develooper Front page | perl.perl5.porters | Postings from September 2016

[perl #129176] Conditional jump depends on uninitialized values in S_scan_heredoc

From:
Dan Collins
Date:
September 2, 2016 20:38
Subject:
[perl #129176] Conditional jump depends on uninitialized values in S_scan_heredoc
Message ID:
rt-4.0.24-5712-1472848701-451.129176-75-0@perl.org
# New Ticket Created by  Dan Collins 
# Please include the string:  [perl #129176]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=129176 >


$ perl -e 'print "<<`\\"' | valgrind ../bin/perl
==20392== Conditional jump or move depends on uninitialised value(s)
==20392==    at 0x4C2D67A: __GI_strchr (vg_replace_strmem.c:246)
==20392==    by 0x4DA7A9: S_scan_heredoc (toke.c:9590)
==20392==    by 0x4DA7A9: Perl_yylex (toke.c:6216)
==20392==    by 0x4F7C05: Perl_yyparse (perly.c:334)
==20392==    by 0x479F38: S_parse_body (perl.c:2373)
==20392==    by 0x479F38: perl_parse (perl.c:1689)
==20392==    by 0x41FCB2: main (perlmain.c:121)
==20392==
==20392== Conditional jump or move depends on uninitialised value(s)
==20392==    at 0x4C2D680: __GI_strchr (vg_replace_strmem.c:246)
==20392==    by 0x4DA7A9: S_scan_heredoc (toke.c:9590)
==20392==    by 0x4DA7A9: Perl_yylex (toke.c:6216)
==20392==    by 0x4F7C05: Perl_yyparse (perly.c:334)
==20392==    by 0x479F38: S_parse_body (perl.c:2373)
==20392==    by 0x479F38: perl_parse (perl.c:1689)
==20392==    by 0x41FCB2: main (perlmain.c:121)
==20392==
Can't find string terminator "\" anywhere before EOF at - line 1.
==20392==
==20392== HEAP SUMMARY:
==20392==     in use at exit: 144,138 bytes in 535 blocks
==20392==   total heap usage: 688 allocs, 153 frees, 185,856 bytes allocated
==20392==
==20392== LEAK SUMMARY:
==20392==    definitely lost: 7,590 bytes in 15 blocks
==20392==    indirectly lost: 136,548 bytes in 520 blocks
==20392==      possibly lost: 0 bytes in 0 blocks
==20392==    still reachable: 0 bytes in 0 blocks
==20392==         suppressed: 0 bytes in 0 blocks
==20392== Rerun with --leak-check=full to see details of leaked memory
==20392==
==20392== For counts of detected and suppressed errors, rerun with: -v
==20392== Use --track-origins=yes to see where uninitialised values come from
==20392== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)

I'll also include a disassembly, to highlight that this is happening in some SSE type instructions:

