#!./perl # # Tests for a (non) reference-counted stack # # This file checks the test cases of tickets where having the stack not # reference-counted caused a crash or unexpected behaviour. # Some of tickets no longer failed in blead, but I added them as tests # anyway. # Many of the tests are just to ensure that there's no panic, SEGV or # ASAN errors, and so they are happy for the output to be "" rather # than any specific value. # # The tickets these test cases initially came from were either: # # - those linked on RT by the meta ticket: # RT #77706: "[META] stack not reference counted issues" # # - or on GH tagged as label:leak/refcount/malloc and which appear to # be stack-related BEGIN { chdir 't' if -d 't'; require './test.pl'; skip_all('not built with PERL_RC_STACK') unless defined &Internals::stack_refcounted && (Internals::stack_refcounted() & 1); set_up_inc( qw(. ../lib) ); } use warnings; use strict; # GH #2157: "coredump in map modifying input array" fresh_perl_is( q{my @a = 1..3; @a = map { splice( @a, 0 ); $_ } (@a); print "@a\n";}, "1 2 3", {stderr => 1}, "GH #2157" ); # GH #4924: "@_ gets corrupted when F(@X) shortens @X" { my @x; sub f4924 { @x = (); my @y = 999; "@_"; } @x = 1..3; # used to get "0 999 4" is f4924(0, @x, 4), "0 1 2 3 4", "GH #4924"; } # GH #6079: "Segfault when assigning to array that is being iterated over" fresh_perl_is( q{@a = 1..2; for (@a, 3) { $t = 'x'; $t =~ s/x/@a = ()/e; }}, "", {stderr => 1}, "GH #6079" ); # GH #6533: "Another self-modifyingloop bug" # # This failed an assertion prior to 5.26.0 fresh_perl_is( q{map { @a = ($_+=0) x $_ } @a=/\B./g for 100;}, "", {stderr => 1}, "GH #6533" ); # GH #6874: "Coredump when shortening an array during use" fresh_perl_is( q{$a=@F[4,7]-=@F=3}, "", {stderr => 1}, "GH #6874" ); # GH #6957: "Bizarre array copy: ???" fresh_perl_is( q{sub f { my $x; *G = \1; sub { package DB; ()=caller 1; @a = @DB::args; $x; }->(); } f($G)}, "", {stderr => 1}, "GH #6957" ); # GH #7251: "Manipulating hash in SIGCHLD handler causes "Segmentation fault"" # # Doesn't have a simple reproducer. # GH #7483: "Assignments inside lists misbehave" { my @a = 1..5; my @b = (@a, (@a = (8, 9))); is "@b", "1 2 3 4 5 8 9", "GH #7483"; } # GH #8520: "Mortality of objects (e.g. %$_) passed as args... - bug or # feature?" fresh_perl_is( q{sub foo { $x=0; \@_; } $x = { qw( a 1 b 2) }; foo(%$x);}, "", {stderr => 1}, "GH #8520" ); # GH #8842: "Combination of tie() and loop aliasing can cause perl to # crash" # # This appears to have been fixed in 5.14.0 fresh_perl_is( q{sub TIEARRAY {bless []} sub FETCH {[1]} tie my @a, 'main'; my $p = \$a[0]; my @h = ($$p->[0], $$p->[0]);}, "", {stderr => 1}, "GH #8842" ); # GH #8852: "panic copying freed scalar in Carp::Heavy" # # This appears to have been fixed in 5.14.0 fresh_perl_like( q{use Carp; @a=(1); f(@a); sub f { my $x = shift(@a); carp($x)}}, qr/^1 at /, {stderr => 1}, "GH #8852" ); # GH #8955 "Bug in orassign" # # Caused a panic. fresh_perl_is( q{my @a = (1); sub f { @a = () } $a[1] ||= f();}, "", {stderr => 1}, "GH #8955" ); # GH #9166: "$_[0] seems to get reused inappropriately" # # Duplicate of GH #9282 ? # GH #9203: "panic: attempt to copy freed