Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Assertion failure in Perl_leave_adjust_stacks (pp_hot.c:4653) #16929

Closed
p5pRT opened this issue Apr 5, 2019 · 6 comments
Closed

Assertion failure in Perl_leave_adjust_stacks (pp_hot.c:4653) #16929

p5pRT opened this issue Apr 5, 2019 · 6 comments

Comments

@p5pRT
Copy link

p5pRT commented Apr 5, 2019

Migrated from rt.perl.org#133989 (status was 'pending release')

Searchable as RT133989$

@p5pRT
Copy link
Author

p5pRT commented Apr 5, 2019

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run
under libdislocator, I found the following program

E{0;readline@​0}

to cause an assertion failure

perl​: pp_hot.c​:4653​: void Perl_leave_adjust_stacks(SV **, SV **, U8,
int)​: Assertion `nargs >= 0' failed.

GDB stack trace is following

#0 __GI_raise (sig=sig@​entry=6) at ../sysdeps/unix/sysv/linux/raise.c​:50
#1 0x00007ffff7c25535 in __GI_abort () at abort.c​:79
#2 0x00007ffff7c2540f in __assert_fail_base (fmt=0x7ffff7d87ee0
"%s%s%s​:%u​: %s%sAssertion `%s' failed.\n%n", assertion=0x555555aaa42a
"nargs >= 0",
  file=0x555555aa86e3 "pp_hot.c", line=4653, function=<optimized
out>) at assert.c​:92
#3 0x00007ffff7c330f2 in __GI___assert_fail (assertion=0x555555aaa42a
"nargs >= 0", file=0x555555aa86e3 "pp_hot.c", line=4653,
  function=0x555555aaae50 <__PRETTY_FUNCTION__.19610>
"Perl_leave_adjust_stacks") at assert.c​:101
#4 0x0000555555776529 in Perl_leave_adjust_stacks
(from_sp=0x555555b50da8, to_sp=0x555555b50da0, gimme=3 '\003', pass=3)
at pp_hot.c​:4653
#5 0x0000555555831c83 in Perl_pp_leave () at pp_ctl.c​:2133
#6 0x000055555570b640 in Perl_runops_debug () at dump.c​:2537
#7 0x00005555555ed560 in S_run_body (oldscope=1) at perl.c​:2716
#8 0x00005555555ecade in perl_run (my_perl=0x555555b4c260) at perl.c​:2639
#9 0x00005555555a114e in main (argc=3, argv=0x7fffffffe1c8,
env=0x7fffffffe1e8) at perlmain.c​:127

This is a regression between 5.22 and 5.24, bisect points to

commit 75bc488
Author​: David Mitchell <davem@​iabyn.com>
Date​: Thu Dec 17 12​:13​:09 2015 +0000

  replace leave_common() with leave_adjust_stacks()

  Make the remaining callers of S_leave_common() use leave_adjust_stacks()
  instead, then delete this static function.

  This brings the benefits of freeing TEMPS on all scope exists that
  has already been introduced on sub exits; uses the optimised code for
  creating mortal copies; and finally unifies all the different 'process
  return args on scope exit' implementations into single function.

Perl Info

Flags:
    category=core
    severity=medium

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0:
mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64
x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9
-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector
-I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib
/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib
/usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined
dynamic_lookup -L/usr/local/lib -fstack-protector'



@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9


Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh

@p5pRT
Copy link
Author

p5pRT commented Jun 12, 2019

From @tonycoz

On Fri, 05 Apr 2019 09​:26​:20 -0700, randir wrote​:

While fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run
under libdislocator, I found the following program

E{0;readline@​0}

to cause an assertion failure

perl​: pp_hot.c​:4653​: void Perl_leave_adjust_stacks(SV **, SV **, U8,
int)​: Assertion `nargs >= 0' failed.

Patch attached.

Tony

@p5pRT
Copy link
Author

p5pRT commented Jun 12, 2019

From @tonycoz

0001-perl-133989-scalar-the-argument-to-readline-if-any.patch
From faa0ed849cf1bfe77c4cb9857dc3e8a0db0bfa7a Mon Sep 17 00:00:00 2001
From: Tony Cook <tony@develop-help.com>
Date: Wed, 12 Jun 2019 15:21:47 +1000
Subject: (perl #133989) scalar() the argument to readline, if any

C< readline @foo > would treat @foo as array.  If the array was empty
this would push zero items and readline() would then pop one item,
possibly underflowing the stack.
---
 op.c               | 1 +
 t/lib/croak/pp_sys | 6 ++++++
 2 files changed, 7 insertions(+)

diff --git a/op.c b/op.c
index 6ad192307f..7aa002cadd 100644
--- a/op.c
+++ b/op.c
@@ -12142,6 +12142,7 @@ Perl_ck_readline(pTHX_ OP *o)
     if (o->op_flags & OPf_KIDS) {
 	 OP *kid = cLISTOPo->op_first;
 	 if (kid->op_type == OP_RV2GV) kid->op_private |= OPpALLOW_FAKE;
+         scalar(kid);
     }
     else {
 	OP * const newop
diff --git a/t/lib/croak/pp_sys b/t/lib/croak/pp_sys
index be100da27a..cf9e4ef0ed 100644
--- a/t/lib/croak/pp_sys
+++ b/t/lib/croak/pp_sys
@@ -93,3 +93,9 @@ close $fh;
 END { unlink $file; }
 EXPECT
 syswrite() isn't allowed on :utf8 handles at - line 5.
+########
+# NAME readline() didn't scalar() its argument
+# this would assert rather than failing on the method call
+E{0;readline@0}
+EXPECT
+Can't call method "E" without a package or object reference at - line 2.
-- 
2.11.0

@p5pRT
Copy link
Author

p5pRT commented Jun 12, 2019

The RT System itself - Status changed from 'new' to 'open'

@p5pRT
Copy link
Author

p5pRT commented Jun 17, 2019

From @tonycoz

On Tue, 11 Jun 2019 22​:22​:45 -0700, tonyc wrote​:

On Fri, 05 Apr 2019 09​:26​:20 -0700, randir wrote​:

While fuzzing perl v5.29.9-63-g2496d8f3f7 built with afl and run
under libdislocator, I found the following program

E{0;readline@​0}

to cause an assertion failure

perl​: pp_hot.c​:4653​: void Perl_leave_adjust_stacks(SV **, SV **, U8,
int)​: Assertion `nargs >= 0' failed.

Patch attached.

Applied as a8e0c1f.

Tony

@p5pRT
Copy link
Author

p5pRT commented Jun 17, 2019

@tonycoz - Status changed from 'open' to 'pending release'

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

1 participant