Assert fail in op.c without other symptoms: sub{\@0[0]=0}

[p5pRT]

Migrated from rt.perl.org#128252 (status was 'resolved')

Searchable as RT128252$

[p5pRT]

From @dcollinsn

Greetings Porters,

I have compiled bleadperl with the afl-gcc compiler using​:

./Configure -Dusedevel -Dprefix='/usr/local/perl-afl' -Dcc='ccache afl-gcc' -Uuselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -Dusequadmath -des
AFL_HARDEN=1 make && make test

And then fuzzed the resulting binary using​:

AFL_NO_VAR_CHECK=1 afl-fuzz -i in -o out bin/perl @​@​

After reducing testcases using `afl-tmin` and performing additional minimization by hand, I have located the following testcase that triggers an assert fail in debug buids of the perl interpreter. The testcase is the file below. On normal builds, this runs normally (albeit with an expected warning). On debug builds, this returns an assert fail.

dcollins@​nightshade64​:~/perl$ ./perl -Ilib -t -W -e 'sub{\@​0[0]=0}'
Experimental aliasing via reference not enabled at -e line 1.
dcollins@​nightshade64​:~/perl$ cd ../perldebug/
dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -t -W -e 'sub{\@​0[0]=0}'
Experimental aliasing via reference not enabled at -e line 1.
perl​: op.c​:731​: Perl_op_free​: Assertion `!(o->op_private & ~PL_op_private_valid[type])' failed.
Aborted

The closing brace is not necessary in order to replicate, and neither is -t, but -W is.

Debugging tool output is below. A git bisect was performed and reported the following.

0ca7b7f is the first bad commit
commit 0ca7b7f
Author​: Father Chrysostomos <sprout@​cpan.org>
Date​: Fri Sep 26 10​:40​:19 2014 -0700

  \@​array[@​slice] assignment

  plus changes to the aelem tests to check rhs context.

  I did \local @​a[@​s] at the same time, since I was practically copying
  and pasting code from aslice (ok, not quite).

:100644 100644 1184bf28927651410830cce06bf2f9018d44f4c2 150d70f3457ae67e43c9ec8bbe82836be0211c19 M op.c
:100644 100644 da6a72cfa55d635de4cc1649ab503fd9cc3bc835 baaa140e28a97c7385ddb64e4d9f910f8b945f0f M pp.c
:040000 040000 62d63f1a713fbd075cd67e5b7d452179088514e2 dcb2f8fc0165a9a5be98e2af41983bb4a9a39ae8 M t
bisect run success

**GDB**

dcollins@​nightshade64​:~/perldebug$ gdb --args ./perl -Ilib -W -e 'sub{\@​0[0]=0}'
GNU gdb (GDB) 7.10
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+​: GNU GPL version 3 or later <http​://gnu.org/licenses/gpl.html>
This is free software​: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-unknown-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see​:
<http​://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at​:
<http​://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word"...
Reading symbols from ./perl...done.
(gdb) run
Starting program​: /home/dcollins/perldebug/perl -Ilib -W -e sub\{\\@​0\[0\]=0\}
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Experimental aliasing via reference not enabled at -e line 1.
perl​: op.c​:731​: Perl_op_free​: Assertion `!(o->op_private & ~PL_op_private_valid[type])' failed.

