# New Ticket Created by Brian Carpenter
# Please include the string: [perl #129087]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=129087 >

Null pointer deref and segfault in v5.25.5 (v5.25.4-10-g8d168aa) triggered by:

perl -e '*0=@0=*0=@0=@0=%::=@0=$0=%0=0'

==23769==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000000c (pc 0x00000091fce8 bp 0x7ffd62207a00 sp 0x7ffd622078e0 T0)
    #0 0x91fce7 in Perl_sv_setsv_flags /root/perl/sv.c:4558:3
    #1 0x89e56e in Perl_pp_sassign /root/perl/pp_hot.c:226:5
    #2 0x7f1dd3 in Perl_runops_debug /root/perl/dump.c:2234:23
    #3 0x5a1234 in S_run_body /root/perl/perl.c:2525:2
    #4 0x5a1234 in perl_run /root/perl/perl.c:2448
    #5 0x4de85d in main /root/perl/perlmain.c:123:9
    #6 0x7f7132ed6b44 in __libc_start_main /build/glibc-uPj9cH/glibc-2.19/csu/libc-start.c:287
    #7 0x4de4cc in _start (/root/perl/perl+0x4de4cc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /root/perl/sv.c:4558 Perl_sv_setsv_flags
==23769==ABORTING

On a non-instrumented build, we can look at the same thing in Valgrind:

valgrind -q ./unperl -e '*0=@0=*0=@0=@0=%::=@0=$0=%0=0'

==18924== Invalid read of size 4
==18924==    at 0x521444: Perl_sv_setsv_flags (sv.c:4558)
==18924==    by 0x4FEEE5: Perl_pp_sassign (pp_hot.c:226)
==18924==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==18924==    by 0x452E96: S_run_body (perl.c:2525)
==18924==    by 0x452E96: perl_run (perl.c:2448)
==18924==    by 0x421834: main (perlmain.c:123)
==18924==  Address 0xc is not stack'd, malloc'd or (recently) free'd
==18924==
==18924==
==18924== Process terminating with default action of signal 11 (SIGSEGV)
==18924==  Access not within mapped region at address 0xC
==18924==    at 0x521444: Perl_sv_setsv_flags (sv.c:4558)
==18924==    by 0x4FEEE5: Perl_pp_sassign (pp_hot.c:226)
==18924==    by 0x4D6261: Perl_runops_debug (dump.c:2234)
==18924==    by 0x452E96: S_run_body (perl.c:2525)
==18924==    by 0x452E96: perl_run (perl.c:2448)
==18924==    by 0x421834: main (perlmain.c:123)
==18924==  If you believe this happened as a result of a stack
==18924==  overflow in your program's main thread (unlikely but
==18924==  possible), you can try to increase the size of the
==18924==  main thread stack using the --main-stacksize= flag.
==18924==  The main thread stack size used in this run was 8388608.
Segmentation fault