xref: /openbsd-src/gnu/usr.bin/perl/t/op/refstack.t (revision 5486feefcc8cb79b19e014ab332cc5dfd05b3b33) 
1#!./perl
2#
3# Tests for a (non) reference-counted stack
4#
5# This file checks the test cases of tickets where having the stack not
6# reference-counted caused a crash or unexpected behaviour.
7# Some of tickets no longer failed in blead, but I added them as tests
8# anyway.
9# Many of the tests are just to ensure that there's no panic, SEGV or
10# ASAN errors, and so they are happy for the output to be "" rather
11# than any specific value.
12#
13# The tickets these test cases initially came from were either:
14#
15# - those linked on RT by the meta ticket:
16#    RT #77706: "[META] stack not reference counted issues"
17#
18# - or on GH tagged as label:leak/refcount/malloc and which appear to
19#    be stack-related
20
21
22BEGIN {
23    chdir 't' if -d 't';
24    require './test.pl';
25    skip_all('not built with PERL_RC_STACK')
26        unless defined &Internals::stack_refcounted
27            && (Internals::stack_refcounted() & 1);
28    set_up_inc( qw(. ../lib) );
29}
30
31use warnings;
32use strict;
33
34
35# GH #2157: "coredump in map modifying input array"
36
37fresh_perl_is(
38    q{my @a = 1..3; @a = map { splice( @a, 0 ); $_ } (@a); print "@a\n";},
39    "1 2 3",
40    {stderr => 1},
41    "GH #2157"
42);
43
44
45# GH #4924: "@_ gets corrupted when F(@X) shortens @X"
46
47{
48    my @x;
49
50    sub f4924 {
51        @x = ();
52        my @y = 999;
53        "@_";
54    }
55
56    @x = 1..3;
57    # used to get "0 999   4"
58    is f4924(0, @x, 4), "0 1 2 3 4", "GH #4924";
59}
60
61
62# GH #6079: "Segfault when assigning to array that is being iterated over"
63
64fresh_perl_is(
65    q{@a = 1..2; for (@a, 3) { $t = 'x'; $t =~ s/x/@a = ()/e; }},
66    "",
67    {stderr => 1},
68    "GH #6079"
69);
70
71
72# GH #6533: "Another self-modifyingloop bug"
73#
74# This failed an assertion prior to 5.26.0
75
76fresh_perl_is(
77    q{map { @a = ($_+=0) x $_ } @a=/\B./g for 100;},
78    "",
79    {stderr => 1},
80    "GH #6533"
81);
82
83
84# GH #6874: "Coredump when shortening an array during use"
85
86fresh_perl_is(
87    q{$a=@F[4,7]-=@F=3},
88    "",
89    {stderr => 1},
90    "GH #6874"
91);
92
93
94# GH #6957: "Bizarre array copy: ???"
95
96fresh_perl_is(
97    q{sub f { my $x; *G = \1; sub { package DB; ()=caller 1; @a = @DB::args; $x; }->(); } f($G)},
98    "",
99    {stderr => 1},
100    "GH #6957"
101);
102
103
104# GH #7251: "Manipulating hash in SIGCHLD handler causes "Segmentation fault""
105#
106# Doesn't have a simple reproducer.
107
108
109
110# GH #7483: "Assignments inside lists misbehave"
111
112{
113    my @a = 1..5;
114    my @b = (@a, (@a = (8, 9)));
115    is "@b", "1 2 3 4 5 8 9", "GH #7483";
116}
117
118
119# GH #8520: "Mortality of objects (e.g. %$_) passed as args... - bug or
120#            feature?"
121
122fresh_perl_is(
123    q{sub foo { $x=0; \@_; } $x = { qw( a 1 b 2) }; foo(%$x);},
124    "",
125    {stderr => 1},
126    "GH #8520"
127);
128
129
130# GH #8842: "Combination of tie() and loop aliasing can cause perl to
131#            crash"
132#
133# This appears to have been fixed in 5.14.0
134
135fresh_perl_is(
136    q{sub TIEARRAY {bless []} sub FETCH {[1]} tie my @a, 'main'; my $p = \$a[0]; my @h = ($$p->[0], $$p->[0]);},
137    "",
138    {stderr => 1},
139    "GH #8842"
140);
141
142
143# GH #8852: "panic copying freed scalar in Carp::Heavy"
144#
145# This appears to have been fixed in 5.14.0
146
147fresh_perl_like(
148    q{use Carp; @a=(1); f(@a); sub f { my $x = shift(@a); carp($x)}},
149    qr/^1 at /,
150    {stderr => 1},
151    "GH #8852"
152);
153
154
155# GH #8955 "Bug in orassign"
156#
157# Caused a panic.
