
op.c:13088: void S_maybe_multideref(OP *, OP *, UV, U8): Assertion `!(o->op_flags & ~(3|128))' failed. #16029

Open

p5pRT opened this issue Jun 22, 2017 · 3 comments

p5pRT commented Jun 22, 2017

Migrated from rt.perl.org#131627 (status was 'open')

Searchable as RT131627$


p5pRT commented Jun 22, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
under libdislocator, I found the following program

m!$0{qw/0/->@*}!

to cause an assertion failure, even when run under -c for a syntax
check. GDB info about the crash location is:

gdb$ bt
#0 __GI_raise (sig=sig@entry=0x6) at ../sysdeps/unix/sysv/linux/raise.c:51
#1 0x00007f581c96c3fa in __GI_abort () at abort.c:89
#2 0x00007f581c963e37 in __assert_fail_base (fmt=<optimized out>,
assertion=assertion@entry=0x564edf332d0e "!(o->op_flags & ~(3|128))",
file=file@entry=0x564edf32cf2e "op.c", line=line@entry=0x3320,
function=function@entry=0x564edf3348a0 <__PRETTY_FUNCTION__.19849>
"S_maybe_multideref") at assert.c:92
#3 0x00007f581c963ee2 in __GI___assert_fail (assertion=0x564edf332d0e
"!(o->op_flags & ~(3|128))", file=0x564edf32cf2e "op.c", line=0x3320,
function=0x564edf3348a0 <__PRETTY_FUNCTION__.19849>
"S_maybe_multideref") at assert.c:101
#4 0x0000564edf00b36f in S_maybe_multideref (start=0x564edf7e07b8,
orig_o=0x564edf7e0738, orig_action=0xd, hints=0x0) at op.c:13088
#5 0x0000564edf00c97c in Perl_rpeep (o=0x564edf7e07b8) at op.c:13798
#6 0x0000564edf00fedf in Perl_peep (o=0x564edf7e0b50) at op.c:14819
#7 0x0000564edefda649 in S_process_optree (cv=0x0,
optree=0x564edf7e0b88, start=0x564edf7e0b50) at op.c:2475
#8 0x0000564edefe173f in Perl_newPROG (o=0x564edf7e0b88) at op.c:4303
#9 0x0000564edf09760c in Perl_yyparse (gramtype=0x102) at perly.y:124
#10 0x0000564edf018d4c in S_parse_body (env=0x0, xsinit=0x564edefd1fe8
<xs_init>) at perl.c:2401
#11 0x0000564edf0170b1 in perl_parse (my_perl=0x564edf7b6010,
xsinit=0x564edefd1fe8 <xs_init>, argc=0x2, argv=0x7ffff1567488,
env=0x0) at perl.c:1719
#12 0x0000564edefd1f26 in main (argc=0x2, argv=0x7ffff1567488,
env=0x7ffff15674a0) at perlmain.c:121
gdb$ up 4
#4 0x0000564edf00b36f in S_maybe_multideref (start=0x564edf7e07b8,
orig_o=0x564edf7e0738, orig_action=0xd, hints=0x0) at op.c:13088
13088 ASSUME(!(o->op_flags & ~(OPf_WANT|OPf_SPECIAL)));
gdb$ p o->op_flags
$1 = 0xa

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.27.1:

Configured by root at Sun May 28 01:44:41 MSK 2017.

Summary of my perl5 (revision 5 version 26 subversion 0) configuration:
  Derived from: 4c95ee9f298c2edfc1382d540ff89288790e78b6
  Platform:
    osname=linux
    osvers=4.9.0-3-amd64
    archname=x86_64-linux
    uname='linux dorothy 4.9.0-3-amd64 #1 smp debian 4.9.25-1
(2017-05-02) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3 -fno-omit-frame-pointer'
    hint=previous
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3 -fno-omit-frame-pointer'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -fno-omit-frame-pointer
-L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
    uncommitted-changes


@INC for perl 5.27.1:
    lib
    /usr/local/lib/perl5/site_perl/5.26.0/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.26.0
    /usr/local/lib/perl5/5.26.0/x86_64-linux
    /usr/local/lib/perl5/5.26.0


Environment for perl 5.27.1:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LC_CTYPE=en_US.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.24.1-dbg/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.24.1-dbg/bin
    PERLBREW_PERL=perl-5.24.1-dbg
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh
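The reproduce-and-backtrace step described in the report above, as an added triage script that is not part of the original report or of perl itself: it runs each fuzzer-found input under `perl -c` exactly as the reporter did, classifies the exit status (SIGABRT from a failed assertion versus SIGSEGV, timeout, or a plain compile error), and collects a gdb backtrace for the inputs that die by signal. The `$PERL`, `$CRASH_DIR` and `$TIMEOUT_SECS` variables, the `--repro` switch and the dependency on coreutils `timeout` and `gdb` are my assumptions, not anything in the report.

```sh
#!/bin/sh
# Added triage helper (not part of the original report or of perl itself).
# It follows the report's workflow: run each fuzzer-found input under
# `perl -c`, classify how the process died, and pull a gdb backtrace for
# the aborting ones. Assumptions, all mine and not from the page: the perl
# under test is $PERL (ideally a -DDEBUGGING build so ASSUME() is a real
# assert), crash inputs live in $CRASH_DIR, and gdb/timeout are on PATH.

PERL="${PERL:-perl}"
CRASH_DIR="${CRASH_DIR:-./afl_out/crashes}"
TIMEOUT_SECS="${TIMEOUT_SECS:-10}"

# Write the reproducer from the report to the given path, so a single
# known-bad input can be triaged without an AFL corpus.
write_reproducer() {
    printf '%s\n' 'm!$0{qw/0/->@*}!' > "$1"
}

# Map a shell exit status to a cause. A process killed by signal N is
# reported as 128+N, so SIGABRT (6) from a failed assertion is 134 and
# SIGSEGV (11) is 139; 124 is what coreutils `timeout` returns on expiry,
# and perl exits 255 for an ordinary compile error, which is not a crash.
classify_status() {
    case "$1" in
        0)   echo "clean" ;;
        124) echo "timeout" ;;
        134) echo "SIGABRT (assertion/abort)" ;;
        139) echo "SIGSEGV (memory fault)" ;;
        255) echo "perl error (not a crash)" ;;
        *)   echo "exit $1" ;;
    esac
}

# Syntax-check one input, as the report does with -c, and print perl's
# exit status. Output is discarded; the status is what gets classified.
check_one() {
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$TIMEOUT_SECS" "$PERL" -c -- "$1" >/dev/null 2>&1 || status=$?
    else
        "$PERL" -c -- "$1" >/dev/null 2>&1 || status=$?
    fi
    echo "$status"
}

# Backtrace for an input that aborts: run it under gdb in batch mode and
# keep only the frame lines (the ones starting with "#N").
backtrace_one() {
    gdb -q -batch -ex run -ex bt --args "$PERL" -c -- "$1" 2>&1 | grep '^#[0-9]'
}

# Walk the crash directory and print one "cause<TAB>file" line per input,
# followed by the top frames for anything that died by signal.
triage_dir() {
    for f in "$CRASH_DIR"/*; do
        [ -f "$f" ] || continue
        status=$(check_one "$f")
        printf '%s\t%s\n' "$(classify_status "$status")" "$f"
        case "$status" in
            134|139) backtrace_one "$f" | head -n 12 ;;
        esac
    done
}

# Usage: sh triage.sh <crash_dir>   triage every file in the directory
#        sh triage.sh --repro       triage only the report's reproducer
# With no argument the script just defines the functions above.
case "${1:-}" in
    "")      ;;
    --repro) CRASH_DIR=$(mktemp -d)
             write_reproducer "$CRASH_DIR/rt131627.pl"
             triage_dir ;;
    *)       CRASH_DIR=$1
             triage_dir ;;
esac
```

Run it against a DEBUGGING perl (-DDEBUGGING, as in the configuration above): ASSUME() is only an assert() in such builds and is an optimizer hint in a release build, so the same input may pass -c silently or fail somewhere else there, which is itself worth noting in a report. Since the backtrace shows the abort inside Perl_peep called from Perl_newPROG during parsing, -c is enough to reach the bug; nothing from the program ever has to execute.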


p5pRT commented Jun 22, 2017

From @ilmari

Sergey Aleynikov (via RT) <perlbug-followup@perl.org> writes:

> While fuzzing perl v5.27.1-37-g4c95ee9f29 built with afl and run
> under libdislocator, I found the following program
>
> m!$0{qw/0/->@*}!
> […]
> #4 0x0000564edf00b36f in S_maybe_multideref (start=0x564edf7e07b8,
> orig_o=0x564edf7e0738, orig_action=0xd, hints=0x0) at op.c:13088
> 13088 ASSUME(!(o->op_flags & ~(OPf_WANT|OPf_SPECIAL)));
> gdb$ p o->op_flags
> $1 = 0xa

The offending flag is OPf_PARENS, which is to indicate that the OP_GV
came from a qw() rather than a plain scalar value. Including that flag
in the ASSUME() and in the below test for OPf_WANT_SCALAR not only fixes
this assert, but allows multideref to do its thing with this (which I
added as a test)​:

  use Test::More tests => 1;   # stand-alone; in perl's own t/ suite is() comes from t/test.pl

  @x = (10..12);
  $i = 1;

  is $x[qw(i)->$*], 11, 'RT #131627: $a[qw(i)->$*]';

Pushed as commit e13dc88.

The fact that the above works under strict 'refs' is a separate bug,
which I intend to address shortly unless someone feels like beating me
to it.

--
"The surreality of the universe tends towards a maximum" -- Skud's Law
"Never formulate a law or axiom that you're not prepared to live with
the consequences of." -- Skud's Meta-Law


p5pRT commented Jun 22, 2017

The RT System itself - Status changed from 'new' to 'open'
