failed assertion in optimizer.c:945

[rwhitworth]

Hello, I was using American Fuzzy Lop (afl-fuzz) to fuzz input to the parrot program on Linux and I found a failed assertion when using this program as input:

.sub a
$N0=0//0

The file can be executed as ./parrot filename to cause a failed assertion and segmentation fault.

gdb backtrace from the resultant core file:

[New LWP 1320986]
[New LWP 1320989]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Core was generated by `./parrot output/parrot-2/crashes/id:000000,sig:06,src:003148,op:havoc,rep:4'.
Program terminated with signal SIGABRT, Aborted.
#0  0x00007f19dacaa067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
56      ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
#0  0x00007f19dacaa067 in __GI_raise (sig=sig@entry=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:56
#1  0x00007f19dacab448 in __GI_abort () at abort.c:89
#2  0x000000000041a4fc in Parrot_confess (cond=cond@entry=0xa009d8 "pc == eval + op_info->op_count || pc == eval", file=file@entry=0xa00703 "compilers/imcc/optimizer.c", line=line@entry=945) at src/exceptions.c:648
#3  0x00000000009ae624 in eval_ins (imcc=imcc@entry=0x2021fa0, op=op@entry=0x7ffe6164bd40 "fdiv_n_n_n", ops=<optimized out>, r=<optimized out>) at compilers/imcc/optimizer.c:945
#4  0x00000000009b7997 in IMCC_subst_constants (imcc=imcc@entry=0x2021fa0, unit=unit@entry=0x20324a0, name=name@entry=0x7ffe6164c0a0 "fdiv", r=r@entry=0x7ffe6164c020, n=n@entry=4, ok=ok@entry=0x7ffe6164be9c) at compilers/imcc/optimizer.c:1089
#5  0x00000000005ce87b in INS (imcc=imcc@entry=0x2021fa0, unit=0x20324a0, name=0x7ffe6164c0a0 "fdiv", fmt=<optimized out>, r=r@entry=0x7ffe6164c020, n=n@entry=3, keyvec=0, emit=emit@entry=1) at compilers/imcc/parser_util.c:371
#6  0x0000000000957383 in MK_I (imcc=imcc@entry=0x2021fa0, unit=<optimized out>, fmt=<optimized out>, n=3, n=3) at compilers/imcc/imcc.y:451
#7  0x000000000095f604 in yyparse (yyscanner=yyscanner@entry=0x202dca0, imcc=imcc@entry=0x2021fa0) at compilers/imcc/imcc.y:2015
#8  0x00000000009828f9 in imcc_run_compilation (imcc=imcc@entry=0x2021fa0, yyscanner=yyscanner@entry=0x202dca0) at compilers/imcc/imcc.l:1396
#9  0x0000000000982deb in imcc_compile_buffer_safe (imcc=imcc@entry=0x2021fa0, yyscanner=yyscanner@entry=0x202dca0, source=source@entry=0x2021990, is_file=is_file@entry=1, is_pasm_unused=is_pasm_unused@entry=0) at compilers/imcc/imcc.l:1365
#10 0x00000000005c75e7 in imcc_run_compilation_internal (is_pasm=0, is_file=1, source=0x2021990, imcc=0x2021fa0) at compilers/imcc/main.c:546
#11 imcc_run_compilation_reentrant (is_pasm=0, is_file=1, fullname=0x2021990, imcc=0x2021fa0) at compilers/imcc/main.c:497
#12 imcc_compile_file (imcc=imcc@entry=0x2021fa0, fullname=0x2021990, is_pasm=0) at compilers/imcc/main.c:474
#13 0x000000000081c9b9 in Parrot_IMCCompiler_nci_compile_file (interp=0x1f3a060, _self=0x2011e78) at ./src/pmc/imccompiler.pmc:193
#14 0x0000000000830459 in Parrot_NativePCCMethod_invoke (interp=0x1f3a060, _self=<optimized out>, next=0x2023c60) at ./src/pmc/nativepccmethod.pmc:119
#15 0x0000000000509561 in runops_fast_core (interp=0x1f3a060, runcore_unused=<optimized out>, pc=0x2023c48) at src/runcore/cores.c:495
#16 0x000000000050612a in runops_int (interp=interp@entry=0x1f3a060, offset=<optimized out>) at src/runcore/main.c:220
#17 0x000000000049bae2 in runops (interp=interp@entry=0x1f3a060, offs=<optimized out>) at src/call/ops.c:123
#18 0x000000000048a9ee in Parrot_pcc_invoke_from_sig_object (interp=interp@entry=0x1f3a060, sub_obj=sub_obj@entry=0x20288c8, call_object=<optimized out>) at src/call/pcc.c:307
#19 0x000000000068ef8b in Parrot_ext_call (interp=interp@entry=0x1f3a060, sub_pmc=0x20288c8, signature=signature@entry=0x9f3ab3 "P->") at src/extend.c:164
#20 0x00000000009449c4 in Parrot_Task_invoke (interp=0x1f3a060, _self=0x20286e8, next=0x0) at ./src/pmc/task.pmc:175
#21 0x000000000048a767 in Parrot_pcc_invoke_from_sig_object (interp=interp@entry=0x1f3a060, sub_obj=sub_obj@entry=0x20286e8, call_object=0x20288f0) at src/call/pcc.c:299
#22 0x000000000068f0fb in Parrot_ext_call (interp=interp@entry=0x1f3a060, sub_pmc=0x20286e8, signature=signature@entry=0x9f3a6c "->") at src/extend.c:155
#23 0x000000000051f648 in Parrot_cx_next_task (interp=interp@entry=0x1f3a060, scheduler=scheduler@entry=0x2011c48) at src/scheduler.c:231
#24 0x000000000052231d in Parrot_cx_outer_runloop (interp=interp@entry=0x1f3a060) at src/scheduler.c:149
#25 0x00000000005226c4 in Parrot_cx_begin_execution (interp=interp@entry=0x1f3a060, main=main@entry=0x2012580, argv=argv@entry=0x2011ef0) at src/scheduler.c:109
#26 0x000000000054f14f in Parrot_pf_execute_bytecode_program (interp=0x1f3a060, pbc=<optimized out>, args=0x2011ef0) at src/packfile/api.c:2908
#27 0x000000000042bd08 in Parrot_api_run_bytecode (interp_pmc=0x2002e10, pbc=0x20286c0, args=0x2011ef0) at src/embed/bytecode.c:162
#28 0x000000000041fdfc in main (argc=<optimized out>, argv=<optimized out>) at frontend/parrot2/main.c:190

Let me know if I can provide any more information to help narrow down this issue.

[rurban]

parrot_old works fine, correctly erroring with 'Divide by zero'.
The error is with parrot in the constant folder, with eval_ins fdiv_n_n_n
# mk_const '0' N
opt fdiv_x_xc_xc

because the pc (address) of the returned exception handler is something different.
compilers/imcc/optimizer.c:945: failed assertion 'pc == eval + op_info->op_count || pc == eval'
we really need to handle exceptions properly in the pir compiler