scalar" fresh_perl_is( q{@a = (1); foo(@a); sub foo { my $x = shift(@a); my $y = shift; }}, "", {stderr => 1}, "GH #9203" ); # GH #9282: "Bizarre copy of ARRAY in sassign at Carp/Heavy.pm" fresh_perl_is( q{@a = (1); sub { @a = (); package DB; () = caller(0); 1 for @DB::args; }->(@a);}, "", {stderr => 1}, "GH #9282" ); # GH #9776: "segmentation fault modifying array ref during push" fresh_perl_is( q{push @$x, f(); sub f { $x = 1; 2; }}, "", {stderr => 1}, "GH #9776" ); # GH #10533: "segmentation fault in pure perl" fresh_perl_is( q{my @a = ({},{}); sub f { my ($x) = @_; @a = ( {}, {} ); 0 for (); } map { f $_ } @a;}, "", {stderr => 1}, "GH #10533" ); # GH #10687: "Bizarre copy of ARRAY in list assignment" { my @a = (8); sub f10687 { @a = (); package DB; () = caller(0); $DB::args[0]; } is f10687(@a), "8", "GH #10687"; } # GH #11287: "Use of freed value in iteration at perlbug line 6" fresh_perl_is( q{my $a = my $b = { qw(a 1 b 2) }; for (values %$a, values %$b) { %$b=() }}, "", {stderr => 1}, "GH #11287" ); # GH #11758: "@DB::args freed entries" fresh_perl_is( q{my @a = qw(a v); sub f { shift @a; package DB; my @p = caller(0); print "[@DB::args]\n"; } f(@a);}, "[a v]", {stderr => 1}, "GH #11758" ); # GH #11844: "SegFault in perl 5.010 -5.14.1" # # This was fixed in 5.16.0 by 9f71cfe6ef2 and 60edcf09a5cb0 # and tests were already added. # GH #12315: "Panic in pure-Perl code with vanilla perl-5.16.0 from perlbrew" # # (This is the ticket that first got sprout and zefram talking seriously # about how to transition to a ref-counted stack, which indirectly led # to the work that included this test file - albeit using a slightly # different approach.) fresh_perl_is( q{@h{ @x = (1) } = @x for 1,2; print for %h;}, "11", {stderr => 1}, "GH #12315" ); # GH #12952: "[5.16] Unreferenced scalar in recursion" fresh_perl_is( q{@a = (1,1,1,1); map { [shift @a, shift @a] } @a;}, "", {stderr => 1}, "GH #12952" ); # GH #13622: "Perl fails with message 'panic: attempt to copy freed scalar'" fresh_perl_is( q{my @a = (8); sub g { shift @{$_[0]}; } sub f { g(\@a); return @_; } my @b = f(@a);}, "", {stderr => 1}, "GH #13622" ); # GH #14630: "Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) # != (svtype)0xff' failed (perl: sv.c:6537) " fresh_perl_is( q{map $z=~s/x//, 0, $$z; grep 1, @b=1, @b=();}, "", {stderr => 1}, "GH #14630" ); # GH #14716: "perls (including bleadperl) segfault/etc. with # recursion+sub{}+map pure-Perl code" fresh_perl_is( q{sub f { my($n)=@_; print $n; @a = $n ? (sub { f(0); }, 0) : (); map { ref$_ ? &$_ :$_ } @a; } f(1);}, "10", {stderr => 1}, "GH #14716" ); # GH #14785: "Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) # != (svtype)0xff' failed (sv.c:6395)" fresh_perl_is( q{map{%0=map{0}m 0 0}%0=map{0}0}, "", {stderr => 1}, "GH #14785" ); # GH #14873: "v5.23.1-199-ga5f4850 breaks something badly" # # Doesn't have a simple reproducer. # GH #14912: "undefing function argument references: "Attempt to free # unreferenced scalar"" fresh_perl_is( q[sub f { $r = 1; my ($x) = @_; } $r = \{}; f($$r);], "", {stderr => 1}, "GH #14912" ); # GH #14943: "Double-free in Perl_free_tmps" fresh_perl_is( q{$[ .