SIGBUS in Perl_leave_adjust_stacks() #16017
Triggered with Perl v5.27.0-97-gd555ed0, compiled with afl-clang-fast on
Program received signal SIGBUS, Bus error.
On Tue, 13 Jun 2017 13:02:33 -0700, firstname.lastname@example.org wrote:
I wasn't able to minimize your test case significantly, but I did track down the cause.
The temps stack entry allocated in pp_aassign:
/* an unrolled sv_2mortal */
wasn't being used, since the value of ix is overwritten by the call to tmps_grow_p().
Removing the assignment per the attached patch prevents the crash (and means the temp is actually freed too).
I don't have a test for it at this point, I may end up just using the original test case.
I ran until it crashed, saved the value of the top pointer (which is where the sv value came from), and watchpointed that address in a new run, which was only touched when the temps were reallocated by tmps_grow_p().
From 5a9032e65282dceec6d65ee9a6e3abe2b90b9929 Mon Sep 17 00:00:00 2001 From: Tony Cook <email@example.com> Date: Wed, 21 Jun 2017 15:00:56 +1000 Subject: (perl #131570) don't skip the temps stack entry we just allocated --- pp_hot.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pp_hot.c b/pp_hot.c index 7c98c90..f445fd9 100644 --- a/pp_hot.c +++ b/pp_hot.c @@ -1736,7 +1736,7 @@ PP(pp_aassign) if (UNLIKELY(ix >= PL_tmps_max)) /* speculatively grow enough to cover other * possible refs */ - ix = tmps_grow_p(ix + (lastlelem - lelem)); + (void)tmps_grow_p(ix + (lastlelem - lelem)); PL_tmps_stack[ix] = ref; } -- 2.1.4
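Review bot: the `(void)` on the `+` line silently discards a return value that the `-` line relied on, and nothing in the hunk says why; add a one-line comment above `(void)tmps_grow_p(ix + (lastlelem - lelem));` stating that the return value is not the slot reserved in `ix` (the reply above notes `ix` was being overwritten by this call), so that a later cleanup does not restore the assignment and reintroduce the write to the wrong `PL_tmps_stack` entry. The commit message also mentions no regression test; since the report's test case could not be minimised further, checking it in as-is would still cover this path against future refactoring.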
Thank you for filing this report. You have helped make Perl better.
With the release yesterday of Perl 5.28.0, this and 185 other issues have been
Perl 5.28.0 may be downloaded via:
If you find that the problem persists, feel free to reopen this ticket.
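The failure mode Tony Cook describes above (the temps-stack slot just reserved in `ix` left unwritten because the grow call overwrote `ix`, so the stored temp was never freed and the unwritten slot was later popped), replayed with a toy stack as an added example. This is not code from the Perl core or from this ticket: `toy_tmps`, `toy_tmps_grow_p()`, `free_temps()` and `run_scenario()` are hypothetical stand-ins for `PL_tmps_stack`/`PL_tmps_ix`/`PL_tmps_max`, `tmps_grow_p()` and `FREETMPS`, and the assumption that the grow function returns the index it was asked to grow to rather than the caller's reserved slot is mine, chosen to reproduce the overwrite the reply describes.

```c
/* Added example (not Perl core code): a toy temps stack whose grow function
 * returns the requested index, so "ix = grow(ix + extra)" misdirects the
 * following store, as the reply above reports for pp_aassign. */
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

typedef struct { int refcnt; } toy_sv;            /* stand-in for an SV */

typedef struct {
    toy_sv  **stack;  /* analogue of PL_tmps_stack */
    ptrdiff_t ix;     /* analogue of PL_tmps_ix: last used slot */
    ptrdiff_t max;    /* analogue of PL_tmps_max: slots allocated */
} toy_tmps;

/* Assumed behaviour: grow so that slot `ix` exists and return `ix`, the
 * requested index, which is NOT the slot the caller reserved. */
static ptrdiff_t toy_tmps_grow_p(toy_tmps *t, ptrdiff_t ix)
{
    ptrdiff_t new_max = ix + 1;
    toy_sv **ns = realloc(t->stack, (size_t)new_max * sizeof *ns);
    if (!ns) abort();
    /* realloc leaves the new slots uninitialised; zero them so that a store
     * that misses the reserved slot leaves an obvious NULL behind instead of
     * whatever stale pointer the allocator handed back. */
    memset(ns + t->max, 0, (size_t)(new_max - t->max) * sizeof *ns);
    t->stack = ns;
    t->max = new_max;
    return ix;
}

/* The pattern before the patch: the reserved index is clobbered. */
static void push_temp_before_fix(toy_tmps *t, toy_sv *ref, ptrdiff_t extra)
{
    ptrdiff_t ix = ++t->ix;
    if (ix >= t->max)
        ix = toy_tmps_grow_p(t, ix + extra);  /* ix is now ix + extra */
    t->stack[ix] = ref;                       /* lands in the wrong slot */
}

/* The pattern after the patch: grow, but keep writing to the reserved slot. */
static void push_temp_after_fix(toy_tmps *t, toy_sv *ref, ptrdiff_t extra)
{
    ptrdiff_t ix = ++t->ix;
    if (ix >= t->max)
        (void)toy_tmps_grow_p(t, ix + extra);
    t->stack[ix] = ref;
}

/* FREETMPS analogue: pop every slot above `floor`, dropping a reference on
 * each SV. Returns how many popped slots held no SV at all; the real code
 * would dereference those and crash. */
static int free_temps(toy_tmps *t, ptrdiff_t floor)
{
    int garbage = 0;
    while (t->ix > floor) {
        toy_sv *sv = t->stack[t->ix--];
        if (sv) sv->refcnt--; else garbage++;
    }
    return garbage;
}

/* One push onto a full one-slot stack with 3 slots of speculative headroom.
 * Returns the garbage-slot count from free_temps(); *ref_refcnt_out receives
 * the temp's refcount afterwards (0 means it was actually freed). */
static int run_scenario(int fixed, int *ref_refcnt_out)
{
    toy_tmps t = { NULL, -1, 0 };
    toy_sv a = { 1 }, ref = { 1 };
    (void)toy_tmps_grow_p(&t, 0);             /* allocate one slot... */
    t.stack[++t.ix] = &a;                     /* ...and fill it */
    if (fixed) push_temp_after_fix(&t, &ref, 3);
    else       push_temp_before_fix(&t, &ref, 3);
    int garbage = free_temps(&t, -1);
    *ref_refcnt_out = ref.refcnt;
    free(t.stack);
    return garbage;
}

int main(void)
{
    int rc;
    int before = run_scenario(0, &rc);        /* 1 garbage slot, ref leaked */
    int after  = run_scenario(1, &rc);        /* 0 garbage slots, ref freed */
    return (before == 1 && after == 0 && rc == 0) ? 0 : 1;
}
```

The zeroing in `toy_tmps_grow_p()` is what makes the misdirected store visible as a NULL; with a plain `realloc` the reserved slot holds whatever the allocator left there, which is the "stale pointer only touched on reallocation" picture the watchpoint in the reply above points at.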