# New Ticket Created by Dan Collins
# Please include the string: [perl #128238]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=128238 >


Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in debug builds of the perl interpreter. The testcase is the file below. On normal builds, this throws the expected error. On debug builds, this returns an assert fail.

use re%:=0

dcollins@nightshade64:~/perl$ ./perl -Ilib -e "use re%:=0"
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
dcollins@nightshade64:~/perl$ cd ../perldebug/
dcollins@nightshade64:~/perldebug$ ./perl -Ilib -e "use re%:=0"
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
perl: gv.c:2423: Perl_gv_check: Assertion `((stash)->sv_flags & 0x02000000)' failed.
Aborted



Debugging tool output is below. A git bisect was performed and reported the following, which is the commit in which the assert was initially added.

9075437773fb626926ef91a510090f595c08c653 is the first bad commit
commit 9075437773fb626926ef91a510090f595c08c653
Author: David Mitchell <davem@iabyn.com>
Date: Sat Feb 15 16:38:31 2014 +0000

     gv_check(): use aux flag rather than IsCOW

     Currently the SVf_IsCOW flag doesn't have any meaning for HVs,
     except that it is used in the specific case of gv_check() to temporarily
     mark a stash as being scanned. Since stashes will have the HV_AUX fields,
     we can use a flags bit in the new xhv_aux_flags field instead.

     This then potentially frees up the SVf_IsCOW for use as a new general flag
     bit for *all* HVs (including non-stash ones).

:100644 100644 42cd69cb1626c962cf97c9516e254119919d0680 4a10f9b8adf98fe5f2dc72888ab3dcbcd08ef77f M gv.c
:100644 100644 498e6f01f64c6294576e14ee2a4f389a0502e0bf 5ad1459a2e3463cc4fe28f73ae4c5858e31556ac M hv.h
:100644 100644 715b12447fcf2a8e70be4dcb35ea01edb30013a9 a54fd8f55ceb284d743fd1e5d9ed839f9adbdfb6 M sv.h
bisect run success



**GDB**

(gdb) run
Starting program: /home/dcollins/perldebug/perl -Ilib -e use\ re%:=0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
perl: gv.c:2423: Perl_gv_check: Assertion `((stash)->sv_flags & 0x02000000)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000482322 in Perl_gv_check (stash=0xab2a48) at gv.c:2423
#5 0x000000000048250d in Perl_gv_check (stash=0xa9dff8) at gv.c:2439
#6 0x000000000046152d in S_parse_body (env=0x0, xsinit=0x41e979 <xs_init>) at perl.c:2386
#7 0x000000000045f846 in perl_parse (my_perl=0xa9c010, xsinit=0x41e979 <xs_init>, argc=4, argv=0x7fffffffe628, env=0x0) at perl.c:1681
#8 0x000000000041e8d8 in main (argc=4, argv=0x7fffffffe628, env=0x7fffffffe650) at perlmain.c:114
(gdb) f 4
#4 0x0000000000482322 in Perl_gv_check (stash=0xab2a48) at gv.c:2423
2423 assert(SvOOK(stash));
(gdb) l
2418 PERL_ARGS_ASSERT_GV_CHECK;
2419
2420 if (!HvARRAY(stash))
2421 return;
2422
2423 assert(SvOOK(stash));
2424
2425 for (i = 0; i <= (I32) HvMAX(stash); i++) {
2426 const HE *entry;
2427 /* mark stash is being scanned, to avoid recursing */
(gdb)


**VALGRIND**

dcollins@nightshade64:~/perldebug$ valgrind ./perl -Ilib -e "use re%:=0"
==45407== Memcheck, a memory error detector
==45407== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==45407== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==45407== Command: ./perl -Ilib -e use\ re%:=0
==45407==
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libnsl-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libnsl-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libnsl-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libm-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libm-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libm-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libcrypt-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libcrypt-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libcrypt-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libutil-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libutil-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libutil-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
perl: gv.c:2423: Perl_gv_check: Assertion `((stash)->sv_flags & 0x02000000)' failed.
==45407==
==45407== Process terminating with default action of signal 6 (SIGABRT)
==45407== at 0x5BD8478: raise (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407== by 0x5BD98F9: abort (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407== by 0x5BD13A6: __assert_fail_base (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407== by 0x5BD1451: __assert_fail (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407== by 0x482321: Perl_gv_check (gv.c:2423)
==45407== by 0x48250C: Perl_gv_check (gv.c:2439)
==45407== by 0x46152C: S_parse_body (perl.c:2386)
==45407== by 0x45F845: perl_parse (perl.c:1681)
==45407== by 0x41E8D7: main (perlmain.c:114)
==45407==
==45407== HEAP SUMMARY:
==45407== in use at exit: 861,161 bytes in 3,199 blocks
==45407== total heap usage: 9,155 allocs, 5,956 frees, 1,640,397 bytes allocated
==45407==
==45407== LEAK SUMMARY:
==45407== definitely lost: 192 bytes in 1 blocks
==45407== indirectly lost: 2,009 bytes in 22 blocks
==45407== possibly lost: 511,553 bytes in 668 blocks
==45407== still reachable: 347,407 bytes in 2,508 blocks
==45407== of which reachable via heuristic:
==45407== newarray : 3,768 bytes in 118 blocks
==45407== suppressed: 0 bytes in 0 blocks
==45407== Rerun with --leak-check=full to see details of leaked memory
==45407==
==45407== For counts of detected and suppressed errors, rerun with: -v
==45407== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Aborted


