Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

Assertion failure in Perl_sv_grow (sv.c:1581) #16885

Open p5pRT opened 5 years ago

p5pRT commented 5 years ago

Migrated from rt.perl.org#133922 (status was 'open')

Searchable as RT133922$

p5pRT commented 5 years ago

From @dur-randir

Created by @dur-randir

While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run under libdislocator, I found the following program

```perl
for$@(*0){eval}
```

to cause an assertion failure:

```
perl: sv.c:1581: char *Perl_sv_grow(SV *const, STRLEN): Assertion `!isGV_with_GP(_svcur)' failed.
```

The GDB stack trace follows:

```
#0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007ffff7c25535 in __GI_abort () at abort.c:79
#2  0x00007ffff7c2540f in __assert_fail_base (fmt=0x7ffff7d87ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n", assertion=0x555555a91f3e "!isGV_with_GP(_svcur)", file=0x555555a90f80 "sv.c", line=1581, function=<...>) at assert.c:92
#3  0x00007ffff7c330f2 in __GI___assert_fail (assertion=0x555555a91f3e "!isGV_with_GP(_svcur)", file=0x555555a90f80 "sv.c", line=1581, function=0x555555aa3520 <__PRETTY_FUNCTION__.18480> "Perl_sv_grow") at assert.c:101
#4  0x0000555555770bda in Perl_sv_grow (sv=0x555555b49240, newlen=2) at sv.c:1581
#5  0x000055555579433a in Perl_sv_setpv_bufsize (sv=0x555555b49240, cur=0, len=0) at sv.c:4915
#6  0x00005555558242f1 in S_doeval_compile (gimme=1 '\001', outside=0x555555b2e8f0, seq=4294967248, hh=0x0) at pp_ctl.c:3443
#7  0x000055555582c958 in Perl_pp_entereval () at pp_ctl.c:4477
#8  0x00005555556f6fe4 in Perl_runops_debug () at dump.c:2537
#9  0x00005555555da147 in S_run_body (oldscope=1) at perl.c:2692
#10 0x00005555555d96c5 in perl_run (my_perl=0x555555b2c260) at perl.c:2615
#11 0x000055555558e13e in main (argc=2, argv=0x7fffffffe1e8, env=0x7fffffffe200) at perlmain.c:127
```

Perl Info

```
Flags:
    category=core
    severity=low

Site configuration information for perl 5.29.9:

Configured by dur-randir at Wed Feb 27 14:51:01 MSK 2019.

Summary of my perl5 (revision 5 version 29 subversion 9) configuration:
  Commit id: c1e47bad34ce1d9c84ed57c9b8978bcbd5a02e98
  Platform:
    osname=darwin
    osvers=13.4.0
    archname=darwin-thread-multi-2level
    uname='darwin isengard.local 13.4.0 darwin kernel version 13.4.0: mon jan 11 18:17:34 pst 2016; root:xnu-2422.115.15~1release_x86_64 x86_64 '
    config_args='-de -Dusedevel -DDEBUGGING -Dusethreads'
    hint=recommended
    useposix=true
    d_sigaction=define
    useithreads=define
    usemultiplicity=define
    use64bitint=define
    use64bitall=define
    uselongdouble=undef
    usemymalloc=n
    default_inc_excludes_dot=define
    bincompat5005=undef
  Compiler:
    cc='cc'
    ccflags ='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include -DPERL_USE_SAFE_PUTENV'
    optimize='-O3 -g'
    cppflags='-fno-common -DPERL_DARWIN -mmacosx-version-min=10.9 -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector -I/usr/local/include'
    ccversion=''
    gccversion='4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.56)'
    gccosandvers=''
    intsize=4
    longsize=8
    ptrsize=8
    doublesize=8
    byteorder=12345678
    doublekind=3
    d_longlong=define
    longlongsize=8
    d_longdbl=define
    longdblsize=16
    longdblkind=3
    ivtype='long'
    ivsize=8
    nvtype='double'
    nvsize=8
    Off_t='off_t'
    lseeksize=8
    alignbytes=8
    prototype=define
  Linker and Libraries:
    ld='cc'
    ldflags =' -mmacosx-version-min=10.9 -fstack-protector -L/usr/local/lib'
    libpth=/usr/local/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib /usr/lib
    libs=-lpthread -lgdbm -ldbm -ldl -lm -lutil -lc
    perllibs=-lpthread -ldl -lm -lutil -lc
    libc=
    so=dylib
    useshrplib=false
    libperl=libperl.a
    gnulibc_version=''
  Dynamic Linking:
    dlsrc=dl_dlopen.xs
    dlext=bundle
    d_dlsymun=undef
    ccdlflags=' '
    cccdlflags=' '
    lddlflags=' -mmacosx-version-min=10.9 -bundle -undefined dynamic_lookup -L/usr/local/lib -fstack-protector'

@INC for perl 5.29.9:
    lib
    /usr/local/lib/perl5/site_perl/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/site_perl/5.29.9
    /usr/local/lib/perl5/5.29.9/darwin-thread-multi-2level
    /usr/local/lib/perl5/5.29.9

Environment for perl 5.29.9:
    DYLD_LIBRARY_PATH (unset)
    HOME=/Users/dur-randir
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin:/usr/local/bin:/usr/local/sbin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/texbin
    PERLBREW_HOME=/Users/dur-randir/.perlbrew
    PERLBREW_MANPATH=/Users/dur-randir/perlbrew/perls/perl-5.22.1/man
    PERLBREW_PATH=/Users/dur-randir/perlbrew/bin:/Users/dur-randir/perlbrew/perls/perl-5.22.1/bin
    PERLBREW_PERL=perl-5.22.1
    PERLBREW_ROOT=/Users/dur-randir/perlbrew
    PERLBREW_SHELLRC_VERSION=0.84
    PERLBREW_VERSION=0.84
    PERL_BADLANG (unset)
    SHELL=/usr/local/bin/zsh
```
p5pRT commented 5 years ago

From @tonycoz

On Mon, 11 Mar 2019 16:21:20 -0700, randir wrote:

> While fuzzing perl v5.29.8-21-gde59f38ed9 built with afl and run under libdislocator, I found the following program
>
>     for$@(*0){eval}
>
> to cause an assertion failure:

I'm not sure what the correct behaviour should be here.

The obvious case is making it act like​:

    for $@(*0) { $@ = "" }  # *0 = ""  # set GP to that of *{""}

but that's not really what I expect from eval.

Tony
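
The "obvious case" above hinges on what a string assignment to `$@` means once `$@` has been aliased to a typeglob by `foreach`. The script below is an added illustration, not code from this issue or from the perl5 source; it uses globs `*x` and `*y` as constructed stand-ins for `*0`, and the values in the comments follow from Perl's documented rule that assigning a string to a glob is a glob assignment by name (`*x = "y"` makes `*x` share its GP with `*y`). It deliberately does not call `eval` inside the loop, since that is the path that trips the `-DDEBUGGING` assertion in `Perl_sv_grow`, and the issue does not establish what a non-debugging build does there.

```perl
#!/usr/bin/perl
# Added example (not from the issue or from perl5): what `for $@ (*x) { ... }`
# does to $@. Inside the loop $@ is an alias to the typeglob *x, so a plain
# string assignment to $@ is the glob assignment `*x = "y"` that Tony's
# comment sketches, not "clear the error string". *x and *y are constructed
# stand-ins for the *0 in the reproducer.
use strict;
use warnings;

our $x = "value in *x";   # gives *x a scalar slot we can watch
our $y;                   # *y exists; its scalar is undef for now

print "before: ref(\\\$@) = ", ref(\$@), "\n";     # SCALAR

for $@ (*x) {
    print "inside: ref(\\\$@) = ", ref(\$@), "\n";  # GLOB: $@ *is* *x here

    # Same as `*x = "y"`: *x now shares its GP (the slots holding
    # $x, @x, %x, &x, ...) with *y.
    $@ = "y";

    print "after \$@ = 'y': \$x is ",
          (defined $x ? "'$x'" : "undef"), "\n";    # undef ($x now reads *y's scalar)
    $y = "value in *y";
    print "after \$y assignment: \$x is '$x'\n";    # 'value in *y' (shared GP)
}

# Once the loop ends, the alias is undone and $@ is the error variable again.
print "after: ref(\\\$@) = ", ref(\$@), "\n";      # SCALAR
eval { die "boom\n" };
print "eval sets \$@ normally again: $@";         # boom
```

Run it with any perl 5 (`perl aliased_errsv.pl`, hypothetical file name). The point it makes for triage is the one in the reply above: the reproducer is not a buffer-size problem in `eval` itself but a question of which semantics `eval` should apply when `ERRSV` is not a scalar at all, and the `-DDEBUGGING` assertion is what catches `sv_setpv_bufsize` being handed a glob in the first place.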

p5pRT commented 5 years ago

The RT System itself - Status changed from 'new' to 'open'