Perl / perl5

🐪 The Perl programming language
https://dev.perl.org/perl5/

crash on binary-or lvalue operation on qr// #9353

Closed p5pRT closed 15 years ago

p5pRT commented 16 years ago

Migrated from rt.perl.org#54956 (status was 'resolved')

Searchable as RT54956$

p5pRT commented 16 years ago

From @ntyni

This is a bug report for perl from Niko Tyni <ntyni@debian.org>, generated with the help of perlbug 1.36 running under perl 5.10.0.


As seen in <http://bugs.debian.org/483150>, this one-liner crashes 5.10.0 and blead@33937 but not 5.8.8:

    # ./miniperl -e 'my $re = qr/x/; $re |= "y"'
    miniperl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

    #0  0x00002b358c697165 in raise () from /lib/libc.so.6
    #1  0x00002b358c698610 in abort () from /lib/libc.so.6
    #2  0x00002b358c69060f in __assert_fail () from /lib/libc.so.6
    #3  0x000000000062bed6 in Perl_do_vop (my_perl=0x987010, optype=93, sv=0x9a9f28, left=0x9a9f28, right=0x9a9fa0) at doop.c:1259
    #4  0x000000000059c4bb in Perl_pp_bit_or (my_perl=0x987010) at pp.c:2385
    #5  0x00000000004ada20 in Perl_runops_debug (my_perl=0x987010) at dump.c:1984
    #6  0x00000000004f716e in S_run_body (my_perl=0x987010, oldscope=1) at perl.c:2392
    #7  0x00000000004f64a0 in perl_run (my_perl=0x987010) at perl.c:2312
    #8  0x00000000006b1c4a in main (argc=3, argv=0x7fff1ef33b08, env=0x7fff1ef33b28) at miniperlmain.c:113

On 5.10.0 without -DDEBUGGING this results in 'double free or corruption'.

Bisecting shows it was broken by change 27859:

    commit a39e44f1b8a997f82f02847b565d62c2cd84111f
    Author: Jarkko Hietaniemi <jhi@iki.fi>
    Date:   Mon Apr 17 13:19:37 2006 +0300

        dooop.c: the strong asserts in Sv* macros could cause memory leakage -- move the macro calls earlier (Coverity CID 84)
        Message-Id: <20060417071937.C13346CF2D@aprikoosi.hut.fi>

        p4raw-id: //depot/perl@27859

Flags:
    category=core
    severity=medium


Site configuration information for perl 5.10.0:

Configured by Debian Project at Thu May 8 11:57:24 UTC 2008.

Summary of my perl5 (revision 5 version 10 subversion 0) configuration:
  Platform:
    osname=linux, osvers=2.6.18-6-xen-amd64, archname=x86_64-linux-gnu-thread-multi
    uname='linux sid 2.6.18-6-xen-amd64 #1 smp thu apr 24 05:10:26 utc 2008 x86_64 gnulinux '
    config_args='-Dusethreads -Duselargefiles -Dccflags=-DDEBIAN -Dcccdlflags=-fPIC -Darchname=x86_64-linux-gnu -Dprefix=/usr -Dprivlib=/usr/share/perl/5.10 -Darchlib=/usr/lib/perl/5.10 -Dvendorprefix=/usr -Dvendorlib=/usr/share/perl5 -Dvendorarch=/usr/lib/perl5 -Dsiteprefix=/usr/local -Dsitelib=/usr/local/share/perl/5.10.0 -Dsitearch=/usr/local/lib/perl/5.10.0 -Dman1dir=/usr/share/man/man1 -Dman3dir=/usr/share/man/man3 -Dsiteman1dir=/usr/local/man/man1 -Dsiteman3dir=/usr/local/man/man3 -Dman1ext=1 -Dman3ext=3perl -Dpager=/usr/bin/sensible-pager -Uafs -Ud_csh -Ud_ualarm -Uusesfio -Uusenm -DDEBUGGING=-g -Doptimize=-O2 -Duseshrplib -Dlibperl=libperl.so.5.10.0 -Dd_dosuid -des'
    hint=recommended, useposix=true, d_sigaction=define
    useithreads=define, usemultiplicity=define
    useperlio=define, d_sfio=undef, uselargefiles=define, usesocks=undef
    use64bitint=define, use64bitall=define, uselongdouble=undef
    usemymalloc=n, bincompat5005=undef
  Compiler:
    cc='cc', ccflags ='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
    optimize='-O2 -g',
    cppflags='-D_REENTRANT -D_GNU_SOURCE -DDEBIAN -fno-strict-aliasing -pipe -I/usr/local/include'
    ccversion='', gccversion='4.2.3 (Debian 4.2.3-5)', gccosandvers=''
    intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678
    d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16
    ivtype='long', ivsize=8, nvtype='double', nvsize=8, Off_t='off_t', lseeksize=8
    alignbytes=8, prototype=define
  Linker and Libraries:
    ld='cc', ldflags =' -L/usr/local/lib'
    libpth=/usr/local/lib /lib /usr/lib /lib64 /usr/lib64
    libs=-lgdbm -lgdbm_compat -ldb -ldl -lm -lpthread -lc -lcrypt
    perllibs=-ldl -lm -lpthread -lc -lcrypt
    libc=/lib/libc-2.7.so, so=so, useshrplib=true, libperl=libperl.so.5.10.0
    gnulibc_version='2.7'
  Dynamic Linking:
    dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
    cccdlflags='-fPIC', lddlflags='-shared -O2 -g -L/usr/local/lib'

Locally applied patches:


@INC for perl 5.10.0:
    /etc/perl
    /usr/local/lib/perl/5.10.0
    /usr/local/share/perl/5.10.0
    /usr/lib/perl5
    /usr/share/perl5
    /usr/lib/perl/5.10
    /usr/share/perl/5.10
    /usr/local/lib/site_perl
    .


Environment for perl 5.10.0:
    HOME=/home/niko
    LANG=en_US.UTF-8
    LANGUAGE (unset)
    LC_CTYPE=fi_FI.UTF-8
    LD_LIBRARY_PATH (unset)
    LOGDIR (unset)
    PATH=/home/niko/bin:/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games:/sbin:/usr/sbin
    PERL_BADLANG (unset)
    SHELL=/bin/zsh

p5pRT commented 16 years ago

From @smpeters

On Tue May 27 23:17:19 2008, ntyni@debian.org wrote:

> This is a bug report for perl from Niko Tyni <ntyni@debian.org>, generated with the help of perlbug 1.36 running under perl 5.10.0.
>
> -----------------------------------------------------------------
> As seen in <http://bugs.debian.org/483150>, this one-liner crashes 5.10.0 and blead@33937 but not 5.8.8:
>
>     # ./miniperl -e 'my $re = qr/x/; $re |= "y"'
>     miniperl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.
>
>     #0  0x00002b358c697165 in raise () from /lib/libc.so.6
>     #1  0x00002b358c698610 in abort () from /lib/libc.so.6
>     #2  0x00002b358c69060f in __assert_fail () from /lib/libc.so.6
>     #3  0x000000000062bed6 in Perl_do_vop (my_perl=0x987010, optype=93, sv=0x9a9f28, left=0x9a9f28, right=0x9a9fa0) at doop.c:1259
>     #4  0x000000000059c4bb in Perl_pp_bit_or (my_perl=0x987010) at pp.c:2385
>     #5  0x00000000004ada20 in Perl_runops_debug (my_perl=0x987010) at dump.c:1984
>     #6  0x00000000004f716e in S_run_body (my_perl=0x987010, oldscope=1) at perl.c:2392
>     #7  0x00000000004f64a0 in perl_run (my_perl=0x987010) at perl.c:2312
>     #8  0x00000000006b1c4a in main (argc=3, argv=0x7fff1ef33b08, env=0x7fff1ef33b28) at miniperlmain.c:113
>
> On 5.10.0 without -DDEBUGGING this results in 'double free or corruption'.
>
> Bisecting shows it was broken by change 27859:
>
>     commit a39e44f1b8a997f82f02847b565d62c2cd84111f
>     Author: Jarkko Hietaniemi <jhi@iki.fi>
>     Date:   Mon Apr 17 13:19:37 2006 +0300
>
>         dooop.c: the strong asserts in Sv* macros could cause memory leakage -- move the macro calls earlier (Coverity CID 84)
>         Message-Id: <20060417071937.C13346CF2D@aprikoosi.hut.fi>
>
>         p4raw-id: //depot/perl@27859

Yep, running with a debugging Perl gives me...

    Assertion ((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV failed: file "doop.c", line 1234 at -e line 1.

p5pRT commented 16 years ago

The RT System itself - Status changed from 'new' to 'open'

p5pRT commented 16 years ago

From @smpeters

On Wed, May 28, 2008 at 8:35 AM, Steve Peters via RT <perlbug-followup@perl.org> wrote:

> Yep, running with a debugging Perl gives me...
>
>     Assertion ((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV failed: file "doop.c", line 1234 at -e line 1.

OK, after coffee and a think, a couple of things came up. First, &= fails similarly...

    steve@picard:~/perl-current$ ./perl -e 'my $re = qr/x/; $re &= "y"'
    perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.
    Aborted

Second, the failures only occur with debugging Perls. Without debugging...

    [steve@kirk perl-current]$ ./perl -Ilib -E'my $re = qr/x/; $re |= "y"; say $re'
    y?-xism:x)

is same as what I get under Perl 5.8.8.

Finally, the problem isn't qr//. It's references in general. For example...

    steve@picard:~/perl-current$ ./perl -e ' my $sploosh = "aiieee"; $powie = \$sploosh; $powie &= "spla_a_t"'
    perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

    steve@picard:~/perl-current$ ./perl -e ' my $sploosh = bless {}, "Aiieee"; $sploosh &= "spla_a_t"'
    perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

    steve@picard:~/perl-current$ ./perl -e ' my $sploosh = 1; $powie = \$sploosh; $powie &= "spla_a_t"'
    perl: doop.c:1259: Perl_do_vop: Assertion `((svtype)((sv)->sv_flags & 0xff)) >= SVt_PV' failed.

...although, if we have a reference to a number and a number on the other side...

    steve@picard:~/perl-current$ ./perl -e ' my $sploosh = 1; $powie = \$sploosh; $powie &= 2'

it works. Obviously, then, we don't have test cases for bitwise & and | with references that are not numeric. I also don't think I can add them at the moment since the asserts would kill the tests. I'll try digging into a fix unless someone else wants to take a stab at it first.

Steve Peters steve@fisharerojo.org
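
An added example, not part of the ticket or of perl's own test suite: a regression check for the reference cases listed in the message above, with each case run in its own child perl so that an assertion abort shows up as a failed test instead of killing the harness. It assumes that a fixed perl gives the same result for the assignment form as for the string op on a stringified copy of the reference, and that the `bitwise` feature is not enabled in the child.

```perl
#!/usr/bin/perl
# Added example, not code from the ticket or from perl's test suite.
use strict;
use warnings;
use Test::More;

# [ name, setup that leaves a reference in $lhs, operator, right operand ].
# The setups mirror the one-liners quoted in the thread.
my @cases = (
    [ 'qr// |= string',          'my $lhs = qr/x/;',                 '|', 'y'        ],
    [ 'qr// &= string',          'my $lhs = qr/x/;',                 '&', 'y'        ],
    [ 'scalar ref &= string',    'my $s = "aiieee"; my $lhs = \$s;', '&', 'spla_a_t' ],
    [ 'blessed ref &= string',   'my $lhs = bless {}, "Aiieee";',    '&', 'spla_a_t' ],
    [ 'ref to number &= string', 'my $s = 1; my $lhs = \$s;',        '&', 'spla_a_t' ],
);

for my $case (@cases) {
    my ($name, $setup, $op, $rhs) = @$case;

    # Child program. Assumption: the expected value is the same string op
    # applied to a stringified copy of the reference.
    my $prog = join "\n",
        $setup,
        qq{my \$want = "\$lhs" $op "$rhs";},
        qq{\$lhs $op= "$rhs";},
        q{print(($lhs eq $want) ? "ok" : "mismatch");};

    # List-form pipe open: no shell, so no quoting problems with $prog.
    open(my $fh, '-|', $^X, '-e', $prog) or die "cannot run $^X: $!";
    my $out = do { local $/; <$fh> };
    close $fh;                      # sets $? to the child's wait status
    my $signal = $? & 127;          # non-zero (SIGABRT) when an assert() fires

    is($signal, 0,    "$name: child not killed by a signal");
    is($out,    'ok', "$name: matches the op on a stringified copy");
}

done_testing();
```

Run it with the perl under test (for example `./perl -Ilib` from a build directory), since `$^X` makes each child use the same interpreter.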

p5pRT commented 15 years ago

From module@renee-baecker.de

fixed with http://perl5.git.perl.org/perl.git/commit/8c8eee8276dbc780932b841fe5183943a7117a3d

p5pRT commented 15 years ago

module@renee-baecker.de - Status changed from 'open' to 'resolved'