**PERL -V**

dcollins@nightshade64:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration:
   Commit id: 9e17953912c0ab4f21dd642345727a44c388a0af
   Platform:
     osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux
     uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
     config_args='-Dusedevel -Dcc=ccache gcc-6.1 -DDEBUGGING -Doptimize=-g -des'
     hint=recommended, useposix=true, d_sigaction=define
     useithreads=undef, usemultiplicity=undef
     use64bitint=define, use64bitall=define, uselongdouble=undef
     usemymalloc=n, bincompat5005=undef
   Compiler:
     cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
     optimize='-g',
     cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
     ccversion='', gccversion='6.1.0', gccosandvers=''
     intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
     d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
     ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
     alignbytes=8, prototype=define
   Linker and Libraries:
     ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
     libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
     libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
     perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
     libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
     gnulibc_version='2.22'
   Dynamic Linking:
     dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
     cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
   Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                         PERL_DONT_CREATE_GVSV
                         PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                         PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
                         USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
                         USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                         USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO
                         USE_PERL_ATOF
   Built under linux
   Compiled at May 18 2016 19:50:06
   @INC:
     lib
     /usr/local/lib/perl5/site_perl/5.25.1/x86_64-linux
     /usr/local/lib/perl5/site_perl/5.25.1
     /usr/local/lib/perl5/5.25.1/x86_64-linux
     /usr/local/lib/perl5/5.25.1
     .


  • Father Chrysostomos via RT at May 26, 2016 at 1:11 am

    On Wed May 25 15:58:12 2016, dcollinsn@gmail.com wrote:
    > use re%:=0

    Less noisy version:

    use less %: = 0

    > A git bisect was performed and
    > reported the following, which is the commit in which the assert was
    > initially added.
    >
    > 9075437773fb626926ef91a510090f595c08c653 is the first bad commit
    > commit 9075437773fb626926ef91a510090f595c08c653
    > Author: David Mitchell <davem@iabyn.com>
    > Date: Sat Feb 15 16:38:31 2014 +0000
    >
    > gv_check(): use aux flag rather than IsCOW

    The assertion seems to be wrong.

    In fact, it seems that a BEGIN-time require *and* %: assignment are sufficient to trigger it.

    I don’t understand why ‘require’ is affecting it. It happens with re.pm and less.pm, but not utf8.pm, so presumably a line of code common to the first two is helping to trigger this.

    $ ./miniperl -Ilib -e 'BEGIN { require re; %: = 0}'
    Assertion failed: (SvOOK(stash)), function Perl_gv_check, file gv.c, line 2417.
    Abort trap: 6
    $ ./miniperl -Ilib -e 'BEGIN { require utf8; %: = 0}'
    $ ./miniperl -Ilib -e 'BEGIN { require less; %: = 0}'
    Assertion failed: (SvOOK(stash)), function Perl_gv_check, file gv.c, line 2417.
    Abort trap: 6


    --

    Father Chrysostomos


    ---
    via perlbug: queue: perl5 status: new
    https://rt.perl.org/Ticket/Display.html?id=128238
  • Father Chrysostomos via RT at May 26, 2016 at 3:12 am

    On Wed May 25 18:11:15 2016, sprout wrote:
    > On Wed May 25 15:58:12 2016, dcollinsn@gmail.com wrote:
    > > use re%:=0
    >
    > Less noisy version:
    >
    > use less %: = 0
    >
    > > A git bisect was performed and
    > > reported the following, which is the commit in which the assert was
    > > initially added.
    > >
    > > 9075437773fb626926ef91a510090f595c08c653 is the first bad commit
    > > commit 9075437773fb626926ef91a510090f595c08c653
    > > Author: David Mitchell <davem@iabyn.com>
    > > Date: Sat Feb 15 16:38:31 2014 +0000
    > >
    > > gv_check(): use aux flag rather than IsCOW
    >
    > The assertion seems to be wrong.
    >
    > In fact, it seems that a BEGIN-time require *and* %: assignment are
    > sufficient to trigger it.
    >
    > I don’t understand why ‘require’ is affecting it. It happens with
    > re.pm and less.pm, but not utf8.pm, so presumably a line of code
    > common to the first two is helping to trigger this.
    >
    > $ ./miniperl -Ilib -e 'BEGIN { require re; %: = 0}'
    > Assertion failed: (SvOOK(stash)), function Perl_gv_check, file gv.c,
    > line 2417.
    > Abort trap: 6
    > $ ./miniperl -Ilib -e 'BEGIN { require utf8; %: = 0}'
    > $ ./miniperl -Ilib -e 'BEGIN { require less; %: = 0}'
    > Assertion failed: (SvOOK(stash)), function Perl_gv_check, file gv.c,
    > line 2417.
    > Abort trap: 6

    Anything that enables warnings (of course, since without warnings enabled at least somewhere gv_check doesn’t get called).

    $ ./miniperl -Ilib -e 'BEGIN { %: = 0; $^W=1}'
    Assertion failed: (SvOOK(stash)), function Perl_gv_check, file gv.c, line 2417.
    Abort trap: 6



    --

    Father Chrysostomos


    ---
    via perlbug: queue: perl5 status: open
    https://rt.perl.org/Ticket/Display.html?id=128238