158
159fresh_perl_is(
160    q{my @a = (1); sub f { @a = () } $a[1] ||= f();},
161    "",
162    {stderr => 1},
163    "GH #8955"
164);
165
166
167# GH #9166: "$_[0] seems to get reused inappropriately"
168#
169# Duplicate of GH #9282 ?
170
171
172
173# GH #9203: "panic: attempt to copy freed scalar"
174
175fresh_perl_is(
176    q{@a = (1); foo(@a); sub foo { my $x = shift(@a); my $y = shift; }},
177    "",
178    {stderr => 1},
179    "GH #9203"
180);
181
182
183# GH #9282: "Bizarre copy of ARRAY in sassign at Carp/Heavy.pm"
184
185fresh_perl_is(
186    q{@a = (1); sub { @a = (); package DB; () = caller(0); 1 for @DB::args; }->(@a);},
187    "",
188    {stderr => 1},
189    "GH #9282"
190);
191
192
193# GH #9776: "segmentation fault modifying array ref during push"
194
195fresh_perl_is(
196    q{push @$x, f(); sub f { $x = 1; 2; }},
197    "",
198    {stderr => 1},
199    "GH #9776"
200);
201
202
203# GH #10533: "segmentation fault in pure perl"
204
205fresh_perl_is(
206    q{my @a = ({},{}); sub f { my ($x) = @_; @a =  ( {}, {} ); 0 for (); } map { f $_ } @a;},
207    "",
208    {stderr => 1},
209    "GH #10533"
210);
211
212
213# GH #10687: "Bizarre copy of ARRAY in list assignment"
214
215{
216    my @a = (8);
217    sub f10687 {
218        @a = ();
219        package DB;
220        () = caller(0);
221        $DB::args[0];
222    }
223    is f10687(@a), "8", "GH #10687";
224}
225
226# GH #11287: "Use of freed value in iteration at perlbug line 6"
227
228fresh_perl_is(
229    q{my $a = my $b = { qw(a 1 b 2) }; for (values %$a, values %$b) { %$b=() }},
230    "",
231    {stderr => 1},
232    "GH #11287"
233);
234
235
236# GH #11758: "@DB::args freed entries"
237
238fresh_perl_is(
239    q{my @a = qw(a v); sub f { shift @a; package DB; my @p = caller(0); print "[@DB::args]\n"; } f(@a);},
240    "[a v]",
241    {stderr => 1},
242    "GH #11758"
243);
244
245
246# GH #11844: "SegFault in perl 5.010 -5.14.1"
247#
248# This was fixed in 5.16.0 by 9f71cfe6ef2 and 60edcf09a5cb0
249# and tests were already added.
250
251
252
253# GH #12315: "Panic in pure-Perl code with vanilla perl-5.16.0 from perlbrew"
254#
255# (This is the ticket that first got sprout and zefram talking seriously
256# about how to transition to a ref-counted stack, which indirectly led
257# to the work that included this test file - albeit using a slightly
258# different approach.)
