op.c:16388: Perl_rpeep: Assertion `oldop->op_type == OP_NEXTSTATE || oldop->op_type == OP_DBSTATE' failed. #17228
Description
This is a bug report for perl from afl@dorothy,
generated with the help of perlbug 1.41 running under perl 5.31.5.
[Please describe your issue here]
While fuzzing perl v5.29.10-23-g7c0d7520a3 built with afl and run
under libdislocator, I found the following program
my($e,$x),(),my($c,$s);foreach({}){}
to cause an assertion failure: op.c:16388: Perl_rpeep: Assertion `oldop->op_type == OP_NEXTSTATE || oldop->op_type == OP_DBSTATE' failed. GDB stack is following:
(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7c24535 in __GI_abort () at abort.c:79
#2 0x00007ffff7c2440f in __assert_fail_base (fmt=0x7ffff7d86ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x555555934858 "oldop->op_type == OP_NEXTSTATE || oldop->op_type == OP_DBSTATE", file=0x55555592c851 "op.c", line=16388,
function=<optimized out>) at assert.c:92
#3 0x00007ffff7c32102 in __GI___assert_fail (assertion=0x555555934858 "oldop->op_type == OP_NEXTSTATE || oldop->op_type == OP_DBSTATE",
file=0x55555592c851 "op.c", line=16388, function=0x555555936758 <__PRETTY_FUNCTION__.23053> "Perl_rpeep") at assert.c:101
#4 0x00005555555e1a2e in Perl_rpeep (o=0x555555c0c808) at op.c:16387
#5 0x00005555555e3e2b in Perl_peep (o=0x555555c0e088) at op.c:17053
#6 0x00005555555ac62d in S_process_optree (cv=0x0, optree=0x555555c0c730, start=0x555555c0e088) at op.c:3616
#7 0x00005555555b4236 in Perl_newPROG (o=0x555555c0c730) at op.c:5723
#8 0x000055555566c212 in Perl_yyparse (gramtype=258) at perly.y:126
#9 0x00005555555ecda0 in S_parse_body (env=0x0, xsinit=0x5555555a120f <xs_init>) at perl.c:2527
#10 0x00005555555eb072 in perl_parse (my_perl=0x555555be1260, xsinit=0x5555555a120f <xs_init>, argc=3, argv=0x7fffffffe1b8, env=0x0) at perl.c:1818
#11 0x00005555555a114d in main (argc=3, argv=0x7fffffffe1b8, env=0x7fffffffe1d8) at perlmain.c:132
This is a regression between 5.20 and 5.22, bisect points to 5b80755 is the first bad commit
commit 5b807558721d4a1b9a2121285e81b695d4b5025b
Author: Father Chrysostomos <sprout@cpan.org>
Date: Fri Oct 17 13:56:52 2014 -0700
Allow void padrange even without nextstate
This allows the padrange optimisation to happen with code like this:
my ($a, $b), our $c;
[Please do not change anything below this line]
Flags:
category=core
severity=low
Site configuration information for perl 5.31.5:
Configured by root at Fri Oct 18 05:50:54 MSK 2019.
Summary of my perl5 (revision 5 version 31 subversion 5) configuration:
Derived from: 859b78b
Platform:
osname=linux
osvers=4.19.0-6-amd64
archname=x86_64-linux
uname='linux dorothy 4.19.0-6-amd64 #1 smp debian 4.19.67-2+deb10u1 (2019-09-20) x86_64 gnulinux '
config_args='-des -Dusedevel -Dcc=gcc -DDEBUGGING -Doptimize=-O0 -g -ggdb3'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='gcc'
ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O0 -g -ggdb3'
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='8.3.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='gcc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.28.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.28'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'
Characteristics of this binary (from libperl):
Compile-time options:
DEBUGGING
HAS_TIMES
PERLIO_LAYERS
PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_MALLOC_WRAP
PERL_OP_PARENT
PERL_PRESERVE_IVUV
PERL_USE_DEVEL
USE_64_BIT_ALL
USE_64_BIT_INT
USE_LARGE_FILES
USE_LOCALE
USE_LOCALE_COLLATE
USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC
USE_LOCALE_TIME
USE_PERLIO
USE_PERL_ATOF
Locally applied patches:
uncommitted-changes
Built under linux
Compiled at Oct 18 2019 06:02:50
%ENV:
PERLBREW_BASHRC_VERSION="0.78"
PERLBREW_HOME="/home/afl/.perlbrew"
PERLBREW_MANPATH="/home/afl/perlbrew/perls/perl-5.20.2/man"
PERLBREW_PATH="/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.20.2/bin"
PERLBREW_PERL="perl-5.20.2"
PERLBREW_ROOT="/home/afl/perlbrew"
PERLBREW_VERSION="0.78"
@inc:
lib
/usr/local/lib/perl5/site_perl/5.31.5/x86_64-linux
/usr/local/lib/perl5/site_perl/5.31.5
/usr/local/lib/perl5/5.31.5/x86_64-linux
/usr/local/lib/perl5/5.31.5