dcollins@nightshade64:/usr/local/perl-afl/out$ LD_PRELOAD=/home/dcollins/toolchain/afl-2.32b/libdislocator/libdislocator.so gdb --args ../bin/perl allcrash/f1i000000
GNU gdb (Debian 7.11.1-2) 7.11.1
Copyright (C) 2016 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ../bin/perl...done.
(gdb) run
Starting program: /usr/local/perl-afl/bin/perl allcrash/f1i000000
b[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
__strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:87
87      ../sysdeps/x86_64/multiarch/../strchr.S: No such file or directory.
(gdb) bt
#0  __strchr_sse2 () at ../sysdeps/x86_64/multiarch/../strchr.S:87
#1  0x00000000004da7aa in S_scan_heredoc (my_perl=0x7ffff7ff3258,
    s=0x7ffff65c0ffc "AAAA") at toke.c:9590
#2  Perl_yylex (my_perl=<optimized out>) at toke.c:6216
#3  0x00000000004f7c06 in Perl_yyparse (my_perl=<optimized out>,
    gramtype=<optimized out>) at perly.c:334
#4  0x0000000000479f39 in S_parse_body (my_perl=<optimized out>,
    env=<optimized out>, xsinit=<optimized out>) at perl.c:2373
#5  perl_parse (my_perl=<optimized out>, xsinit=<optimized out>,
    argc=<optimized out>, argv=<optimized out>, env=<optimized out>)
    at perl.c:1689
#6  0x000000000041fcb3 in main (argc=-161738816, argv=0xf65c0f3c,
    env=<optimized out>) at perlmain.c:121
(gdb) exploitable
Description: Access violation on source operand
Short description: SourceAv (19/22)
Hash: 3cda16a9d29df0c5bcdcdcd95093363c.9c89f70cf23d6b4b31419a8bd7bf434f
Exploitability Classification: UNKNOWN
Explanation: The target crashed on an access violation at an address matching the source operand of the current instruction. This likely indicates a read access violation.
Other tags: AccessViolation (21/22)
(gdb) disassemble
Dump of assembler code for function __strchr_sse2:
   0x00007ffff6b3a2e0 <+0>:     movd   xmm1,esi
   0x00007ffff6b3a2e4 <+4>:     mov    eax,edi
   0x00007ffff6b3a2e6 <+6>:     and    eax,0xfff
   0x00007ffff6b3a2eb <+11>:    punpcklbw xmm1,xmm1
   0x00007ffff6b3a2ef <+15>:    cmp    eax,0xfc0
   0x00007ffff6b3a2f4 <+20>:    punpcklwd xmm1,xmm1
   0x00007ffff6b3a2f8 <+24>:    pshufd xmm1,xmm1,0x0
   0x00007ffff6b3a2fd <+29>:    jg     0x7ffff6b3a460 <__strchr_sse2+384>
   0x00007ffff6b3a303 <+35>:    movdqu xmm0,XMMWORD PTR [rdi]
   0x00007ffff6b3a307 <+39>:    pxor   xmm3,xmm3
   0x00007ffff6b3a30b <+43>:    movdqa xmm4,xmm0
   0x00007ffff6b3a30f <+47>:    pcmpeqb xmm0,xmm1
   0x00007ffff6b3a313 <+51>:    pcmpeqb xmm4,xmm3
   0x00007ffff6b3a317 <+55>:    por    xmm0,xmm4
   0x00007ffff6b3a31b <+59>:    pmovmskb eax,xmm0
   0x00007ffff6b3a31f <+63>:    test   eax,eax
   0x00007ffff6b3a321 <+65>:    je     0x7ffff6b3a338 <__strchr_sse2+88>
   0x00007ffff6b3a323 <+67>:    bsf    eax,eax
   0x00007ffff6b3a326 <+70>:    mov    edx,0x0
   0x00007ffff6b3a32b <+75>:    lea    rax,[rdi+rax*1]
   0x00007ffff6b3a32f <+79>:    cmp    BYTE PTR [rax],sil
   0x00007ffff6b3a332 <+82>:    cmovne rax,rdx
   0x00007ffff6b3a336 <+86>:    ret
   0x00007ffff6b3a337 <+87>:    nop
   0x00007ffff6b3a338 <+88>:    movdqu xmm0,XMMWORD PTR [rdi+0x10]
   0x00007ffff6b3a33d <+93>:    movdqa xmm4,xmm0
   0x00007ffff6b3a341 <+97>:    pcmpeqb xmm0,xmm1
   0x00007ffff6b3a345 <+101>:   pcmpeqb xmm4,xmm3
   0x00007ffff6b3a349 <+105>:   por    xmm0,xmm4
   0x00007ffff6b3a34d <+109>:   pmovmskb ecx,xmm0
   0x00007ffff6b3a351 <+113>:   movdqu xmm0,XMMWORD PTR [rdi+0x20]
   0x00007ffff6b3a356 <+118>:   movdqa xmm4,xmm0
   0x00007ffff6b3a35a <+122>:   pcmpeqb xmm0,xmm1
   0x00007ffff6b3a35e <+126>:   shl    rcx,0x10
   0x00007ffff6b3a362 <+130>:   pcmpeqb xmm4,xmm3
   0x00007ffff6b3a366 <+134>:   por    xmm0,xmm4
   0x00007ffff6b3a36a <+138>:   pmovmskb eax,xmm0
   0x00007ffff6b3a36e <+142>:   movdqu xmm0,XMMWORD PTR [rdi+0x30]
   0x00007ffff6b3a373 <+147>:   pcmpeqb xmm3,xmm0
   0x00007ffff6b3a377 <+151>:   shl    rax,0x20
   0x00007ffff6b3a37b <+155>:   pcmpeqb xmm0,xmm1
   0x00007ffff6b3a37f <+159>:   or     rax,rcx
   0x00007ffff6b3a382 <+162>:   por    xmm0,xmm3
   0x00007ffff6b3a386 <+166>:   pmovmskb ecx,xmm0
   0x00007ffff6b3a38a <+170>:   shl    rcx,0x30
   0x00007ffff6b3a38e <+174>:   or     rax,rcx
   0x00007ffff6b3a391 <+177>:   test   rax,rax
   0x00007ffff6b3a394 <+180>:   jne    0x7ffff6b3a440 <__strchr_sse2+352>
   0x00007ffff6b3a39a <+186>:   nop    WORD PTR [rax+rax*1+0x0]
   0x00007ffff6b3a3a0 <+192>:   pxor   xmm6,xmm6
   0x00007ffff6b3a3a4 <+196>:   and    rdi,0xffffffffffffffc0
   0x00007ffff6b3a3a8 <+200>:   add    rdi,0x40
=> 0x00007ffff6b3a3ac <+204>:   movdqa xmm5,XMMWORD PTR [rdi]
   0x00007ffff6b3a3b0 <+208>:   movdqa xmm2,XMMWORD PTR [rdi+0x10]
   0x00007ffff6b3a3b5 <+213>:   movdqa xmm3,XMMWORD PTR [rdi+0x20]
   0x00007ffff6b3a3ba <+218>:   pxor   xmm5,xmm1
   0x00007ffff6b3a3be <+222>:   movdqa xmm4,XMMWORD PTR [rdi+0x30]
   0x00007ffff6b3a3c3 <+227>:   pxor   xmm2,xmm1
   0x00007ffff6b3a3c7 <+231>:   pxor   xmm3,xmm1
   0x00007ffff6b3a3cb <+235>:   pminub xmm5,XMMWORD PTR [rdi]
   0x00007ffff6b3a3cf <+239>:   pxor   xmm4,xmm1
   0x00007ffff6b3a3d3 <+243>:   pminub xmm2,XMMWORD PTR [rdi+0x10]
   0x00007ffff6b3a3d8 <+248>:   pminub xmm3,XMMWORD PTR [rdi+0x20]
   0x00007ffff6b3a3dd <+253>:   pminub xmm5,xmm2
   0x00007ffff6b3a3e1 <+257>:   pminub xmm4,XMMWORD PTR [rdi+0x30]
   0x00007ffff6b3a3e6 <+262>:   pminub xmm5,xmm3
   0x00007ffff6b3a3ea <+266>:   pminub xmm5,xmm4
   0x00007ffff6b3a3ee <+270>:   pcmpeqb xmm5,xmm6
   0x00007ffff6b3a3f2 <+274>:   pmovmskb eax,xmm5
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb)

