
Segfault in Perl_yyparse with minimized test case from #123801 #14497

Closed
p5pRT opened this issue Feb 11, 2015 · 14 comments


p5pRT commented Feb 11, 2015

Migrated from rt.perl.org#123802 (status was 'resolved')

Searchable as RT123802$


p5pRT commented Feb 11, 2015

From @geeknik

Built v5.21.9 (v5.21.8-286-g534577b) using the following command line:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j6 test-prep

Bug found with AFL (http://lcamtuf.coredump.cx/afl). I used afl-tmin to minimize the test case from #123801, which caused this segfault to happen instead of aborting.

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x1221d20 --> 0x0
RCX: 0x1205d10 --> 0x1
RDX: 0x4000 ('')
RSI: 0x12134af --> 0x3334317473657400 ('')
RDI: 0x696d2d3334317473 ('st143-mi')
RBP: 0x726f ('or')
RSP: 0x7fffffffdfc0 --> 0x640121a020
RIP: 0x668bd8 (<Perl_yyparse+6008>: mov esi,DWORD PTR [rdi+0x8])
R8 : 0x60 ('`')
R9 : 0x0
R10: 0x1
R11: 0x1221d20 --> 0x0
R12: 0x0
R13: 0x1222120 ("ntax error at test143-min line 1, near \"/$0{}/\"\n")
R14: 0x65 ('e')
R15: 0x0
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
  0x668bc6 <Perl_yyparse+5990>: mov rcx,QWORD PTR [rsp+0x8]
  0x668bcb <Perl_yyparse+5995>: mov rax,QWORD PTR [rsp+0x10]
  0x668bd0 <Perl_yyparse+6000>: lea rsp,[rsp+0x98]
=> 0x668bd8 <Perl_yyparse+6008>: mov esi,DWORD PTR [rdi+0x8]
  0x668bdb <Perl_yyparse+6011>: cmp esi,0x1
  0x668bde <Perl_yyparse+6014>: jbe 0x669050 <Perl_yyparse+7152>
  0x668be4 <Perl_yyparse+6020>: nop DWORD PTR [rax+0x0]
  0x668be8 <Perl_yyparse+6024>: lea rsp,[rsp-0x98]
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffdfc0 --> 0x640121a020
0008| 0x7fffffffdfc8 --> 0x1221d40 --> 0x0
0016| 0x7fffffffdfd0 --> 0x1221d48 --> 0x1222120 ("ntax error at test143-min line 1, near \"/$0{}/\"\n")
0024| 0x7fffffffdfd8 --> 0x3c ('<')
0032| 0x7fffffffdfe0 --> 0x4
0040| 0x7fffffffdfe8 --> 0x633a3424c350f300
0048| 0x7fffffffdff0 --> 0x7fffffffe3c0 --> 0x7fffffffe63d ("test143-min")
0056| 0x7fffffffdff8 --> 0x1
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x0000000000668bd8 in Perl_yyparse ()
gdb-peda$ exploit
Description: Access violation
Short description: AccessViolation (21/22)
Hash: d9722ba607412bb0b0027e58bf5e08e2.d9722ba607412bb0b0027e58bf5e08e2
Exploitability Classification: UNKNOWN
Explanation: The target crashed due to an access violation but there is not enough additional information available to determine exploitability.

Test case hexdump:
0000000 242f 7b30 2f7d
0000006

Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, libc 3.2.65-1+deb7u1 x86_6, gcc 4.9.2


p5pRT commented Feb 11, 2015

From @geeknik

test143-min


p5pRT commented Feb 11, 2015

From @geeknik

Valgrind output:

==24607== Invalid read of size 4
==24607== at 0x668818: Perl_yyparse (perly.c:523)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c1c is 172 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 2
==24607== at 0x668898: Perl_yyparse (perly.c:524)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c18 is 168 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607== at 0x6688F0: Perl_yyparse (perly.c:524)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c10 is 160 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607== at 0x668B90: Perl_yyparse (perly.c:532)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c20 is 176 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 2
==24607== at 0x668C6E: Perl_yyparse (perly.c:534)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8bf8 is 136 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 2
==24607== at 0x668F97: Perl_yyparse (perly.c:545)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c18 is 168 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 8
==24607== at 0x668FA3: Perl_yyparse (perly.c:546)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c10 is 160 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 2
==24607== at 0x668FEE: Perl_yyparse (inline.h:143)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c18 is 168 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 8
==24607== at 0x669036: Perl_yyparse (perly.c:547)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c20 is 176 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 8
==24607== at 0x66903A: Perl_yyparse (perly.c:550)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c28 is 184 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid write of size 4
==24607== at 0x669042: Perl_yyparse (perly.c:548)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c1c is 172 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607== at 0x667C7A: Perl_yyparse (perly.c:408)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c10 is 160 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
==24607== Invalid read of size 8
==24607== at 0x668113: Perl_yyparse (perly.c:423)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607== Address 0x5ed8c20 is 176 bytes inside a block of size 6,400 free'd
==24607== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==24607== by 0xB23A55: Perl_leave_scope (scope.c:1241)
==24607== by 0x65EC04: S_sublex_done (toke.c:2481)
==24607== by 0x603C30: Perl_yylex (toke.c:4547)
==24607== by 0x669684: Perl_yyparse (perly.c:322)
==24607== by 0x5399A4: S_parse_body (perl.c:2273)
==24607== by 0x541536: perl_parse (perl.c:1607)
==24607== by 0x42B63B: main (perlmain.c:114)
==24607==
perl: sv.c:6536: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.
Aborted


p5pRT commented Feb 14, 2015

From @hvds

I'm getting the [perl #123801] assert failure, using the minimized testcase in this ticket:

./miniperl -e '/$0{}/'

The assertion is happening inside SvIVX around toke.c:4550 in blead:

  /* m'foo' still needs to be parsed for possible (?{...}) */
  if (SvIVX(PL_linestr) == '\'' && !PL_lex_inpat) {

.. where PL_linestr looks like:

(gdb) p /x *PL_parser->linestr
$3 = {sv_any = 0xa42ef0, sv_refcnt = 0x1, sv_flags = 0x4403, sv_u = {
  svu_pv = 0xa5f820, svu_iv = 0xa5f820, svu_uv = 0xa5f820, svu_nv = 0x0,
  svu_rv = 0xa5f820, svu_rx = 0xa5f820, svu_array = 0xa5f820,
  svu_hash = 0xa5f820, svu_gp = 0xa5f820, svu_fp = 0xa5f820}}

The assert is complaining that sv is of type PV, so it isn't valid to call SvIVX on it.

I've managed to establish that sv isn't coming from a newSV_type() call, but that's as far as I've got so far.

Hugo


p5pRT commented Feb 14, 2015

The RT System itself - Status changed from 'new' to 'open'


p5pRT commented Feb 23, 2015

From @cpansprout

On Fri Feb 13 16:57:12 2015, hv wrote:

> I'm getting the [perl #123801] assert failure, using the minimized
> testcase in this ticket:
>
> ./miniperl -e '/$0{}/'
>
> The assertion is happening inside SvIVX around toke.c:4550 in blead:
>
> /* m'foo' still needs to be parsed for possible (?{...}) */
> if (SvIVX(PL_linestr) == '\'' && !PL_lex_inpat) {
>
> .. where PL_linestr looks like:
>
> (gdb) p /x *PL_parser->linestr
> $3 = {sv_any = 0xa42ef0, sv_refcnt = 0x1, sv_flags = 0x4403, sv_u = {
> svu_pv = 0xa5f820, svu_iv = 0xa5f820, svu_uv = 0xa5f820, svu_nv =
> 0x0,
> svu_rv = 0xa5f820, svu_rx = 0xa5f820, svu_array = 0xa5f820,
> svu_hash = 0xa5f820, svu_gp = 0xa5f820, svu_fp = 0xa5f820}}
>
> The assert is complaining that sv is of type PV, so it isn't valid to
> call SvIVX on it.
>
> I've managed to establish that sv isn't coming from a newSV_type()
> call, but that's as far as I've got so far.

This assertion failure is fixed in f4460c6, but I get another one now:

$ echo -n '/$0{}/' | ./miniperl
Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function Perl_sv_clear, file sv.c, line 6536.
Abort trap: 6

This seems to have to do with perly.c not reference-counting PL_compcv correctly. But I could be wrong.

--

Father Chrysostomos


p5pRT commented Feb 24, 2015

From @hvds

On Sun Feb 22 16:43:16 2015, sprout wrote:

> This assertion failure is fixed in f4460c6, but I get another one
> now:
>
> $ echo -n '/$0{}/' | ./miniperl
> Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function
> Perl_sv_clear, file sv.c, line 6536.
> Abort trap: 6
>
> This seems to have to do with perly.c not reference-counting PL_compcv
> correctly. But I could be wrong.

I think so, I'm seeing similar problems when there's a parse error in a double quoted string or glob:

% cat t1
"\L\L"
% ./miniperl -c t1
Segmentation fault (core dumped)
% cat t2
<\U\U>
% ./miniperl -c t2
Segmentation fault (core dumped)
%

The first fails during the SvREFCNT_dec here:
#7 0x00000000004b82a6 in Perl_yyparse (gramtype=258) at perly.c:423
.. and the second just after grabbing a compcv here:
#0 0x00000000004b8938 in Perl_yyparse (gramtype=258) at perly.c:528

Hugo


p5pRT commented Feb 27, 2015

From @cpansprout

On Tue Feb 24 11:58:05 2015, hv wrote:

> On Sun Feb 22 16:43:16 2015, sprout wrote:
>
> > This assertion failure is fixed in f4460c6, but I get another one
> > now:
> >
> > $ echo -n '/$0{}/' | ./miniperl
> > Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function
> > Perl_sv_clear, file sv.c, line 6536.
> > Abort trap: 6
> >
> > This seems to have to do with perly.c not reference-counting
> > PL_compcv
> > correctly. But I could be wrong.
>
> I think so, I'm seeing similar problems when there's a parse error in
> a double quoted string or glob:
>
> % cat t1
> "\L\L"
> % ./miniperl -c t1
> Segmentation fault (core dumped)
> % cat t2
> <\U\U>
> % ./miniperl -c t2
> Segmentation fault (core dumped)
> %
>
> The first fails during the SvREFCNT_dec here:
> #7 0x00000000004b82a6 in Perl_yyparse (gramtype=258) at perly.c:423
> .. and the second just after grabbing a compcv here:
> #0 0x00000000004b8938 in Perl_yyparse (gramtype=258) at perly.c:528

This seems to have to do with the parser (perly.c) popping scopes on a syntax error, resulting in inner lexing scopes being popped. But somehow the lexer (toke.c) is confused into thinking the inner lexing scope is still active, so it calls the LEAVE in sublex_done, which tries to free the parser stack when the parser is still active.

The solution here may be to use LEAVE_SCOPE(ix) in sublex_done, and store the index somewhere. Or maybe sublex_done should be a no-op if there is no inner lexing scope. I’m still digging.

--

Father Chrysostomos
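To make the scope mismatch described above concrete, here is a small C model added for this write-up; it is not perl's code, and the savestack, ENTER/LEAVE and the five-step order are simplified assumptions built from the description in the thread. It shows why a plain LEAVE in the lexer pops the parser's own frame once error recovery has already popped the inner lexing scope, while LEAVE_SCOPE(ix) with the recorded index is a harmless no-op.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Toy model (added here, not perl's code) of one savestack shared by the
 * parser and the lexer: ENTER pushes a frame, LEAVE pops the top frame and
 * frees whatever that frame owns.  Only the parser's frame owns anything. */
#define MAX_FRAMES 8

typedef struct { void *owned; } Frame;
typedef struct {
    Frame frames[MAX_FRAMES];
    int   depth;              /* live frames; the "ix" LEAVE_SCOPE compares against */
    bool  lex_inner_active;   /* lexer's belief that its inner lexing scope is open */
    int   lex_inner_ix;       /* depth recorded when the lexer entered that scope */
    int   parser_stack_frees; /* how many times the parser's frame has been popped */
} Interp;

static void ss_enter(Interp *I, void *owned) {
    assert(I->depth < MAX_FRAMES);
    I->frames[I->depth++].owned = owned;
}

/* Plain LEAVE: pops whatever frame is on top, whoever pushed it. */
static void ss_leave(Interp *I) {
    if (I->depth == 0) return;
    Frame *f = &I->frames[--I->depth];
    if (f->owned) { free(f->owned); f->owned = NULL; I->parser_stack_frees++; }
}

/* LEAVE_SCOPE(ix): pops only frames above ix; a no-op if already at ix. */
static void ss_leave_scope(Interp *I, int ix) {
    while (I->depth > ix) ss_leave(I);
}

/* Replays the sequence the ticket describes.  Returns true if the parser stack
 * was freed while yyparse was still running, i.e. the use-after-free valgrind
 * reports; 6400 is the block size from the valgrind log. */
bool parser_stack_freed_early(bool lexer_uses_leave_scope) {
    Interp I;
    memset(&I, 0, sizeof I);
    /* 1. yyparse ENTERs and registers its stack to be freed on its LEAVE */
    ss_enter(&I, malloc(6400));
    /* 2. the lexer starts sub-lexing the pattern: its own ENTER, depth noted */
    I.lex_inner_ix = I.depth;
    ss_enter(&I, NULL);
    I.lex_inner_active = true;
    /* 3. syntax error: the parser's error recovery pops the inner lexing
     *    scope itself, and the lexer is not told */
    ss_leave(&I);
    /* 4. sublex_done still believes its scope is open and tries to close it */
    if (I.lex_inner_active) {
        if (lexer_uses_leave_scope)
            ss_leave_scope(&I, I.lex_inner_ix); /* already at ix: nothing popped */
        else
            ss_leave(&I);                       /* pops the parser's frame instead */
        I.lex_inner_active = false;
    }
    bool freed_early = I.parser_stack_frees > 0;
    /* 5. yyparse finishes and LEAVEs; on the buggy path nothing is left to pop */
    ss_leave(&I);
    assert(I.parser_stack_frees == 1 && I.depth == 0); /* no leak on either path */
    return freed_early;
}

int main(void) {
    return (parser_stack_freed_early(false) && !parser_stack_freed_early(true)) ? 0 : 1;
}
```

The model only records the premature free rather than touching the freed block, which is what the real parser did when valgrind flagged the reads and writes at perly.c:523 onwards.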


p5pRT commented Mar 1, 2015

From @cpansprout

On Thu Feb 26 19:59:57 2015, sprout wrote:

> On Tue Feb 24 11:58:05 2015, hv wrote:
>
> > On Sun Feb 22 16:43:16 2015, sprout wrote:
> >
> > > This assertion failure is fixed in f4460c6, but I get another
> > > one
> > > now:
> > >
> > > $ echo -n '/$0{}/' | ./miniperl
> > > Assertion failed: (SvTYPE(sv) != (svtype)SVTYPEMASK), function
> > > Perl_sv_clear, file sv.c, line 6536.
> > > Abort trap: 6
> > >
> > > This seems to have to do with perly.c not reference-counting
> > > PL_compcv
> > > correctly. But I could be wrong.
> >
> > I think so, I'm seeing similar problems when there's a parse error in
> > a double quoted string or glob:
> >
> > % cat t1
> > "\L\L"
> > % ./miniperl -c t1
> > Segmentation fault (core dumped)
> > % cat t2
> > <\U\U>
> > % ./miniperl -c t2
> > Segmentation fault (core dumped)
> > %
> >
> > The first fails during the SvREFCNT_dec here:
> > #7 0x00000000004b82a6 in Perl_yyparse (gramtype=258) at perly.c:423
> > .. and the second just after grabbing a compcv here:
> > #0 0x00000000004b8938 in Perl_yyparse (gramtype=258) at perly.c:528
>
> This seems to have to do with the parser (perly.c) popping scopes on a
> syntax error, resulting in inner lexing scopes being popped. But
> somehow the lexer (toke.c) is confused into thinking the inner lexing
> scope is still active, so it calls the LEAVE in sublex_done, which
> tries to free the parser stack when the parser is still active.
>
> The solution here may be to use LEAVE_SCOPE(ix) in sublex_done, and
> store the index somewhere. Or maybe sublex_done should be a no-op if
> there is no inner lexing scope. I’m still digging.

I finally finished tracking this down. It’s PL_lex_defer again. So the fix is nearly identical to #123801. See commit 479ae48.

--

Father Chrysostomos


p5pRT commented Mar 1, 2015

@cpansprout - Status changed from 'open' to 'pending release'


p5pRT commented Mar 1, 2015

From @hvds

On Sat Feb 28 18:29:21 2015, sprout wrote:

> I finally finished tracking this down. It’s PL_lex_defer again. So
> the fix is nearly identical to #123801. See commit 479ae48.

Unfortunately I'm still seeing the additional two cases failing; apologies that I didn't clarify before that they should not have a trailing newline:

% echo -n '"\L\L"' | ./miniperl -c
Segmentation fault (core dumped)
% echo -n '<\L\L>' | ./miniperl -c
Segmentation fault (core dumped)
%

They're both failing at the same place now. (The first was previously crashing at perly.c:423.)

Program received signal SIGSEGV, Segmentation fault.
S_SvREFCNT_dec (sv=0xa22) at inline.h:162
162 U32 rc = SvREFCNT(sv);
(gdb) where
#0 S_SvREFCNT_dec (sv=0xa22) at inline.h:162
#1 Perl_yyparse (gramtype=gramtype@entry=258) at perly.c:532
#2 0x000000000040fa4b in S_parse_body (xsinit=0x43fda0 <xs_init>, env=0x0)
  at perl.c:2277
#3 perl_parse (my_perl=<optimized out>,
  xsinit=xsinit@entry=0x43fda0 <xs_init>, argc=<optimized out>,
  argv=<optimized out>, env=env@entry=0x0) at perl.c:1611
#4 0x00000000004066c0 in main (argc=3, argv=0x7fffffffe638,
  env=0x7fffffffe658) at miniperlmain.c:120
(gdb)
(gdb)

I confirmed (against the first) that it does bisect to 7aa8cb0.

Hugo


p5pRT commented Mar 1, 2015

From @cpansprout

On Sun Mar 01 02:00:47 2015, hv wrote:

> On Sat Feb 28 18:29:21 2015, sprout wrote:
>
> > I finally finished tracking this down. It’s PL_lex_defer again. So
> > the fix is nearly identical to #123801. See commit 479ae48.
>
> Unfortunately I'm still seeing the additional two cases failing;
> apologies that I didn't clarify before they should not have a trailing
> newline:
>
> % echo -n '"\L\L"' | ./miniperl -c
> Segmentation fault (core dumped)
> % echo -n '<\L\L>' | ./miniperl -c
> Segmentation fault (core dumped)
> %
>
> They're both failing at the same place now. (The first was previously
> crashing at perly.c:423.)

It was my mistake not to re-read the ticket before closing it.

This is now fixed in 66edcf7.

--

Father Chrysostomos


p5pRT commented Jun 2, 2015

From @khwilliamson

Thank you for submitting this ticket.

The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html
--
Karl Williamson for the Perl 5 team


p5pRT commented Jun 2, 2015

@khwilliamson - Status changed from 'pending release' to 'resolved'
