develooper Front page | perl.perl5.porters | Postings from January 2017

[perl #130617] op.c:14389: Perl_rpeep: Assertion `(kid->op_type ==OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) ||kid->op_type == OP_STUB || kid->op_type == OP_ENTER' failed

From:
Sergey Aleynikov
Date:
January 22, 2017 12:18
Subject:
[perl #130617] op.c:14389: Perl_rpeep: Assertion `(kid->op_type ==OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) ||kid->op_type == OP_STUB || kid->op_type == OP_ENTER' failed
Message ID:
rt-4.0.24-11327-1485087493-537.130617-75-0@perl.org
# New Ticket Created by  Sergey Aleynikov 
# Please include the string:  [perl #130617]
# in the subject line of all future correspondence about this issue. 
# <URL: https://rt.perl.org/Ticket/Display.html?id=130617 >


This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.25.9.


-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.25.8-216-gfbceb79751 built with afl and run
under libdislocator, I found the following program

}my;0=sort{i d&0}0

to cause an assertion failure, even when run under -c for a syntax
check. This is a regression between v5.18.4 and v5.20.0, bisect points to

932bca295d64243e2ef2aeaacc779b68cc05e1b2 is the first bad commit
commit 932bca295d64243e2ef2aeaacc779b68cc05e1b2
Author: David Mitchell <davem@iabyn.com>
Date:   Wed Mar 5 14:44:41 2014 +0000

    OP_SORT: store start of block in null->op_next

    When a sort with a code block, like sort { BLOCK } arg, ...
    is compiled, it comes out like

         sort
            pushmark
            null
               scope
                  BLOCK
            arg
            ...

    (The 'scope' may instead be 'ex-leave' depending on circumstances).

    At run time, pp_sort() navigates its way down from the sort op to find the
    start op of the BLOCK. We can shorten this process slightly by storing the
    start of BLOCK in the otherwise unused op_next field of the OP_NULL.
    Effectively we are using the null->op_next field as a surrogate op_other
    field for the op_sort (which doesn't have a spare field we could store
    the pointer in).

    The main point of this commit however is not the slight speed up from
    skipping a couple of pointer follows at run-time; rather that it will
    shortly allow us to trim any null ops from the beginning of the BLOCK. We
    can't do this directly, as that would involve changing the scope->op_first
    pointer, which might confuse B:: type modules.

GDB info about the crash location:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007fc95d34140a in __GI_abort () at abort.c:89
#2  0x00007fc95d338e47 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x7fc95e9cf1e0 "(kid->op_type == OP_NULL
&& ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) ||
kid->op_type == OP_STUB || kid->op_type == OP_ENTER",
file=file@entry=0x7fc95e9c952e "op.c", line=line@entry=14389,
    function=function@entry=0x7fc95e9d06d8 <__PRETTY_FUNCTION__.19609>
"Perl_rpeep") at assert.c:92
#3  0x00007fc95d338ef2 in __GI___assert_fail (
    assertion=0x7fc95e9cf1e0 "(kid->op_type == OP_NULL && (
kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) ||
kid->op_type == OP_STUB || kid->op_type == OP_ENTER",
file=0x7fc95e9c952e "op.c", line=14389, function=0x7fc95e9d06d8
<__PRETTY_FUNCTION__.19609> "Perl_rpeep") at assert.c:101
#4  0x00007fc95e6b3266 in Perl_rpeep (o=0x7fc95ee00080) at op.c:14384
#5  0x00007fc95e6b3fa0 in Perl_peep (o=0x7fc95edfe168) at op.c:14718
#6  0x00007fc95e68647b in Perl_newPROG (o=0x7fc95edfe1a0) at op.c:4273
#7  0x00007fc95e7386f6 in Perl_yyparse (gramtype=258) at perly.y:123
#8  0x00007fc95e6bc33a in S_parse_body (env=0x0, xsinit=0x7fc95e677de8
<xs_init>) at perl.c:2376
#9  0x00007fc95e6ba69f in perl_parse (my_perl=0x7fc95eddd010,
xsinit=0x7fc95e677de8 <xs_init>, argc=2, argv=0x7ffd7a071f08, env=0x0)
at perl.c:1691
#10 0x00007fc95e677d26 in main (argc=2, argv=0x7ffd7a071f08,
env=0x7ffd7a071f20) at perlmain.c:121
(gdb) f 4
#4  0x00007fc95e6b3266 in Perl_rpeep (o=0x7fc95ee00080) at op.c:14384
(gdb) p PL_op_name[kid->op_type]
$3 = 0x7fc95ea81aa2 "lineseq"

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.

Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux
    osvers=3.16.0-4-amd64
    archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2
(2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast
-Doptimize=-O0 -g -ggdb3'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=undef
    usemultiplicity=undef
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    bincompat5005=undef
  Compiler:
    cc='afl-clang-fast'
    ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE
-D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
    optimize='-O0 -g -ggdb3'
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe
-fstack-protector-strong -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='afl-clang-fast'
    ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib
/usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu
/lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so
    so=so
    useshrplib=false
    libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=so
    d_dlsymun=undef
    ccdlflags='-Wl,-E'
    cccdlflags='-fPIC'
    lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'


---
@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9

---
Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh

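A crash-triage helper, added here as an example and not part of the bug report or of perl itself: it parses the glibc assertion banner and a line-wrapped gdb backtrace like the one in the report into a deduplication key (assertion site plus the first few frames owned by the program under test), so that the many fuzzer inputs that hit the same `Perl_rpeep` assertion collapse into one bucket instead of one ticket each. The stderr text and backtrace embedded below are constructed from this report; the list of libc abort frames to skip, the three-frame depth and the `id:NNNNNN` input names are assumptions.

```python
"""Crash-triage helper: bucket fuzzer-found assertion failures by the
assertion site plus the first in-tree stack frames.
Added example, not code from the bug report or from perl.  The sample
stderr and backtrace are constructed from the report; RUNTIME_FRAMES and
the default depth are assumptions."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    func: str
    loc: str  # "file:line", or "" when gdb printed no location

# Frames that belong to the abort machinery, not to the program under test.
# Assumed list for glibc; extend it for other C libraries or sanitizers.
RUNTIME_FRAMES = frozenset({"raise", "abort", "__GI_raise", "__GI_abort",
                            "__assert_fail", "__assert_fail_base",
                            "__GI___assert_fail"})

# glibc banner: "<prog>: <file>:<line>: <func>: Assertion `<expr>' failed."
ASSERT_RE = re.compile(r"(?P<file>[\w./-]+):(?P<line>\d+): (?P<func>\w+): Assertion `")
# A gdb frame starts with "#N " at the beginning of a line; the report's
# frames are wrapped over several lines, so continuation lines are joined.
FRAME_START = re.compile(r"^#\d+\s", re.MULTILINE)

def parse_assertion(stderr_text):
    """Return (file, line, function) from an assertion banner, or None."""
    m = ASSERT_RE.search(stderr_text)
    return (m.group("file"), int(m.group("line")), m.group("func")) if m else None

def parse_backtrace(bt_text):
    """Parse the output of gdb's `bt` (possibly line-wrapped) into Frames."""
    starts = [m.start() for m in FRAME_START.finditer(bt_text)]
    frames = []
    for start, end in zip(starts, starts[1:] + [len(bt_text)]):
        chunk = " ".join(bt_text[start:end].split())        # undo line wrapping
        chunk = re.sub(r"^#\d+\s+(0x[0-9a-fA-F]+ in )?", "", chunk)
        func = chunk.split(" (", 1)[0]                       # name before the arg list
        loc = chunk.rsplit(" at ", 1)[1] if " at " in chunk else ""
        frames.append(Frame(func, loc))
    return frames

def crash_bucket(stderr_text, bt_text, depth=3):
    """Dedup key: assertion site + first `depth` frames owned by the program."""
    frames = [f for f in parse_backtrace(bt_text) if f.func not in RUNTIME_FRAMES]
    key = tuple(f"{f.func}@{f.loc}" for f in frames[:depth])
    site = parse_assertion(stderr_text)
    return ((f"assert:{site[0]}:{site[1]}:{site[2]}",) if site else ()) + key

def group_crashes(cases, depth=3):
    """cases: iterable of (name, stderr_text, bt_text) -> {bucket: [names]}."""
    buckets = {}
    for name, err, bt in cases:
        buckets.setdefault(crash_bucket(err, bt, depth), []).append(name)
    return buckets

# Constructed from the report: what `perl -c` prints for the input, and the bt.
SAMPLE_STDERR = ("perl: op.c:14389: Perl_rpeep: Assertion `(kid->op_type == OP_NULL "
                 "&& ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) "
                 "|| kid->op_type == OP_STUB || kid->op_type == OP_ENTER' failed.\n"
                 "Aborted\n")
SAMPLE_BT = """\
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007fc95d34140a in __GI_abort () at abort.c:89
#2  0x00007fc95d338e47 in __assert_fail_base (fmt=<optimized out>,
    assertion=assertion@entry=0x7fc95e9cf1e0 "(kid->op_type == OP_NULL
&& ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) ||
kid->op_type == OP_STUB || kid->op_type == OP_ENTER",
file=file@entry=0x7fc95e9c952e "op.c", line=line@entry=14389,
    function=function@entry=0x7fc95e9d06d8 <__PRETTY_FUNCTION__.19609>
"Perl_rpeep") at assert.c:92
#3  0x00007fc95d338ef2 in __GI___assert_fail (
    assertion=0x7fc95e9cf1e0 "(kid->op_type == OP_NULL && (
kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) ||
kid->op_type == OP_STUB || kid->op_type == OP_ENTER",
file=0x7fc95e9c952e "op.c", line=14389, function=0x7fc95e9d06d8
<__PRETTY_FUNCTION__.19609> "Perl_rpeep") at assert.c:101
#4  0x00007fc95e6b3266 in Perl_rpeep (o=0x7fc95ee00080) at op.c:14384
#5  0x00007fc95e6b3fa0 in Perl_peep (o=0x7fc95edfe168) at op.c:14718
#6  0x00007fc95e68647b in Perl_newPROG (o=0x7fc95edfe1a0) at op.c:4273
#7  0x00007fc95e7386f6 in Perl_yyparse (gramtype=258) at perly.y:123
#8  0x00007fc95e6bc33a in S_parse_body (env=0x0, xsinit=0x7fc95e677de8
<xs_init>) at perl.c:2376
#9  0x00007fc95e6ba69f in perl_parse (my_perl=0x7fc95eddd010,
xsinit=0x7fc95e677de8 <xs_init>, argc=2, argv=0x7ffd7a071f08, env=0x0)
at perl.c:1691
#10 0x00007fc95e677d26 in main (argc=2, argv=0x7ffd7a071f08,
env=0x7ffd7a071f20) at perlmain.c:121
"""

if __name__ == "__main__":
    # Two inputs with the same stack land in one bucket; the third (a
    # constructed variant with a different assertion line) gets its own.
    cases = [("id:000000", SAMPLE_STDERR, SAMPLE_BT),
             ("id:000001", SAMPLE_STDERR, SAMPLE_BT),
             ("id:000002", SAMPLE_STDERR.replace("14389", "14400"), SAMPLE_BT)]
    for bucket, names in group_crashes(cases).items():
        print(len(names), "input(s) ->", " > ".join(bucket))
```

The libc frames (`__GI_raise`, `__GI_abort`, the two `__assert_fail*` frames) are skipped on purpose: they are identical for every assertion failure and would otherwise make unrelated crashes look alike. Keying on `file:line` of the assertion plus the first three program frames is the usual compromise between over-merging (assertion site only) and under-merging (full stack, which differs with every inlined caller).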
