Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in debug builds of the perl interpreter. The testcase is the file below. On normal builds, this runs normally. On debug builds, this returns an assert fail.

dcollins@nightshade64:~/perldebug$ ./perl -Ilib -e '{tell$0;i${^LAST_FH}}'
perl: mg.c:964: Perl_magic_get: Assertion `((((PL_last_in_gv)->sv_flags & (0x00004000|0x00008000)) == 0x00008000) && (((svtype)((PL_last_in_gv)->sv_flags & 0xff)) == SVt_PVGV || ((svtype)((PL_last_in_gv)->sv_flags & 0xff)) == SVt_PVLV))' failed.

Debugging tool output is below. A git bisect was performed and reported the following, which is presumably the commit where the assert was initially added.

8561ea1dd1a3357825e765e1df4f883e53f89a9d is the first bad commit
commit 8561ea1dd1a3357825e765e1df4f883e53f89a9d
Author: Father Chrysostomos <sprout@cpan.org>
Date: Mon Sep 17 23:18:08 2012 -0700


     This was brought up in ticket #96672.

     This variable gives access to the last-read filehandle that Perl uses
     when it appends ", <STDIN> line 1" to a warning or error message.

:100644 100644 55666f44cc99fb578eb299e45dc6c2b534094a96 08d41db074a06015b595273e07c4e11603544f22 M gv.c
:100644 100644 26cabbe62790425030531b111ae6fc0433363697 cbae42135884ed699c254aca1685fe728902dba5 M mg.c
:040000 040000 5562f9bc7ca8edc3abd731fecdc93c5a59d68230 653ba43ff406d65ff5fa01c522d0140b244b21cf M pod
:040000 040000 f6638536166828af1bf573afebb12ab50d924b24 21a91ab3598eac7dff8e7d4d9b20e8f04231190c M t
bisect run success


(gdb) run
Starting program: /home/dcollins/perldebug/miniperl -Ilib -e \{tell\$0\;i\$\{\^LAST_FH\}\}
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
miniperl: mg.c:964: Perl_magic_get: Assertion `((((PL_last_in_gv)->sv_flags & (0x00004000|0x00008000)) == 0x00008000) && (((svtype)((PL_last_in_gv)->sv_flags & 0xff)) == SVt_PVGV || ((svtype)((PL_last_in_gv)->sv_flags & 0xff)) == SVt_PVLV))' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000555c52 in Perl_magic_get (sv=0xa95a50, mg=0xa86400) at mg.c:964
#5 0x00000000005532eb in Perl_mg_get (sv=0xa95a50) at mg.c:197
#6 0x00000000005a71c9 in S_opmethod_stash (meth=0xa95ab0) at pp_hot.c:4150
#7 0x00000000005a80cf in Perl_pp_method_named () at pp_hot.c:4258
#8 0x000000000053fac1 in Perl_runops_debug () at dump.c:2239
#9 0x00000000004482ec in S_run_body (oldscope=1) at perl.c:2517
#10 0x0000000000447917 in perl_run (my_perl=0xa7f010) at perl.c:2440
#11 0x000000000072760b in main (argc=4, argv=0x7fffffffe618, env=0x7fffffffe640)
     at miniperlmain.c:122


No reported memory management errors.

**PERL -V**

dcollins@nightshade64:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 2) configuration:
   Commit id: c29dfc6a6c45f86648c51f961304254cc3c449b9
     osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
     uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
     config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
     hint=recommended, useposix=true, d_sigaction=define
     useithreads=undef, usemultiplicity=undef
     use64bitint=define, use64bitall=define, uselongdouble=define
     usemymalloc=n, bincompat5005=undef
     cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
     cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
     ccversion='', gccversion='6.1.0', gccosandvers=''
     intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
     d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
     ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
     alignbytes=16, prototype=define
   Linker and Libraries:
     ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
     libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
     libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
     perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
     libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
   Dynamic Linking:
     dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
     cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
                         USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
                         USE_PERLIO USE_PERL_ATOF
   Built under linux
   Compiled at May 26 2016 17:57:37
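The triage step between `afl-fuzz` and the hand-minimized one-liner above is left implicit in the report. The following script is an added example, not code from the report or from the perl project: it walks an AFL crash directory, buckets each input by how the target died (SIGABRT from a failed `assert()` in a `-DDEBUGGING` build versus SIGSEGV versus a plain non-zero exit), and for aborts extracts the `file:line` of the assertion so that inputs hitting the same assertion can be grouped before spending `afl-tmin` time on them. It assumes the target takes the testcase path as its only argument, as `bin/perl @@` does under `afl-fuzz`; the directory layout (`out/crashes`) and the `.stderr` side files are the example's own conventions.

```shell
#!/bin/sh
# Added example (not from the report above): triage a directory of AFL crash
# inputs by exit status and, for SIGABRT crashes, by the assert() location that
# a DEBUGGING build prints.  The target command is assumed to take the testcase
# file as its single argument, the way "bin/perl @@" does under afl-fuzz.

# Map a shell exit status to a coarse bucket.  A process killed by a signal
# reports 128+signal: 134 is SIGABRT (what assert() -> abort() produces),
# 139 is SIGSEGV.
classify_exit() {
  case "$1" in
    0)   echo ok ;;
    134) echo abort ;;
    139) echo segv ;;
    *)   echo "exit$1" ;;
  esac
}

# Run TARGET on one testcase file, saving stderr to ERRFILE (default: discard),
# and print the bucket.  The "|| status=$?" keeps this usable under "set -e".
run_case() {
  target=$1; case_file=$2; errfile=${3:-/dev/null}
  status=0
  "$target" "$case_file" </dev/null >/dev/null 2>"$errfile" || status=$?
  classify_exit "$status"
}

# Extract "file:line" from a glibc assert() message such as
#   perl: mg.c:964: Perl_magic_get: Assertion `...' failed.
# so that crashes hitting the same assertion can be grouped together.
assert_key() {
  sed -n 's/^[^:]*: \([^:][^:]*:[0-9][0-9]*\): .*Assertion .* failed\.$/\1/p' "$1" | head -n 1
}

# Walk DIR (e.g. out/crashes) and print "bucket<TAB>assert-key<TAB>file" per
# case.  Each distinct bucket/key is then a candidate for
#   afl-tmin -i FILE -o FILE.min -- TARGET @@
# before minimizing further by hand.
triage_dir() {
  dir=$1; target=$2
  for f in "$dir"/*; do
    [ -f "$f" ] || continue
    case "$f" in *.stderr) continue ;; esac   # skip our own side files on re-runs
    bucket=$(run_case "$target" "$f" "$f.stderr")
    key=
    [ "$bucket" = abort ] && key=$(assert_key "$f.stderr")
    printf '%s\t%s\t%s\n' "$bucket" "${key:--}" "$f"
  done
}

# Usage: sh triage.sh out/crashes /usr/local/perl-afl/bin/perl
if [ "$#" -eq 2 ]; then
  triage_dir "$1" "$2"
fi
```

Bucketing on the assertion's `file:line` rather than on the raw stderr text is deliberate: the full message embeds the expanded flag constants and a different crash path can reach the same assertion, so the location is the stable key; sort the output on the second column and minimize one representative per key.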