= *[ = 'y';}, "", {stderr => 1}, "GH #14943:" ); # GH #15186: "Access to freed SV" fresh_perl_is( q{@a=[0,0];map { $_=5; pop @$_ for @a } @{$a[0]}}, "", {stderr => 1}, "GH #15186" ); # GH #15283: "Perl_sv_setnv: Assertion # `PL_valid_types_NV_set[((svtype)((sv)->sv_flags & 0xff)) & 0xf]' # failed." fresh_perl_is( q{$z *= *z=0;}, "", {stderr => 1}, "GH #15283" ); # GH #15287: "null pointer dereference in Perl_sv_setpvn at sv.c:4896" fresh_perl_is( q{$x ^= *x = 0}, "", {stderr => 1}, "GH #15287" ); # GH #15398: "Specific array shifting causes panic" # # Seems to have been fixed in 5.26 fresh_perl_is( q{sub o { shift; @a = (shift,shift); } o(@a); o(@a);}, "", {stderr => 1}, "GH #15398" ); # GH #15447: "Unexpected: Use of freed value in iteration at ..." fresh_perl_is( q{my $h = {qw(a 1 b 2)}; for (sort values %$h) { delete $h->{ b }; }}, "", {stderr => 1}, "GH #15447" ); # GH #15556: "null ptr deref, segfault Perl_sv_setsv_flags (sv.c:4558)" # # Seems to have been fixed in 5.26 fresh_perl_is( q{*z=%::=$a=@b=0}, "", {stderr => 1}, "GH #15556" ); # GH #15607: " null ptr deref, segfault in S_rv2gv (pp.c:296)" # This still fails on an ASAN on a PERL_RC_STACK build # Since its a bit unlreliable as to whether it fails or not, # just ignore for now. # # fresh_perl_is( # q{no warnings 'experimental'; use feature "refaliasing"; \$::{foo} = \undef; *{"foo"};}, # "", # {stderr => 1}, # "GH #15607" # ); # GH #15663: " gv.c:1492: HV *S_gv_stashsvpvn_cached( # SV *, const char *, U32, I32): # Assertion # `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & # 0xf]' failed" fresh_perl_like( q{map xx->yy, (@z = 1), (@z = ());}, qr/^Can't locate object method "yy"/, {stderr => 1}, "GH #15663" ); # GH #15684: "heap-use-after-free in Perl_sv_setpv (sv.c:4990)" # # Seems to have been fixed in 5.24 fresh_perl_is( q{($0+=(*0)=@0=($0)=N)=@0=(($0)=0)=@0=()}, "", {stderr => 1}, "GH #15684" ); # GH #15687: "heap-use-after-free in S_unshare_hek_or_pvn (hv.c:2857)" fresh_perl_like( q{*p= *$p= $| = *$p = $p |= *$p = *p = $p = \p}, qr/^Can't use an undefined value as a symbol reference/, {stderr => 1}, "GH #15687" ); # GH #15740: "null ptr deref + segfault in Perl_sv_setpv_bufsize (sv.c:4956)" # # Seems to have been fixed in 5.36 fresh_perl_is( q{$$.=$A=*$=0}, "", {stderr => 1}, "GH #15740" ); # GH #15747: "heap-use-after-free Perl_sv_setpv_bufsize (sv.c:4956)" # # Seems to have been fixed in 5.36 fresh_perl_is( q{@0=$0|=*0=H or()}, "", {stderr => 1}, "GH #15747" ); # GH #15752: "fuzzing testcase triggers LeakSanitizer # over 101 byte memory leak" # # Seems to have been fixed in 5.36 fresh_perl_is( q{$$0 ^= ($0 |= (*0 = *H)), *& = ($$0 ^= ($0 |= (*0 = *H = *& = *a6))) for 'a9', 'a9'}, "", {stderr => 1}, "GH #15752" ); # GH #15755: "Perl_sv_clear(SV *const): Assertion # `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' # failed (sv.c:6540)" fresh_perl_is( q{map@0=%0=0,%0=D..T;}, "", {stderr => 1}, "GH #15755" ); # GH #15756: "Null pointer dereference + segfault in Perl_pp_subst # (pp_hot.c:3368)" fresh_perl_is( q{map 1, (%x) = (1..3), (%x) = ();}, "", {stderr => 1}, "GH #15756" ); # GH #15757: "Perl_sv_backoff(SV *const): Assertion # `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV' # failed (sv.c:1516)" fresh_perl_is( q{map( ($_ = $T % 1), ((%x) = 'T'), ((%x) = 'T'), %$T);}, "", {stderr => 1}, "GH #15757" ); # GH #15758: "Perl_sv_2nv_flags(SV *const, const I32): Assertion # `((svtye)((sv)->sv_flags & 0xff)) != SVt_PVAV # && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV # && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' # fail" fresh_perl_is( q{map( 1, (%_) = ('D', 'E'), (%_) = (),);}, "", {stderr => 1}, "GH #15758" ); # GH #15759: "segfault in Perl_mg_magical (mg.c:144)" fresh_perl_is( q{map( ((%^H) = ('D'..'FT')), (%_) = ('D'..'G'), (%_) = ());}, "", {stderr => 1}, "GH #15759" ); # GH #15762: "heap-buffer-overflow Perl_vivify_ref (pp_hot.c:4362)" fresh_perl_is( q{map$$_=0,%$T=%::}, "", {stderr => 1}, "GH #15762" ); # GH #15765: "double-free affecting multiple Perl versions" fresh_perl_like( q{map*$_= $#$_=8,%_=D.. FD,%_=D.. F}, qr/^Not a GLOB reference at/, {stderr => 1}, "GH #15765" ); # GH #15769: "attempting free on address which was not malloc()-ed" SKIP: { skip_if_miniperl('miniperl: ERRNO hash is read only'); fresh_perl_is( # this combines both failing statements from this ticket q{map%$_= %_= %$_,%::; map %$_ = %_, *::, $::{Internals::};}, "", {stderr => 1}, "GH #15769" ); } # GH #15770: "Perl_sv_pvn_force_flags(SV *const, STRLEN *const, const I32): # Assertion # `PL_valid_types_PVX[((svtype)((_svpvx)->sv_flags & 0xff)) & 0xf]' # failed (sv.c:10056)" fresh_perl_is( q{map 1, %x = (a => 1, b => undef), %x = (Y => 'Z');}, "", {stderr => 1}, "GH #15770" ); # GH #15772: "heap-use-after-free S_gv_fetchmeth_internal (gv.c:782)" fresh_perl_like( q{f { $s=1, @x=2, @x=() } 9}, qr/^Can't locate object method .* line \d+\.$/, {stderr => 1}, "GH #15772" ); # GH #15807: "Coredump in Perl_sv_cmp_flags type-core" fresh_perl_is( q{@0=s//0/; @0=sort(0,@t00=0,@t00=0,@0=s///);}, "", {stderr => 1}, "GH #15807" ); # GH #15847: "sv.c:6545: void Perl_sv_clear(SV *const): Assertion # `SvTYPE(sv) != (svtype)SVTYPEMASK' failed" fresh_perl_is( q{sub X::f{} f{'X',%0=local$0,%0=0}}, "", {stderr => 1}, "GH #15847" ); # GH #15894: "AddressSanitizer: attempting free on address in Perl_safesysfree" fresh_perl_is( q{map $p[0][0],@z=z,@z=z,@z=z,@z=z,@z=z,@z= ~9}, "", {stderr => 1}, "GH #15894" ); # GH #15912: "AddressSanitizer: attempting free in Perl_vivify_ref" fresh_perl_is( q{map $a[0][0], @a = 0, @a = 1;}, "", {stderr => 1}, "GH #15912" ); # GH #15930: "Perl 5.24 makes nama FTBFS due to segfault" fresh_perl_is( q{my @a = 0..1; sub f { my $x = shift; my @b = @a; @a = @b; 1; } map{ f($_) } @a;}, "", {stderr => 1}, "GH #15930" ); # GH #15942: "segfault in S_mg_findext_flags()" fresh_perl_is( q{map /x/g, (%h = ("y", 0)), (%h = ("y", 0))}, "", {stderr => 1}, "GH #15942" ); # GH #15959: "panic: attempt to copy freed scalar via @ARGV on stack, # Getopt::Long + Carp::longmess" # # Too much like hard work to reduce the bug report to a simple test case, # but the full script doesn't crash under PERL_RC_STACK # GH #16103: "perl: sv.c:6566: void Perl_sv_clear(SV *const): # Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed" # # Reproducing script had too many random control and unicode chars in # it to make a simple test which could be included here, but # the full script doesn't crash under PERL_RC_STACK # GH #16104: "Null Pointer Dereference in Perl_sv_setpv_bufsize" # # Seems to have been fixed in 5.36 fresh_perl_is( q{$_.