Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segfault in Perl_gv_setref: 'sub U::0{}undef*U::;*U::0=sub{}' #15368

p5pRT opened this issue May 27, 2016 · 6 comments

Segfault in Perl_gv_setref: 'sub U::0{}undef*U::;*U::0=sub{}' #15368

p5pRT opened this issue May 27, 2016 · 6 comments


Copy link

p5pRT commented May 27, 2016

Migrated from (status was 'resolved')

Searchable as RT128257$

Copy link

p5pRT commented May 27, 2016

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a segfault in the perl interpreter. The testcase is the file below. On normal builds and debug builds with -W, this segfaults.

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -e 'sub U​::0{}undef*U​::;*U​::0=sub{}'
dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -W -e 'sub U​::0{}undef*U​::;*U​::0=sub{}'
Segmentation fault

This testcase *looks* suspiciously like [perl #128254], but it is rather different. This one has nothing to do with ISA or taint mode. It is, however, rather bizarre. It only crashes under -W. Perhaps we're freeing something while it's still on the stack? But if this was a context stack issue, I think it would segfault regardless of whether warnings are enabled.

A bisect was attempted but this behavior has persisted since 5.12.0 at least.


dcollins@​nightshade64​:~/perldebug$ gdb --args ./perl -Ilib -W -e 'sub U​::0{}undef*U​::;*U​::0=sub{}'
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
Find the GDB manual and other documentation resources online at​:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl...done.
(gdb) run
Starting program​: /home/dcollins/perldebug/perl -Ilib -W -e sub\ U​::0\{\}undef\*U​::\;\*U​::0=sub\{\}
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".

Program received signal SIGSEGV, Segmentation fault.
0x00000000005dd873 in Perl_gv_setref (dstr=0xab2798, sstr=0xab2780) at sv.c​:4073
4073 report_redefined_cv(
(gdb) bt
#0 0x00000000005dd873 in Perl_gv_setref (dstr=0xab2798, sstr=0xab2780) at sv.c​:4073
#1 0x00000000005e32ef in Perl_sv_setsv_flags (dstr=0xab2798, sstr=0xab2780, flags=1538)
  at sv.c​:4510
#2 0x00000000005a6dd4 in Perl_pp_sassign () at pp_hot.c​:226
#3 0x000000000055a245 in Perl_runops_debug () at dump.c​:2239
#4 0x00000000004623d3 in S_run_body (oldscope=1) at perl.c​:2517
#5 0x00000000004619fe in perl_run (my_perl=0xa9c010) at perl.c​:2440
#6 0x000000000041eae0 in main (argc=5, argv=0x7fffffffe5f8, env=0x7fffffffe628)
  at perlmain.c​:116
(gdb) l
4068 {
4069 SV * const new_const_sv =
4070 CvCONST((const CV *)sref)
4071 ? cv_const_sv((const CV *)sref)
4072 : NULL;
4073 report_redefined_cv(
4074 sv_2mortal(Perl_newSVpvf(aTHX_
4075 "%"HEKf"​::%"HEKf,
4076 HEKfARG(
4077 HvNAME_HEK(GvSTASH((const GV *)dstr))
(gdb) info locals
new_const_sv = 0x0
cv = 0xab2738
sref = 0xab2708
__PRETTY_FUNCTION__ = "Perl_gv_setref"
dref = 0xab2738
intro = 0
location = 0xabc090
import_flag = 128 '\200'
stype = 13


