition), or here is a hex dump of it; a -DDEBUGGING build is enough

Thanks, looks like there was an additional HTML-escaped character in there; I've taken the liberty of editing the converted post to replace the escaping with literal code.


hvds commented Apr 5, 2020

It simplifies at least to: ./miniperl -e '$t = qr{(?{ })}; /(??{ $$t = qr{$t-} })/'.

I'd be tempted to make the assert a mandatory panic, but I agree it doesn't seem urgent.