Program received signal SIGABRT, Aborted.
0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
(gdb) bt
#0 0x00007ffff6cf9478 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007ffff6cfa8fa in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007ffff6cf23a7 in ?? () from /lib/x86_64-linux-gnu/libc.so.6
#3 0x00007ffff6cf2452 in __assert_fail () from /lib/x86_64-linux-gnu/libc.so.6
#4 0x00000000004213cf in Perl_op_free (o=0xabbc00) at op.c​:731
#5 0x0000000000420932 in Perl_opslab_force_free (slab=0xabbb00) at op.c​:448
#6 0x00000000004da35c in Perl_cv_undef_flags (cv=0xab2710, flags=0) at pad.c​:354
#7 0x00000000004d9d88 in Perl_cv_undef (cv=0xab2710) at pad.c​:302
#8 0x00000000005f4cd1 in Perl_sv_clear (orig_sv=0xab2710) at sv.c​:6504
#9 0x00000000005f7e2e in Perl_sv_free2 (sv=0xab2710, rc=1) at sv.c​:6954
#10 0x00000000004d3d41 in S_SvREFCNT_dec (sv=0xab2710) at inline.h​:166
#11 0x00000000004d43df in S_clear_yystack (parser=0xab9d40) at perly.c​:234
#12 0x0000000000656917 in Perl_leave_scope (base=0) at scope.c​:1176
#13 0x000000000046e5d2 in S_my_exit_jump () at perl.c​:5189
#14 0x000000000046e41b in Perl_my_failure_exit () at perl.c​:5173
#15 0x0000000000664ed7 in Perl_die_unwind (msv=0xab27a0) at pp_ctl.c​:1722
#16 0x0000000000560917 in Perl_vcroak (
  pat=0x746498 "Experimental aliasing via reference not enabled", args=0x7fffffffdd60)
  at util.c​:1791
#17 0x00000000005609c8 in Perl_croak (
  pat=0x746498 "Experimental aliasing via reference not enabled") at util.c​:1836
#18 0x00000000004277dd in Perl_op_lvalue_flags (o=0xabc0d8, type=38, flags=0) at op.c​:3132
#19 0x0000000000432e26 in Perl_newASSIGNOP (flags=64, left=0xabc0d8, optype=0, right=0xabc098)
  at op.c​:6412
#20 0x00000000004d7428 in Perl_yyparse (gramtype=258) at perly.y​:781
#21 0x000000000046169b in S_parse_body (env=0x0, xsinit=0x41eb69 <xs_init>) at perl.c​:2365
#22 0x000000000045fae1 in perl_parse (my_perl=0xa9c010, xsinit=0x41eb69 <xs_init>, argc=5,
  argv=0x7fffffffe608, env=0x0) at perl.c​:1681
#23 0x000000000041eac8 in main (argc=5, argv=0x7fffffffe608, env=0x7fffffffe638)
  at perlmain.c​:114
(gdb) f 4
#4 0x00000000004213cf in Perl_op_free (o=0xabbc00) at op.c​:731
731 assert(!(o->op_private & ~PL_op_private_valid[type]));
(gdb) l
726 #ifdef DEBUGGING
727 if ( o->op_ppaddr == PL_ppaddr[o->op_type]
728 && PL_parser
729 && !PL_parser->error_count)
730 {
731 assert(!(o->op_private & ~PL_op_private_valid[type]));
732 }
733 #endif
734
735 if (o->op_private & OPpREFCOUNTED) {
(gdb) info locals
type = 391
defer_ix = -1
defer_stack_alloc = 100
defer_stack = 0xabe190
__PRETTY_FUNCTION__ = "Perl_op_free"

**VALGRIND**

No reported memory management errors.

**PERL -V**

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -V
Summary of my perl5 (revision 5 version 25 subversion 2) configuration​:
  Commit id​: c29dfc6
  Platform​:
  osname=linux, osvers=4.5.0-2-amd64, archname=x86_64-linux-ld
  uname='linux nightshade64 4.5.0-2-amd64 #1 smp debian 4.5.3-2 (2016-05-08) x86_64 gnulinux '
  config_args='-Dusedevel -Dprefix=/usr/local/perl-afl -Dcc=ccache gcc-6.1 -Duselongdouble -Duse64bitall -Doptimize=-g -Uversiononly -Uman1dir -Uman3dir -DDEBUGGING -DPERL_POISON -des'
  hint=recommended, useposix=true, d_sigaction=define
  useithreads=undef, usemultiplicity=undef
  use64bitint=define, use64bitall=define, uselongdouble=define
  usemymalloc=n, bincompat5005=undef
  Compiler​:
  cc='ccache gcc-6.1', ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64',
  optimize='-g',
  cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
  ccversion='', gccversion='6.1.0', gccosandvers=''
  intsize=4, longsize=8, ptrsize=8, doublesize=8, byteorder=12345678, doublekind=3
  d_longlong=define, longlongsize=8, d_longdbl=define, longdblsize=16, longdblkind=3
  ivtype='long', ivsize=8, nvtype='long double', nvsize=16, Off_t='off_t', lseeksize=8
  alignbytes=16, prototype=define
  Linker and Libraries​:
  ld='ccache gcc-6.1', ldflags =' -fstack-protector-strong -L/usr/local/lib'
  libpth=/usr/local/lib /usr/local/lib/gcc/x86_64-pc-linux-gnu/6.1.0/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib
  libs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
  libc=libc-2.22.so, so=so, useshrplib=false, libperl=libperl.a
  gnulibc_version='2.22'
  Dynamic Linking​:
  dlsrc=dl_dlopen.xs, dlext=so, d_dlsymun=undef, ccdlflags='-Wl,-E'
  cccdlflags='-fPIC', lddlflags='-shared -g -L/usr/local/lib -fstack-protector-strong'