259
260fresh_perl_is(
261    q{@h{ @x = (1) } = @x for 1,2; print for %h;},
262    "11",
263    {stderr => 1},
264    "GH #12315"
265);
266
267
268# GH #12952: "[5.16] Unreferenced scalar in recursion"
269
270fresh_perl_is(
271    q{@a = (1,1,1,1); map { [shift @a, shift @a] } @a;},
272    "",
273    {stderr => 1},
274    "GH #12952"
275);
276
277
278# GH #13622: "Perl fails with message 'panic: attempt to copy freed scalar'"
279
280fresh_perl_is(
281    q{my @a = (8); sub g { shift @{$_[0]}; } sub f { g(\@a); return @_; } my @b = f(@a);},
282    "",
283    {stderr => 1},
284    "GH #13622"
285);
286
287
288# GH #14630: "Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff))
289#              != (svtype)0xff' failed (perl: sv.c:6537) "
290
291fresh_perl_is(
292    q{map $z=~s/x//, 0, $$z; grep 1, @b=1, @b=();},
293    "",
294    {stderr => 1},
295    "GH #14630"
296);
297
298
299# GH #14716: "perls (including bleadperl) segfault/etc. with
300#             recursion+sub{}+map pure-Perl code"
301
302fresh_perl_is(
303    q{sub f { my($n)=@_; print $n; @a = $n ? (sub { f(0); }, 0) : (); map { ref$_ ? &$_ :$_ } @a; } f(1);},
304    "10",
305    {stderr => 1},
306    "GH #14716"
307);
308
309
310# GH #14785: "Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff))
311#             != (svtype)0xff' failed (sv.c:6395)"
312
313fresh_perl_is(
314    q{map{%0=map{0}m 0 0}%0=map{0}0},
315    "",
316    {stderr => 1},
317    "GH #14785"
318);
319
320
321# GH #14873: "v5.23.1-199-ga5f4850 breaks something badly"
322#
323# Doesn't have a simple reproducer.
324
325
326
327# GH #14912: "undefing function argument references: "Attempt to free
328#             unreferenced scalar""
329
330fresh_perl_is(
331    q[sub f { $r = 1; my ($x) = @_; } $r = \{}; f($$r);],
332    "",
333    {stderr => 1},
334    "GH #14912"
335);
336
337
338# GH #14943: "Double-free in Perl_free_tmps"
339
340fresh_perl_is(
341    q{$[ .= *[ = 'y';},
342    "",
343    {stderr => 1},
344    "GH #14943:"
345);
346
347
348# GH #15186: "Access to freed SV"
349
350fresh_perl_is(
351    q{@a=[0,0];map { $_=5; pop @$_ for @a } @{$a[0]}},
352    "",
353    {stderr => 1},
354    "GH #15186"
355);
356
357
358# GH #15283: "Perl_sv_setnv: Assertion
359#             `PL_valid_types_NV_set[((svtype)((sv)->sv_flags & 0xff)) & 0xf]'
360#             failed."
361
362fresh_perl_is(
363    q{$z *= *z=0;},
364    "",
365    {stderr => 1},
366    "GH #15283"
367);
368
369
370# GH #15287: "null pointer dereference in Perl_sv_setpvn at sv.c:4896"
371
372fresh_perl_is(
373    q{$x ^= *x = 0},
374    "",
375    {stderr => 1},
376    "GH #15287"
377);
378
379
380# GH #15398: "Specific array shifting causes panic"
381#
382# Seems to have been fixed in 5.26
383
384fresh_perl_is(
385    q{sub o { shift; @a = (shift,shift); } o(@a); o(@a);},
386    "",
387    {stderr => 1},
388    "GH #15398"
389);
390
391
392# GH #15447: "Unexpected: Use of freed value in iteration at ..."
393
394fresh_perl_is(
395    q{my $h = {qw(a 1 b 2)}; for (sort values %$h) { delete $h->{ b }; }},
396    "",
397    {stderr => 1},
398    "GH #15447"
399);
400
401
402# GH #15556: "null ptr deref, segfault Perl_sv_setsv_flags (sv.c:4558)"
403#
404# Seems to have been fixed in 5.26
405
406fresh_perl_is(
407    q{*z=%::=$a=@b=0},
408    "",
409    {stderr => 1},
410    "GH #15556"
411);
412
413
414# GH #15607: " null ptr deref, segfault in S_rv2gv (pp.c:296)"
415# This still fails on  an ASAN on a PERL_RC_STACK build
416# Since its a bit unlreliable as to whether it fails or not,
417# just ignore for now.
