1*5486feefSafresh1#!./perl 2*5486feefSafresh1# 3*5486feefSafresh1# Tests for a (non) reference-counted stack 4*5486feefSafresh1# 5*5486feefSafresh1# This file checks the test cases of tickets where having the stack not 6*5486feefSafresh1# reference-counted caused a crash or unexpected behaviour. 7*5486feefSafresh1# Some of tickets no longer failed in blead, but I added them as tests 8*5486feefSafresh1# anyway. 9*5486feefSafresh1# Many of the tests are just to ensure that there's no panic, SEGV or 10*5486feefSafresh1# ASAN errors, and so they are happy for the output to be "" rather 11*5486feefSafresh1# than any specific value. 12*5486feefSafresh1# 13*5486feefSafresh1# The tickets these test cases initially came from were either: 14*5486feefSafresh1# 15*5486feefSafresh1# - those linked on RT by the meta ticket: 16*5486feefSafresh1# RT #77706: "[META] stack not reference counted issues" 17*5486feefSafresh1# 18*5486feefSafresh1# - or on GH tagged as label:leak/refcount/malloc and which appear to 19*5486feefSafresh1# be stack-related 20*5486feefSafresh1 21*5486feefSafresh1 22*5486feefSafresh1BEGIN { 23*5486feefSafresh1 chdir 't' if -d 't'; 24*5486feefSafresh1 require './test.pl'; 25*5486feefSafresh1 skip_all('not built with PERL_RC_STACK') 26*5486feefSafresh1 unless defined &Internals::stack_refcounted 27*5486feefSafresh1 && (Internals::stack_refcounted() & 1); 28*5486feefSafresh1 set_up_inc( qw(. ../lib) ); 29*5486feefSafresh1} 30*5486feefSafresh1 31*5486feefSafresh1use warnings; 32*5486feefSafresh1use strict; 33*5486feefSafresh1 34*5486feefSafresh1 35*5486feefSafresh1# GH #2157: "coredump in map modifying input array" 36*5486feefSafresh1 37*5486feefSafresh1fresh_perl_is( 38*5486feefSafresh1 q{my @a = 1..3; @a = map { splice( @a, 0 ); $_ } (@a); print "@a\n";}, 39*5486feefSafresh1 "1 2 3", 40*5486feefSafresh1 {stderr => 1}, 41*5486feefSafresh1 "GH #2157" 42*5486feefSafresh1); 43*5486feefSafresh1 44*5486feefSafresh1 45*5486feefSafresh1# GH #4924: "@_ gets corrupted when F(@X) shortens @X" 46*5486feefSafresh1 47*5486feefSafresh1{ 48*5486feefSafresh1 my @x; 49*5486feefSafresh1 50*5486feefSafresh1 sub f4924 { 51*5486feefSafresh1 @x = (); 52*5486feefSafresh1 my @y = 999; 53*5486feefSafresh1 "@_"; 54*5486feefSafresh1 } 55*5486feefSafresh1 56*5486feefSafresh1 @x = 1..3; 57*5486feefSafresh1 # used to get "0 999 4" 58*5486feefSafresh1 is f4924(0, @x, 4), "0 1 2 3 4", "GH #4924"; 59*5486feefSafresh1} 60*5486feefSafresh1 61*5486feefSafresh1 62*5486feefSafresh1# GH #6079: "Segfault when assigning to array that is being iterated over" 63*5486feefSafresh1 64*5486feefSafresh1fresh_perl_is( 65*5486feefSafresh1 q{@a = 1..2; for (@a, 3) { $t = 'x'; $t =~ s/x/@a = ()/e; }}, 66*5486feefSafresh1 "", 67*5486feefSafresh1 {stderr => 1}, 68*5486feefSafresh1 "GH #6079" 69*5486feefSafresh1); 70*5486feefSafresh1 71*5486feefSafresh1 72*5486feefSafresh1# GH #6533: "Another self-modifyingloop bug" 73*5486feefSafresh1# 74*5486feefSafresh1# This failed an assertion prior to 5.26.0 75*5486feefSafresh1 