
Perl_rpeep: Assertion `(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER || (PL_parser && PL_parser->error_count)' failed. #17728

Open
dur-randir opened this issue Apr 20, 2020 · 2 comments

Comments

@dur-randir
Member

This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.31.10.

[Please describe your issue here]

While fuzzing perl v5.31.9-70-g0c96aa4b7b built with afl and run
under libdislocator, I found the following program

x c t{}sort{my
sub p}0

to cause an assertion failure

perl: op.c:14484: Perl_rpeep: Assertion `(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER || (PL_parser && PL_parser->error_count)' failed.

GDB stack trace is:

(gdb) bt
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7c24535 in __GI_abort () at abort.c:79
#2 0x00007ffff7c2440f in __assert_fail_base (fmt=0x7ffff7d86ee0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
assertion=0x555555951df8 "(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER || (PL_parser && PL_parser->error_count)", file=0x555555949b51 "op.c", line=17672, function=) at assert.c:92
#3 0x00007ffff7c32102 in __GI___assert_fail (
assertion=0x555555951df8 "(kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER || (PL_parser && PL_parser->error_count)", file=0x555555949b51 "op.c", line=17672,
function=0x555555953d68 <PRETTY_FUNCTION.23623> "Perl_rpeep") at assert.c:101
#4 0x00005555555e569a in Perl_rpeep (o=0x555555c44d58) at op.c:17666
#5 0x00005555555e64c1 in Perl_peep (o=0x555555c44b88) at op.c:18024
#6 0x00005555555ae3db in S_process_optree (cv=0x0, optree=0x555555c44bb8, start=0x555555c44b88) at op.c:3670
#7 0x00005555555b673c in Perl_newPROG (o=0x555555c44bb8) at op.c:5895
#8 0x000055555566ec71 in Perl_yyparse (gramtype=258) at perly.y:127
#9 0x00005555555efa04 in S_parse_body (env=0x0, xsinit=0x5555555a21ff <xs_init>) at perl.c:2574
#10 0x00005555555eddf0 in perl_parse (my_perl=0x555555c15260, xsinit=0x5555555a21ff <xs_init>, argc=2, argv=0x7fffffffe1b8, env=0x0) at perl.c:1869
#11 0x00005555555a213d in main (argc=2, argv=0x7fffffffe1b8, env=0x7fffffffe1d0) at perlmain.c:132

This is a regression between 5.24 and 5.26; bisect points to 60e04ba as the first bad commit

commit 60e04ba1a34f784612d20e526a0ce38e47a53cf1
Author: Father Chrysostomos <[email protected]>
Date:   Fri May 20 12:45:10 2016 -0700

    Enable lex subs everywhere; suppress warning

    Adjust tests, too.

[Please do not change anything below this line]
Flags:
category=core
severity=low
Site configuration information for perl 5.31.10:

Configured by root at Fri Mar 13 17:15:02 MSK 2020.

Summary of my perl5 (revision 5 version 31 subversion 10) configuration:
Commit id: 0c96aa4
Platform:
osname=linux
osvers=4.19.0-8-amd64
archname=x86_64-linux
uname='linux dorothy 4.19.0-8-amd64 #1 smp debian 4.19.98-1 (2020-01-26) x86_64 gnulinux '
config_args='-de -Dusedevel -Doptimize=-O2'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -D_FORTIFY_SOURCE=2'
optimize='-O2'
cppflags='-fwrapv -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='8.3.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.28.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.28'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O2 -L/usr/local/lib -fstack-protector-strong'

@inc for perl 5.31.10:
lib
/usr/local/lib/perl5/site_perl/5.31.10/x86_64-linux
/usr/local/lib/perl5/site_perl/5.31.10
/usr/local/lib/perl5/5.31.10/x86_64-linux
/usr/local/lib/perl5/5.31.10

Environment for perl 5.31.10:
HOME=/home/afl
LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE=en_US.UTF-8
LC_TIME=C
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.30.0-dbg/bin:/opt/local/bin:/usr/texbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
PERLBREW_HOME=/home/afl/.perlbrew
PERLBREW_MANPATH=/home/afl/perlbrew/perls/perl-5.30.0-dbg/man
PERLBREW_PATH=/home/afl/perlbrew/bin:/home/afl/perlbrew/perls/perl-5.30.0-dbg/bin
PERLBREW_PERL=perl-5.30.0-dbg
PERLBREW_ROOT=/home/afl/perlbrew
PERLBREW_SHELLRC_VERSION=0.88
PERLBREW_VERSION=0.88
PERL_BADLANG (unset)

@jkeenan
Contributor

jkeenan commented Apr 25, 2020

This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.31.10.

[Please describe your issue here]

While fuzzing perl v5.31.9-70-g0c96aa4b7b built with afl and run
under libdislocator, I found the following program

x c t{}sort{my
sub p}0

to cause an assertion failure

Confirmed on a threaded, debugging build on FreeBSD-11.

(gdb) run  ~/learn/perl/p5p/ghi-17728-assert.pl
Starting program: /usr/home/jkeenan/testing/blead/bin/perl ~/learn/perl/p5p/ghi-17728-assert.pl
Assertion failed: ((kid->op_type == OP_NULL && ( kid->op_targ == OP_NEXTSTATE || kid->op_targ == OP_DBSTATE )) || kid->op_type == OP_STUB || kid->op_type == OP_ENTER || (PL_parser && PL_parser->error_count)), function Perl_rpeep, file op.c, line 17672.

Program received signal SIGABRT, Aborted.
0x000000080185ffba in thr_kill () from /lib/libc.so.7
Current language:  auto; currently minimal
(gdb) bt
#0  0x000000080185ffba in thr_kill () from /lib/libc.so.7
#1  0x000000080185ff84 in __raise (s=6) at /usr/src/lib/libc/gen/raise.c:52
#2  0x000000080185fef9 in abort () at /usr/src/lib/libc/stdlib/abort.c:65
#3  0x00000008018dcf21 in __assert (func=<value optimized out>, file=<value optimized out>, 
    line=<value optimized out>, failedexpr=<value optimized out>) at /usr/src/lib/libc/gen/assert.c:51
#4  0x0000000000449020 in Perl_rpeep (my_perl=0x801e22000, o=<value optimized out>) at op.c:17666
#5  0x000000000042f58d in Perl_newPROG (my_perl=0x801e22000, o=<value optimized out>) at op.c:3670
#6  0x000000000049a2a3 in Perl_yyparse (my_perl=0x801e22000, gramtype=<value optimized out>)
    at perly.y:127
#7  0x0000000000453e07 in S_parse_body () at perl.c:2574
#8  0x0000000000451860 in perl_parse (my_perl=0x801e22000, xsinit=0x4206f0 <xs_init>, 
    argc=<value optimized out>, argv=0x206, env=<value optimized out>) at perl.c:1869
#9  0x000000000042064a in main (argc=<value optimized out>, argv=<value optimized out>, 
    env=0x7fffffffe780) at perlmain.c:126

@hvds
Contributor

hvds commented Apr 28, 2020

The testcase reduces to ./miniperl -e 'sort {my sub p} 0'. At the point of assert, kid is of type OP_LINESEQ. If I try with {sub p} instead, kid at the same point is an OP_STUB.

I don't plan to look further at this myself.
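An added triage harness, not part of the issue thread or of the perl repository: it runs the three inputs that appear above (the two-line afl find, hvds's reduction `sort {my sub p} 0`, and the `sort {sub p} 0` control case hvds reports as reaching OP_STUB instead) against a perl binary of your choice and classifies each run by exit status. On a debugging build that still carries the bug the first two print `abort` (SIGABRT from the failed assert, status 134) and the control prints `ok`; a non-debug build compiles the assertion out and reports `ok` for all three, which is why a fix should be verified with `-DDEBUGGING`. The `PERL_BIN` variable, the function names and the use of `mktemp` are my assumptions, not anything from the report.

```shell
#!/bin/sh
# Triage harness for the Perl_rpeep assertion report (added example, not
# from the issue or from perl's own test suite).
# Assumptions: PERL_BIN names the interpreter to test (default "perl"),
# and a failed assert() ends the process with SIGABRT, i.e. status 134.

PERL_BIN="${PERL_BIN:-perl}"

# Map a shell exit status to a one-word verdict for the summary table.
classify_status() {
    case "$1" in
        0)   echo ok ;;          # compiled and ran to completion
        134) echo abort ;;       # 128+6: SIGABRT, the assertion fired
        139) echo segv ;;        # 128+11: SIGSEGV, worth a closer look
        *)   echo "exit:$1" ;;   # compile error, die, or another signal
    esac
}

# Write the source to a temp file (keeps the two-line fuzz case intact,
# unlike -e) and run it under $PERL_BIN, discarding its output. Only the
# exit status matters here; the `|| status=$?` form keeps `set -e` from
# aborting the harness when the interpreter itself aborts.
run_case() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    status=0
    "$PERL_BIN" "$tmp" >/dev/null 2>&1 || status=$?
    rm -f "$tmp"
    classify_status "$status"
}

main() {
    if ! command -v "$PERL_BIN" >/dev/null 2>&1; then
        echo "nothing to triage: no interpreter at '$PERL_BIN' (set PERL_BIN)" >&2
        return 0
    fi
    echo "interpreter: $PERL_BIN"
    # Original afl find (two lines), hvds's reduction, and the {sub p}
    # control case that hvds reports does not trip the assertion.
    printf 'fuzz-case   %s\n' "$(run_case 'x c t{}sort{my
sub p}0')"
    printf 'reduced     %s\n' "$(run_case 'sort {my sub p} 0')"
    printf 'control     %s\n' "$(run_case 'sort {sub p} 0')"
}

main "$@"
```

Run it as `PERL_BIN=/path/to/perl-debug sh triage_17728.sh` against the build under test; the exit status of the interpreter is classified rather than its output because the assertion message goes to stderr and varies between libc implementations (compare the glibc and FreeBSD wording quoted above), while SIGABRT is the same everywhere.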