418#
419# fresh_perl_is(
420#     q{no warnings 'experimental'; use feature "refaliasing"; \$::{foo} = \undef; *{"foo"};},
421#     "",
422#     {stderr => 1},
423#     "GH #15607"
424# );
425
426
427# GH #15663: " gv.c:1492: HV *S_gv_stashsvpvn_cached(
428#                                SV *, const char *, U32, I32):
429#              Assertion
430#              `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) &
431#              0xf]' failed"
432
433fresh_perl_like(
434    q{map xx->yy, (@z = 1), (@z = ());},
435    qr/^Can't locate object method "yy"/,
436    {stderr => 1},
437    "GH #15663"
438);
439
440
441# GH #15684: "heap-use-after-free in Perl_sv_setpv (sv.c:4990)"
442#
443# Seems to have been fixed in 5.24
444
445fresh_perl_is(
446    q{($0+=(*0)=@0=($0)=N)=@0=(($0)=0)=@0=()},
447    "",
448    {stderr => 1},
449    "GH #15684"
450);
451
452
453# GH #15687: "heap-use-after-free in S_unshare_hek_or_pvn (hv.c:2857)"
454
455fresh_perl_like(
456    q{*p= *$p= $| = *$p = $p |= *$p = *p = $p = \p},
457    qr/^Can't use an undefined value as a symbol reference/,
458    {stderr => 1},
459    "GH #15687"
460);
461
462
463# GH #15740: "null ptr deref + segfault in Perl_sv_setpv_bufsize (sv.c:4956)"
464#
465# Seems to have been fixed in 5.36
466
467fresh_perl_is(
468    q{$$.=$A=*$=0},
469    "",
470    {stderr => 1},
471    "GH #15740"
472);
473
474
475# GH #15747: "heap-use-after-free Perl_sv_setpv_bufsize (sv.c:4956)"
476#
477# Seems to have been fixed in 5.36
478
479fresh_perl_is(
480    q{@0=$0|=*0=H or()},
481    "",
482    {stderr => 1},
483    "GH #15747"
484);
485
486
487# GH #15752: "fuzzing testcase triggers LeakSanitizer
488#             over 101 byte memory leak"
489#
490# Seems to have been fixed in 5.36
491
492fresh_perl_is(
493    q{$$0 ^= ($0 |= (*0 = *H)), *& = ($$0 ^= ($0 |= (*0 = *H = *& = *a6))) for 'a9', 'a9'},
494    "",
495    {stderr => 1},
496    "GH #15752"
497);
498
499
500# GH #15755: "Perl_sv_clear(SV *const): Assertion
501#             `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff'
502#             failed (sv.c:6540)"
503
504fresh_perl_is(
505    q{map@0=%0=0,%0=D..T;},
506    "",
507    {stderr => 1},
508    "GH #15755"
509);
510
511
512# GH #15756: "Null pointer dereference + segfault in Perl_pp_subst
513#             (pp_hot.c:3368)"
514
515fresh_perl_is(
516    q{map 1, (%x) = (1..3), (%x) = ();},
517    "",
518    {stderr => 1},
519    "GH #15756"
520);
521
522
523# GH #15757: "Perl_sv_backoff(SV *const): Assertion
524#             `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV'
525#             failed (sv.c:1516)"
526
527fresh_perl_is(
528    q{map( ($_ = $T % 1), ((%x) = 'T'), ((%x) = 'T'), %$T);},
529    "",
530    {stderr => 1},
531    "GH #15757"
532);
533
534
535# GH #15758: "Perl_sv_2nv_flags(SV *const, const I32): Assertion
536#             `((svtye)((sv)->sv_flags & 0xff)) != SVt_PVAV
537#             && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV
538#             && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM'
539#             fail"
540
541fresh_perl_is(
542    q{map( 1, (%_) = ('D', 'E'), (%_) = (),);},
543    "",
544    {stderr => 1},
545    "GH #15758"
546);
547
548
549# GH #15759: "segfault in Perl_mg_magical (mg.c:144)"
550
551fresh_perl_is(
552    q{map( ((%^H) = ('D'..'FT')), (%_) = ('D'..'G'), (%_) = ());},
553    "",
554    {stderr => 1},
555    "GH #15759"
556);
557
558
559# GH #15762: "heap-buffer-overflow Perl_vivify_ref (pp_hot.c:4362)"
560
561fresh_perl_is(
562    q{map$$_=0,%$T=%::},
563    "",
564    {stderr => 1},
565    "GH #15762"
566);
567
568