76*5486feefSafresh1fresh_perl_is( 77*5486feefSafresh1 q{map { @a = ($_+=0) x $_ } @a=/\B./g for 100;}, 78*5486feefSafresh1 "", 79*5486feefSafresh1 {stderr => 1}, 80*5486feefSafresh1 "GH #6533" 81*5486feefSafresh1); 82*5486feefSafresh1 83*5486feefSafresh1 84*5486feefSafresh1# GH #6874: "Coredump when shortening an array during use" 85*5486feefSafresh1 86*5486feefSafresh1fresh_perl_is( 87*5486feefSafresh1 q{$a=@F[4,7]-=@F=3}, 88*5486feefSafresh1 "", 89*5486feefSafresh1 {stderr => 1}, 90*5486feefSafresh1 "GH #6874" 91*5486feefSafresh1); 92*5486feefSafresh1 93*5486feefSafresh1 94*5486feefSafresh1# GH #6957: "Bizarre array copy: ???" 95*5486feefSafresh1 96*5486feefSafresh1fresh_perl_is( 97*5486feefSafresh1 q{sub f { my $x; *G = \1; sub { package DB; ()=caller 1; @a = @DB::args; $x; }->(); } f($G)}, 98*5486feefSafresh1 "", 99*5486feefSafresh1 {stderr => 1}, 100*5486feefSafresh1 "GH #6957" 101*5486feefSafresh1); 102*5486feefSafresh1 103*5486feefSafresh1 104*5486feefSafresh1# GH #7251: "Manipulating hash in SIGCHLD handler causes "Segmentation fault"" 105*5486feefSafresh1# 106*5486feefSafresh1# Doesn't have a simple reproducer. 107*5486feefSafresh1 108*5486feefSafresh1 109*5486feefSafresh1 110*5486feefSafresh1# GH #7483: "Assignments inside lists misbehave" 111*5486feefSafresh1 112*5486feefSafresh1{ 113*5486feefSafresh1 my @a = 1..5; 114*5486feefSafresh1 my @b = (@a, (@a = (8, 9))); 115*5486feefSafresh1 is "@b", "1 2 3 4 5 8 9", "GH #7483"; 116*5486feefSafresh1} 117*5486feefSafresh1 118*5486feefSafresh1 119*5486feefSafresh1# GH #8520: "Mortality of objects (e.g. %$_) passed as args... - bug or 120*5486feefSafresh1# feature?" 121*5486feefSafresh1 122*5486feefSafresh1fresh_perl_is( 123*5486feefSafresh1 q{sub foo { $x=0; \@_; } $x = { qw( a 1 b 2) }; foo(%$x);}, 124*5486feefSafresh1 "", 125*5486feefSafresh1 {stderr => 1}, 126*5486feefSafresh1 "GH #8520" 127*5486feefSafresh1); 128*5486feefSafresh1 129*5486feefSafresh1 130*5486feefSafresh1# GH #8842: "Combination of tie() and loop aliasing can cause perl to 131*5486feefSafresh1# crash" 132*5486feefSafresh1# 133*5486feefSafresh1# This appears to have been fixed in 5.14.0 134*5486feefSafresh1 135*5486feefSafresh1fresh_perl_is( 136*5486feefSafresh1 q{sub TIEARRAY {bless []} sub FETCH {[1]} tie my @a, 'main'; my $p = \$a[0]; my @h = ($$p->[0], $$p->[0]);}, 137*5486feefSafresh1 "", 138*5486feefSafresh1 {stderr => 1}, 139*5486feefSafresh1 "GH #8842" 140*5486feefSafresh1); 141*5486feefSafresh1 142*5486feefSafresh1 143*5486feefSafresh1# GH #8852: "panic copying freed scalar in Carp::Heavy" 144*5486feefSafresh1# 145*5486feefSafresh1# This appears to have been fixed in 5.14.0 146*5486feefSafresh1 147*5486feefSafresh1fresh_perl_like( 148*5486feefSafresh1 q{use Carp; @a=(1); f(@a); sub f { my $x = shift(@a); carp($x)}}, 149*5486feefSafresh1 qr/^1 at /, 150*5486feefSafresh1 {stderr => 1}, 151*5486feefSafresh1 "GH #8852" 152*5486feefSafresh1); 153*5486feefSafresh1 154*5486feefSafresh1 155*5486feefSafresh1# GH #8955 "Bug in orassign" 156*5486feefSafresh1# 157*5486feefSafresh1# Caused a panic. 