I'll poke at it when I'm less starving to see whether it's dependent on a certain -O level. This appears to be unrelated to the previous crashes in this function, namely 123712, 126815, 125540, because all of those have been fixed ;) Here's my perl:

Summary of my perl5 (revision 5 version 25 subversion 5) configuration:
  Commit id: 483efd0abe32386a3d82710532464cf4e9a0124b
  Platform:
    osname=linux
    osvers=4.6.0-1-amd64
    archname=x86_64-linux-thread-multi
    uname='linux nightshade64 4.6.0-1-amd64 #1 smp debian 4.6.4-1 (2016-07-18) x86_64 gnulinux '
    config_args='-Dusedevel -Dusethreads -Duselongdoubles -Dcc=afl-clang-fast -des -Doptimize=-O3 -g3 -Dprefix=/usr/local/perl-afl -Uman1dir -Uman3dir -Uversiononly'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O3 -g3'
    cppflags='-D_REENTRANT -D_GNU_SOURCE -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.0 (trunk 273094)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.23.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.23'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O3 -g3 -L/usr/local/lib -fstack-protector-strong'


Characteristics of this binary (from libperl):
  Compile-time options:
    HAS_TIMES
    MULTIPLICITY
    PERLIO_LAYERS
    PERL_COPY_ON_WRITE
    PERL_DONT_CREATE_GVSV
    PERL_HASH_FUNC_ONE_AT_A_TIME_HARD
    PERL_IMPLICIT_CONTEXT
    PERL_MALLOC_WRAP
    PERL_OP_PARENT
    PERL_PRESERVE_IVUV
    PERL_USE_DEVEL
    USE_64_BIT_ALL
    USE_64_BIT_INT
    USE_ITHREADS
    USE_LARGE_FILES
    USE_LOCALE
    USE_LOCALE_COLLATE
    USE_LOCALE_CTYPE
    USE_LOCALE_NUMERIC
    USE_LOCALE_TIME
    USE_PERLIO
    USE_PERL_ATOF
    USE_REENTRANT_API
  Built under linux
  Compiled at Sep  1 2016 20:01:32
  %ENV:
    PERLBREW_BASHRC_VERSION="0.76"
    PERLBREW_HOME="/home/dcollins/.perlbrew"
    PERLBREW_ROOT="/home/dcollins/toolchain/perl5"
  @INC:
    /usr/local/perl-afl/lib/site_perl/5.25.5/x86_64-linux-thread-multi
    /usr/local/perl-afl/lib/site_perl/5.25.5
    /usr/local/perl-afl/lib/5.25.5/x86_64-linux-thread-multi
    /usr/local/perl-afl/lib/5.25.5
    .

-- 
Respectfully,
Dan Collins
