develooper Front page | perl.perl5.porters | Postings from May 2016

[perl #128207] Assert fail in vutil.c with very large versionnumbers in warnings in quadmath builds: `use B.9E90`

Dan Collins
May 21, 2016 14:56
[perl #128207] Assert fail in vutil.c with very large versionnumbers in warnings in quadmath builds: `use B.9E90`
Message ID:
# New Ticket Created by  Dan Collins 
# Please include the string:  [perl #128207]
# in the subject line of all future correspondence about this issue. 
# <URL: >

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -DDEBUGGING -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl -t -W @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers a assert fail in debugging builds of the perl interpreter. The testcase is the file below. On most perls, this exits with the correct errors - version v.Inf required. However, on debugging builds, with quadmath enabled, with -W, the following assert failure is emitted. This seems to be harmless?

use B.9E90

dcollins@nightshade64:~/perlquad$ ./perl -W -e 'use B.9E90'
Use of uninitialized value in subroutine entry at -e line 1.
        main::BEGIN() called at -e line 1
        eval {...} called at -e line 1
perl: vutil.c:666: Perl_upg_version: Assertion `PL_numeric_standard == 2' failed.


dcollins@nightshade64:~/perlquad$ ./perl -W -e 'use B.9E90'
Use of uninitialized value in subroutine entry at -e line 1.
        main::BEGIN() called at -e line 1
        eval {...} called at -e line 1
Integer overflow in version at -e line 1.
        main::BEGIN() called at -e line 1
        eval {...} called at -e line 1
B version v.Inf required--this is only version 1.62 at /usr/local/perl-afl/lib/5.25.1/Exporter/ line 125.
BEGIN failed--compilation aborted at -e line 1.

Debugging tool output is below. A git bisect was attempted. In very old perls (5.14.0), this emitted a "panic: snprintf buffer overflow". With that marked as "good" and the assert fail marked as "bad", bisect reports the following commit, which is the commit where the assert was first added, so, not too helpful.

7738054cc936a59cb4b0e0da328f287c9ec8a98a is the first bad commit
commit 7738054cc936a59cb4b0e0da328f287c9ec8a98a
Author: Karl Williamson <>
Date:   Sun Jun 1 20:07:30 2014 -0600

    Allow dynamic lock of LC_NUMERIC

    When processing version strings, the radix character must be a dot even
    if we otherwise would be using some other character.  vutil.c
    upg_version() changes to the dot, but calls sv_catpvf() which may try to
    change the character to something else.  This commit introduces a way to
    lock the character to a dot around the call to sv_catpvf()

    vutil.c is cpan-upstream, but already blead and cpan have diverged, so
    this just updates the SHA of the new version

:100644 100644 17b2551773d01d16fd1fbf6f903a0e33ac469a98 3e7d4a36f7eecdd94c3ac1bb                                                                                                                     afd5e50fdcdea909 M      intrpvar.h
:100644 100644 3004dce9c91e33a609fae2a2a175a7629e99b2bf 929a249a81e8539280c570c9                                                                                                                     5d7a11a6c894fba7 M      locale.c
:100644 100644 970a25ff1ab63f04dfaf5da3185cb24acae684f1 3ee2cd49af29e095b1043863                                                                                                                     e13de3eabf75fcda M      perl.h
:040000 040000 6e5355877cdc8a2fb233b8b41ca2bc291260666b c189fbc99068c0bbc43c93af                                                                                                                     95184858b14c0e95 M      t
:100644 100644 200ff73cb6591247cb48a2f76fd89f52711a9af4 6f92d33274f31422a5c76001                                                                                                                     2ceb2e430b129e88 M      vutil.c
bisect run success