158*5486feefSafresh1 159*5486feefSafresh1fresh_perl_is( 160*5486feefSafresh1 q{my @a = (1); sub f { @a = () } $a[1] ||= f();}, 161*5486feefSafresh1 "", 162*5486feefSafresh1 {stderr => 1}, 163*5486feefSafresh1 "GH #8955" 164*5486feefSafresh1); 165*5486feefSafresh1 166*5486feefSafresh1 167*5486feefSafresh1# GH #9166: "$_[0] seems to get reused inappropriately" 168*5486feefSafresh1# 169*5486feefSafresh1# Duplicate of GH #9282 ? 170*5486feefSafresh1 171*5486feefSafresh1 172*5486feefSafresh1 173*5486feefSafresh1# GH #9203: "panic: attempt to copy freed scalar" 174*5486feefSafresh1 175*5486feefSafresh1fresh_perl_is( 176*5486feefSafresh1 q{@a = (1); foo(@a); sub foo { my $x = shift(@a); my $y = shift; }}, 177*5486feefSafresh1 "", 178*5486feefSafresh1 {stderr => 1}, 179*5486feefSafresh1 "GH #9203" 180*5486feefSafresh1); 181*5486feefSafresh1 182*5486feefSafresh1 183*5486feefSafresh1# GH #9282: "Bizarre copy of ARRAY in sassign at Carp/Heavy.pm" 184*5486feefSafresh1 185*5486feefSafresh1fresh_perl_is( 186*5486feefSafresh1 q{@a = (1); sub { @a = (); package DB; () = caller(0); 1 for @DB::args; }->(@a);}, 187*5486feefSafresh1 "", 188*5486feefSafresh1 {stderr => 1}, 189*5486feefSafresh1 "GH #9282" 190*5486feefSafresh1); 191*5486feefSafresh1 192*5486feefSafresh1 193*5486feefSafresh1# GH #9776: "segmentation fault modifying array ref during push" 194*5486feefSafresh1 195*5486feefSafresh1fresh_perl_is( 196*5486feefSafresh1 q{push @$x, f(); sub f { $x = 1; 2; }}, 197*5486feefSafresh1 "", 198*5486feefSafresh1 {stderr => 1}, 199*5486feefSafresh1 "GH #9776" 200*5486feefSafresh1); 201*5486feefSafresh1 202*5486feefSafresh1 203*5486feefSafresh1# GH #10533: "segmentation fault in pure perl" 204*5486feefSafresh1 205*5486feefSafresh1fresh_perl_is( 206*5486feefSafresh1 q{my @a = ({},{}); sub f { my ($x) = @_; @a = ( {}, {} ); 0 for (); } map { f $_ } @a;}, 207*5486feefSafresh1 "", 208*5486feefSafresh1 {stderr => 1}, 209*5486feefSafresh1 "GH #10533" 210*5486feefSafresh1); 211*5486feefSafresh1 212*5486feefSafresh1 213*5486feefSafresh1# GH #10687: "Bizarre copy of ARRAY in list assignment" 214*5486feefSafresh1 215*5486feefSafresh1{ 216*5486feefSafresh1 my @a = (8); 217*5486feefSafresh1 sub f10687 { 218*5486feefSafresh1 @a = (); 219*5486feefSafresh1 package DB; 220*5486feefSafresh1 () = caller(0); 221*5486feefSafresh1 $DB::args[0]; 222*5486feefSafresh1 } 223*5486feefSafresh1 is f10687(@a), "8", "GH #10687"; 224*5486feefSafresh1} 225*5486feefSafresh1 226*5486feefSafresh1# GH #11287: "Use of freed value in iteration at perlbug line 6" 227*5486feefSafresh1 228*5486feefSafresh1fresh_perl_is( 229*5486feefSafresh1 q{my $a = my $b = { qw(a 1 b 2) }; for (values %$a, values %$b) { %$b=() }}, 230*5486feefSafresh1 "", 231*5486feefSafresh1 {stderr => 1}, 232*5486feefSafresh1 "GH #11287" 233*5486feefSafresh1); 234*5486feefSafresh1 235*5486feefSafresh1 236*5486feefSafresh1# GH #11758: "@DB::args freed entries" 237*5486feefSafresh1 238*5486feefSafresh1fresh_perl_is( 239*5486feefSafresh1 q{my @a = qw(a