# New Ticket Created by Sergey Aleynikov
# Please include the string:  [perl #130661]
# in the subject line of all future correspondence about this issue.
# <URL: https://rt.perl.org/Ticket/Display.html?id=130661 >

This is a bug report for perl from sergey.aleynikov@gmail.com,
generated with the help of perlbug 1.40 running under perl 5.25.9.

-----------------------------------------------------------------
[Please describe your issue here]

While fuzzing perl v5.25.9-35-g32207c637b built with afl and run under
libdislocator, I found the following 5-byte program

    hexdump -C 0051
    00000000  73 75 62 28 ec                                    |sub(.|
    00000005

to cause an assertion failure when run with -Mexperimental=signatures.

This is a regression in blead, bisect points to

    0f8490d1d7ad76cac844fc2ae882994e38aaf2ef is the first bad commit
    commit 0f8490d1d7ad76cac844fc2ae882994e38aaf2ef
    Author: David Mitchell <davem@iabyn.com>
    Date:   Sun Dec 4 08:10:27 2016 +0000

        yyparse: only calculate yytoken on yychar change

        yytoken is a translated (via lookup table) version of parser->yychar.
        So we only need to recalculate it when yychar changes (usually by
        assigning the result of yylex() to it). This means when multiple
        reductions are done without shifting another token, we skip the
        extra overhead each time.
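To triage a finding like this one, it helps to rebuild the input byte-for-byte from the hexdump rather than retyping it, since the 0xEC byte is not printable. The script below is an added reproduction helper, not part of the report; it assumes a perl on PATH and only classifies the exit status (the assertion itself fires only on a -DDEBUGGING build such as the one configured in the report).

```shell
#!/bin/sh
# Added reproduction helper for the report above; not part of the original
# bug report. Recreates the 5-byte input from the hexdump (bytes 73 75 62 28 ec,
# i.e. "sub(" followed by 0xEC) and runs it as the report describes.
# Assumes: a perl on PATH; the assertion only fires on a -DDEBUGGING build.

# Write the five bytes to the given path.
write_repro() {
    printf 'sub(\354' > "$1"    # \354 octal == 0xEC
}

# Print the file's bytes as space-separated lowercase hex, to verify that
# the reproducer matches the hexdump in the report exactly.
hex_of() {
    od -An -tx1 -v "$1" | tr -s ' \n' ' ' | sed 's/^ *//; s/ *$//'
}

# Run perl on the input and print a triage verdict based on exit status:
#   assert  - status 134 (128+SIGABRT): the assertion in perly.c fired
#   error   - non-zero without abort (e.g. a plain syntax error on a
#             non-DEBUGGING build)
#   ok      - perl exited 0
#   noperl  - no perl on PATH, nothing was run
run_repro() {
    command -v perl >/dev/null 2>&1 || { echo noperl; return 0; }
    # Run inside 'if' so a failing perl does not abort the script under set -e.
    if perl -Mexperimental=signatures "$1" >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    case $rc in
        0)   echo ok ;;
        134) echo assert ;;
        *)   echo error ;;
    esac
}

main() {
    f=${TMPDIR:-/tmp}/perl130661.pl
    write_repro "$f"
    echo "bytes:  $(hex_of "$f")"
    echo "result: $(run_repro "$f")"
    rm -f "$f"
}

main "$@"
```

The same harness can be reused at each step of a bisect: a verdict of "assert" marks a bad commit, anything else a good one.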
GDB info about the crash location:

(gdb) bt
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:58
#1  0x00007fcb40e4c40a in __GI_abort () at abort.c:89
#2  0x00007fcb40e43e47 in __assert_fail_base (fmt=<optimized out>, assertion=assertion@entry=0x7fcb42cf9906 "parser->yychar >= 0", file=file@entry=0x7fcb42cf987a "perly.c", line=line@entry=341, function=function@entry=0x7fcb42cfa320 <__PRETTY_FUNCTION__.15814> "Perl_yyparse") at assert.c:92
#3  0x00007fcb40e43ef2 in __GI___assert_fail (assertion=assertion@entry=0x7fcb42cf9906 "parser->yychar >= 0", file=file@entry=0x7fcb42cf987a "perly.c", line=line@entry=341, function=function@entry=0x7fcb42cfa320 <__PRETTY_FUNCTION__.15814> "Perl_yyparse") at assert.c:101
#4  0x00007fcb423ea803 in Perl_yyparse (gramtype=gramtype@entry=258) at perly.c:341
#5  0x00007fcb4229a131 in S_parse_body (env=env@entry=0x0, xsinit=xsinit@entry=0x7fcb4218f990 <xs_init>) at perl.c:2376
#6  0x00007fcb422a0deb in perl_parse (my_perl=<optimized out>, xsinit=0x7fcb4218f990 <xs_init>, argc=<optimized out>, argv=<optimized out>, env=0x0) at perl.c:1691
#7  0x00007fcb4218f56e in main (argc=<optimized out>, argv=<optimized out>, env=<optimized out>) at perlmain.c:121
(gdb) f 4
#4  0x00007fcb423ea803 in Perl_yyparse (gramtype=gramtype@entry=258) at perly.c:341
341         assert(parser->yychar >= 0);
(gdb) p parser->yychar
$1 = -20

[Please do not change anything below this line]
-----------------------------------------------------------------
---
Flags:
    category=core
    severity=medium
---
Site configuration information for perl 5.25.9:

Configured by root at Sat Jan 14 02:25:05 MSK 2017.
Summary of my perl5 (revision 5 version 25 subversion 9) configuration:
  Commit id: cbe2fc5001aa59cdc73e04cc35e097a2ecfbeec0
  Platform:
    osname=linux, osvers=3.16.0-4-amd64, archname=x86_64-linux
    uname='linux dorothy 3.16.0-4-amd64 #1 smp debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 gnulinux '
    config_args='-des -Dusedevel -DDEBUGGING -Dcc=afl-clang-fast -Doptimize=-O0 -g -ggdb3'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=undef, usemultiplicity=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='afl-clang-fast', ccflags ='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2',
    optimize='-O0 -g -ggdb3',
    cppflags='-DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
    ccversion='', gccversion='4.2.1 Compatible Clang 3.9.1 (tags/RELEASE_391/rc2)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='afl-clang-fast', ldflags =' -fstack-protector-strong -L/usr/local/lib'
    libpth=/usr/local/lib /usr/lib/llvm-3.9/bin/../lib/clang/3.9.1/lib /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
    libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
    libc=libc-2.24.so, so=so, useshrplib=false, libperl=libperl.a
    gnulibc_version='2.24'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O0 -g -ggdb3 -L/usr/local/lib -fstack-protector-strong'

---
@INC for perl 5.25.9:
    lib
    /usr/local/lib/perl5/site_perl/5.25.9/x86_64-linux
    /usr/local/lib/perl5/site_perl/5.25.9
    /usr/local/lib/perl5/5.25.9/x86_64-linux
    /usr/local/lib/perl5/5.25.9

---
Environment for perl 5.25.9:
    HOME=/home/afl
    LANG=en_US.UTF-8
    LANGUAGE=en_US:en
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
    PERLBREW_BASHRC_VERSION=0.78
    PERLBREW_HOME=/home/afl/.perlbrew
    PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/home/afl/perlbrew
    PERLBREW_VERSION=0.78
    PERL_BADLANG (unset)
    SHELL=/usr/bin/zsh