From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in debugging builds of the perl interpreter. The testcase is the file:

00./(?[!()])/

This is related to bug 125805, in fact I didn't file this sooner because I thought it was the same bug. However after that was fixed, this assert still fails on debugging builds. Non-debugging builds emit the warning but exit normally. Valgrind is clean except for the backtrace from the SIGABRT.

Output on debugging perl:

The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE !()])/ at -e line 1.
perl: regcomp.c:13810: S_handle_regex_sets: Assertion `(! ((current)->sv_flags & 0x00000100))' failed.
Aborted

**GDB**

(gdb) run
Starting program: /home/dcollins/perldebug/perl -e 00./$\?\[\!\($\]\)/
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
The regex_sets feature is experimental in regex; marked by <-- HERE in m/(?[ <-- HERE !()])/ at -e line 1.
perl: regcomp.c:13810: S_handle_regex_sets: Assertion `(! ((current)->sv_flags & 0x00000100))' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cf54e8 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6ced226 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6ced2d2 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000727779 in S_handle_regex_sets (pRExC_state=0x7fffffffdaa0, return_invlist=0xbd36, flagp=0x6, depth=4294967295,
oregcomp_parse=0xfefefefefefefe00 <error: Cannot access memory at address 0xfefefefefefefe00>) at regcomp.c:13810
#5 0x00000000006ff63a in S_reg (pRExC_state=0x7fffffffdaa0, paren=48438, flagp=0x7fffffffd60c, depth=4294967295) at regcomp.c:10494
#6 0x000000000072a375 in S_regatom (pRExC_state=0x7fffffffdaa0, flagp=0x7fffffffd79c, depth=4) at regcomp.c:11804
#7 0x000000000073a836 in S_regpiece (depth=<optimized out>, flagp=<optimized out>, pRExC_state=<optimized out>) at regcomp.c:10880
#8 S_regbranch (pRExC_state=0x7fffffffdaa0, flagp=0xbd36, first=-10116, depth=4294967295) at regcomp.c:10805
#9 0x000000000075d007 in S_reg (pRExC_state=0x7fffffffdaa0, flagp=0x7fffffffd96c, depth=<optimized out>, paren=<optimized out>) at regcomp.c:10550
#10 0x000000000079b9a9 in Perl_re_op_compile (patternp=0x1211f78, pat_count=0, expr=0x12080a8, eng=0xffffffffffffffff, old_re=0xe, is_bare_re=0x1211e40, orig_rx_flags=0,
pm_flags=0) at regcomp.c:6953
#11 0x00000000004e7ec2 in Perl_pmruntime (o=0x1211d88, expr=0x1211d48, repl=0x6, isreg=255, floor=7948352) at op.c:5580
#12 0x000000000066f07d in Perl_yyparse (gramtype=18947464) at perly.y:1032
#13 0x000000000053a659 in S_parse_body (env=env@entry=0x0, xsinit=xsinit@entry=0x42c060 <xs_init>) at perl.c:2307
#14 0x00000000005423e3 in perl_parse (my_perl=<optimized out>, xsinit=xsinit@entry=0x42c060 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=env@entry=0x0)
at perl.c:1634
#15 0x000000000042bc88 in main (argc=3, argv=0x7fffffffe338, env=0x7fffffffe358) at perlmain.c:114
(gdb) info locals
No symbol table info available.
(gdb) f 4
#4 0x0000000000727779 in S_handle_regex_sets (pRExC_state=0x7fffffffdaa0, return_invlist=0xbd36, flagp=0x6, depth=4294967295,
oregcomp_parse=0xfefefefefefefe00 <error: Cannot access memory at address 0xfefefefefefefe00>) at regcomp.c:13810
13810 assert(IS_OPERAND(current));
(gdb) info locals
stacked_operator = 0 '\000'
lhs = 0x1208120
rhs = 0x0
current = 0x1208108
start = 0
end = 0
stack = 0x12080d8
len = 0
save_end = 0x100 <error: Cannot access memory at address 0x100>
save_parse = 0x0
re_debug_flags = 0
__PRETTY_FUNCTION__ = "S_handle_regex_sets"
(gdb) print *current
$1 = {sv_any = 0x12080f8, sv_refcnt = 1, sv_flags = 4353, sv_u = {svu_pv = 0x21 <error: Cannot access memory at address 0x21>, svu_iv = 33, svu_uv = 33, svu_rv = 0x21,
svu_rx = 0x21, svu_array = 0x21, svu_hash = 0x21, svu_gp = 0x21, svu_fp = 0x21}}
(gdb)

**PERL -V**

Summary of my perl5 (revision 5 version 23 subversion 4) configuration:
Commit id: a7dba6f
Platform:
osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DDEBUG_LEAKING_SCALARS -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=undef, usemultiplicity=undef
use64bitint=define, use64bitall=define, uselongdouble=define
usemymalloc=n, bincompat5005=undef
Compiler:
cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-g',
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion='', gccversion='4.9.2', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
alignbytes=16, prototype=define
Linker and Libraries:
ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/4.9/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.19'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
USE_PERLIO USE_PERL_ATOF
Built under linux
Compiled at Oct 15 2015 20:45:21
@INC:
/usr/local/perl-afl/lib/site_perl/5.23.4/x86_64-linux-ld
/usr/local/perl-afl/lib/site_perl/5.23.4
/usr/local/perl-afl/lib/5.23.4/x86_64-linux-ld
/usr/local/perl-afl/lib/5.23.4
.

Assert fail with regex_sets error message, related to 125805 #14996

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions