
SIGBUS Perl_sv_peek (dump.c:367) #15539

Closed
p5pRT opened this issue Aug 21, 2016 · 31 comments

Comments

p5pRT commented Aug 21, 2016

Migrated from rt.perl.org#129029 (status was 'resolved')

Searchable as RT129029$

p5pRT commented Aug 21, 2016

From @geeknik

The following script triggers a Bus error (SIGBUS) in Perl v5.25.4 (v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.

#!perl -D2000002
${qq$\x5F$}=q0 and s gggge

Program received signal SIGBUS, Bus error.
0x00000000007d1e64 in Perl_sv_peek (sv=<optimized out>) at dump.c:367
367 else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
(gdb) bt
#0 0x00000000007d1e64 in Perl_sv_peek (sv=<optimized out>) at dump.c:367
#1 0x0000000000bded28 in S_deb_stack_n (stack_base=0x619000009680, stack_min=<optimized out>, stack_max=3, mark_min=<optimized out>, mark_max=108176) at deb.c:145
#2 0x0000000000bdf95e in Perl_deb_stack_all () at deb.c:299
#3 0x00000000007f169d in Perl_runops_debug () at dump.c:2220
#4 0x00000000005a0ff7 in S_run_body (oldscope=<optimized out>) at perl.c:2524
#5 perl_run (my_perl=<optimized out>) at perl.c:2447
#6 0x00000000004de68e in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

p5pRT commented Aug 21, 2016

From @cpansprout

On Sat Aug 20 23:07:45 2016, brian.carpenter@gmail.com wrote:

The following script triggers a Bus error (SIGBUS) in Perl v5.25.4
(v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.

#!perl -D2000002
${qq$\x5F$}=q0 and s gggge

This one I cannot reproduce.

--

Father Chrysostomos

p5pRT commented Aug 21, 2016

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented Aug 21, 2016

From @cpansprout

On Sat Aug 20 23:07:45 2016, brian.carpenter@gmail.com wrote:

The following script triggers a Bus error (SIGBUS) in Perl v5.25.4
(v5.25.3-305-g8c6b0c7) with the -D. Removing it stifles the crash.

#!perl -D2000002
${qq$\x5F$}=q0 and s gggge

This is probably equivalent to:

#!perl -DvJRTDxms
$_='q0' and s///ge

Being unable to reproduce the crash, I cannot confirm that it is equivalent.

--

Father Chrysostomos

p5pRT commented Aug 21, 2016

From @geeknik

Being unable to reproduce the crash, I cannot confirm that it is equivalent.

I've attached a test case that exhibits this behavior. Give it a try.

p5pRT commented Aug 21, 2016

From @geeknik

test654

p5pRT commented Aug 22, 2016

From @cpansprout

On Sun Aug 21 15:12:21 2016, brian.carpenter@gmail.com wrote:

Being unable to reproduce the crash, I cannot confirm that it is
equivalent.

I've attached a test case that exhibits this behavior. Give it a try.

Still no difference (on darwin). I guess my machine is special. :-)

--

Father Chrysostomos

p5pRT commented Aug 22, 2016

From @geeknik

On Sun Aug 21 17:23:39 2016, sprout wrote:

Still no difference (on darwin). I guess my machine is special. :-)

The machine I'm running my tests on is a Debian 8.5 x64 VM (512MB RAM, 20GB DISK, 1 vCPU). I've only seen 5 or 6 of these Perl `scripts` which trigger this `Bus error` and I've never encountered it while fuzzing other things on similar architectures (PHP, OpenSSL, Ruby, Python, Bash, GCC, CLANG, etc), and before this 48 hour Perl sprint, I hadn't seen it in previous Perl sessions.

p5pRT commented Aug 22, 2016

From zefram@fysh.org

SIGBUS is very little used by the x86 architecture. The usual cause
of SIGBUS (on any architecture) is an unaligned memory access, but
x86 by default permits unaligned access. (Alignment checking *can*
be turned on, via a CPU flag, and will duly generate SIGBUS on Linux.)
Other ways of generating SIGBUS are to clear the segment registers, run
into a memory fault, and that's about it. None of these is an obvious
candidate for your case.

Please show us a register dump and disassembly from the point of the
SIGBUS.

-zefram
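
Zefram's two claims above, that x86 tolerates unaligned loads by default and that turning on the CPU's alignment-check flag makes the same load raise SIGBUS on Linux, can be checked directly. This is an added example, not code from the thread; it assumes x86-64 Linux (EFLAGS.AC is bit 18, settable from user mode with popf) and reports -1 on any other build.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* sigaction, sigsetjmp */
#endif
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* EFLAGS.AC (bit 18): with CR0.AM set, which Linux does, a misaligned data
   access at CPL 3 raises #AC, and the kernel delivers that as SIGBUS. */
#define EFLAGS_AC (1UL << 18)

/* Constructed sample data: 8-byte aligned, so (char *)storage + 1 is misaligned
   for a 4-byte load (the little-endian bytes there are 77 66 55 44). */
static uint64_t storage[2] = { 0x1122334455667788ULL, 0 };

static sigjmp_buf escape;
static volatile sig_atomic_t signal_seen;

#if defined(__x86_64__) && defined(__linux__)
/* AC is one of the EFLAGS bits user mode is allowed to change with popf. */
static void set_ac_flag(void)
{
    __asm__ volatile ("pushfq\n\torq %0, (%%rsp)\n\tpopfq" : : "r"(EFLAGS_AC) : "cc", "memory");
}
static void clear_ac_flag(void)
{
    __asm__ volatile ("pushfq\n\tandq %0, (%%rsp)\n\tpopfq" : : "r"(~EFLAGS_AC) : "cc", "memory");
}

static void on_sigbus(int signo)
{
    /* The handler is entered with the faulting context's EFLAGS, AC still set,
       so drop it before touching anything else, then unwind. */
    clear_ac_flag();
    signal_seen = signo;
    siglongjmp(escape, 1);
}
#endif

/* The default behaviour: with AC clear, x86 completes the misaligned load.
   Returns 1 if the load matches what memcpy() sees at that address, 0 on a
   mismatch, -1 if this build cannot run the experiment. */
int unaligned_read_is_tolerated(void)
{
#if defined(__x86_64__) && defined(__linux__)
    volatile uint32_t *misaligned = (volatile uint32_t *)((char *)storage + 1);
    uint32_t expected;
    clear_ac_flag();
    memcpy(&expected, (char *)storage + 1, sizeof expected);
    return *misaligned == expected;
#else
    return -1;
#endif
}

/* The same load with AC set. Returns 1 if SIGBUS was delivered, 0 if the load
   went through silently, -1 if this build cannot run the experiment. */
int unaligned_read_under_ac_raises_sigbus(void)
{
#if defined(__x86_64__) && defined(__linux__)
    volatile uint32_t *misaligned = (volatile uint32_t *)((char *)storage + 1);
    struct sigaction sa, old;
    uint32_t value;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigbus;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGBUS, &sa, &old) != 0)
        return -1;

    signal_seen = 0;
    if (sigsetjmp(escape, 1) == 0) {
        set_ac_flag();
        value = *misaligned;   /* 4-byte load at an address == 1 (mod 4) */
        clear_ac_flag();       /* reached only if no #AC was raised */
        (void)value;
    }
    sigaction(SIGBUS, &old, NULL);
    return signal_seen == SIGBUS ? 1 : 0;
#else
    return -1;
#endif
}

int main(void)
{
    printf("AC clear: misaligned load tolerated = %d\n", unaligned_read_is_tolerated());
    printf("AC set:   misaligned load -> SIGBUS = %d\n", unaligned_read_under_ac_raises_sigbus());
    return 0;
}
```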

p5pRT commented Aug 22, 2016

From @geeknik

On Sun Aug 21 18:09:14 2016, zefram@fysh.org wrote:

Please show us a register dump and disassembly from the point of the
SIGBUS.

Program received signal SIGBUS, Bus error.
0x00000000007d20d4 in Perl_sv_peek (sv=<optimized out>) at dump.c:367
367 else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
  0x00000000007d20ab <Perl_sv_peek+251>: 64 49 63 04 24 movslq %fs:(%r12),%rax
  0x00000000007d20b0 <Perl_sv_peek+256>: 48 8b 0d e9 ad 9e 00 mov 0x9eade9(%rip),%rcx # 0x11bcea0 <__afl_area_ptr>
  0x00000000007d20b7 <Perl_sv_peek+263>: 48 35 29 bf 00 00 xor $0xbf29,%rax
  0x00000000007d20bd <Perl_sv_peek+269>: fe 04 01 incb (%rcx,%rax,1)
  0x00000000007d20c0 <Perl_sv_peek+272>: 64 41 c7 04 24 94 5f 00 00 movl $0x5f94,%fs:(%r12)
  0x00000000007d20c9 <Perl_sv_peek+281>: 4d 8d 7e 0c lea 0xc(%r14),%r15
  0x00000000007d20cd <Perl_sv_peek+285>: 4c 89 fd mov %r15,%rbp
  0x00000000007d20d0 <Perl_sv_peek+288>: 48 c1 ed 03 shr $0x3,%rbp
=> 0x00000000007d20d4 <Perl_sv_peek+292>: 8a 85 00 80 ff 7f mov 0x7fff8000(%rbp),%al
  0x00000000007d20da <Perl_sv_peek+298>: 84 c0 test %al,%al
  0x00000000007d20dc <Perl_sv_peek+300>: 74 14 je 0x7d20f2 <Perl_sv_peek+322>
  0x00000000007d20de <Perl_sv_peek+302>: 44 89 f9 mov %r15d,%ecx
  0x00000000007d20e1 <Perl_sv_peek+305>: 83 e1 07 and $0x7,%ecx
  0x00000000007d20e4 <Perl_sv_peek+308>: 83 c1 03 add $0x3,%ecx
  0x00000000007d20e7 <Perl_sv_peek+311>: 0f be c0 movsbl %al,%eax
  0x00000000007d20ea <Perl_sv_peek+314>: 39 c1 cmp %eax,%ecx
  0x00000000007d20ec <Perl_sv_peek+316>: 0f 8d 36 23 00 00 jge 0x7d4428 <Perl_sv_peek+9336>
  0x00000000007d20f2 <Perl_sv_peek+322>: 41 0f b6 07 movzbl (%r15),%eax
  0x00000000007d20f6 <Perl_sv_peek+326>: 83 f8 55 cmp $0x55,%eax
  0x00000000007d20f9 <Perl_sv_peek+329>: 0f 84 b6 0d 00 00 je 0x7d2eb5 <Perl_sv_peek+3845>

(gdb) info all-registers
rax 0xb949 47433
rbx 0x62100000e7c8 107820859058120
rcx 0x1df7750 31422288
rdx 0x1df7750 31422288
rsi 0xc27c 49788
rdi 0x62100000e7d4 107820859058132
rbp 0x17d7d7d7d7d7d7d9 0x17d7d7d7d7d7d7d9
rsp 0x7fffffffe100 0x7fffffffe100
r8 0x60200007e890 105690555738256
r9 0x62100000e7c8 107820859058120
r10 0x94c433 9749555
r11 0x3 3
r12 0xfffffffffffffff8 -8
r13 0x0 0
r14 0xbebebebebebebebe -4702111234474983746
r15 0xbebebebebebebeca -4702111234474983734
rip 0x7d20d4 0x7d20d4 <Perl_sv_peek+292>
eflags 0x10a02 [ IF OF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

p5pRT commented Aug 22, 2016

From zefram@fysh.org

Brian Carpenter via RT wrote:

=> 0x00000000007d20d4 <Perl_sv_peek+292>: 8a 85 00 80 ff 7f mov 0x7fff8000(%rbp),%al
...
ds 0x0 0

There's your proximate problem: segment register clear for a memory
operation. The mystery is how it got like that. I'd never expect to
see %ds (or %es) clear in normal operation. Your %rbp doesn't look
healthy either, having been derived from a 0xbebebebebebebebe filler
pattern found in %r14. But what's the offset of 0x7fff8000 on that
address about? I don't see what in the source corresponds to that bit.
Maybe your fuzzing compiler generates some funny code? A few instructions
later I can see the SvTYPE(sv) == 'U' check, so the disassembly bears
at least some relation to the source.

-zefram

p5pRT commented Aug 22, 2016

From @geeknik

3350 lines of debugging output before the Bus error happens.

On Sun, Aug 21, 2016 at 9:22 PM, Zefram via RT <perlbug-followup@perl.org> wrote:

Brian Carpenter via RT wrote:

=> 0x00000000007d20d4 <Perl_sv_peek+292>: 8a 85 00 80 ff 7f mov 0x7fff8000(%rbp),%al
...
ds 0x0 0

There's your proximate problem: segment register clear for a memory
operation. The mystery is how it got like that. I'd never expect to
see %ds (or %es) clear in normal operation. Your %rbp doesn't look
healthy either, having been derived from a 0xbebebebebebebebe filler
pattern found in %r14. But what's the offset of 0x7fff8000 on that
address about? I don't see what in the source corresponds to that bit.
Maybe your fuzzing compiler generates some funny code? A few instructions
later I can see the SvTYPE(sv) == 'U' check, so the disassembly bears
at least some relation to the source.

-zefram

p5pRT commented Aug 22, 2016

From @geeknik

test640-output.txt

p5pRT commented Aug 22, 2016

From @dcollinsn

Intrigued by some of the triage effort, I pulled out my AFL toolchain from a few months ago. I was still unable to reproduce this, on a Perl built with GCC 6.1.1-4 via AFL 2.13b in a 64 bit Debian VM.

Brian, does this still crash on a non-instrumented Perl? Either way, can we have the output of the `perl -V` of a perl that reproduces this on your VM? I'd love to try to reproduce as closely as possible.

For reference, I failed to reproduce with this perl:

$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
  Commit id: 92d73bf
  Platform:
  osname=linux
  osvers=4.6.0-1-amd64
  archname=x86_64-linux-quadmath
  uname='linux nightshade64 4.6.0-1-amd64 #1 smp debian 4.6.1-1 (2016-06-06) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=afl-gcc -Uuselongdouble -Duse64bitall -Doptimize=-O3 -g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -Dusequadmath -des'
  hint=recommended
  useposix=true
  d_sigaction=define
  useithreads=undef
  usemultiplicity=undef
  use64bitint=define
  use64bitall=define
  uselongdouble=undef
  usemymalloc=n
  bincompat5005=undef
  Compiler:
  cc='afl-gcc'
  ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
  optimize='-O3 -g'
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion=''
  gccversion='6.1.1 20160519'
  gccosandvers=''
  intsize=4
  longsize=8
  ptrsize=8
  doublesize=8
  byteorder=12345678
  doublekind=3
  d_longlong=define
  longlongsize=8
  d_longdbl=define
  longdblsize=16
  longdblkind=3
  ivtype='long'
  ivsize=8
  nvtype='__float128'
  nvsize=16
  Off_t='off_t'
  lseeksize=8
  alignbytes=16
  prototype=define
  Linker and Libraries:
  ld='afl-gcc'
  ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/6/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
  libc=libc-2.22.so
  so=so
  useshrplib=false
  libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs
  dlext=so
  d_dlsymun=undef
  ccdlflags='-Wl,-E'
  cccdlflags='-fPIC'
  lddlflags='-shared -O3 -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options:
  DEBUGGING
  HAS_TIMES
  PERLIO_LAYERS
  PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
  PERL_MALLOC_WRAP
  PERL_OP_PARENT
  PERL_PRESERVE_IVUV
  PERL_USE_DEVEL
  USE_64_BIT_ALL
  USE_64_BIT_INT
  USE_LARGE_FILES
  USE_LOCALE
  USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC
  USE_LOCALE_TIME
  USE_PERLIO
  USE_PERL_ATOF
  USE_QUADMATH
  Built under linux
  Compiled at Aug 21 2016 22:48:53
  %ENV:
  PERLBREW_BASHRC_VERSION="0.76"
  PERLBREW_HOME="/home/dcollins/.perlbrew"
  PERLBREW_ROOT="/home/dcollins/toolchain/perl5"
  @INC:
  lib
  /usr/local/perl-afl/lib/site_perl/5.25.5/x86_64-linux-quadmath
  /usr/local/perl-afl/lib/site_perl/5.25.5
  /usr/local/perl-afl/lib/5.25.5/x86_64-linux-quadmath
  /usr/local/perl-afl/lib/5.25.5
  .
$ afl-gcc -v
afl-cc 2.13b by <lcamtuf@google.com>
Using built-in specs.
COLLECT_GCC=gcc-6
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.1.1-4' --with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs --enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-6 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.1.1 20160519 (Debian 6.1.1-4)

--
Respectfully,
Dan Collins

p5pRT commented Aug 22, 2016

From @geeknik

./perl -V
Can't locate Config.pm in @INC (you may need to install the Config module)
(@INC contains: /usr/local/lib/perl5/site_perl/5.25.4/x86_64-linux
/usr/local/lib/perl5/site_perl/5.25.4
/usr/local/lib/perl5/5.25.4/x86_64-linux /usr/local/lib/perl5/5.25.4 .).
BEGIN failed--compilation aborted.

./afl-gcc -v
afl-cc 2.30b by <lcamtuf@google.com>
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.9/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.2-10'
--with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs
--enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-4.9 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls
--with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug
--enable-libstdcxx-time=yes --enable-gnu-unique-object
--disable-vtable-verify --enable-plugin --with-system-zlib
--disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre
--enable-java-home
--with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64
--with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar
--enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic
--enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu
--target=x86_64-linux-gnu
Thread model: posix
gcc version 4.9.2 (Debian 4.9.2-10)

On Sun, Aug 21, 2016 at 10:07 PM, Dan Collins via RT <perlbug-followup@perl.org> wrote:

Intrigued by some of the triage effort, I pulled out my AFL toolchain from
a few months ago. I was still unable to reproduce this, on a Perl built
with GCC 6.1.1-4 via AFL 2.13b in a 64 bit Debian VM.

Brian, does this still crash on a non-instrumented Perl? Either way, can
we have the output of the `perl -V` of a perl that reproduces this on your
VM? I'd love to try to reproduce as closely as possible.

For reference, I failed to reproduce with this perl:

$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
Commit id: 92d73bf
Platform:
osname=linux
osvers=4.6.0-1-amd64
archname=x86_64-linux-quadmath
uname='linux nightshade64 4.6.0-1-amd64 #1 smp debian 4.6.1-1
(2016-06-06) x86_64 gnulinux '
config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=afl-gcc
-Uuselongdouble -Duse64bitall -Doptimize=-O3 -g -Uversiononly -Uman1dir
-Uman3dir -DDEBUGGING -DPERL_POISON -Dusequadmath -des'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
bincompat5005=undef
Compiler:
cc='afl-gcc'
ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64'
optimize='-O3 -g'
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='6.1.1 20160519'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='__float128'
nvsize=16
Off_t='off_t'
lseeksize=8
alignbytes=16
prototype=define
Linker and Libraries:
ld='afl-gcc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/6/include-fixed
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib
/usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
libc=libc-2.22.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.22'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O3 -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
Compile-time options:
DEBUGGING
HAS_TIMES
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
PERL_USE_DEVEL
USE_64_BIT_ALL
USE_64_BIT_INT
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_COLLATE
USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
USE_QUADMATH
Built under linux
Compiled at Aug 21 2016 22:48:53
%ENV:
PERLBREW_BASHRC_VERSION="0.76"
PERLBREW_HOME="/home/dcollins/.perlbrew"
PERLBREW_ROOT="/home/dcollins/toolchain/perl5"
@INC:
lib
/usr/local/perl-afl/lib/site_perl/5.25.5/x86_64-linux-quadmath
/usr/local/perl-afl/lib/site_perl/5.25.5
/usr/local/perl-afl/lib/5.25.5/x86_64-linux-quadmath
/usr/local/perl-afl/lib/5.25.5
.
$ afl-gcc -v
afl-cc 2.13b by <lcamtuf@google.com>
Using built-in specs.
COLLECT_GCC=gcc-6
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 6.1.1-4'
--with-bugurl=file:///usr/share/doc/gcc-6/README.Bugs
--enable-languages=c,ada,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr
--program-suffix=-6 --enable-shared --enable-linker-build-id
--libexecdir=/usr/lib --without-included-gettext --enable-threads=posix
--libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu
--enable-libstdcxx-debug --enable-libstdcxx-time=yes
--with-default-libstdcxx-abi=new --enable-gnu-unique-object
--disable-vtable-verify --enable-libmpx --enable-plugin --with-system-zlib
--disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo
--with-java-home=/usr/lib/jvm/java-1.5.0-gcj-6-amd64/jre
--enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-6-amd64
--with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-6-amd64
--with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar
--enable-objc-gc --enable-multiarch --with-arch-32=i686 --with-abi=m64
--with-multilib-list=m32,m64,mx32 --enable-multilib
--with-tune=generic --enable-checking=release --build=x86_64-linux-gnu
--host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 6.1.1 20160519 (Debian 6.1.1-4)

--
Respectfully,
Dan Collins

p5pRT commented Aug 22, 2016

From @dcollinsn

On Sun Aug 21 20:13:04 2016, brian.carpenter@gmail.com wrote:

./perl -V
Can't locate Config.pm in @INC (you may need to install the Config module)
(@INC contains: /usr/local/lib/perl5/site_perl/5.25.4/x86_64-linux
/usr/local/lib/perl5/site_perl/5.25.4
/usr/local/lib/perl5/5.25.4/x86_64-linux /usr/local/lib/perl5/5.25.4 .).
BEGIN failed--compilation aborted.

Sorry, you'll need to do `./perl -Ilib -V` if you're running that from the build directory of a perl you haven't installed.

--
Respectfully,
Dan Collins

p5pRT commented Aug 22, 2016

From zefram@fysh.org

Brian 'geeknik' Carpenter wrote:

3350 lines of debugging output before the Bus error happens.

No smoking gun there.

Please try reducing the debugging flags, to find the minimum set that
will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
eight flags.

-zefram
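
Zefram's point that -D2000002 is a decimal bit mask, and cpansprout's expansion of it to -DvJRTDxms earlier in the thread, can be checked with this added example (not code from the thread): it carries perlrun's -D table, transcribed here as an assumption for the 5.2x series, and maps a numeric -D argument to its flag letters and back, so the eight flags can be read off before shrinking the set.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One row of perlrun's -D table: bit value, flag letter, short description.
   Transcribed from perlrun for the 5.2x series, in bit order, so index i holds
   the flag worth 1 << i; assumed complete only up to 'i'. */
struct perl_debug_flag {
    unsigned long value;
    char letter;
    const char *what;
};

static const struct perl_debug_flag PERL_DEBUG_FLAGS[] = {
    {         1, 'p', "Tokenizing and parsing (with v, displays parse stack)" },
    {         2, 's', "Stack snapshots (with v, displays all stacks)" },
    {         4, 'l', "Context (loop) stack processing" },
    {         8, 't', "Trace execution" },
    {        16, 'o', "Method and overloading resolution" },
    {        32, 'c', "String/numeric conversions" },
    {        64, 'P', "Print profiling info, source file input state" },
    {       128, 'm', "Memory and SV allocation" },
    {       256, 'f', "Format processing" },
    {       512, 'r', "Regular expression parsing and execution" },
    {      1024, 'x', "Syntax tree dump" },
    {      2048, 'u', "Tainting checks" },
    {      4096, 'U', "Unofficial, User hacking (reserved for private, unreleased use)" },
    {      8192, 'H', "Hash dump -- usurps values()" },
    {     16384, 'X', "Scratchpad allocation" },
    {     32768, 'D', "Cleaning up" },
    {     65536, 'S', "Op slab allocation" },
    {    131072, 'T', "Tokenizing" },
    {    262144, 'R', "Include reference counts of dumped variables (eg when using -Ds)" },
    {    524288, 'J', "show s,t,P-debug (Jumbo) on all calls" },
    {   1048576, 'v', "Verbose: use in conjunction with other flags" },
    {   2097152, 'C', "Copy On Write" },
    {   4194304, 'A', "Consistency checks on internal structures" },
    {   8388608, 'q', "quiet - currently only suppresses the \"EXECUTING\" message" },
    {  16777216, 'M', "trace smart match resolution" },
    {  33554432, 'B', "dump suBroutine definitions, including special Blocks like BEGIN" },
    {  67108864, 'L', "trace some locale setting information for debugging" },
    { 134217728, 'i', "trace PerlIO layer processing" },
};
#define N_PERL_DEBUG_FLAGS (sizeof PERL_DEBUG_FLAGS / sizeof PERL_DEBUG_FLAGS[0])

/* Expand a numeric -D argument into its letters, highest bit first (the order
   cpansprout wrote them in above: 2000002 -> "vJRTDxms"). Returns the number of
   flags, or -1 if `out` is too small or the value has a bit the table lacks. */
int perl_debug_mask_to_letters(unsigned long mask, char *out, size_t outlen)
{
    size_t n = 0;
    unsigned long known = 0;
    if (outlen == 0) return -1;
    for (size_t i = N_PERL_DEBUG_FLAGS; i-- > 0; ) {
        if (mask & PERL_DEBUG_FLAGS[i].value) {
            if (n + 1 >= outlen) return -1;
            out[n++] = PERL_DEBUG_FLAGS[i].letter;
            known |= PERL_DEBUG_FLAGS[i].value;
        }
    }
    out[n] = '\0';
    return (mask & ~known) ? -1 : (int)n;
}

/* The inverse: a letter string such as "vJRTDxms" back to its numeric value.
   On an unknown letter returns 0 and stores that letter in *bad (0 on success). */
unsigned long perl_debug_letters_to_mask(const char *letters, char *bad)
{
    unsigned long mask = 0;
    for (const char *p = letters; *p; p++) {
        size_t i = 0;
        while (i < N_PERL_DEBUG_FLAGS && PERL_DEBUG_FLAGS[i].letter != *p) i++;
        if (i == N_PERL_DEBUG_FLAGS) {
            if (bad) *bad = *p;
            return 0;
        }
        mask |= PERL_DEBUG_FLAGS[i].value;
    }
    if (bad) *bad = 0;
    return mask;
}

int main(int argc, char **argv)
{
    /* Default to the value from the report; pass another decimal -D value to decode it. */
    unsigned long mask = argc > 1 ? strtoul(argv[1], NULL, 10) : 2000002UL;
    char letters[N_PERL_DEBUG_FLAGS + 1];
    int n = perl_debug_mask_to_letters(mask, letters, sizeof letters);
    printf("-D%lu == -D%s (%d flags)\n", mask, letters, n);
    for (size_t i = N_PERL_DEBUG_FLAGS; i-- > 0; )    /* what each enabled flag does */
        if (mask & PERL_DEBUG_FLAGS[i].value)
            printf("  %9lu  %c  %s\n", PERL_DEBUG_FLAGS[i].value,
                   PERL_DEBUG_FLAGS[i].letter, PERL_DEBUG_FLAGS[i].what);
    return n < 0;
}
```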

p5pRT commented Aug 22, 2016

From @geeknik

./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
  Commit id: 92d73bf
  Platform:
  osname=linux
  osvers=3.16.0-4-amd64
  archname=x86_64-linux
  uname='linux debian-512mb-nyc3-02 3.16.0-4-amd64 #1 smp debian
3.16.7-ckt25-2+deb8u3 (2016-07-02) x86_64 gnulinux '
  config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O2 -g'
  hint=previous
  useposix=true
  d_sigaction=define
  useithreads=undef
  usemultiplicity=undef
  use64bitint=define
  use64bitall=define
  uselongdouble=undef
  usemymalloc=n
  bincompat5005=undef
  Compiler:
  cc='afl-clang-fast'
  ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
  optimize='-O2 -g'
  cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
  ccversion=''
  gccversion='4.2.1 Compatible Debian Clang 3.5.0
(tags/RELEASE_350/final)'
  gccosandvers=''
  intsize=4
  longsize=8
  ptrsize=8
  doublesize=8
  byteorder=12345678
  doublekind=3
  d_longlong=define
  longlongsize=8
  d_longdbl=define
  longdblsize=16
  longdblkind=3
  ivtype='long'
  ivsize=8
  nvtype='double'
  nvsize=8
  Off_t='off_t'
  lseeksize=8
  alignbytes=8
  prototype=define
  Linker and Libraries:
  ld='afl-clang-fast'
  ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib
/lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib
/lib /usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib /usr/local/lib
/usr/include/x86_64-linux-gnu /usr/lib /usr/local/lib
/usr/include/x86_64-linux-gnu /usr/lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.19.so
  so=so
  useshrplib=false
  libperl=libperl.a
  gnulibc_version='2.19'
  Dynamic Linking:
  dlsrc=dl_dlopen.xs
  dlext=so
  d_dlsymun=undef
  ccdlflags='-Wl,-E'
  cccdlflags='-fPIC'
  lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
  Compile-time options:
  DEBUGGING
  HAS_TIMES
  PERLIO_LAYERS
  PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
  PERL_MALLOC_WRAP
  PERL_OP_PARENT
  PERL_PRESERVE_IVUV
  PERL_USE_DEVEL
  USE_64_BIT_ALL
  USE_64_BIT_INT
  USE_LARGE_FILES
  USE_LOCALE
  USE_LOCALE_COLLATE
  USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC
  USE_LOCALE_TIME
  USE_PERLIO
  USE_PERL_ATOF
  Built under linux
  Compiled at Aug 21 2016 17:16:25
  @INC:
  lib
  /usr/local/lib/perl5/site_perl/5.25.4/x86_64-linux
  /usr/local/lib/perl5/site_perl/5.25.4
  /usr/local/lib/perl5/5.25.4/x86_64-linux
  /usr/local/lib/perl5/5.25.4

./afl-clang-fast -v
afl-clang-fast 2.30b by <lszekeres@​google.com>
Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
Target​: x86_64-pc-linux-gnu
Thread model​: posix
Found candidate GCC installation​: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8
Found candidate GCC installation​: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.8.4
Found candidate GCC installation​: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9
Found candidate GCC installation​: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9.2
Found candidate GCC installation​: /usr/lib/gcc/x86_64-linux-gnu/4.8
Found candidate GCC installation​: /usr/lib/gcc/x86_64-linux-gnu/4.8.4
Found candidate GCC installation​: /usr/lib/gcc/x86_64-linux-gnu/4.9
Found candidate GCC installation​: /usr/lib/gcc/x86_64-linux-gnu/4.9.2
Selected GCC installation​: /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9
Candidate multilib​: .;@​m64
Selected multilib​: .;@​m64
"/usr/bin/ld" --hash-style=both --build-id --eh-frame-hdr -m elf_x86_64
-dynamic-linker /lib64/ld-linux-x86-64.so.2 -o a.out
/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crt1.o
/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crti.o
/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/crtbegin.o
-L/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9
-L/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu
-L/lib/x86_64-linux-gnu -L/lib/../lib64 -L/usr/lib/x86_64-linux-gnu
-L/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../..
-L/usr/lib/llvm-3.5/bin/../lib -L/lib -L/usr/lib ./afl-llvm-rt.o -lgcc
--as-needed -lgcc_s --no-as-needed -lc -lgcc --as-needed -lgcc_s
--no-as-needed /usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/crtend.o
/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crtn.o
/usr/bin/../lib/gcc/x86_64-linux-gnu/4.9/../../../x86_64-linux-gnu/crt1.o​:
In function `_start'​:
/build/glibc-uPj9cH/glibc-2.19/csu/../sysdeps/x86_64/start.S​:118​: undefined
reference to `main'
clang​: error​: linker command failed with exit code 1 (use -v to see
invocation)

clang --version
Debian clang version 3.5.0-10 (tags/RELEASE_350/final) (based on LLVM 3.5.0)
Target​: x86_64-pc-linux-gnu
Thread model​: posix

@p5pRT

p5pRT commented Aug 22, 2016

From @geeknik

My command line for building Perl never changes either:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O2\
-g && AFL_USE_ASAN=1 make -j2

@p5pRT

p5pRT commented Aug 22, 2016

From @dcollinsn

It's not just Brian, I /can/ reproduce:

LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so ./perl ~/t.pl

libdislocator is available as part of the afl source distribution. Here's a readme: https://github.com/mirrorer/afl/tree/master/libdislocator

I got it as a one-liner and reduced by hand to the following:

LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so ./perl -Dvs -e '$_="aa"; s///ge'

Removing the preload also removes the crash.

I included some output from a GDB run showing that, as with Brian, the ds register is clear just before the crash. However, I wasn't trivially able to find any point in the program where `ds` had any value in it. Any requests for specific debugging information? Here's some interesting info:

(gdb) bt
#0 0x00000000004ce268 in Perl_sv_peek (sv=0x4141414141414141) at dump.c​:367
#1 0x00000000005d4dad in S_deb_stack_n (stack_base=0x7ffff7fe3c00,
  stack_min=<optimized out>, stack_max=3, mark_min=<optimized out>,
  mark_max=<optimized out>) at deb.c​:145
#2 0x00000000005d52d2 in Perl_deb_stack_all () at deb.c​:299
#3 0x00000000004d7890 in Perl_runops_debug () at dump.c​:2220
#4 0x0000000000451fe3 in S_run_body (oldscope=1) at perl.c​:2525
#5 perl_run (my_perl=<optimized out>) at perl.c​:2448
#6 0x00000000004208f5 in main (argc=<optimized out>, argv=<optimized out>,
  env=<optimized out>) at perlmain.c​:123
(gdb) f 1
#1 0x00000000005d4dad in S_deb_stack_n (stack_base=0x7ffff7fe3c00,
  stack_min=<optimized out>, stack_max=3, mark_min=<optimized out>,
  mark_max=<optimized out>) at deb.c​:145
145 PerlIO_printf(Perl_debug_log, "%-4s ", SvPEEK(stack_base[i]));
(gdb) p stack_base
$1 = (SV **) 0x7ffff7fe3c00
(gdb) p i
$2 = 3
(gdb) p stack_base[i]
$3 = (SV *) 0x4141414141414141
(gdb) p stack_base[i-1]
$4 = (SV *) 0x7ffff6851d60
(gdb) p *stack_base[i-1]
$5 = {sv_any = 0x7ffff6a41670, sv_refcnt = 2, sv_flags = 272647175, sv_u = {
  svu_pv = 0x7ffff65e4ff6 "aa", svu_iv = 140737326764022,
  svu_uv = 140737326764022, svu_nv = 6.9533478241637082e-310,
  svu_rv = 0x7ffff65e4ff6, svu_rx = 0x7ffff65e4ff6,
  svu_array = 0x7ffff65e4ff6, svu_hash = 0x7ffff65e4ff6,
  svu_gp = 0x7ffff65e4ff6, svu_fp = 0x7ffff65e4ff6}}
(gdb) p *stack_base[i-2]
$6 = {sv_any = 0x0, sv_refcnt = 994, sv_flags = 134283264, sv_u = {
  svu_pv = 0x0, svu_iv = 0, svu_uv = 0, svu_nv = 0, svu_rv = 0x0,
  svu_rx = 0x0, svu_array = 0x0, svu_hash = 0x0, svu_gp = 0x0,
  svu_fp = 0x0}}
(gdb) p stack_max
$7 = 3

%% WITH PRELOAD, RUN AND VALGRIND %%

dcollins@​nightshade64​:~/toolchain/perldebug$ LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so ./perl -Dvs -e '$_="aa"; s///ge'

EXECUTING...

STACK 0​: MAIN

STACK 0​: MAIN
  CX 0​: BLOCK =>

STACK 0​: MAIN
  CX 0​: BLOCK =>

STACK 0​: MAIN
  CX 0​: BLOCK => PV("aa"\0)

STACK 0​: MAIN
  CX 0​: BLOCK => PV("aa"\0) UNDEF

STACK 0​: MAIN
  CX 0​: BLOCK => PV("aa"\0)

STACK 0​: MAIN
  CX 0​: BLOCK =>

STACK 0​: MAIN
  CX 0​: BLOCK =>
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => PVMG("aa"\0)
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0)
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0)
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0) Segmentation fault

==51966== at 0x4CE268​: Perl_sv_peek (dump.c​:367)
==51966== by 0x5D4DAC​: S_deb_stack_n (deb.c​:145)
==51966== by 0x5D52D1​: Perl_deb_stack_all (deb.c​:299)
==51966== by 0x4D788F​: Perl_runops_debug (dump.c​:2220)
==51966== by 0x451FE2​: S_run_body (perl.c​:2525)
==51966== by 0x451FE2​: perl_run (perl.c​:2448)
==51966== by 0x4208F4​: main (perlmain.c​:123)
==51966== Address 0x414141414141414d is not stack'd, malloc'd or (recently) free'd
==51966==
==51966==
==51966== Process terminating with default action of signal 11 (SIGSEGV)
==51966== General Protection Fault
==51966== at 0x4CE268​: Perl_sv_peek (dump.c​:367)
==51966== by 0x5D4DAC​: S_deb_stack_n (deb.c​:145)
==51966== by 0x5D52D1​: Perl_deb_stack_all (deb.c​:299)
==51966== by 0x4D788F​: Perl_runops_debug (dump.c​:2220)
==51966== by 0x451FE2​: S_run_body (perl.c​:2525)
==51966== by 0x451FE2​: perl_run (perl.c​:2448)
==51966== by 0x4208F4​: main (perlmain.c​:123)
==51966==
==51966== HEAP SUMMARY​:
==51966== in use at exit​: 0 bytes in 0 blocks
==51966== total heap usage​: 0 allocs, 0 frees, 0 bytes allocated
==51966==
==51966== All heap blocks were freed -- no leaks are possible
==51966==
==51966== For counts of detected and suppressed errors, rerun with​: -v
==51966== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)
Segmentation fault

%% WITHOUT PRELOAD, RUN AND VALGRIND %%

EXECUTING...

STACK 0​: MAIN

STACK 0​: MAIN
  CX 0​: BLOCK =>

STACK 0​: MAIN
  CX 0​: BLOCK =>

STACK 0​: MAIN
  CX 0​: BLOCK => PV("aa"\0)

STACK 0​: MAIN
  CX 0​: BLOCK => PV("aa"\0) UNDEF

STACK 0​: MAIN
  CX 0​: BLOCK => PV("aa"\0)

STACK 0​: MAIN
  CX 0​: BLOCK =>

STACK 0​: MAIN
  CX 0​: BLOCK =>
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => PVMG("aa"\0)
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0)
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0)
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0) ==52640== Conditional jump or move depends on uninitialised value(s)
==52640== at 0x4CE255​: Perl_sv_peek (dump.c​:363)
==52640== by 0x5D4DAC​: S_deb_stack_n (deb.c​:145)
==52640== by 0x5D52D1​: Perl_deb_stack_all (deb.c​:299)
==52640== by 0x4D788F​: Perl_runops_debug (dump.c​:2220)
==52640== by 0x451FE2​: S_run_body (perl.c​:2525)
==52640== by 0x451FE2​: perl_run (perl.c​:2448)
==52640== by 0x4208F4​: main (perlmain.c​:123)
==52640==
VOID
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => SV_UNDEF PVMG("aa"\0) VOID
  CX 1​: SUBST =>

STACK 0​: MAIN
  CX 0​: BLOCK => IV(3)

==52640==
==52640== HEAP SUMMARY​:
==52640== in use at exit​: 113,078 bytes in 522 blocks
==52640== total heap usage​: 894 allocs, 372 frees, 153,306 bytes allocated
==52640==
==52640== LEAK SUMMARY​:
==52640== definitely lost​: 0 bytes in 0 blocks
==52640== indirectly lost​: 0 bytes in 0 blocks
==52640== possibly lost​: 0 bytes in 0 blocks
==52640== still reachable​: 113,078 bytes in 522 blocks
==52640== suppressed​: 0 bytes in 0 blocks
==52640== Rerun with --leak-check=full to see details of leaked memory
==52640==
==52640== For counts of detected and suppressed errors, rerun with​: -v
==52640== Use --track-origins=yes to see where uninitialised values come from
==52640== ERROR SUMMARY​: 2 errors from 1 contexts (suppressed​: 0 from 0)

%% WITH PRELOAD, GDB %%

Program received signal SIGSEGV, Segmentation fault.
0x00000000004ce268 in Perl_sv_peek (sv=0x4141414141414141) at dump.c​:367
367 else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
(gdb) info all-registers
rax 0x84403 541699
rbx 0x4141414141414141 4702111234474983745
rcx 0x7ffff6468ff6 140737325207542
rdx 0x0 0
rsi 0x619679 6395513
rdi 0x7ffff6468ff6 140737325207542
rbp 0x7ffff6851568 0x7ffff6851568
rsp 0x7fffffffe1a0 0x7fffffffe1a0
r8 0xffffff01 4294967041
r9 0x0 0
r10 0x22 34
r11 0x7ffff6c340d0 140737333379280
r12 0x0 0
r13 0x3 3
r14 0x7ffff7fe3c00 140737354021888
r15 0x7ffff646eff0 140737325232112
rip 0x4ce268 0x4ce268 <Perl_sv_peek+56>
eflags 0x10212 [ AF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb)
(gdb) disassemble
Dump of assembler code for function Perl_sv_peek​:
  0x00000000004ce230 <+0>​: push %r14
  0x00000000004ce232 <+2>​: push %r13
  0x00000000004ce234 <+4>​: push %r12
  0x00000000004ce236 <+6>​: push %rbp
  0x00000000004ce237 <+7>​: push %rbx
  0x00000000004ce238 <+8>​: mov %rdi,%rbx
  0x00000000004ce23b <+11>​: callq 0x514b50 <Perl_sv_newmortal>
  0x00000000004ce240 <+16>​: xor %edx,%edx
  0x00000000004ce242 <+18>​: mov $0x619679,%esi
  0x00000000004ce247 <+23>​: mov %rax,%rdi
  0x00000000004ce24a <+26>​: mov %rax,%rbp
  0x00000000004ce24d <+29>​: callq 0x5306c0 <Perl_sv_setpvn>
  0x00000000004ce252 <+34>​: test %rbx,%rbx
  0x00000000004ce255 <+37>​: je 0x4cec18 <Perl_sv_peek+2536>
  0x00000000004ce25b <+43>​: cmp $0x55555555,%rbx
  0x00000000004ce262 <+50>​: je 0x4ceb07 <Perl_sv_peek+2263>
=> 0x00000000004ce268 <+56>​: cmpb $0x55,0xc(%rbx)
  0x00000000004ce26c <+60>​: je 0x4ceb07 <Perl_sv_peek+2263>
  0x00000000004ce272 <+66>​: xor %r12d,%r12d
  0x00000000004ce275 <+69>​: nopl (%rax)
  0x00000000004ce278 <+72>​: cmp $0x923e80,%rbx
  0x00000000004ce27f <+79>​: je 0x4ce860 <Perl_sv_peek+1584>
  0x00000000004ce285 <+85>​: cmp $0x924000,%rbx
  0x00000000004ce28c <+92>​: sete %dl
  0x00000000004ce28f <+95>​: cmp $0x924550,%rbx
  0x00000000004ce296 <+102>​: sete %al
  0x00000000004ce299 <+105>​: or %al,%dl
  0x00000000004ce29b <+107>​: jne 0x4ce4d0 <Perl_sv_peek+672>
  0x00000000004ce2a1 <+113>​: cmp $0x923f00,%rbx
  0x00000000004ce2a8 <+120>​: je 0x4ce4d0 <Perl_sv_peek+672>
  0x00000000004ce2ae <+126>​: mov 0x8(%rbx),%edx
  0x00000000004ce2b1 <+129>​: test %edx,%edx
  0x00000000004ce2b3 <+131>​: je 0x4ce718 <Perl_sv_peek+1256>
  0x00000000004ce2b9 <+137>​: mov 0x455e51(%rip),%eax # 0x924110 <PL_debug>
  0x00000000004ce2bf <+143>​: test $0x40000,%eax
  0x00000000004ce2c4 <+148>​: je 0x4ce315 <Perl_sv_peek+229>
  0x00000000004ce2c6 <+150>​: mov 0x453dab(%rip),%rax # 0x922078 <PL_tmps_ix>
  0x00000000004ce2cd <+157>​: test %rax,%rax
  0x00000000004ce2d0 <+160>​: js 0x4ce2fc <Perl_sv_peek+204>
  0x00000000004ce2d2 <+162>​: mov 0x455d77(%rip),%rcx # 0x924050 <PL_tmps_stack>
  0x00000000004ce2d9 <+169>​: cmp %rbx,(%rcx,%rax,8)
  0x00000000004ce2dd <+173>​: jne 0x4ce2f2 <Perl_sv_peek+194>

--
Respectfully,
Dan Collins
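To make the mechanism in the traces above concrete, here is an added C example (editor's illustration, not Perl's code and not a fix from this ticket): a minimal stack dumper that, like sv_peek at dump.c:367, recognises only the 0x55/'U' pattern before dereferencing, beside a variant that also recognises an allocator fill pattern, so the slot at stack_max that was never written is reported instead of faulting. The SV layout, the 0x41 fill byte and the three-slot stack are constructed assumptions modelled on the gdb output; zero-filling the non-poisoned stack stands in for whatever plain malloc happens to return.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the head of a Perl SV (constructed for this example). The type
 * lives in the low byte of sv_flags; that byte is what SvTYPE(sv) reads and
 * what the faulting "cmpb $0x55,0xc(%rbx)" in the disassembly compares. */
typedef struct sv {
    void    *sv_any;
    uint32_t sv_refcnt;
    uint32_t sv_flags;
} SV;

#define SVTYPE(sv) ((char)((sv)->sv_flags & 0xffu))

/* Fill byte a libdislocator-style allocator writes into fresh memory, so an
 * unwritten pointer slot reads as 0x4141414141414141 rather than as leftover
 * data from the previous owner of that block. */
#define POISON_BYTE 0x41

uintptr_t poison_word(void)
{
    uintptr_t w = 0;
    for (size_t i = 0; i < sizeof w; i++)
        w = (w << 8) | POISON_BYTE;
    return w;
}

/* Allocate n SV* slots. poison=1 behaves like the fuzzing allocator; poison=0
 * zeroes the block only to keep the example deterministic (plain malloc hands
 * back arbitrary bytes, which is why valgrind reports an uninitialised
 * conditional jump there instead of a crash). */
SV **alloc_stack(size_t n, int poison)
{
    SV **s = malloc(n * sizeof *s);
    if (!s)
        abort();
    memset(s, poison ? POISON_BYTE : 0, n * sizeof *s);
    return s;
}

enum peek { PEEK_NULL, PEEK_FREED, PEEK_POISON, PEEK_LIVE };

/* Mirrors the check at dump.c:367: only the 0x55/'U' pattern is recognised
 * without trusting the pointer; every other non-NULL value is dereferenced. */
enum peek peek_unsafe(const SV *sv)
{
    if (!sv)
        return PEEK_NULL;
    if (sv == (const SV *)(uintptr_t)0x55555555 || SVTYPE(sv) == 'U') /* reads *sv */
        return PEEK_FREED;
    return PEEK_LIVE;
}

/* Hardened variant (an assumption of this example, not Perl's fix): compare
 * the pointer value against the allocator's fill pattern before touching
 * memory, so the dumper reports an unwritten slot instead of faulting. */
enum peek peek_safe(const SV *sv)
{
    if (!sv)
        return PEEK_NULL;
    if ((uintptr_t)sv == poison_word())
        return PEEK_POISON;
    if (sv == (const SV *)(uintptr_t)0x55555555 || SVTYPE(sv) == 'U')
        return PEEK_FREED;
    return PEEK_LIVE;
}

/* Walks base[stack_min..stack_max] inclusive, the way S_deb_stack_n does,
 * records each slot's classification in out[] (sized >= stack_max + 1) and
 * returns how many slots were never written. */
int dump_stack(SV **base, int stack_min, int stack_max, enum peek *out)
{
    int unwritten = 0;
    for (int i = stack_min; i <= stack_max; i++) {
        out[i] = peek_safe(base[i]);
        if (out[i] == PEEK_POISON)
            unwritten++;
    }
    return unwritten;
}

/* Reproduces the shape of the gdb session: slots 0..2 hold real SVs, but the
 * dumper is asked to walk up to stack_max == 3, one past the last write. */
int scenario(int poison, enum peek out[4])
{
    SV **stack = alloc_stack(8, poison);
    static SV undef = { NULL, 1, 0 };      /* constructed */
    static SV pv    = { NULL, 2, 0x04 };   /* constructed */
    stack[0] = &undef;
    stack[1] = &undef;
    stack[2] = &pv;
    int n = dump_stack(stack, 0, 3, out);
    free(stack);
    return n;
}

int main(void)
{
    enum peek out[4];
    printf("poisoned allocator: %d unwritten slot(s)\n", scenario(1, out));
    printf("zeroed allocator:   %d unwritten slot(s)\n", scenario(0, out));
    return 0;
}
```

With the fill pattern in place the dumper reports one unwritten slot; with a zeroed block the same slot reads as NULL and the overshoot goes unnoticed, which is the difference between the two valgrind runs above.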

  0xffffffffffffffffffffffffffffffff, 0x00000000000000000000000000000000}}
ymm10 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_double = {0x8000000000000000, 0x0, 0x0, 0x0}, v32_int8 = {0xff, 0xff,
  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x0, 0xff, 0xff, 0xff,
  0x0 <repeats 20 times>}, v16_int16 = {0xffff, 0xffff, 0xffff, 0xffff,
  0xff00, 0xffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v8_int32 = {0xffffffff, 0xffffffff, 0xffffff00, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_int64 = {0xffffffffffffffff, 0xffffff00, 0x0, 0x0}, v2_int128 = {
  0x00000000ffffff00ffffffffffffffff, 0x00000000000000000000000000000000}}
ymm11 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 12 times>, 0xff,
  0x0 <repeats 19 times>}, v16_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff,
  0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0x0, 0x0,
  0xff, 0x0, 0x0, 0x0, 0x0}, v4_int64 = {0x0, 0xff00000000, 0x0, 0x0},
  v2_int128 = {0x000000ff000000000000000000000000,
  0x00000000000000000000000000000000}}
ymm12 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0,
  0xff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0xff, 0x0 <repeats 18 times>},
  v16_int16 = {0x0, 0x0, 0x0, 0xff, 0x0, 0x0, 0xff00, 0x0, 0x0, 0x0, 0x0,
  0x0, 0x0, 0x0, 0x0, 0x0}, v8_int32 = {0x0, 0xff0000, 0x0, 0xff00, 0x0,
  0x0, 0x0, 0x0}, v4_int64 = {0xff000000000000, 0xff0000000000, 0x0, 0x0},
---Type <return> to continue, or q <return> to quit---
  v2_int128 = {0x0000ff000000000000ff000000000000,
  0x00000000000000000000000000000000}}
ymm13 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0,
  0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
  0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm14 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0,
  0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
  0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
ymm15 {v8_float = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0},
  v4_double = {0x0, 0x0, 0x0, 0x0}, v32_int8 = {0x0 <repeats 32 times>},
  v16_int16 = {0x0 <repeats 16 times>}, v8_int32 = {0x0, 0x0, 0x0, 0x0, 0x0,
  0x0, 0x0, 0x0}, v4_int64 = {0x0, 0x0, 0x0, 0x0}, v2_int128 = {
  0x00000000000000000000000000000000, 0x00000000000000000000000000000000}}
(gdb)
(gdb) disassemble
Dump of assembler code for function Perl_sv_peek:
  0x00000000004ce230 <+0>: push %r14
  0x00000000004ce232 <+2>: push %r13
  0x00000000004ce234 <+4>: push %r12
  0x00000000004ce236 <+6>: push %rbp
  0x00000000004ce237 <+7>: push %rbx
  0x00000000004ce238 <+8>: mov %rdi,%rbx
  0x00000000004ce23b <+11>: callq 0x514b50 <Perl_sv_newmortal>
  0x00000000004ce240 <+16>: xor %edx,%edx
  0x00000000004ce242 <+18>: mov $0x619679,%esi
  0x00000000004ce247 <+23>: mov %rax,%rdi
  0x00000000004ce24a <+26>: mov %rax,%rbp
  0x00000000004ce24d <+29>: callq 0x5306c0 <Perl_sv_setpvn>
  0x00000000004ce252 <+34>: test %rbx,%rbx
  0x00000000004ce255 <+37>: je 0x4cec18 <Perl_sv_peek+2536>
  0x00000000004ce25b <+43>: cmp $0x55555555,%rbx
  0x00000000004ce262 <+50>: je 0x4ceb07 <Perl_sv_peek+2263>
=> 0x00000000004ce268 <+56>: cmpb $0x55,0xc(%rbx)
  0x00000000004ce26c <+60>: je 0x4ceb07 <Perl_sv_peek+2263>
  0x00000000004ce272 <+66>: xor %r12d,%r12d
  0x00000000004ce275 <+69>: nopl (%rax)
  0x00000000004ce278 <+72>: cmp $0x923e80,%rbx
  0x00000000004ce27f <+79>: je 0x4ce860 <Perl_sv_peek+1584>
  0x00000000004ce285 <+85>: cmp $0x924000,%rbx
  0x00000000004ce28c <+92>: sete %dl
  0x00000000004ce28f <+95>: cmp $0x924550,%rbx
  0x00000000004ce296 <+102>: sete %al
  0x00000000004ce299 <+105>: or %al,%dl
  0x00000000004ce29b <+107>: jne 0x4ce4d0 <Perl_sv_peek+672>
  0x00000000004ce2a1 <+113>: cmp $0x923f00,%rbx
  0x00000000004ce2a8 <+120>: je 0x4ce4d0 <Perl_sv_peek+672>
  0x00000000004ce2ae <+126>: mov 0x8(%rbx),%edx
  0x00000000004ce2b1 <+129>: test %edx,%edx
  0x00000000004ce2b3 <+131>: je 0x4ce718 <Perl_sv_peek+1256>
  0x00000000004ce2b9 <+137>: mov 0x455e51(%rip),%eax # 0x924110 <PL_debug>
  0x00000000004ce2bf <+143>: test $0x40000,%eax
  0x00000000004ce2c4 <+148>: je 0x4ce315 <Perl_sv_peek+229>
  0x00000000004ce2c6 <+150>: mov 0x453dab(%rip),%rax # 0x922078 <PL_tmps_ix>
  0x00000000004ce2cd <+157>: test %rax,%rax
  0x00000000004ce2d0 <+160>: js 0x4ce2fc <Perl_sv_peek+204>
  0x00000000004ce2d2 <+162>: mov 0x455d77(%rip),%rcx # 0x924050 <PL_tmps_stack>
  0x00000000004ce2d9 <+169>: cmp %rbx,(%rcx,%rax,8)
  0x00000000004ce2dd <+173>: jne 0x4ce2f2 <Perl_sv_peek+194>

--
Respectfully,
Dan Collins

@p5pRT

p5pRT commented Aug 22, 2016

From @tonycoz

On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:

Brian 'geeknik' Carpenter wrote:

3350 lines of debugging output before the Bus error happens.

No smoking gun there.

Please try reducing the debugging flags, to find the minimum set that
will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
eight flags.

I reduced the -D flags to -Dsv and FatherC's simplification also
reproduces the problem:

#!perl -Dsv
$_='q0' and s///ge

tony@mars:.../git/perl$ LD_PRELOAD=/home/tony/local/afl-2.32b/lib/afl/libdislocator.so gdb --args ./perl ../129029b.pl
...
STACK 0: MAIN
  CX 0: BLOCK => SV_UNDEF PVMG("q0"\0)
Program received signal SIGSEGV, Segmentation fault.
0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
367 else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
(gdb) bt
#0 0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
#1 0x00000000006fd776 in S_deb_stack_n (stack_base=0x7ffff7fe4c00,
  stack_min=0, stack_max=3, mark_min=0, mark_max=0) at deb.c:145
#2 0x00000000006fdb37 in Perl_deb_stack_all () at deb.c:299
#3 0x0000000000558fbf in Perl_runops_debug () at dump.c:2220
#4 0x0000000000462a95 in S_run_body (oldscope=1) at perl.c:2525
#5 0x00000000004620c0 in perl_run (my_perl=0x7ffff7ff4fff) at perl.c:2448
#6 0x000000000041efde in main (argc=2, argv=0x7fffffffe838,
  env=0x7fffffffe850) at perlmain.c:123

valgrind reports:

...
STACK 0: MAIN
  CX 0: BLOCK => SV_UNDEF PVMG("q0"\0) ==13721== Conditional jump or move depends on uninitialised value(s)
==13721== at 0x544F2D: Perl_sv_peek (dump.c:363)
==13721== by 0x6FD775: S_deb_stack_n (deb.c:145)
==13721== by 0x6FDB36: Perl_deb_stack_all (deb.c:299)
==13721== by 0x558FBE: Perl_runops_debug (dump.c:2220)
==13721== by 0x462A94: S_run_body (perl.c:2525)
==13721== by 0x4620BF: perl_run (perl.c:2448)
==13721== by 0x41EFDD: main (perlmain.c:123)
==13721==
VOID
  CX 1: SUBST =>
...

Tony

@p5pRT

p5pRT commented Aug 22, 2016

From @tonycoz

On Sun Aug 21 23:09:44 2016, tonyc wrote:

On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:

Brian 'geeknik' Carpenter wrote:

3350 lines of debugging output before the Bus error happens.

No smoking gun there.

Please try reducing the debugging flags, to find the minimum set that
will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
eight flags.

I reduced the -D flags to -Dsv and FatherC's simplification also
reproduces the problem:

I forgot to say, this was uninstrumented, not even -fsanitize, just:

config_args='-des -Dusedevel -DDEBUGGING -Doptimize=-g -O0'

Tony

@p5pRT

p5pRT commented Aug 22, 2016

From @geeknik

From the author of AFL (Michal Zalewski):

"From the non-optimized stack trace near the end:

0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367

0x41 is a pattern used by libdislocator.so to initialize any memory
returned by malloc(). In short, malloc() is not guaranteed to return
zero-initialized memory, and libdislocator.so tries to improve the
odds of finding bugs by making sure that it *never* returns zeroed
data =) The same logic kicks in for realloc() for padding any upsized
buffers.

Of course, it's possible that there's a bug in libdislocator.so, too..."
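
To make the allocator behaviour described in that quote concrete, here is an added C example; it is not libdislocator's code and not perl's. A constructed malloc wrapper fills every allocation with 0x41, a small SV-like constructor forgets to initialise one pointer field, and a check recognises the resulting all-0x41 pointer by inspecting its bytes rather than dereferencing it. The struct layout, the function names and the check itself are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill byte chosen to match the 0x41 ('A') pattern described above.
 * This wrapper is a constructed stand-in for a poisoning allocator. */
#define POISON_BYTE 0x41

static void *poison_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        memset(p, POISON_BYTE, n);   /* never hand back zeroed memory */
    return p;
}

/* A small SV-like record; the layout is an assumption for the example. */
struct sv_like {
    uint32_t refcnt;
    uint32_t flags;
    void    *body;
};

/* Buggy constructor: writes two fields and forgets 'body'. With an
 * allocator that happens to return zeroed memory the bug hides as a
 * NULL body; with poisoning it becomes a 0x4141414141414141 pointer. */
static struct sv_like *new_sv_buggy(void)
{
    struct sv_like *sv = poison_malloc(sizeof *sv);
    if (!sv)
        return NULL;
    sv->refcnt = 1;
    sv->flags = 0;
    return sv;
}

/* Fixed constructor: every field is written before the object escapes. */
static struct sv_like *new_sv_fixed(void)
{
    struct sv_like *sv = poison_malloc(sizeof *sv);
    if (!sv)
        return NULL;
    sv->refcnt = 1;
    sv->flags = 0;
    sv->body = NULL;
    return sv;
}

/* 1 when every byte of the pointer is the poison byte, i.e. the field was
 * never written after allocation. Looking at the bytes instead of
 * dereferencing lets a harness report the bug without crashing. */
static int is_poison_pointer(const void *p)
{
    unsigned char bytes[sizeof p];
    memcpy(bytes, &p, sizeof p);
    for (size_t i = 0; i < sizeof p; i++)
        if (bytes[i] != POISON_BYTE)
            return 0;
    return 1;
}

/* Build one object with the given constructor and report whether its
 * body pointer still carries the allocator's poison (-1 on OOM). */
int body_is_poisoned(struct sv_like *(*ctor)(void))
{
    struct sv_like *sv = ctor();
    int r = sv ? is_poison_pointer(sv->body) : -1;
    free(sv);
    return r;
}

int main(void)
{
    printf("buggy ctor leaves poison in body: %d\n", body_is_poisoned(new_sv_buggy));
    printf("fixed ctor leaves poison in body: %d\n", body_is_poisoned(new_sv_fixed));
    return 0;
}
```

The point of the check is the same one the quote makes: a debugger that sees a pointer made entirely of the fill byte is looking at memory that was allocated but never written, which narrows the search to the code that should have initialised it.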

@p5pRT

p5pRT commented Aug 22, 2016

From zefram@fysh.org

Dan Collins via RT wrote:

However, I wasn't trivially able to find any point in the program
where `ds` had any value in it.

It seems I was wrong about that bit. I know about x86, but not so
much specifically about x86_64. Turns out it's normal to have %ds et
al clear. I'm not sure what determines the segment, but %ds being clear
isn't the problem.

In your case, the cause of the crash is clear. You have
0x4141414141414141 ('AAAAAAAA') as a pointer value, and you try to read
through it. This causes the expected SIGSEGV, for reading unmapped
memory. Brian's pointer was also wild. Experimentally, if I try reads
with the exact pointer values and offsets that the two of you show,
I get SIGSEGV in both cases.

-zefram

@p5pRT

p5pRT commented Aug 25, 2016

From @iabyn

On Sun, Aug 21, 2016 at 11:09:44PM -0700, Tony Cook via RT wrote:

On Sun Aug 21 20:19:48 2016, zefram@fysh.org wrote:

Brian 'geeknik' Carpenter wrote:

3350 lines of debugging output before the Bus error happens.

No smoking gun there.

Please try reducing the debugging flags, to find the minimum set that
will cause the SIGBUS. Your -D2000002 (which is decimal) amounts to
eight flags.

I reduced the -D flags to -Dsv and FatherC's simplification also
reproduces the problem:

#!perl -Dsv
$_='q0' and s///ge

tony@mars:.../git/perl$ LD_PRELOAD=/home/tony/local/afl-2.32b/lib/afl/libdislocator.so gdb --args ./perl ../129029b.pl
...
STACK 0: MAIN
CX 0: BLOCK => SV_UNDEF PVMG("q0"\0)
Program received signal SIGSEGV, Segmentation fault.
0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
367 else if (sv == (const SV *)0x55555555 || ((char)SvTYPE(sv)) == 'U') {
(gdb) bt
#0 0x0000000000544f5c in Perl_sv_peek (sv=0x4141414141414141) at dump.c:367
#1 0x00000000006fd776 in S_deb_stack_n (stack_base=0x7ffff7fe4c00,
stack_min=0, stack_max=3, mark_min=0, mark_max=0) at deb.c:145
#2 0x00000000006fdb37 in Perl_deb_stack_all () at deb.c:299
#3 0x0000000000558fbf in Perl_runops_debug () at dump.c:2220
#4 0x0000000000462a95 in S_run_body (oldscope=1) at perl.c:2525
#5 0x00000000004620c0 in perl_run (my_perl=0x7ffff7ff4fff) at perl.c:2448
#6 0x000000000041efde in main (argc=2, argv=0x7fffffffe838,
env=0x7fffffffe850) at perlmain.c:123

Now fixed with:

commit 5ef7108
Author: David Mitchell <davem@iabyn.com>
AuthorDate: Wed Aug 24 16:28:00 2016 +0100
Commit: David Mitchell <davem@iabyn.com>
CommitDate: Thu Aug 25 16:03:16 2016 +0100

  Perl_deb_stack_all() - handle CXt_SUBST better
 
  RT #129029
 
  There's a loop which skips CXt_SUBST context entries - but it
  wasn't checking that the *current* cx is that type, but instead
  was always checking the base cx and was effectively a noop
 
  Also fixup a few code comments in that function.

--
"Strange women lying in ponds distributing swords is no basis for a system
of government. Supreme executive power derives from a mandate from the
masses, not from some farcical aquatic ceremony."
  -- Dennis, "Monty Python and the Holy Grail"
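
The defect the commit message describes, a skip loop whose condition tests the base context entry instead of the entry the loop is currently on, as an added C example that is not perl's code: a constructed context-stack model with the buggy walk next to the fixed one. The enum values, the struct, the `stack_valid` flag and the sample stack are assumptions made for this example; the sample stack only mirrors the BLOCK-then-SUBST shape of the -Dsv output quoted above.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a context stack. The enum, the struct and the
 * sample below are assumptions for this example, not perl's CXt_* types. */
enum cx_type { CXt_BLOCK = 0, CXt_SUB = 1, CXt_SUBST = 2 };

struct ctx {
    enum cx_type type;
    int          stack_valid;  /* constructed flag: 1 if a dumper may read this frame's saved stack */
};

/* Buggy walk. It is meant to step down past SUBST frames, but the
 * condition reads base->type, i.e. entry 0, on every iteration instead
 * of base[i].type. Unless entry 0 itself is SUBST the loop never runs,
 * so the caller is left on a SUBST frame it intended to skip. */
static size_t innermost_non_subst_buggy(const struct ctx *base, size_t top)
{
    size_t i = top;
    while (i > 0 && base->type == CXt_SUBST)
        i--;
    return i;
}

/* Fixed walk: test the entry the index currently points at. */
static size_t innermost_non_subst_fixed(const struct ctx *base, size_t top)
{
    size_t i = top;
    while (i > 0 && base[i].type == CXt_SUBST)
        i--;
    return i;
}

/* Constructed sample stack shaped like the -Dsv output: a BLOCK at CX 0
 * with SUBST frames pushed above it. */
static const struct ctx sample_stack[] = {
    { CXt_BLOCK, 1 },
    { CXt_SUBST, 0 },
    { CXt_SUBST, 0 },
};
#define SAMPLE_TOP (sizeof sample_stack / sizeof sample_stack[0] - 1)

/* Type of the frame each version lands on for the sample stack. */
enum cx_type landed_type_buggy(void)
{
    return sample_stack[innermost_non_subst_buggy(sample_stack, SAMPLE_TOP)].type;
}

enum cx_type landed_type_fixed(void)
{
    return sample_stack[innermost_non_subst_fixed(sample_stack, SAMPLE_TOP)].type;
}

/* 1 if the chosen frame is one a dumper may read from, else 0. */
int landed_frame_is_safe(int use_fixed)
{
    size_t i = use_fixed ? innermost_non_subst_fixed(sample_stack, SAMPLE_TOP)
                         : innermost_non_subst_buggy(sample_stack, SAMPLE_TOP);
    return sample_stack[i].stack_valid;
}

int main(void)
{
    printf("buggy walk lands on type %d (safe=%d)\n",
           (int)landed_type_buggy(), landed_frame_is_safe(0));
    printf("fixed walk lands on type %d (safe=%d)\n",
           (int)landed_type_fixed(), landed_frame_is_safe(1));
    return 0;
}
```

The buggy version compiles cleanly and reads correctly at a glance, which is why a poisoning allocator or valgrind, rather than code review, is what surfaced it: the loop is a no-op, so the dumper goes on to read saved stack pointers from a frame that never had meaningful ones.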

@p5pRT

p5pRT commented Aug 26, 2016

@iabyn - Status changed from 'open' to 'pending release'

@p5pRT

p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

@p5pRT

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'