dcollins@​nightshade64​:~/perldebug$ valgrind ./perl -Ilib -W -e 'sub U​::0{}undef*U​::;*U​::0=sub{}'
==47187== Memcheck, a memory error detector
==47187== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==47187== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==47187== Command​: ./perl -Ilib -W -e sub\ U​::0{}undef*U​::;*U​::0=sub{}
==47187== Invalid read of size 4
==47187== at 0x5DD873​: Perl_gv_setref (sv.c​:4073)
==47187== by 0x5E32EE​: Perl_sv_setsv_flags (sv.c​:4510)
==47187== by 0x5A6DD3​: Perl_pp_sassign (pp_hot.c​:226)
==47187== by 0x55A244​: Perl_runops_debug (dump.c​:2239)
==47187== by 0x4623D2​: S_run_body (perl.c​:2517)
==47187== by 0x4619FD​: perl_run (perl.c​:2440)
==47187== by 0x41EADF​: main (perlmain.c​:116)
==47187== Address 0xc is not stack'd, malloc'd or (recently) free'd
==47187== Process terminating with default action of signal 11 (SIGSEGV)
==47187== Access not within mapped region at address 0xC
==47187== at 0x5DD873​: Perl_gv_setref (sv.c​:4073)
==47187== by 0x5E32EE​: Perl_sv_setsv_flags (sv.c​:4510)
==47187== by 0x5A6DD3​: Perl_pp_sassign (pp_hot.c​:226)
==47187== by 0x55A244​: Perl_runops_debug (dump.c​:2239)
==47187== by 0x4623D2​: S_run_body (perl.c​:2517)
==47187== by 0x4619FD​: perl_run (perl.c​:2440)
==47187== by 0x41EADF​: main (perlmain.c​:116)
==47187== If you believe this happened as a result of a stack
==47187== overflow in your program's main thread (unlikely but
==47187== possible), you can try to increase the size of the
==47187== main thread stack using the --main-stacksize= flag.
==47187== The main thread stack size used in this run was 8388608.
==47187== HEAP SUMMARY​:
==47187== in use at exit​: 112,125 bytes in 569 blocks
==47187== total heap usage​: 696 allocs, 127 frees, 132,072 bytes allocated
==47187== LEAK SUMMARY​:
==47187== definitely lost​: 192 bytes in 1 blocks
==47187== indirectly lost​: 2,016 bytes in 22 blocks
==47187== possibly lost​: 1,024 bytes in 2 blocks
==47187== still reachable​: 108,893 bytes in 544 blocks
==47187== suppressed​: 0 bytes in 0 blocks
==47187== Rerun with --leak-check=full to see details of leaked memory
==47187== For counts of detected and suppressed errors, rerun with​: -v
==47187== ERROR SUMMARY​: 1 errors from 1 contexts (suppressed​: 0 from 0)
Segmentation fault

**PERL -V**

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 2) configuration​:
  Commit id​: c29dfc6
  osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='6.1.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Built under linux
  Compiled at May 26 2016 17​:57​:37

Copy link

p5pRT commented Jul 7, 2016

From @iabyn

On Thu, May 26, 2016 at 06​:29​:06PM -0700, Dan Collins wrote​:

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -W -e 'sub U​::0{}undef*U​::;*U​::0=sub{}'
Segmentation fault

Fixed with the following commit​:

  commit fc0fe26
  Author​: David Mitchell <davem@​>
  AuthorDate​: Thu Jul 7 17​:03​:29 2016 +0100
  Commit​: David Mitchell <davem@​>
  CommitDate​: Thu Jul 7 17​:06​:58 2016 +0100

  SEGV in "Subroutine redefined" warning
  RT #128257
  The following SEGVed​:
  sub P​::f{}
  undef *P​::;
  *P​::f =sub{};
  due to the code which generates the "Subroutine STASH​::NAME redefined"
  warning assuming that the GV always has a stash. Make it so that if it
  hasn't, the message changes to "Subroutine NAME redefined" rather than
  just crashing.

No man treats a motor car as foolishly as he treats another human being.
When the car will not go, he does not attribute its annoying behaviour to
sin, he does not say, You are a wicked motorcar, and I shall not give you
any more petrol until you go. He attempts to find out what is wrong and
set it right.
  -- Bertrand Russell,
  Has Religion Made Useful Contributions to Civilization?

Copy link

p5pRT commented Jul 7, 2016

The RT System itself - Status changed from 'new' to 'open'

Copy link

p5pRT commented Jul 8, 2016

@iabyn - Status changed from 'open' to 'pending release'

Copy link

p5pRT commented May 30, 2017

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been

Perl 5.26.0 may be downloaded via​:

If you find that the problem persists, feel free to reopen this ticket.

Copy link

p5pRT commented May 30, 2017

@khwilliamson - Status changed from 'pending release' to 'resolved'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

1 participant