=*_='x';}, "", {stderr => 1}, "GH #16104" ); # GH #16120: "heap-use-after-free in Perl_sv_setpv_bufsize" # # Seems to have been fixed in 5.36 fresh_perl_is( q{$~|=*~='a';}, "", {stderr => 1}, "GH #16120" ); # GH #16320: "PERL-5.26.1 heap_buffer_overflow READ of size 8" # # This crashed prior to 5.36.0 fresh_perl_like( q{*^V = "*main::"; 1 for Y $\ = $\ = $~ = *\ = $\ = *^ = %^V = *^V;}, qr/^Can't locate object method "Y"/, {stderr => 1}, "GH #16320" ); # GH #16321: "PERL-5.26.1 heap_use_after_free READ of size 8" # # This failed under ASAN fresh_perl_like( q{"x" . $x . pack "Wu", ~qr{}, !~"" = "x" . $x . pack "Wu", ~"", !~"" = $^V .= *^V = ""}, qr/^Modification of a read-only value/, {stderr => 1}, "GH #16321" ); # GH #16322: "PERL-5.26.1 heap_use_after_free WRITE of size 1" # # This failed under ASAN, but doesn't seem to on 5.38.0 fresh_perl_is( q{$^A .= *^A = $^A .= ""}, "", {stderr => 1}, "GH #16322" ); # GH #16323: "PERL-5.26.1 heap_use_after_free WRITE of size 1" fresh_perl_is( q{$$W += $W = 0;}, "", {stderr => 1}, "GH #16323" ); # GH #16324: "PERL-5.26.1 heap_use_after_free READ of size 8" # # This used $*, which is no longer supported # GH #16325: "PERL-5.26.1 heap_buffer_overflow READ of size 1" # # This failed under ASAN, but doesn't seem to on 5.38.0 fresh_perl_is( q{$T .= *: = *T = "*main::"}, "", {stderr => 1}, "GH #16325" ); # GH #16326: "PERL-5.26.1 heap_buffer_overflow READ of size 8" # # This used $*, which is no longer supported # GH #16443: "Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed" fresh_perl_is( q{($a)=map[split//],G0;$0=map abs($0[$a++]),@$a;}, "", {stderr => 1}, "GH #16443" ); # GH #16455: "Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860" # # Seems to have been fixed in 5.36 fresh_perl_is( q{$a ^= (*a = 'b');}, "", {stderr => 1}, "GH #16455" ); # GH #16576: "Reporting a use-after-free vulnerability in function # Perl_sv_setpv_bufsize" # # This failed under ASAN, but doesn't seem to on 5.38.0 fresh_perl_is( q{$~ |= *~ = $~;}, "", {stderr => 1}, "GH #16576" ); # GH #16613: "#10 AddressSanitizer: heap-use-after-free on address # 0x604000000990 at pc 0x00000114d184 bp 0x7fffdb11d170 # sp 0x7fffdb11d168 WRITE of size 1 at 0x604000000990" fresh_perl_is( q{$A .= $$B .= $B = 0}, "", {stderr => 1}, "GH #16613" ); # GH #16622: "Segfault on invalid script" # # This crashed prior to 5.36.0 fresh_perl_like( q{'A'->A($A .= *A = @5 = *A * 'A');}, qr/^Can't locate object method "A"/, {stderr => 1}, "GH #16622" ); # GH #16727: "NULL pointer deference in Perl_sv_setpv_bufsize # # Seems to have been fixed in 5.36 fresh_perl_is( q{$^ ^= *: = ** = *^= *: = ** = *^= *: = ** = *:;}, "", {stderr => 1}, "GH #16727" ); # GH #16742: "segfault triggered by invalid read in S_mg_findext_flags" # # Seems to have been fixed in 5.36. # The test case is very noisy, so I've skipped including here. # GH #17333: "map modifying its own LIST causes segfault in perl-5.16 and # later versions" fresh_perl_is( q{my @a = 1..5; map { pop @a } @a;}, "", {stderr => 1}, "GH #17333" ); done_testing();