[perl #126482] Assert fail w/o other symptoms - op.c:7750Perl_cv_const_sv_or_av
From: Dan Collins
Date: October 29, 2015 02:59
Subject: [perl #126482] Assert fail w/o other symptoms - op.c:7750Perl_cv_const_sv_or_av
Message ID: rt-4.0.18-9619-1446087550-488.126482-75-0@perl.org
# New Ticket Created by Dan Collins
# Please include the string: [perl #126482]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=126482 >
Greetings Porters,
I have compiled bleadperl with the afl-gcc compiler using:
./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -des
AFL_HARDEN=1 make && make test
And then fuzzed the resulting binary using:
AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@
After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in DEBUGGING perls without any other symptoms in the normal perl interpreter. The testcase is the file:
sub(){sub ub(){0}ub ub
This is indeed a rather odd thing to do, as it couldn't conceivably be expected to do anything but error, but since normal perls error properly, I suspect that this assert fail could be a sign that a more complex program could cause a more complex error state even in normal perls, or that normal perls could break down the line.
dcollins@nightshade64:/usr/local/perl-afl$ ./bin/perl -e 'sub(){sub ub(){0}ub ub'
perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion `((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || ((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.
Aborted
The output with a normal perl is the expected error:
dcollins@nightshade64:/usr/local/perl-afl$ ~/perl/perl -e 'sub(){sub ub(){0}ub ub'
Too many arguments for main::ub at -e line 1, at EOF
Missing right curly or square bracket at -e line 1, at end of line
syntax error at -e line 1, at EOF
Execution of -e aborted due to compilation errors.
**GDB**
(gdb) run
Starting program: /usr/local/perl-afl/bin/perl -e sub\(\)\{sub\ ub\(\)\{0\}ub\ ub
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion `((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || ((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.
Program received signal SIGABRT, Aborted.
0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf4107 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cf54e8 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6ced226 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6ced2d2 in __assert_fail ()
from /lib/x86_64-linux-gnu/libc.so.6
#4 0x0000000000441119 in Perl_cv_const_sv_or_av (cv=cv@entry=0x11ba930)
at op.c:7750
#5 0x00000000005ebb24 in Perl_yylex () at toke.c:7045
#6 0x00000000006527ad in Perl_yyparse (gramtype=gramtype@entry=258)
at perly.c:322
#7 0x000000000051e645 in S_parse_body (env=env@entry=0x0,
xsinit=xsinit@entry=0x428c60 <xs_init>) at perl.c:2307
#8 0x0000000000525437 in perl_parse (my_perl=<optimized out>,
xsinit=xsinit@entry=0x428c60 <xs_init>, argc=<optimized out>,
argv=<optimized out>, env=env@entry=0x0) at perl.c:1634
#9 0x0000000000428888 in main (argc=3, argv=0x7fffffffe658,
env=0x7fffffffe678) at perlmain.c:114
(gdb) f 4
#4 0x0000000000441119 in Perl_cv_const_sv_or_av (cv=cv@entry=0x11ba930)
at op.c:7750
7750 assert (SvTYPE(cv) == SVt_PVCV || SvTYPE(cv) == SVt_PVFM);
(gdb) info locals
__PRETTY_FUNCTION__ = "Perl_cv_const_sv_or_av"
(gdb) q
**VALGRIND**
dcollins@nightshade64:/usr/local/perl-afl$ valgrind ./bin/perl -e 'sub(){sub ub(){0}ub ub'
==23798== Memcheck, a memory error detector
==23798== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==23798== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==23798== Command: ./bin/perl -e sub(){sub\ ub(){0}ub\ ub
==23798==
perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion `((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || ((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.
==23798==
==23798== Process terminating with default action of signal 6 (SIGABRT)
==23798== at 0x5BDC107: raise (raise.c:56)
==23798== by 0x5BDD4E7: abort (abort.c:89)
==23798== by 0x5BD5225: __assert_fail_base (assert.c:92)
==23798== by 0x5BD52D1: __assert_fail (assert.c:101)
==23798== by 0x441118: Perl_cv_const_sv_or_av (op.c:7750)
==23798== by 0x5EBB23: Perl_yylex (toke.c:7045)
==23798== by 0x6527AC: Perl_yyparse (perly.c:322)
==23798== by 0x51E644: S_parse_body (perl.c:2307)
==23798== by 0x525436: perl_parse (perl.c:1634)
==23798== by 0x428887: main (perlmain.c:114)
==23798==
==23798== HEAP SUMMARY:
==23798== in use at exit: 118,114 bytes in 563 blocks
==23798== total heap usage: 697 allocs, 134 frees, 136,150 bytes allocated
==23798==
==23798== LEAK SUMMARY:
==23798== definitely lost: 176 bytes in 1 blocks
==23798== indirectly lost: 1,974 bytes in 20 blocks
==23798== possibly lost: 24 bytes in 1 blocks
==23798== still reachable: 115,940 bytes in 541 blocks
==23798== suppressed: 0 bytes in 0 blocks
==23798== Rerun with --leak-check=full to see details of leaked memory
==23798==
==23798== For counts of detected and suppressed errors, rerun with: -v
==23798== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Aborted
**PERL -V**
dcollins@nightshade64:/usr/local/perl-afl$ ./bin/perl -V
Summary of my perl5 (revision 5 version 23 subversion 5) configuration:
Commit id: 7195e5da55a40d15e29ad80562668bdd6895441f
Platform:
osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux-ld
uname='linux nightshade64 3.16.0-4-amd64 #1 smp debian 3.16.7-ckt11-1+deb8u4 (2015-09-19) x86_64 gnulinux '
config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache afl-gcc -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
hint=recommended, useposix=true, d_sigaction=define
useithreads=undef, usemultiplicity=undef
use64bitint=define, use64bitall=define, uselongdouble=define
usemymalloc=n, bincompat5005=undef
Compiler:
cc='ccache afl-gcc', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
optimize='-g',
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion='', gccversion='5.2.0', gccosandvers=''
intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
alignbytes=16, prototype=define
Linker and Libraries:
ld='ccache afl-gcc', ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-unknown-linux-gnu/5.2.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.19.so, so=so, useshrplib=false, libperl=libperl.a
gnulibc_version='2.19'
Dynamic Linking:
dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'
Characteristics of this binary (from libperl):
Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
PERL_DONT_CREATE_GVSV
PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
PERL_PRESERVE_IVUV PERL_USE_DEVEL USE_64_BIT_ALL
USE_64_BIT_INT USE_LARGE_FILES USE_LOCALE
USE_LOCALE_COLLATE USE_LOCALE_CTYPE
USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
USE_PERLIO USE_PERL_ATOF
Built under linux
Compiled at Oct 22 2015 15:44:40
@INC:
/usr/local/perl-afl/lib/site_perl/5.23.5/x86_64-linux-ld
/usr/local/perl-afl/lib/site_perl/5.23.5
/usr/local/perl-afl/lib/5.23.5/x86_64-linux-ld
/usr/local/perl-afl/lib/5.23.5
/usr/local/perl-afl/lib/site_perl/5.23.4
/usr/local/perl-afl/lib/site_perl
.
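The report above turns on a testcase that aborts a DEBUGGING perl on an assertion while a normal perl only reports syntax errors. The following triage sketch is an added example, not part of the original post or of perl's tooling: it parses the glibc assertion line quoted in the report and buckets fuzzer testcases by assertion site. The testcase names and return codes are constructed, and the function names are hypothetical.

```python
import re
import signal
from collections import defaultdict

# glibc assert(3) message: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
ASSERT_RE = re.compile(
    r"^(?P<prog>[^:\s]+): (?P<file>[^:\s]+):(?P<line>\d+): "
    r"(?P<func>[^:]+): Assertion `(?P<expr>.*)' failed\.$"
)

def parse_assert(stderr_text):
    """Return (file, line, func, expr) for the first assertion failure, else None."""
    for line in stderr_text.splitlines():
        m = ASSERT_RE.match(line.strip())
        if m:
            return (m["file"], int(m["line"]), m["func"], m["expr"])
    return None

def classify(debug_rc, debug_stderr, normal_rc):
    """Compare one testcase on a DEBUGGING and a normal build (rc < 0 = killed by signal)."""
    site = parse_assert(debug_stderr)
    if debug_rc == -signal.SIGABRT and site:
        kind = "assert-only" if normal_rc >= 0 else "assert+normal-crash"
    elif debug_rc < 0 or normal_rc < 0:
        kind = "signal"
    else:
        kind = "clean"
    return kind, site

def bucket(results):
    """Group testcase names by (kind, file, func) so one bug yields one bucket."""
    groups = defaultdict(list)
    for name, debug_rc, debug_stderr, normal_rc in results:
        kind, site = classify(debug_rc, debug_stderr, normal_rc)
        key = (kind, site[0], site[2]) if site else (kind, None, None)
        groups[key].append(name)
    return dict(groups)

# Constructed sample: the assertion text is the line quoted in the report; the
# testcase names and return codes (-6 = SIGABRT, 255 = compile error) are assumed.
ASSERT_LINE = ("perl: op.c:7750: Perl_cv_const_sv_or_av: Assertion "
               "`((svtype)((cv)->sv_flags & 0xff)) == SVt_PVCV || "
               "((svtype)((cv)->sv_flags & 0xff)) == SVt_PVFM' failed.\n")
SAMPLE = [
    ("id:000000", -6, ASSERT_LINE, 255),
    ("id:000001", -6, ASSERT_LINE, 255),
    ("id:000002", 255, "syntax error at -e line 1, at EOF\n", 255),
]

if __name__ == "__main__":
    for key, names in bucket(SAMPLE).items():
        print(key, names)
```

The bucket key omits the line number so that the same assertion still groups together after `op.c` shifts between commits.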