569# GH #15765: "double-free affecting multiple Perl versions"
570
571fresh_perl_like(
572    q{map*$_= $#$_=8,%_=D.. FD,%_=D.. F},
573    qr/^Not a GLOB reference at/,
574    {stderr => 1},
575    "GH #15765"
576);
577
578
579# GH #15769: "attempting free on address which was not malloc()-ed"
580
581SKIP: {
582    skip_if_miniperl('miniperl: ERRNO hash is read only');
583    fresh_perl_is(
584        # this combines both failing statements from this ticket
585        q{map%$_= %_= %$_,%::;  map %$_ = %_, *::, $::{Internals::};},
586        "",
587        {stderr => 1},
588        "GH #15769"
589    );
590}
591
592
593# GH #15770: "Perl_sv_pvn_force_flags(SV *const, STRLEN *const, const I32):
594#             Assertion
595#             `PL_valid_types_PVX[((svtype)((_svpvx)->sv_flags & 0xff)) & 0xf]'
596#             failed (sv.c:10056)"
597
598fresh_perl_is(
599    q{map 1, %x = (a => 1, b => undef), %x = (Y => 'Z');},
600    "",
601    {stderr => 1},
602    "GH #15770"
603);
604
605
606# GH #15772: "heap-use-after-free S_gv_fetchmeth_internal (gv.c:782)"
607
608fresh_perl_like(
609    q{f { $s=1, @x=2, @x=() } 9},
610    qr/^Can't locate object method .* line \d+\.$/,
611    {stderr => 1},
612    "GH #15772"
613);
614
615
616# GH #15807: "Coredump in Perl_sv_cmp_flags type-core"
617
618fresh_perl_is(
619    q{@0=s//0/; @0=sort(0,@t00=0,@t00=0,@0=s///);},
620    "",
621    {stderr => 1},
622    "GH #15807"
623);
624
625
626# GH #15847: "sv.c:6545: void Perl_sv_clear(SV *const): Assertion
627#             `SvTYPE(sv) != (svtype)SVTYPEMASK' failed"
628
629fresh_perl_is(
630    q{sub X::f{} f{'X',%0=local$0,%0=0}},
631    "",
632    {stderr => 1},
633    "GH #15847"
634);
635
636
637# GH #15894: "AddressSanitizer: attempting free on address in Perl_safesysfree"
638
639fresh_perl_is(
640    q{map $p[0][0],@z=z,@z=z,@z=z,@z=z,@z=z,@z= ~9},
641    "",
642    {stderr => 1},
643    "GH #15894"
644);
645
646
647# GH #15912: "AddressSanitizer: attempting free in Perl_vivify_ref"
648
649fresh_perl_is(
650    q{map $a[0][0], @a = 0, @a = 1;},
651    "",
652    {stderr => 1},
653    "GH #15912"
654);
655
656
657# GH #15930: "Perl 5.24 makes nama FTBFS due to segfault"
658
659fresh_perl_is(
660    q{my @a = 0..1; sub f { my $x = shift; my @b = @a; @a = @b; 1; } map{ f($_) } @a;},
661    "",
662    {stderr => 1},
663    "GH #15930"
664);
665
666
667# GH #15942: "segfault in S_mg_findext_flags()"
668
669fresh_perl_is(
670    q{map /x/g, (%h = ("y", 0)), (%h = ("y", 0))},
671    "",
672    {stderr => 1},
673    "GH #15942"
674);
675
676
677# GH #15959: "panic: attempt to copy freed scalar via @ARGV on stack,
678#           Getopt::Long + Carp::longmess"
679#
680# Too much like hard work to reduce the bug report to a simple test case,
681# but the full script doesn't crash under PERL_RC_STACK
682
683
684
685# GH #16103: "perl: sv.c:6566: void Perl_sv_clear(SV *const):
686#             Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed"
687#
688# Reproducing script had too many random control and unicode chars in
689# it to make a simple test which could be included here, but
690# the full script doesn't crash under PERL_RC_STACK
691
692
693
694# GH #16104: "Null Pointer Dereference in Perl_sv_setpv_bufsize"
695#
696# Seems to have been fixed in 5.36
697
698fresh_perl_is(
699    q{$_.=*_='x';},
700    "",
701    {stderr => 1},
702    "GH #16104"
703);
704
705
706# GH #16120: "heap-use-after-free in Perl_sv_setpv_bufsize"
707#
708# Seems to have been fixed in 5.36
709
710fresh_perl_is(
711    q{$~|=*~='a';},
712    "",
713    {stderr => 1},
714    "GH #16120"
715);
716
