develooper Front page | perl.perl5.porters | Postings from May 2016

[perl #128238] Assert fail in gv.c without other symptoms: usere%:=0

From: Dan Collins
Date: May 25, 2016 22:58
Subject: [perl #128238] Assert fail in gv.c without other symptoms: usere%:=0
Message ID: rt-4.0.18-20979-1464217092-1638.128238-75-0@perl.org
# New Ticket Created by  Dan Collins 
# Please include the string:  [perl #128238]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=128238 >


Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @@

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in debug builds of the perl interpreter. The testcase is the file below. On normal builds, this throws the expected error. On debug builds, this returns an assert fail.

use re%:=0

dcollins@nightshade64:~/perl$ ./perl -Ilib -e "use re%:=0"
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
dcollins@nightshade64:~/perl$ cd ../perldebug/
dcollins@nightshade64:~/perldebug$ ./perl -Ilib -e "use re%:=0"
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
perl: gv.c:2423: Perl_gv_check: Assertion `((stash)->sv_flags & 0x02000000)' failed.
Aborted



Debugging tool output is below. A git bisect was performed and reported the following, which is the commit in which the assert was initially added.

9075437773fb626926ef91a510090f595c08c653 is the first bad commit
commit 9075437773fb626926ef91a510090f595c08c653
Author: David Mitchell <davem@iabyn.com>
Date:   Sat Feb 15 16:38:31 2014 +0000

    gv_check(): use aux flag rather than IsCOW

    Currently the SVf_IsCOW flag doesn't have any meaning for HVs,
    except that it is used in the specific case of gv_check() to temporarily
    mark a stash as being scanned. Since stashes will have the HV_AUX fields,
    we can use a flags bit in the new xhv_aux_flags field instead.

    This then potentially frees up the SVf_IsCOW for use as a new general flag
    bit for *all* HVs (including non-stash ones).

:100644 100644 42cd69cb1626c962cf97c9516e254119919d0680 4a10f9b8adf98fe5f2dc72888ab3dcbcd08ef77f M      gv.c
:100644 100644 498e6f01f64c6294576e14ee2a4f389a0502e0bf 5ad1459a2e3463cc4fe28f73ae4c5858e31556ac M      hv.h
:100644 100644 715b12447fcf2a8e70be4dcb35ea01edb30013a9 a54fd8f55ceb284d743fd1e5d9ed839f9adbdfb6 M      sv.h
bisect run success



**GDB**

(gdb) run
Starting program: /home/dcollins/perldebug/perl -Ilib -e use\ re%:=0
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
perl: gv.c:2423: Perl_gv_check: Assertion `((stash)->sv_flags & 0x02000000)' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0  0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1  0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2  0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3  0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4  0x0000000000482322 in Perl_gv_check (stash=0xab2a48) at gv.c:2423
#5  0x000000000048250d in Perl_gv_check (stash=0xa9dff8) at gv.c:2439
#6  0x000000000046152d in S_parse_body (env=0x0, xsinit=0x41e979 <xs_init>) at perl.c:2386
#7  0x000000000045f846 in perl_parse (my_perl=0xa9c010, xsinit=0x41e979 <xs_init>, argc=4, argv=0x7fffffffe628, env=0x0) at perl.c:1681
#8  0x000000000041e8d8 in main (argc=4, argv=0x7fffffffe628, env=0x7fffffffe650) at perlmain.c:114
(gdb) f 4
#4  0x0000000000482322 in Perl_gv_check (stash=0xab2a48) at gv.c:2423
2423        assert(SvOOK(stash));
(gdb) l
2418        PERL_ARGS_ASSERT_GV_CHECK;
2419
2420        if (!HvARRAY(stash))
2421            return;
2422
2423        assert(SvOOK(stash));
2424
2425        for (i = 0; i <= (I32) HvMAX(stash); i++) {
2426            const HE *entry;
2427            /* mark stash is being scanned, to avoid recursing */
(gdb)


**VALGRIND**

dcollins@nightshade64:~/perldebug$ valgrind ./perl -Ilib -e "use re%:=0"
==45407== Memcheck, a memory error detector
==45407== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==45407== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==45407== Command: ./perl -Ilib -e use\ re%:=0
==45407==
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/ld-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libnsl-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libnsl-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libnsl-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libdl-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libm-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libm-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libm-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libcrypt-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libcrypt-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libcrypt-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libutil-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libutil-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libutil-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.22.so:
--45407-- Ignoring non-Dwarf2/3/4 block in .debug_info
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.22.so:
--45407-- Last block truncated in .debug_info; ignoring
--45407-- WARNING: Serious error when reading debug info
--45407-- When reading debug info from /lib/x86_64-linux-gnu/libc-2.22.so:
--45407-- parse_CU_Header: is neither DWARF2 nor DWARF3 nor DWARF4
Unknown "re" subpragma '0' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 128.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in string eq at lib/re.pm line 146.
Use of uninitialized value $s in exists at lib/re.pm line 150.
Use of uninitialized value $s in hash element at lib/re.pm line 152.
Use of uninitialized value $s in string eq at lib/re.pm line 155.
Use of uninitialized value $s in substitution (s///) at lib/re.pm line 180.
Use of uninitialized value $s in concatenation (.) or string at lib/re.pm line 246.
Unknown "re" subpragma '' (known ones are: 'debug', 'debugcolor', 'eval', 'taint') at -e line 1.
perl: gv.c:2423: Perl_gv_check: Assertion `((stash)->sv_flags & 0x02000000)' failed.
==45407==
==45407== Process terminating with default action of signal 6 (SIGABRT)
==45407==    at 0x5BD8478: raise (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407==    by 0x5BD98F9: abort (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407==    by 0x5BD13A6: __assert_fail_base (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407==    by 0x5BD1451: __assert_fail (in /lib/x86_64-linux-gnu/libc-2.22.so)
==45407==    by 0x482321: Perl_gv_check (gv.c:2423)
==45407==    by 0x48250C: Perl_gv_check (gv.c:2439)
==45407==    by 0x46152C: S_parse_body (perl.c:2386)
==45407==    by 0x45F845: perl_parse (perl.c:1681)
==45407==    by 0x41E8D7: main (perlmain.c:114)
==45407==
==45407== HEAP SUMMARY:
==45407==     in use at exit: 861,161 bytes in 3,199 blocks
==45407==   total heap usage: 9,155 allocs, 5,956 frees, 1,640,397 bytes allocated
==45407==
==45407== LEAK SUMMARY:
==45407==    definitely lost: 192 bytes in 1 blocks
==45407==    indirectly lost: 2,009 bytes in 22 blocks
==45407==      possibly lost: 511,553 bytes in 668 blocks
==45407==    still reachable: 347,407 bytes in 2,508 blocks
==45407==                       of which reachable via heuristic:
==45407==                         newarray           : 3,768 bytes in 118 blocks
==45407==         suppressed: 0 bytes in 0 blocks
==45407== Rerun with --leak-check=full to see details of leaked memory
==45407==
==45407== For counts of detected and suppressed errors, rerun with: -v
==45407== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Aborted


**PERL -V**

dcollins@nightshade64:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 1) configuration:
  Commit id: 9e17953912c0ab4f21dd642345727a44c388a0af
  Platform:
    osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux
    uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
    config_args='-Dusedevel -Dcc=ccache gcc-6.1 -DDEBUGGING -Doptimize=-g -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-g',
    cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='6.1.0', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.22'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
                        PERL_DONT_CREATE_GVSV
                        PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
                        PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
                        USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
                        USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
                        USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_PERLIO
                        USE_PERL_ATOF
  Built under linux
  Compiled at May 18 2016 19:50:06
  @INC:
    lib
    /usr/local/lib/perl5/site_perl/5.25.1/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.1
    /usr/local/lib/perl5/5.25.1/x86_64-linux
    /usr/local/lib/perl5/5.25.1
    .

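Editor's added illustration, not part of this report and not perl's own gv.c code: a small C model of the scan-in-progress marker that the bisected commit moved into the stash aux flags. The gdb listing shows `assert(SvOOK(stash))` guarding the walk and the comment "mark stash is being scanned, to avoid recursing"; the model below has a stash type that carries an aux block with that bit, a plain-hash type that does not, and a walker that either asserts the invariant (modelled as returning -1) or checks it and skips the table. The names (`walk`, `has_aux`, `AUX_SCANNING`), the sample layout, and the assumption that nested stashes are recognised by an entry name ending in ':' are all constructed for this example; the page itself shows only that `Perl_gv_check` recursed once (frames #5 and #4) before the assert fired.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a symbol-table walk; this is NOT perl's gv.c.
 * A "stash" carries an aux block holding a scan-in-progress bit (the
 * xhv_aux_flags bit from the bisected commit); a plain hash has no aux
 * block, which is what assert(SvOOK(stash)) in the gdb listing checks. */

#define AUX_SCANNING 0x1u
#define MAX_ENTRIES  8

struct table;

struct entry {
    const char   *key;
    struct table *child;      /* non-NULL when the value is itself a hash */
};

struct table {
    bool     has_aux;         /* models SvOOK(): true only for real stashes */
    unsigned aux_flags;       /* meaningful only when has_aux is true */
    size_t   n;
    struct entry entries[MAX_ENTRIES];
};

/* Recursive walk. Assumption (not stated on the page): nested stashes are
 * recognised by an entry name ending in ':'. Returns the number of stashes
 * visited, or -1 where the unguarded variant would have tripped the assert
 * by reading aux state from a table that has none. */
static int walk(struct table *t, bool guard)
{
    if (t->n == 0)
        return 0;                       /* mirrors the early return on !HvARRAY */
    if (!t->has_aux)
        return guard ? 0 : -1;          /* guarded: not a stash, nothing to scan */
    if (t->aux_flags & AUX_SCANNING)
        return 0;                       /* already on the current path: a cycle */

    t->aux_flags |= AUX_SCANNING;
    int visited = 1;
    for (size_t i = 0; i < t->n; i++) {
        const struct entry *e = &t->entries[i];
        size_t len = strlen(e->key);
        if (len > 0 && e->key[len - 1] == ':' && e->child != NULL) {
            int r = walk(e->child, guard);
            if (r < 0) {
                t->aux_flags &= ~AUX_SCANNING;
                return -1;
            }
            visited += r;
        }
    }
    t->aux_flags &= ~AUX_SCANNING;
    return visited;
}

static struct table main_stash, re_stash, plain_hash;

static void add(struct table *t, const char *key, struct table *child)
{
    assert(t->n < MAX_ENTRIES);
    t->entries[t->n].key = key;
    t->entries[t->n].child = child;
    t->n++;
}

/* Constructed layout loosely modelled on the report: "main::" points back
 * at the root (a genuine cycle), "re::" at a real stash, and ":" at a plain
 * hash that has entries but no aux block. */
static void build(void)
{
    memset(&main_stash, 0, sizeof main_stash);
    memset(&re_stash,   0, sizeof re_stash);
    memset(&plain_hash, 0, sizeof plain_hash);
    main_stash.has_aux = true;
    re_stash.has_aux   = true;
    plain_hash.has_aux = false;

    add(&main_stash, "main::", &main_stash);
    add(&main_stash, "re::",   &re_stash);
    add(&main_stash, ":",      &plain_hash);
    add(&re_stash,   "import", NULL);
    add(&plain_hash, "0",      NULL);
}

int run_unguarded(void) { build(); return walk(&main_stash, false); }  /* -1 */
int run_guarded(void)   { build(); return walk(&main_stash, true);  }  /*  2 */

int main(void)
{
    printf("unguarded walk: %d\n", run_unguarded());
    printf("guarded walk:   %d\n", run_guarded());
    return 0;
}
```

The two runs differ only in whether the walker verifies that a table actually carries the aux block before it reads the scan bit: the unguarded run reaches the plain hash and stops with -1 (the modelled assert), the guarded run skips it and finishes the walk, visiting the root and the nested stash once each despite the self-reference. A trailing-':' naming heuristic alone is not proof that a value is a stash, so the cheap `has_aux` check is what keeps the flag-in-aux design safe on debug and production builds alike.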