v); sub f { shift @a; package DB; my @p = caller(0); print "[@DB::args]\n"; } f(@a);}, 240*5486feefSafresh1 "[a v]", 241*5486feefSafresh1 {stderr => 1}, 242*5486feefSafresh1 "GH #11758" 243*5486feefSafresh1); 244*5486feefSafresh1 245*5486feefSafresh1 246*5486feefSafresh1# GH #11844: "SegFault in perl 5.010 -5.14.1" 247*5486feefSafresh1# 248*5486feefSafresh1# This was fixed in 5.16.0 by 9f71cfe6ef2 and 60edcf09a5cb0 249*5486feefSafresh1# and tests were already added. 250*5486feefSafresh1 251*5486feefSafresh1 252*5486feefSafresh1 253*5486feefSafresh1# GH #12315: "Panic in pure-Perl code with vanilla perl-5.16.0 from perlbrew" 254*5486feefSafresh1# 255*5486feefSafresh1# (This is the ticket that first got sprout and zefram talking seriously 256*5486feefSafresh1# about how to transition to a ref-counted stack, which indirectly led 257*5486feefSafresh1# to the work that included this test file - albeit using a slightly 258*5486feefSafresh1# different approach.) 259*5486feefSafresh1 260*5486feefSafresh1fresh_perl_is( 261*5486feefSafresh1 q{@h{ @x = (1) } = @x for 1,2; print for %h;}, 262*5486feefSafresh1 "11", 263*5486feefSafresh1 {stderr => 1}, 264*5486feefSafresh1 "GH #12315" 265*5486feefSafresh1); 266*5486feefSafresh1 267*5486feefSafresh1 268*5486feefSafresh1# GH #12952: "[5.16] Unreferenced scalar in recursion" 269*5486feefSafresh1 270*5486feefSafresh1fresh_perl_is( 271*5486feefSafresh1 q{@a = (1,1,1,1); map { [shift @a, shift @a] } @a;}, 272*5486feefSafresh1 "", 273*5486feefSafresh1 {stderr => 1}, 274*5486feefSafresh1 "GH #12952" 275*5486feefSafresh1); 276*5486feefSafresh1 277*5486feefSafresh1 278*5486feefSafresh1# GH #13622: "Perl fails with message 'panic: attempt to copy freed scalar'" 279*5486feefSafresh1 280*5486feefSafresh1fresh_perl_is( 281*5486feefSafresh1 q{my @a = (8); sub g { shift @{$_[0]}; } sub f { g(\@a); return @_; } my @b = f(@a);}, 282*5486feefSafresh1 "", 283*5486feefSafresh1 {stderr => 1}, 284*5486feefSafresh1 "GH #13622" 285*5486feefSafresh1); 286*5486feefSafresh1 287*5486feefSafresh1 288*5486feefSafresh1# GH #14630: "Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) 289*5486feefSafresh1# != (svtype)0xff' failed (perl: sv.c:6537) " 290*5486feefSafresh1 291*5486feefSafresh1fresh_perl_is( 292*5486feefSafresh1 q{map $z=~s/x//, 0, $$z; grep 1, @b=1, @b=();}, 293*5486feefSafresh1 "", 294*5486feefSafresh1 {stderr => 1}, 295*5486feefSafresh1 "GH #14630" 296*5486feefSafresh1); 297*5486feefSafresh1 298*5486feefSafresh1 299*5486feefSafresh1# GH #14716: "perls (including bleadperl) segfault/etc. with 300*5486feefSafresh1# recursion+sub{}+map pure-Perl code" 301*5486feefSafresh1 302*5486feefSafresh1fresh_perl_is( 303*5486feefSafresh1 q{sub f { my($n)=@_; print $n; @a = $n ? (sub { f(0); }, 0) : (); map { ref$_ ? &$_ :$_ } @a; } f(1);}, 304*5486feefSafresh1 "10", 305*5486feefSafresh1 {stderr => 1}, 306*5486feefSafresh1 "GH #14716" 307*5486feefSafresh1); 308*5486feefSafresh1 309*5486feefSafresh1 310*5486feefSafresh1# GH #14785: "Perl_sv_clear: Assertion `((svtype)((sv)->sv_flags & 0xff)) 311*5486feefSafresh1# != (svtype)0xff' failed (sv.c:6395)" 312*5486feefSafresh1 313*5486feefSafresh1fresh_perl_is( 314*5486feefSafresh1 q{map{%0=map{0}m 0 0}%0=map{0}0}, 315*5486feefSafresh1 "", 316*5486feefSafresh1 {stderr => 1}, 317*5486feefSafresh1 "GH #14785" 318*5486feefSafresh1); 319*5486feefSafresh1 320*5486feefSafresh1 321*5486feefSafresh1# GH #14873: "v5.23.1-199-ga5f4850 breaks something badly" 322*5486feefSafresh1# 323*5486feefSafresh1# Doesn't have a simple reproducer. 324*5486feefSafresh1 325*5486feefSafresh1 326*5486feefSafresh1 327*5486feefSafresh1# GH #14912: "undefing function argument references: "Attempt to free 328*5486feefSafresh1# unreferenced scalar"" 329*5486feefSafresh1 330*5486feefSafresh1fresh_perl_is( 331*5486feefSafresh1 q[sub f { $r = 1; my ($x) = @_; } $r = \{}; f($$r);], 332*5486feefSafresh1 "", 333*5486feefSafresh1 {stderr => 1}, 334*5486feefSafresh1 "GH #14912" 335*5486feefSafresh1); 336*5486feefSafresh1 337*5486feefSafresh1 338*5486feefSafresh1# GH #14943: "Double-free in Perl_free_tmps" 339*5486feefSafresh1 340*5486feefSafresh1fresh_perl_is( 341*5486feefSafresh1 q{$[ .= *[ = 'y';}, 342*5486feefSafresh1 "", 343*5486feefSafresh1 {stderr => 1}, 344*5486feefSafresh1 "GH #14943:" 345*5486feefSafresh1); 346*5486feefSafresh1 347*5486feefSafresh1 348*5486feefSafresh1# GH #15186: "Access to freed SV" 349*5486feefSafresh1 350*5486feefSafresh1fresh_perl_is( 351*5486feefSafresh1 q{@a=[0,0];map { $_=5; pop @$_ for @a } @{$a[0]}}, 352*5486feefSafresh1 "", 353*5486feefSafresh1 {stderr => 1}, 354*5486feefSafresh1 "GH #15186" 355*5486feefSafresh1); 356*5486feefSafresh1 357*5486feefSafresh1 358*5486feefSafresh1# GH #15283: "Perl_sv_setnv: Assertion 359*5486feefSafresh1# `PL_valid_types_NV_set[((svtype)((sv)->sv_flags & 0xff)) & 0xf]' 360*5486feefSafresh1# failed." 361*5486feefSafresh1 362*5486feefSafresh1fresh_perl_is( 363*5486feefSafresh1 q{$z *= *z=0;}, 364*5486feefSafresh1 "", 365*5486feefSafresh1 {stderr => 1}, 366*5486feefSafresh1 "GH #15283" 367*5486feefSafresh1); 368*5486feefSafresh1 369*5486feefSafresh1 370*5486feefSafresh1# GH #15287: "null pointer dereference in Perl_sv_setpvn at sv.c:4896" 371*5486feefSafresh1 372*5486feefSafresh1fresh_perl_is( 373*5486feefSafresh1 q{$x ^= *x = 0}, 374*5486feefSafresh1 "", 375*5486feefSafresh1 {stderr => 1}, 376*5486feefSafresh1 "GH #15287" 377*5486feefSafresh1); 378*5486feefSafresh1 379*5486feefSafresh1 380*5486feefSafresh1# GH #15398: "Specific array shifting causes panic" 381*5486feefSafresh1# 382*5486feefSafresh1# Seems to have been fixed in 5.26 383*5486feefSafresh1 384*5486feefSafresh1fresh_perl_is( 385*5486feefSafresh1 q{sub o { shift; @a = (shift,shift); } o(@a); o(@a);}, 386*5486feefSafresh1 "", 387*5486feefSafresh1 {stderr => 1}, 388*5486feefSafresh1 "GH #15398" 389*5486feefSafresh1); 390*5486feefSafresh1 391*5486feefSafresh1 392*5486feefSafresh1# GH #15447: "Unexpected: Use of freed value in iteration at ..." 