Segfault in Perl_yyparse with minimized test case from #123801 #14497
Comments
From @geeknik:
Built v5.21.9 (v5.21.8-286-g534577b) using the following command line:
./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j6 test-prep
Bug found with AFL (http://lcamtuf.coredump.cx/afl). I used afl-tmin to minimize the test case from #123801, which caused this segfault to happen instead of aborting.
Program received signal SIGSEGV, Segmentation fault.
Test case hexdump:
Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, libc 3.2.65-1+deb7u1 x86_6, gcc 4.9.2

From @geeknik:
Valgrind output:
==24607== Invalid read of size 4

From @hvds:
I'm getting the [perl #123801] assert failure, using the minimized testcase in this ticket:
./miniperl -e '/$0{}/'
The assertion is happening inside SvIVX around toke.c:4550 in blead:
/* m'foo' still needs to be parsed for possible (?{...}) */
.. where PL_linestr looks like:
(gdb) p /x *PL_parser->linestr
The assert is complaining that sv is of type PV, so it isn't valid to call SvIVX on it. I've managed to establish that sv isn't coming from a newSV_type() call, but that's as far as I've got so far.
Hugo
The RT System itself - Status changed from 'new' to 'open'

From @cpansprout:
On Fri Feb 13 16:57:12 2015, hv wrote:
This assertion failure is fixed in f4460c6, but I get another one now:
$ echo -n '/$0{}/' | ./miniperl
This seems to have to do with perly.c not reference-counting PL_compcv correctly. But I could be wrong.
-- Father Chrysostomos
From @hvds:
On Sun Feb 22 16:43:16 2015, sprout wrote:
I think so, I'm seeing similar problems when there's a parse error in a double quoted string or glob:
% cat t1
The first fails during the SvREFCNT_dec here:
Hugo
From @cpansprout:
On Tue Feb 24 11:58:05 2015, hv wrote:
This seems to have to do with the parser (perly.c) popping scopes on a syntax error, resulting in inner lexing scopes being popped. But somehow the lexer (toke.c) is confused into thinking the inner lexing scope is still active, so it calls the LEAVE in sublex_done, which tries to free the parser stack when the parser is still active. The solution here may be to use LEAVE_SCOPE(ix) in sublex_done, and store the index somewhere. Or maybe sublex_done should be a no-op if there is no inner lexing scope. I'm still digging.
-- Father Chrysostomos
From @cpansprout:
On Thu Feb 26 19:59:57 2015, sprout wrote:
I finally finished tracking this down. It's PL_lex_defer again. So the fix is nearly identical to #123801. See commit 479ae48.
-- Father Chrysostomos

@cpansprout - Status changed from 'open' to 'pending release'
From @hvds:
On Sat Feb 28 18:29:21 2015, sprout wrote:
Unfortunately I'm still seeing the additional two cases failing; apologies that I didn't clarify before: they should not have a trailing newline:
% echo -n '"\L\L"' | ./miniperl -c
They're both failing at the same place now. (The first was previously crashing at perly.c:423.)
Program received signal SIGSEGV, Segmentation fault.
I confirmed (against the first) that it does bisect to 7aa8cb0.
Hugo
From @cpansprout:
On Sun Mar 01 02:00:47 2015, hv wrote:
It was my mistake not to re-read the ticket before closing it. This is now fixed in 66edcf7.
-- Father Chrysostomos

From @khwilliamson:
Thank you for submitting this ticket. The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html

@khwilliamson - Status changed from 'pending release' to 'resolved'
Migrated from rt.perl.org#123802 (status was 'resolved')