Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Assertion failure in S_regmatch (regexec.c:7279) #16867

Open p5pRT opened 5 years ago

p5pRT commented 5 years ago

Migrated from rt.perl.org#133885 (status was 'open')

Searchable as RT133885$

p5pRT commented 5 years ago

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run under libdislocator, I found the following program

```perl
s((?{my sub f})())00
```

to cause an assertion failure:

```
perl: regexec.c:7295: ssize_t S_regmatch(regmatch_info *, char *, regnode *): Assertion `o->op_type == OP_NEXTSTATE || o->op_type == OP_DBSTATE || (o->op_type == OP_NULL && ( o->op_targ == OP_NEXTSTATE || o->op_targ == OP_DBSTATE ) )' failed.
```

GDB stack trace is following:

```
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7c25535 in __GI_abort () at abort.c:79
#2  0x00007ffff7c2540f in __assert_fail_base (fmt=0x7ffff7d87ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x10ec280 <.str.318> "o->op_type == OP_NEXTSTATE || o->op_type == OP_DBSTATE || (o->op_type == OP_NULL && ( o->op_targ == OP_NEXTSTATE || o->op_targ == OP_DBSTATE ) )", file=0x10ca1e0 <.str.2> "regexec.c", line=7295, function=\) at assert.c:92
#3  0x00007ffff7c330f2 in __GI___assert_fail (assertion=0x10ec280 <.str.318> "o->op_type == OP_NEXTSTATE || o->op_type == OP_DBSTATE || (o->op_type == OP_NULL && ( o->op_targ == OP_NEXTSTATE || o->op_targ == OP_DBSTATE ) )", file=0x10ca1e0 <.str.2> "regexec.c", line=7295, function=0x10e4e00 <__PRETTY_FUNCTION__.S_regmatch> "ssize_t S_regmatch(regmatch_info *, char *, regnode *)") at assert.c:101
#4  0x0000000000ceb201 in S_regmatch (reginfo=\, startpos=\, prog=0x60800000bc58) at regexec.c:7288
#5  0x0000000000ca76be in S_regtry (reginfo=\, startposp=\) at regexec.c:3933
#6  0x0000000000c6d2b4 in Perl_regexec_flags (rx=\, stringarg=0x107bf20 <.str.90> "", strend=0x107bf20 <.str.90> "", strbeg=\, minend=105827994212176, sv=\, data=\, flags=\) at regexec.c:3790
#7  0x0000000000992609 in Perl_pp_subst () at pp_hot.c:4231
#8  0x000000000088f835 in Perl_runops_debug () at dump.c:2537
#9  0x00000000005f1016 in S_run_body (oldscope=\) at perl.c:2692
#10 perl_run (my_perl=\) at perl.c:2615
#11 0x000000000050b60b in main (argc=0, argv=\, env=0x7fffffffe1e8) at perlmain.c:127
```

Perl Info

```
Flags:
    category=core
    severity=low

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9

Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh
```
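A small regression check for the reproducer in this report, added here as an example and not part of the report or the perl5 repository; it assumes a DEBUGGING-enabled perl (the build the reporter used) is either the running interpreter or named in the hypothetical `TEST_PERL` environment variable, and it distinguishes a child killed by the assertion's abort() from a normal exit:

```perl
#!/usr/bin/perl
# Added regression check for the reproducer in this report; this is not code
# from the perl5 repository. Assumes a DEBUGGING-enabled perl as $^X or in
# $ENV{TEST_PERL} (TEST_PERL is a hypothetical variable chosen for this script).
use strict;
use warnings;
use POSIX qw(WIFSIGNALED WTERMSIG WEXITSTATUS SIGABRT);

my $perl = $ENV{TEST_PERL} || $^X;

# Reproducer from the report: a lexical sub declared inside a (?{ }) block
# of an s/// operator.
my $prog = 's((?{my sub f})())00';

# Run the program in a child so an abort() raised by the failed assertion
# cannot take down the checker itself; only the child's wait status is read.
my $pid = fork();
defined $pid or die "fork: $!";
if ($pid == 0) {
    exec $perl, '-e', $prog or die "exec $perl: $!";
}
waitpid $pid, 0;
my $status = $?;

if (WIFSIGNALED($status)) {
    my $sig  = WTERMSIG($status);
    my $note = $sig == SIGABRT ? ' (SIGABRT: assertion failure or abort)' : '';
    print "not ok - $perl killed by signal $sig$note\n";
    exit 1;
}
printf "ok - %s exited with status %d\n", $perl, WEXITSTATUS($status);
```

On a perl built without -DDEBUGGING the assertion is compiled out, so a clean exit there says nothing about whether the underlying op-tree problem is fixed.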
p5pRT commented 5 years ago

From @khwilliamson

I looked at this, and this failure appears to have been there since the lexical subs feature was added in 5.18 -- Karl Williamson

p5pRT commented 5 years ago

The RT System itself - Status changed from 'new' to 'open'