
Perl_yylex: Assertion `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 0xf]' failed (toke.c:4550) #14496

Closed
p5pRT opened this issue Feb 11, 2015 · 15 comments
@p5pRT p5pRT commented Feb 11, 2015

Migrated from rt.perl.org#123801 (status was 'resolved')

Searchable as RT123801$

@p5pRT p5pRT commented Feb 11, 2015

From @geeknik

Built v5.21.9 (v5.21.8-286-g534577b) using the following command line:

./Configure -des -Dusedevel -DDEBUGGING -Dcc=afl-gcc -Doptimize=-O2\ -g && AFL_HARDEN=1 make -j6 test-prep

Bug found with AFL (http://lcamtuf.coredump.cx/afl)

GDB output:
Program terminated with signal 6, Aborted.
#0 0x00007fce68ad7165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.
gdb-peda$ bt
#0 0x00007fce68ad7165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007fce68ada3e0 in *__GI_abort () at abort.c:92
#2 0x00007fce68ad0311 in *__GI___assert_fail (assertion=0xefc430 "PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 0xf]", file=<optimized out>, line=0x11c6, function=0xf3b150 "Perl_yylex") at assert.c:81
#3 0x0000000000611aa1 in Perl_yylex () at toke.c:4550
#4 0x0000000000669685 in Perl_yyparse ()
#5 0x00000000005399a5 in S_parse_body ()
#6 0x0000000000541537 in perl_parse ()
#7 0x000000000042b63c in main () at perlmain.c:114
#8 0x00007fce68ac3ead in __libc_start_main (main=<optimized out>, argc=<optimized out>, ubp_av=<optimized out>, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffaf9e2678) at libc-start.c:244
#9 0x000000000042b955 in _start ()
gdb-peda$ i r
rax 0x0 0x0
rbx 0x7fffaf9e3631 0x7fffaf9e3631
rcx 0xffffffffffffffff 0xffffffffffffffff
rdx 0x6 0x6
rsi 0xe632 0xe632
rdi 0xe632 0xe632
rbp 0x7fce68bf1a07 0x7fce68bf1a07
rsp 0x7fffaf9e1b18 0x7fffaf9e1b18
r8 0x7fce69d26700 0x7fce69d26700
r9 0x67616c665f76733e 0x67616c665f76733e
r10 0x8 0x8
r11 0x202 0x202
r12 0xefc430 0xefc430
r13 0xf3b150 0xf3b150
r14 0x7fce68bf1a07 0x7fce68bf1a07
r15 0x11c6 0x11c6
rip 0x7fce68ad7165 0x7fce68ad7165 <*__GI_raise+53>
eflags 0x202 [ IF ]
cs 0x33 0x33
ss 0x2b 0x2b
ds 0x0 0x0
es 0x0 0x0
fs 0x0 0x0
gs 0x0 0x0

Debian 7, Kernel 3.2.65-1+deb7u1 x86_64, libc 3.2.65-1+deb7u1 x86_6, gcc 4.9.2

@p5pRT p5pRT commented Feb 11, 2015

From @geeknik

#123802 is related to this bug. In #123802 I used a minimized test case to produce a sigsegv, whereas the test case in this report produces a sigabrt.


@p5pRT p5pRT commented Feb 13, 2015

From @geeknik

A minimized test case that triggers this assertion is attached.

Hexdump:
0000000 7d73 3024 307b 7d7d 490a 7420
000000c
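To see what those twelve bytes are, the following Python helper decodes `hexdump -x` style output: a hexadecimal offset, then 16-bit words printed in host (little-endian) order, an optional `*` marker for repeated lines, and a final offset-only line that gives the true length. It is an added example, not part of the report or of perl's own tooling; the sample input is the hexdump quoted above, and the assumption that the offset column is hexadecimal (as `hexdump -x` and `od -A x -x` print it, unlike plain `od`, whose offsets are octal) is mine.

```python
import re

# Constructed sample: the hexdump quoted in the report above
# (hexdump -x style: hexadecimal offset, then 16-bit little-endian words).
REPORT_HEXDUMP = """\
0000000 7d73 3024 307b 7d7d 490a 7420
000000c
"""

# an offset followed by zero or more 4-hex-digit words
LINE_RE = re.compile(r"^([0-9a-fA-F]+)((?:\s+[0-9a-fA-F]{4})*)$")


def decode_hexdump_x(text: str) -> bytes:
    """Rebuild the original bytes from `hexdump -x` / `od -A x -x` output.

    Each word is a 16-bit value in host (little-endian) order, so the word
    "7d73" is the byte 0x73 followed by 0x7d. The trailing offset-only line
    gives the true length, which matters for odd-length input because the
    last word is zero-padded. A bare "*" marks one or more repeats of the
    previous data line; the offset on the following line says how many.
    """
    out = bytearray()
    prev_line = b""
    total = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "*":
            continue  # expanded when the next offset is seen
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised hexdump line: {raw!r}")
        offset = int(m.group(1), 16)
        words = m.group(2).split()
        # Fill a gap left by "*" by repeating the previous data line.
        while prev_line and len(out) < offset:
            out += prev_line
        if not words:
            # Final line: the true byte count, one less than decoded when
            # the last word carried a padding byte.
            if offset not in (len(out), len(out) - 1):
                raise ValueError(f"final offset {offset:#x} disagrees with {len(out)} decoded bytes")
            total = offset
            break
        if len(out) != offset:
            raise ValueError(f"offset {offset:#x} but {len(out)} bytes decoded so far")
        chunk = bytearray()
        for w in words:
            v = int(w, 16)
            chunk += bytes((v & 0xFF, v >> 8))  # low byte first
        out += chunk
        prev_line = bytes(chunk)
    return bytes(out[: total if total is not None else len(out)])


if __name__ == "__main__":
    data = decode_hexdump_x(REPORT_HEXDUMP)
    print(len(data), "bytes:", data)
```

Run stand-alone it prints the twelve decoded bytes of the minimized case; the final offset line is what lets it tell a real trailing NUL from the padding `hexdump` adds to an odd-length file.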

@p5pRT p5pRT commented Feb 18, 2015

From @geeknik

Slightly different test case points to a different line # in toke.c:

geeknik@deb7fuzz:/tmp$ ~/perl/perl -e 's##[}#e'
perl: toke.c:4551: Perl_yylex: Assertion `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 0xf]' failed.
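The two test cases in this thread fail the same assertion at neighbouring lines (toke.c:4550 and toke.c:4551), which is the usual reason to bucket fuzzer crashes by assertion text and function rather than by exact line. The following Python helper is an added example, not tooling from the report or from the perl project: `bucket_key` classifies one run's exit status and stderr into a coarse key (assertion expression and function, or signal name) and a fine key (file and line as well), and `bucket_crashes` runs a debugging perl over a set of crash inputs. The perl path and crash-file arguments are assumptions; the sample stderr lines are the ones quoted in this thread.

```python
import re
import signal
import subprocess
import sys
from collections import defaultdict
from typing import NamedTuple

# Sample stderr as quoted in this thread (constructed here as constants):
# the assertion text is the same, only the line number differs.
SAMPLE_STDERR_4550 = ("perl: toke.c:4550: Perl_yylex: Assertion "
                      "`PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 0xf]' failed.\n")
SAMPLE_STDERR_4551 = SAMPLE_STDERR_4550.replace("toke.c:4550", "toke.c:4551")

# glibc assertion message: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
ASSERT_RE = re.compile(
    r"^\S+: (?P<file>[^:\s]+):(?P<line>\d+): (?P<func>\w+): "
    r"Assertion `(?P<expr>.+)' failed\.$",
    re.MULTILINE,
)


class BucketKey(NamedTuple):
    coarse: tuple   # survives small line-number drift between test cases
    fine: tuple     # exact location, for telling neighbours apart


def bucket_key(returncode: int, stderr: str) -> BucketKey:
    """Classify one run of the target by its assertion message or fatal signal."""
    m = ASSERT_RE.search(stderr)
    if m:
        func, expr = m.group("func"), m.group("expr")
        fine = ("assert", m.group("file"), int(m.group("line")), func, expr)
        return BucketKey(("assert", func, expr), fine)
    if returncode < 0:
        # subprocess reports death by signal as a negative return code
        name = signal.Signals(-returncode).name
        return BucketKey(("signal", name), ("signal", name))
    return BucketKey(("exit", returncode), ("exit", returncode))


def run_case(perl: str, path: str, timeout: float = 10.0) -> BucketKey:
    """Run one crash input under the (debugging) perl build and classify it."""
    try:
        proc = subprocess.run([perl, path], capture_output=True, text=True,
                              errors="replace", timeout=timeout)
    except subprocess.TimeoutExpired:
        return BucketKey(("timeout",), ("timeout",))
    return bucket_key(proc.returncode, proc.stderr)


def bucket_crashes(perl: str, paths):
    """Group crash inputs by coarse key; each bucket lists (fine key, file)."""
    buckets = defaultdict(list)
    for p in paths:
        key = run_case(perl, p)
        buckets[key.coarse].append((key.fine, p))
    return dict(buckets)


if __name__ == "__main__":
    # usage: bucket.py ~/perl/perl crashes/*   (paths are assumptions)
    perl, files = sys.argv[1], sys.argv[2:]
    for coarse, members in bucket_crashes(perl, files).items():
        print(coarse, "x", len(members))
        for fine, p in members:
            print("   ", fine, p)
```

Keying on the assertion expression and function merges the 4550 and 4551 cases into one bucket for the maintainer while the fine key still records which lines were hit; a run that dies without an assertion message is keyed on its signal, so a SIGSEGV from a non-debugging build lands apart from a SIGABRT.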

@p5pRT p5pRT commented Feb 23, 2015

From @cpansprout

On Tue Feb 17 17:10:30 2015, brian.carpenter@gmail.com wrote:

Slightly different test case points to a different line # in toke.c:

geeknik@deb7fuzz:/tmp$ ~/perl/perl -e 's##[}#e'
perl: toke.c:4551: Perl_yylex: Assertion `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 0xf]' failed.

On non-debugging builds, that example crashes for me in bleadperl, but not 5.20.1.

I have fixed it in f4460c6.

The case in #123802 is not fixed yet.

--

Father Chrysostomos

@p5pRT p5pRT commented Feb 23, 2015

The RT System itself - Status changed from 'new' to 'open'

@p5pRT p5pRT commented Feb 23, 2015

@cpansprout - Status changed from 'open' to 'pending release'

@p5pRT p5pRT commented Feb 23, 2015

From @geeknik

I don't believe this issue to be fixed as changing the [ in the below test case to { causes this in blead (it gets more interesting towards the end and also explains the attachment):

==15506== Invalid read of size 4
==15506== at 0x64B8BC: Perl_yyparse (perly.c:523)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed623c is 172 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 2
==15506== at 0x64B93C: Perl_yyparse (perly.c:524)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6238 is 168 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 8
==15506== at 0x64B990: Perl_yyparse (perly.c:524)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6230 is 160 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 8
==15506== at 0x64BC1C: Perl_yyparse (perly.c:532)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6240 is 176 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 2
==15506== at 0x64BCF6: Perl_yyparse (perly.c:533)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6218 is 136 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid write of size 2
==15506== at 0x64C013: Perl_yyparse (perly.c:545)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6238 is 168 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid write of size 8
==15506== at 0x64C01F: Perl_yyparse (perly.c:546)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6230 is 160 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 2
==15506== at 0x64C065: Perl_yyparse (inline.h:143)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6238 is 168 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid write of size 8
==15506== at 0x64C0AB: Perl_yyparse (perly.c:547)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6240 is 176 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid write of size 8
==15506== at 0x64C0AF: Perl_yyparse (perly.c:550)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6248 is 184 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid write of size 4
==15506== at 0x64C0B7: Perl_yyparse (perly.c:548)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed623c is 172 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 8
==15506== at 0x64AD1E: Perl_yyparse (perly.c:408)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6230 is 160 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
==15506== Invalid read of size 8
==15506== at 0x64B12B: Perl_yyparse (perly.c:423)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506== Address 0x5ed6240 is 176 bytes inside a block of size 6,400 free'd
==15506== at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506== by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506== by 0x6436DC: S_sublex_done (toke.c:2483)
==15506== by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506== by 0x64C2BC: Perl_yyparse (perly.c:322)
==15506== by 0x526468: S_parse_body (perl.c:2277)
==15506== by 0x52C15E: perl_parse (perl.c:1611)
==15506== by 0x42C8F7: main (perlmain.c:114)
==15506==
perl: sv.c:6536: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.
Aborted

gdb-peda$ file ~/perl/perl
gdb-peda$ set args test
gdb-peda$ r
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl: sv.c:6536: Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' failed.

Program received signal SIGABRT, Aborted.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x7fffffffee1d --> 0x736574006c726570 ('perl')
RCX: 0xffffffffffffffff
RDX: 0x6
RSI: 0x4885
RDI: 0x4885
RBP: 0x7ffff6ea9a07 --> 0x257325732500203a (': ')
RSP: 0x7fffffffe598 --> 0x7ffff6d923e0 (<*__GI_abort+384>: mov rdx,QWORD PTR fs:0x10)
RIP: 0x7ffff6d8f165 (<*__GI_raise+53>: cmp rax,0xfffffffffffff000)
R8 : 0x7ffff7ff0700 (0x00007ffff7ff0700)
R9 : 0x2965707974767328 ('(svtype)')
R10: 0x8
R11: 0x202
R12: 0xec9df0 ("((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff")
R13: 0xede2b0 ("Perl_sv_clear")
R14: 0x7ffff6ea9a07 --> 0x257325732500203a (': ')
R15: 0x1988
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
  0x7ffff6d8f15b <*__GI_raise+43>: movsxd rdi,eax
  0x7ffff6d8f15e <*__GI_raise+46>: mov eax,0xea
  0x7ffff6d8f163 <*__GI_raise+51>: syscall
=> 0x7ffff6d8f165 <*__GI_raise+53>: cmp rax,0xfffffffffffff000
  0x7ffff6d8f16b <*__GI_raise+59>: ja 0x7ffff6d8f182 <*__GI_raise+82>
  0x7ffff6d8f16d <*__GI_raise+61>: repz ret
  0x7ffff6d8f16f <*__GI_raise+63>: nop
  0x7ffff6d8f170 <*__GI_raise+64>: test eax,eax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe598 --> 0x7ffff6d923e0 (<*__GI_abort+384>: mov rdx,QWORD PTR fs:0x10)
0008| 0x7fffffffe5a0 --> 0xec9df0 ("((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff")
0016| 0x7fffffffe5a8 --> 0x7ffff6eab9c1 --> 0x706c6568007325 ('%s')
0024| 0x7fffffffe5b0 --> 0x7fffffffe5d0 --> 0x3000000018
0032| 0x7fffffffe5b8 --> 0x1988
0040| 0x7fffffffe5c0 --> 0x7fffffffe6c0 --> 0x7fffffffee1d --> 0x736574006c726570 ('perl')
0048| 0x7fffffffe5c8 --> 0x7ffff6dc3fe6 (<__fxprintf+310>: lea rsp,[rbp-0x20])
0056| 0x7fffffffe5d0 --> 0x3000000018
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGABRT
0x00007ffff6d8f165 in *__GI_raise (sig=<optimized out>) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
64 ../nptl/sysdeps/unix/sysv/linux/raise.c: No such file or directory.

Now if we expand that test case out to the original size, we get something completely different (this is the testcase attached to this email):

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0x0
RBX: 0x1160360 --> 0x0
RCX: 0x67235d2d40646e61 ('and@-]#g')
RDX: 0x2c32 ('2,')
RSI: 0x0
RDI: 0x2f29445c287d7d31 ('1}}(\\D)/')
RBP: 0x1160780 (";$&:($&x2,'',do{1}}(\\D)/;$,&' '|$1})[r\177nd@nd 4]-1+index$_=QWERTYUIOP0ASDFGHJKL000ZXCVBNM,uc($,=$&)]}}(\\D)/;$,&' '|$1})[rand@-]#ge0\"\n")
RSP: 0x7fffffffe7d0 --> 0x7ffff7ff06a8 --> 0x0
RIP: 0x64bc64 (<Perl_yyparse+5948>: mov esi,DWORD PTR [rdi+0x8])
R8 : 0x1160748 ("syntax error at test00 line 1, near \"s#((\\pL)|.)#rand>.1;$&:($&x2,'',do{1}}(\\D)/;$,&' '|$1})[r\177nd@nd 4]-1+index$_=QWERTYUIOP0ASDFGHJKL000ZXCVBNM,uc($,=$&)]}}(\\D)/;$,&' '|$1})[rand@-]#ge0\"\n")
R9 : 0x65 ('e')
R10: 0x124
R11: 0x1160360 --> 0x0
R12: 0x90
R13: 0x0
R14: 0x1160780 (";$&:($&x2,'',do{1}}(\\D)/;$,&' '|$1})[r\177nd@nd 4]-1+index$_=QWERTYUIOP0ASDFGHJKL000ZXCVBNM,uc($,=$&)]}}(\\D)/;$,&' '|$1})[rand@-]#ge0\"\n")
R15: 0x60 ('`')
EFLAGS: 0x10202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
  0x64bc53 <Perl_yyparse+5931>: mov rcx,QWORD PTR [rsp+0x8]
  0x64bc58 <Perl_yyparse+5936>: mov rdx,QWORD PTR [rsp]
  0x64bc5c <Perl_yyparse+5940>: lea rsp,[rsp+0x98]
=> 0x64bc64 <Perl_yyparse+5948>: mov esi,DWORD PTR [rdi+0x8]
  0x64bc67 <Perl_yyparse+5951>: cmp esi,0x1
  0x64bc6a <Perl_yyparse+5954>: jbe 0x6534f1 <Perl_yyparse+36809>
  0x64bc70 <Perl_yyparse+5960>: lea rsp,[rsp-0x98]
  0x64bc78 <Perl_yyparse+5968>: mov QWORD PTR [rsp],rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffe7d0 --> 0x7ffff7ff06a8 --> 0x0
0008| 0x7fffffffe7d8 --> 0x1159460 --> 0x1145f40 --> 0x95
0016| 0x7fffffffe7e0 --> 0x0
0024| 0x7fffffffe7e8 --> 0x85b2f7a60a082300
0032| 0x7fffffffe7f0 --> 0x6301159430
0040| 0x7fffffffe7f8 --> 0x1160380 --> 0x0
0048| 0x7fffffffe800 --> 0x1160388 --> 0x0
0056| 0x7fffffffe808 --> 0x3c ('<')
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
S_SvREFCNT_dec (sv=0x2f29445c287d7d31) at inline.h:162
162 U32 rc = SvREFCNT(sv);

inline.h? Interesting indeed.

On Sun, Feb 22, 2015 at 6:41 PM, Father Chrysostomos via RT <perlbug-followup@perl.org> wrote:

On Tue Feb 17 17:10:30 2015, brian.carpenter@gmail.com wrote:

Slightly different test case points to a different line # in toke.c:

geeknik@deb7fuzz:/tmp$ ~/perl/perl -e 's##[}#e'
perl: toke.c:4551: Perl_yylex: Assertion `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 0xf]' failed.

On non-debugging builds, that example crashes for me in bleadperl, but not 5.20.1.

I have fixed it in f4460c6.

The case in #123802 is not fixed yet.

--

Father Chrysostomos
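A practitioner triaging the valgrind output in the message above wants to know whether its thirteen reports are one bug or several. The following Python helper is an added example, not part of this report or of the perl project: `parse_valgrind` turns `Invalid read/write ... inside a block ... free'd` records into structured accesses, and `triage` groups them by the site that released the memory and counts stale writes separately, since a write into freed memory corrupts whatever the allocator has since placed there and so weighs more than a stale read. The embedded sample is constructed from two of the records above, with the thread's line wrapping undone so that each `Address ... free'd` line is whole again as valgrind prints it.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: two of the records from the thread above, rejoined so
# that the "Address ... free'd" line is on one line as valgrind prints it.
SAMPLE_VALGRIND = """\
==15506== Invalid read of size 4
==15506==    at 0x64B8BC: Perl_yyparse (perly.c:523)
==15506==    by 0x526468: S_parse_body (perl.c:2277)
==15506==    by 0x52C15E: perl_parse (perl.c:1611)
==15506==    by 0x42C8F7: main (perlmain.c:114)
==15506==  Address 0x5ed623c is 172 bytes inside a block of size 6,400 free'd
==15506==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506==    by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506==    by 0x6436DC: S_sublex_done (toke.c:2483)
==15506==    by 0x5F6AE8: Perl_yylex (toke.c:4548)
==15506==
==15506== Invalid write of size 2
==15506==    at 0x64C013: Perl_yyparse (perly.c:545)
==15506==    by 0x526468: S_parse_body (perl.c:2277)
==15506==  Address 0x5ed6238 is 168 bytes inside a block of size 6,400 free'd
==15506==    at 0x4C27D4E: free (vg_replace_malloc.c:427)
==15506==    by 0xA98995: Perl_leave_scope (scope.c:1241)
==15506==    by 0x6436DC: S_sublex_done (toke.c:2483)
==15506==
"""

HEADER_RE = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME_RE = re.compile(r"^==\d+==\s+(?:at|by) (0x[0-9A-Fa-f]+): (\S+) \(([^)]*)\)$")
ADDR_RE = re.compile(
    r"^==\d+==\s+Address 0x[0-9a-fA-F]+ is (\d+) bytes inside a block of size ([\d,]+) free'd$"
)
SEP_RE = re.compile(r"^==\d+==\s*$")

Frame = Tuple[str, str]  # (function, file:line)


@dataclass
class Access:
    kind: str                                   # "read" or "write"
    size: int
    access_stack: List[Frame] = field(default_factory=list)
    freed_offset: Optional[int] = None          # bytes into the freed block
    block_size: Optional[int] = None
    free_stack: List[Frame] = field(default_factory=list)

    @property
    def is_use_after_free(self) -> bool:
        return self.freed_offset is not None


def parse_valgrind(text: str) -> List[Access]:
    """Parse memcheck 'Invalid read/write' records, including the free() stack."""
    records: List[Access] = []
    cur: Optional[Access] = None
    in_free_stack = False
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            cur = Access(h.group(1), int(h.group(2)))
            records.append(cur)
            in_free_stack = False
            continue
        if cur is None:
            continue
        a = ADDR_RE.match(line)
        if a:
            cur.freed_offset = int(a.group(1))
            cur.block_size = int(a.group(2).replace(",", ""))
            in_free_stack = True  # frames from here on describe the free()
            continue
        f = FRAME_RE.match(line)
        if f:
            frame = (f.group(2), f.group(3))
            (cur.free_stack if in_free_stack else cur.access_stack).append(frame)
            continue
        if SEP_RE.match(line):
            cur = None  # bare "==PID==" line closes the record
    return records


def triage(records: List[Access]) -> dict:
    """Group stale accesses by the caller of free() and count stale writes."""
    free_sites: Counter = Counter()
    writes = 0
    for r in records:
        if not r.is_use_after_free:
            continue
        # skip the allocator's own frame; the first caller is the release site
        site = next((fr for fr in r.free_stack if fr[0] != "free"), None)
        free_sites[site] += 1
        if r.kind == "write":
            writes += 1
    return {
        "stale_accesses": sum(free_sites.values()),
        "stale_writes": writes,
        "free_sites": dict(free_sites),
        "single_root_cause": len(free_sites) == 1,
    }


if __name__ == "__main__":
    for key, value in triage(parse_valgrind(SAMPLE_VALGRIND)).items():
        print(f"{key}: {value}")
```

On the full log above every record resolves to the same release site, `Perl_leave_scope (scope.c:1241)` reached from `S_sublex_done`, which is the shape a single dangling reference on the parser stack produces, and six of the thirteen accesses are writes.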

@p5pRT p5pRT commented Mar 1, 2015

From @cpansprout

On Sun Feb 22 20:26:54 2015, brian.carpenter@gmail.com wrote:

I don't believe this issue to be fixed as changing the [ in the below test case to { causes this in blead (it gets more interesting towards the end and also explains the attachment):

All the examples you gave in your last message are failing similarly. Reference counting on the parser stack is getting muddled up. I believe I have fixed all these now with commit 479ae48.

--

Father Chrysostomos

@p5pRT p5pRT commented Jun 2, 2015

From @khwilliamson

Thank you for submitting this ticket.

The issue should now be resolved with the release today of Perl v5.22, which is available at http://www.perl.org/get.html
--
Karl Williamson for the Perl 5 team

@p5pRT p5pRT commented Jun 2, 2015

@khwilliamson - Status changed from 'pending release' to 'resolved'

@p5pRT p5pRT closed this Jun 2, 2015
@p5pRT p5pRT added the Severity Low label Oct 19, 2019