dcollins@nightshade64:~/perlquad$ gdb --args ./perl -Ilib -W -e 'use B.9E90'
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
Find the GDB manual and other documentation resources online at:
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl...done.
(gdb) run
Starting program: /home/dcollins/perlquad/perl -Ilib -W -e use\ B.9E90
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/".
Use of uninitialized value in subroutine entry at -e line 1.
        main::BEGIN() called at -e line 1
        eval {...} called at -e line 1
perl: vutil.c:666: Perl_upg_version: Assertion `PL_numeric_standard == 2' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/
(gdb) bt
#0  0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/
#1  0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/
#2  0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/
#3  0x00007ffff6cf2452 in __assert_fail ()
   from /lib/x86_64-linux-gnu/
#4  0x0000000000566ba2 in Perl_upg_version (ver=0xb18f30, qv=false)
    at vutil.c:666
#5  0x000000000056618d in Perl_new_version (ver=0xb18f18) at vutil.c:551
#6  0x00000000007089dd in XS_universal_version (cv=0xaa3450) at
#7  0x00000000005bf883 in Perl_pp_entersub () at pp_hot.c:3990
#8  0x0000000000559874 in Perl_runops_debug () at dump.c:2239
#9  0x0000000000463653 in Perl_call_sv (sv=0xab7840, flags=13) at perl.c:2841
#10 0x000000000046d36f in Perl_call_list (oldscope=2, paramList=0xab79a8)
    at perl.c:5009
#11 0x0000000000442c33 in S_process_special_blocks (floor=39,
    fullname=0xab1b10 "BEGIN", gv=0xab79c0, cv=0xab7840) at op.c:8781
#12 0x00000000004424c7 in Perl_newATTRSUB_x (floor=39, o=0xac2218, proto=0x0,
    attrs=0x0, block=0xac21d8, o_is_gv=false) at op.c:8710
#13 0x00000000004321cc in Perl_utilize (aver=1, floor=39, version=0x0,
    idop=0xac0b08, arg=0xac1df8) at op.c:6084
#14 0x00000000004d55ed in Perl_yyparse (gramtype=258) at perly.y:351
#15 0x0000000000461461 in S_parse_body (env=0x0, xsinit=0x41ea19 <xs_init>)
    at perl.c:2365
---Type <return> to continue, or q <return> to quit---
#16 0x000000000045f8a7 in perl_parse (my_perl=0xaa1010,
    xsinit=0x41ea19 <xs_init>, argc=5, argv=0x7fffffffe608, env=0x0)
    at perl.c:1681
#17 0x000000000041e978 in main (argc=5, argv=0x7fffffffe608,
    env=0x7fffffffe638) at perlmain.c:114
(gdb) f 4
#4  0x0000000000566ba2 in Perl_upg_version (ver=0xb18f30, qv=false)
    at vutil.c:666
666             UNLOCK_NUMERIC_STANDARD();
(gdb) l
661             }
662             else {
663                 len = my_snprintf(tbuf, sizeof(tbuf), "%.9"NVff, SvNVX(ver));
664                 buf = tbuf;
665             }
666             UNLOCK_NUMERIC_STANDARD();
667             RESTORE_NUMERIC_LOCAL();
668             }
669             while (buf[len-1] == '0' && len > 0) len--;
670             if ( buf[len-1] == '.' ) len--; /* eat the trailing decimal */
(gdb) info locals
_was_local = false
len = 100
tbuf = "\320Q\267\000\000\000\000\000\360I\266\000\000\000\000\000\060\a\261\000\n\000\000\000\220I\266\000\000\000\000\000\360I\266\000\000\000\000\000\000\206\271\351\rvf\275\360\316\377\377\377\177\000\000\216pV\000\000\000\000"
sv = 0xb75a70
buf = 0xb05ec0 "8", '9' <repeats 36 times>, "79916978141823691996788351450347598460165708610273280.000000000"
version = 0x602c48 <Perl_newSVpvn+146> "H\213E\360\311\303UH\211\345H\203\354pH\211}\230dH\213\004%("
s = 0x7fffffffe600 "\005"
mg = 0xb64990
__PRETTY_FUNCTION__ = "Perl_upg_version"
(gdb) q
A debugging session is active.

        Inferior 1 [process 20534] will be killed.

Quit anyway? (y or n) y


==13582== Process terminating with default action of signal 6 (SIGABRT)
==13582==    at 0x5BD8478: raise (in /lib/x86_64-linux-gnu/
==13582==    by 0x5BD98F9: abort (in /lib/x86_64-linux-gnu/
==13582==    by 0x5BD13A6: __assert_fail_base (in /lib/x86_64-linux-gnu/
==13582==    by 0x5BD1451: __assert_fail (in /lib/x86_64-linux-gnu/
==13582==    by 0x566BA1: Perl_upg_version (vutil.c:666)
==13582==    by 0x56618C: Perl_new_version (vutil.c:551)
==13582==    by 0x7089DC: XS_universal_version (
==13582==    by 0x5BF882: Perl_pp_entersub (pp_hot.c:3990)
==13582==    by 0x559873: Perl_runops_debug (dump.c:2239)
==13582==    by 0x463652: Perl_call_sv (perl.c:2841)
==13582==    by 0x46D36E: Perl_call_list (perl.c:5009)
==13582==    by 0x442C32: S_process_special_blocks (op.c:8781)
==13582== HEAP SUMMARY:
==13582==     in use at exit: 1,301,684 bytes in 4,925 blocks
==13582==   total heap usage: 11,622 allocs, 6,697 frees, 2,283,630 bytes allocated
==13582== LEAK SUMMARY:
==13582==    definitely lost: 192 bytes in 1 blocks
==13582==    indirectly lost: 2,027 bytes in 22 blocks
==13582==      possibly lost: 626,677 bytes in 451 blocks
==13582==    still reachable: 672,788 bytes in 4,451 blocks
==13582==                       of which reachable via heuristic:
==13582==                         newarray           : 3,032 bytes in 95 blocks
==13582==         suppressed: 0 bytes in 0 blocks
==13582== Rerun with --leak-check=full to see details of leaked memory
==13582== For counts of detected and suppressed errors, rerun with: -v
==13582== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)

**PERL -V**

dcollins@nightshade64:~/perlquad$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration:
  Commit id: 9e17953912c0ab4f21dd642345727a44c388a0af
    osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-quadmath
    uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
    config_args='-Dusedevel -Dcc=ccache gcc-6.1 -Uuselongdouble -Duse64bitall -Dusequadmath -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
    cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.1.0', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='__float128', nvsize=16, Off_t='off_t', lseeksize=8
    alignbytes=16, prototype=define
  Linker and Libraries:
    ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc -lquadmath, so=so, useshrplib=false, libperl=libperl.a
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl):
                        USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
                        USE_PERL_ATOF USE_QUADMATH
  Built under linux
  Compiled at May 21 2016 10:01:53
    . Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About