393*5486feefSafresh1 394*5486feefSafresh1fresh_perl_is( 395*5486feefSafresh1 q{my $h = {qw(a 1 b 2)}; for (sort values %$h) { delete $h->{ b }; }}, 396*5486feefSafresh1 "", 397*5486feefSafresh1 {stderr => 1}, 398*5486feefSafresh1 "GH #15447" 399*5486feefSafresh1); 400*5486feefSafresh1 401*5486feefSafresh1 402*5486feefSafresh1# GH #15556: "null ptr deref, segfault Perl_sv_setsv_flags (sv.c:4558)" 403*5486feefSafresh1# 404*5486feefSafresh1# Seems to have been fixed in 5.26 405*5486feefSafresh1 406*5486feefSafresh1fresh_perl_is( 407*5486feefSafresh1 q{*z=%::=$a=@b=0}, 408*5486feefSafresh1 "", 409*5486feefSafresh1 {stderr => 1}, 410*5486feefSafresh1 "GH #15556" 411*5486feefSafresh1); 412*5486feefSafresh1 413*5486feefSafresh1 414*5486feefSafresh1# GH #15607: " null ptr deref, segfault in S_rv2gv (pp.c:296)" 415*5486feefSafresh1# This still fails on an ASAN on a PERL_RC_STACK build 416*5486feefSafresh1# Since its a bit unlreliable as to whether it fails or not, 417*5486feefSafresh1# just ignore for now. 418*5486feefSafresh1# 419*5486feefSafresh1# fresh_perl_is( 420*5486feefSafresh1# q{no warnings 'experimental'; use feature "refaliasing"; \$::{foo} = \undef; *{"foo"};}, 421*5486feefSafresh1# "", 422*5486feefSafresh1# {stderr => 1}, 423*5486feefSafresh1# "GH #15607" 424*5486feefSafresh1# ); 425*5486feefSafresh1 426*5486feefSafresh1 427*5486feefSafresh1# GH #15663: " gv.c:1492: HV *S_gv_stashsvpvn_cached( 428*5486feefSafresh1# SV *, const char *, U32, I32): 429*5486feefSafresh1# Assertion 430*5486feefSafresh1# `PL_valid_types_IVX[((svtype)((_svivx)->sv_flags & 0xff)) & 431*5486feefSafresh1# 0xf]' failed" 432*5486feefSafresh1 433*5486feefSafresh1fresh_perl_like( 434*5486feefSafresh1 q{map xx->yy, (@z = 1), (@z = ());}, 435*5486feefSafresh1 qr/^Can't locate object method "yy"/, 436*5486feefSafresh1 {stderr => 1}, 437*5486feefSafresh1 "GH #15663" 438*5486feefSafresh1); 439*5486feefSafresh1 440*5486feefSafresh1 441*5486feefSafresh1# GH #15684: "heap-use-after-free in Perl_sv_setpv (sv.c:4990)" 442*5486feefSafresh1# 443*5486feefSafresh1# Seems to have been fixed in 5.24 444*5486feefSafresh1 445*5486feefSafresh1fresh_perl_is( 446*5486feefSafresh1 q{($0+=(*0)=@0=($0)=N)=@0=(($0)=0)=@0=()}, 447*5486feefSafresh1 "", 448*5486feefSafresh1 {stderr => 1}, 449*5486feefSafresh1 "GH #15684" 450*5486feefSafresh1); 451*5486feefSafresh1 452*5486feefSafresh1 453*5486feefSafresh1# GH #15687: "heap-use-after-free in S_unshare_hek_or_pvn (hv.c:2857)" 454*5486feefSafresh1 455*5486feefSafresh1fresh_perl_like( 456*5486feefSafresh1 q{*p= *$p= $| = *$p = $p |= *$p = *p = $p = \p}, 457*5486feefSafresh1 qr/^Can't use an undefined value as a symbol reference/, 458*5486feefSafresh1 {stderr => 1}, 459*5486feefSafresh1 "GH #15687" 460*5486feefSafresh1); 461*5486feefSafresh1 462*5486feefSafresh1 463*5486feefSafresh1# GH #15740: "null ptr deref + segfault in Perl_sv_setpv_bufsize (sv.c:4956)" 464*5486feefSafresh1# 465*5486feefSafresh1# Seems to have been fixed in 5.36 466*5486feefSafresh1 467*5486feefSafresh1fresh_perl_is( 468*5486feefSafresh1 q{$$.