717
718# GH #16320: "PERL-5.26.1 heap_buffer_overflow READ of size 8"
719#
720# This crashed prior to 5.36.0
721
722fresh_perl_like(
723    q{*^V = "*main::"; 1 for Y $\ = $\ = $~ = *\ = $\ = *^ = %^V = *^V;},
724    qr/^Can't locate object method "Y"/,
725    {stderr => 1},
726    "GH #16320"
727);
728
729
730# GH #16321: "PERL-5.26.1 heap_use_after_free READ of size 8"
731#
732# This failed under ASAN
733
734fresh_perl_like(
735    q{"x" . $x . pack "Wu", ~qr{}, !~"" = "x" . $x . pack "Wu", ~"", !~"" = $^V .= *^V = ""},
736    qr/^Modification of a read-only value/,
737    {stderr => 1},
738    "GH #16321"
739);
740
741
742# GH #16322: "PERL-5.26.1 heap_use_after_free WRITE of size 1"
743#
744# This failed under ASAN, but doesn't seem to on 5.38.0
745
746fresh_perl_is(
747    q{$^A .= *^A = $^A .= ""},
748    "",
749    {stderr => 1},
750    "GH #16322"
751);
752
753
754# GH #16323: "PERL-5.26.1 heap_use_after_free WRITE of size 1"
755
756fresh_perl_is(
757    q{$$W += $W = 0;},
758    "",
759    {stderr => 1},
760    "GH #16323"
761);
762
763
764# GH #16324: "PERL-5.26.1 heap_use_after_free READ of size 8"
765#
766# This used $*, which is no longer supported
767
768
769
770# GH #16325: "PERL-5.26.1 heap_buffer_overflow READ of size 1"
771#
772# This failed under ASAN, but doesn't seem to on 5.38.0
773
774fresh_perl_is(
775    q{$T .= *: = *T = "*main::"},
776
777    "",
778    {stderr => 1},
779    "GH #16325"
780);
781
782
783# GH #16326: "PERL-5.26.1 heap_buffer_overflow READ of size 8"
784#
785# This used $*, which is no longer supported
786
787
788# GH #16443: "Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed"
789
790fresh_perl_is(
791    q{($a)=map[split//],G0;$0=map abs($0[$a++]),@$a;},
792    "",
793    {stderr => 1},
794    "GH #16443"
795);
796
797
798# GH #16455: "Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860"
799#
800# Seems to have been fixed in 5.36
801
802fresh_perl_is(
803    q{$a ^= (*a = 'b');},
804    "",
805    {stderr => 1},
806    "GH #16455"
807);
808
809
810# GH #16576: "Reporting a use-after-free vulnerability in function
811#             Perl_sv_setpv_bufsize"
812#
813# This failed under ASAN, but doesn't seem to on 5.38.0
814
815fresh_perl_is(
816    q{$~ |= *~ = $~;},
817    "",
818    {stderr => 1},
819    "GH #16576"
820);
821
822
823# GH #16613: "#10 AddressSanitizer: heap-use-after-free on address
824#             0x604000000990 at pc 0x00000114d184 bp 0x7fffdb11d170
825#             sp 0x7fffdb11d168 WRITE of size 1 at 0x604000000990"
826
827fresh_perl_is(
828    q{$A .= $$B .= $B = 0},
829    "",
830    {stderr => 1},
831    "GH #16613"
832);
833
834
835# GH #16622: "Segfault on invalid script"
836#
837# This crashed prior to 5.36.0
838
839fresh_perl_like(
840    q{'A'->A($A .= *A = @5 = *A * 'A');},
841    qr/^Can't locate object method "A"/,
842    {stderr => 1},
843    "GH #16622"
844);
845
846
847# GH #16727: "NULL pointer deference in Perl_sv_setpv_bufsize
848#
849# Seems to have been fixed in 5.36
850
851fresh_perl_is(
852    q{$^ ^= *: = ** = *^= *: = ** = *^= *: = ** = *:;},
853    "",
854    {stderr => 1},
855    "GH #16727"
856);
857
858
859# GH #16742: "segfault triggered by invalid read in S_mg_findext_flags"
860#
861# Seems to have been fixed in 5.36.
862# The test case is very noisy, so I've skipped including here.
863
864
865
866# GH #17333: "map modifying its own LIST causes segfault in perl-5.16 and
867#             later versions"
868
869fresh_perl_is(
870    q{my @a = 1..5; map { pop @a } @a;},
871    "",
872    {stderr => 1},
873    "GH #17333"
874);
875
876
877
878done_testing();
879