Characteristics of this binary (from libperl)​:
  Compile-time options​: DEBUGGING HAS_TIMES PERLIO_LAYERS PERL_COPY_ON_WRITE
  PERL_DONT_CREATE_GVSV
  PERL_HASH_FUNC_ONE_AT_A_TIME_HARD PERL_MALLOC_WRAP
  PERL_OP_PARENT PERL_PRESERVE_IVUV PERL_USE_DEVEL
  USE_64_BIT_ALL USE_64_BIT_INT USE_LARGE_FILES
  USE_LOCALE USE_LOCALE_COLLATE USE_LOCALE_CTYPE
  USE_LOCALE_NUMERIC USE_LOCALE_TIME USE_LONG_DOUBLE
  USE_PERLIO USE_PERL_ATOF
  Built under linux
  Compiled at May 26 2016 17​:57​:37
  @​INC​:
  lib
  /usr/local/perl-afl/lib/site_perl/5.25.2/x86_64-linux-ld
  /usr/local/perl-afl/lib/site_perl/5.25.2
  /usr/local/perl-afl/lib/5.25.2/x86_64-linux-ld
  /usr/local/perl-afl/lib/5.25.2
  /usr/local/perl-afl/lib/site_perl/5.25.1
  /usr/local/perl-afl/lib/site_perl/5.24.0
  /usr/local/perl-afl/lib/site_perl
  .

[p5pRT]

From @iabyn

On Thu, May 26, 2016 at 04​:33​:47PM -0700, Dan Collins wrote​:

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -t -W -e 'sub{\@​0[0]=0}'
Experimental aliasing via reference not enabled at -e line 1.
perl​: op.c​:731​: Perl_op_free​: Assertion `!(o->op_private & ~PL_op_private_valid[type])' failed.

Fixed by v5.25.2-53-g36efb5a

--
Hofstadter's Law​: It always takes longer than you expect, even when you
take into account Hofstadter's Law.

[p5pRT]

The RT System itself - Status changed from 'new' to 'open'

[p5pRT]

From @cpansprout

On Mon Jun 27 07​:08​:15 2016, davem wrote​:

On Thu, May 26, 2016 at 04​:33​:47PM -0700, Dan Collins wrote​:

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -t -W -e
'sub{\@​0[0]=0}'
Experimental aliasing via reference not enabled at -e line 1.
perl​: op.c​:731​: Perl_op_free​: Assertion `!(o->op_private &
~PL_op_private_valid[type])' failed.

Fixed by v5.25.2-53-g36efb5a

Oops. Thank you. (Why did you not add a test?)

--

Father Chrysostomos

[p5pRT]

From @iabyn

On Mon, Jun 27, 2016 at 08​:27​:28AM -0700, Father Chrysostomos via RT wrote​:

On Mon Jun 27 07​:08​:15 2016, davem wrote​:

On Thu, May 26, 2016 at 04​:33​:47PM -0700, Dan Collins wrote​:

dcollins@​nightshade64​:~/perldebug$ ./perl -Ilib -t -W -e
'sub{\@​0[0]=0}'
Experimental aliasing via reference not enabled at -e line 1.
perl​: op.c​:731​: Perl_op_free​: Assertion `!(o->op_private &
~PL_op_private_valid[type])' failed.

Fixed by v5.25.2-53-g36efb5a

Oops. Thank you. (Why did you not add a test?)

Because I'm lazy??? :-)

Test added with v5.25.2-60-gc61e103

--
Any [programming] language that doesn't occasionally surprise the
novice will pay for it by continually surprising the expert.
  -- Larry Wall

[p5pRT]

@iabyn - Status changed from 'open' to 'pending release'

[p5pRT]

From @khwilliamson

Thank you for filing this report. You have helped make Perl better.

With the release today of Perl 5.26.0, this and 210 other issues have been
resolved.

Perl 5.26.0 may be downloaded via​:
https://metacpan.org/release/XSAWYERX/perl-5.26.0

If you find that the problem persists, feel free to reopen this ticket.

[p5pRT]

@khwilliamson - Status changed from 'pending release' to 'resolved'