
sv.c:6545: void Perl_sv_clear(SV *const): Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed #15847

Open
p5pRT opened this issue Jan 29, 2017 · 3 comments

p5pRT commented Jan 29, 2017

Migrated from rt.perl.org#130667 (status was 'open')

Searchable as RT130667$


p5pRT commented Jan 29, 2017

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
under libdislocator, I found the following program

a{%0=local$0,%0=0}

to cause an assertion failure on debugging builds and crash on regular builds.
This is a regression in blead, bisect points to

8b0c337 is the first bad commit
commit 8b0c337
Author: David Mitchell <davem@iabyn.com>
Date: Wed Oct 5 10:10:56 2016 +0100

  Better optimise array and hash assignment

  [perl #127999] Slowdown in split + list assign

GDB info about the crash location:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1 0x00007f96ae90f40a in __GI_abort () at abort.c:89
#2 0x00007f96ae906e47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7f96b07d8530 "SvTYPE(sv) != (svtype)SVTYPEMASK", file=file@entry=0x7f96b07d7196 "sv.c", line=line@entry=6545, function=function@entry=0x7f96b07e5308 <__PRETTY_FUNCTION__.19252> "Perl_sv_clear") at assert.c:92
#3 0x00007f96ae906ef2 in __GI___assert_fail (assertion=assertion@entry=0x7f96b07d8530 "SvTYPE(sv) != (svtype)SVTYPEMASK", file=file@entry=0x7f96b07d7196 "sv.c", line=line@entry=6545, function=function@entry=0x7f96b07e5308 <__PRETTY_FUNCTION__.19252> "Perl_sv_clear") at assert.c:101
#4 0x00007f96b01a1c87 in Perl_sv_clear (orig_sv=orig_sv@entry=0x7f96b1d75510) at sv.c:6545
#5 0x00007f96b01a1f3c in Perl_sv_free2 (sv=0x7f96b1d75510, rc=<optimized out>) at sv.c:7061
#6 0x00007f96b037144d in S_SvREFCNT_dec_NN (sv=<optimized out>) at inline.h:200
#7 Perl_free_tmps () at scope.c:207
#8 0x00007f96afd66dc5 in perl_run (my_perl=<optimized out>) at perl.c:2456
#9 0x00007f96afc52814 in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:123

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'



@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9


Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh


p5pRT commented Jan 30, 2017

From @iabyn

On Sun, Jan 29, 2017 at 03:16:24AM -0800, Sergey Aleynikov wrote:

> While fuzzing perl v5.25.9-35-g32207c637b built with afl and run
> under libdislocator, I found the following program
>
> a{%0=local$0,%0=0}
>
> to cause an assertion failure on debugging builds and crash on regular builds.
> This is a regression in blead, bisect points to
>
> 8b0c337 is the first bad commit
> commit 8b0c337
> Author: David Mitchell <davem@iabyn.com>
> Date: Wed Oct 5 10:10:56 2016 +0100
>
> Better optimise array and hash assignment
>
> [perl #127999] Slowdown in split + list assign

It's a stack-not-refcounted issue.

The code can be simplified to

  @a = (((%h) = ("k",1)), %h = ("k",2));

at the start of the second assignment to %h, %h is cleared, leaving the
'1' SV on the stack as a freed value. Whether perl assert fails or not
just depends on whether that freed SV happens to get reallocated before it
gets accessed as a stack value in a place that checks it for being a valid
SV. Before that commit, printing "[@a]\n" gives:

  [k 2 k 2]

which shows that the SV gets reallocated and has '2' assigned to it; on
blead, you get

  [k k 2]

meaning it hasn't been reallocated because the newer pp_assign() code
is better at skipping unnecessary copying.

--
The crew of the Enterprise encounter an alien life form which is
surprisingly neither humanoid nor made from pure energy.
  -- Things That Never Happen in "Star Trek" #22
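The three outcomes described in the reply above (silent reuse of the freed SV, a freed SV still sitting on the stack, and the behaviour a reference-holding stack would give) can be reproduced in a small C model. This is an added example written for this page, not code from the perl source: the one-slot "hash", the static arena, the `SV_FREED` marker standing in for `SVTYPEMASK` and the `stack_refcounted`/`reuse_freed` switches are all simplifications chosen here. Values are kept in a static pool so that reading a "freed" slot is observable rather than undefined behaviour.

```c
/* Added model of the "stack not refcounted" hazard: the argument stack holds
 * raw pointers to values owned by containers, so clearing the container
 * frees a value that is still referenced from the stack.  Not perl's code. */
#include <assert.h>
#include <stdio.h>
#include <string.h>

enum { SV_IV = 1, SV_FREED = 0xFF };     /* SV_FREED plays the role of SVTYPEMASK */

typedef struct sv {
    unsigned char type;                  /* SV_IV while live, SV_FREED once released */
    int refcnt;
    long iv;
    struct sv *next_free;
} SV;

#define POOL_SIZE 8
static SV   pool[POOL_SIZE];             /* static arena: freed slots stay readable */
static int  pool_used;
static SV  *free_list;                   /* LIFO list of released slots */
static int  reuse_freed;                 /* model switch: allocator recycles freed slots */

static void arena_reset(int reuse)
{
    memset(pool, 0, sizeof pool);
    pool_used = 0;
    free_list = NULL;
    reuse_freed = reuse;
}

static SV *sv_new_iv(long v)
{
    SV *sv;
    if (reuse_freed && free_list) {      /* hand back the most recently freed SV */
        sv = free_list;
        free_list = sv->next_free;
    } else {
        assert(pool_used < POOL_SIZE);
        sv = &pool[pool_used++];
    }
    sv->type = SV_IV; sv->refcnt = 1; sv->iv = v; sv->next_free = NULL;
    return sv;
}

static void sv_refcnt_dec(SV *sv)
{
    assert(sv->type != SV_FREED);        /* the check perl's sv_clear makes */
    if (--sv->refcnt == 0) {
        sv->type = SV_FREED;
        sv->next_free = free_list;
        free_list = sv;
    }
}

typedef struct { SV *val; } HV;          /* one-element "hash": owns one value */

static void hv_clear(HV *hv)
{
    if (hv->val) { sv_refcnt_dec(hv->val); hv->val = NULL; }
}

typedef struct { SV *items[4]; int sp; int refcounted; } Stack;

static void stack_push(Stack *st, SV *sv)
{
    if (st->refcounted) sv->refcnt++;    /* a refcounted stack owns its entries */
    st->items[st->sp++] = sv;
}

/* %h = (v) in list context: clear the hash, store the new value, and leave
 * the hash's element on the stack as the value of the expression. */
static void hash_assign(Stack *st, HV *hv, long v)
{
    hv_clear(hv);
    hv->val = sv_new_iv(v);
    stack_push(st, hv->val);
}

long model_out[2];                       /* what @a would see: value, or -1 for a freed SV */

/* Runs @a = (((%h) = (1)), %h = (2)); returns the number of freed SVs on the stack. */
int run_model(int stack_refcounted, int reuse)
{
    Stack st = { {0}, 0, stack_refcounted };
    HV hv = { NULL };
    int freed = 0;

    arena_reset(reuse);
    hash_assign(&st, &hv, 1);            /* (%h) = (1) */
    hash_assign(&st, &hv, 2);            /* %h = (2): clears %h, freeing the '1' SV */

    for (int i = 0; i < st.sp; i++) {
        if (st.items[i]->type == SV_FREED) { freed++; model_out[i] = -1; }
        else model_out[i] = st.items[i]->iv;
    }
    if (st.refcounted)                   /* unwind: drop the references the stack held */
        for (int i = 0; i < st.sp; i++) sv_refcnt_dec(st.items[i]);
    hv_clear(&hv);
    return freed;
}

int main(void)
{
    int f = run_model(0, 1);
    printf("raw stack, freed SV recycled:   [%ld %ld] freed=%d\n", model_out[0], model_out[1], f);
    f = run_model(0, 0);
    printf("raw stack, freed SV left alone: [%ld %ld] freed=%d\n", model_out[0], model_out[1], f);
    f = run_model(1, 0);
    printf("refcounted stack:               [%ld %ld] freed=%d\n", model_out[0], model_out[1], f);
    return 0;
}
```

With a raw stack and a recycling allocator the second store lands in the slot the first value just vacated, so both stack entries read back as 2 (the `[k 2 k 2]` case). When the slot is not recycled the first entry is a freed SV, which is exactly what a type check such as the `SvTYPE(sv) != SVTYPEMASK` assertion catches. Only when the stack holds its own reference does the '1' survive until the stack is unwound.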


p5pRT commented Jan 30, 2017

The RT System itself - Status changed from 'new' to 'open'