=$A=*$=0}, 469*5486feefSafresh1 "", 470*5486feefSafresh1 {stderr => 1}, 471*5486feefSafresh1 "GH #15740" 472*5486feefSafresh1); 473*5486feefSafresh1 474*5486feefSafresh1 475*5486feefSafresh1# GH #15747: "heap-use-after-free Perl_sv_setpv_bufsize (sv.c:4956)" 476*5486feefSafresh1# 477*5486feefSafresh1# Seems to have been fixed in 5.36 478*5486feefSafresh1 479*5486feefSafresh1fresh_perl_is( 480*5486feefSafresh1 q{@0=$0|=*0=H or()}, 481*5486feefSafresh1 "", 482*5486feefSafresh1 {stderr => 1}, 483*5486feefSafresh1 "GH #15747" 484*5486feefSafresh1); 485*5486feefSafresh1 486*5486feefSafresh1 487*5486feefSafresh1# GH #15752: "fuzzing testcase triggers LeakSanitizer 488*5486feefSafresh1# over 101 byte memory leak" 489*5486feefSafresh1# 490*5486feefSafresh1# Seems to have been fixed in 5.36 491*5486feefSafresh1 492*5486feefSafresh1fresh_perl_is( 493*5486feefSafresh1 q{$$0 ^= ($0 |= (*0 = *H)), *& = ($$0 ^= ($0 |= (*0 = *H = *& = *a6))) for 'a9', 'a9'}, 494*5486feefSafresh1 "", 495*5486feefSafresh1 {stderr => 1}, 496*5486feefSafresh1 "GH #15752" 497*5486feefSafresh1); 498*5486feefSafresh1 499*5486feefSafresh1 500*5486feefSafresh1# GH #15755: "Perl_sv_clear(SV *const): Assertion 501*5486feefSafresh1# `((svtype)((sv)->sv_flags & 0xff)) != (svtype)0xff' 502*5486feefSafresh1# failed (sv.c:6540)" 503*5486feefSafresh1 504*5486feefSafresh1fresh_perl_is( 505*5486feefSafresh1 q{map@0=%0=0,%0=D..T;}, 506*5486feefSafresh1 "", 507*5486feefSafresh1 {stderr => 1}, 508*5486feefSafresh1 "GH #15755" 509*5486feefSafresh1); 510*5486feefSafresh1 511*5486feefSafresh1 512*5486feefSafresh1# GH #15756: "Null pointer dereference + segfault in Perl_pp_subst 513*5486feefSafresh1# (pp_hot.c:3368)" 514*5486feefSafresh1 515*5486feefSafresh1fresh_perl_is( 516*5486feefSafresh1 q{map 1, (%x) = (1..3), (%x) = ();}, 517*5486feefSafresh1 "", 518*5486feefSafresh1 {stderr => 1}, 519*5486feefSafresh1 "GH #15756" 520*5486feefSafresh1); 521*5486feefSafresh1 522*5486feefSafresh1 523*5486feefSafresh1# GH #15757: "Perl_sv_backoff(SV *const): Assertion 524*5486feefSafresh1# `((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV' 525*5486feefSafresh1# failed (sv.c:1516)" 526*5486feefSafresh1 527*5486feefSafresh1fresh_perl_is( 528*5486feefSafresh1 q{map( ($_ = $T % 1), ((%x) = 'T'), ((%x) = 'T'), %$T);}, 529*5486feefSafresh1 "", 530*5486feefSafresh1 {stderr => 1}, 531*5486feefSafresh1 "GH #15757" 532*5486feefSafresh1); 533*5486feefSafresh1 534*5486feefSafresh1 535*5486feefSafresh1# GH #15758: "Perl_sv_2nv_flags(SV *const, const I32): Assertion 536*5486feefSafresh1# `((svtye)((sv)->sv_flags & 0xff)) != SVt_PVAV 537*5486feefSafresh1# && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVHV 538*5486feefSafresh1# && ((svtype)((sv)->sv_flags & 0xff)) != SVt_PVFM' 539*5486feefSafresh1# fail" 540*5486feefSafresh1 541*5486feefSafresh1fresh_perl_is( 542*5486feefSafresh1 q{map( 1, (%_) = ('D', 'E'), (%_) = (),);}, 543*5486feefSafresh1 "", 544*5486feefSafresh1 {stderr => 1}, 545*5486feefSafresh1 "GH #15758" 546*5486feefSafresh1); 547*5486feefSafresh1 548*5486feefSafresh1 549*5486feefSafresh1# GH #15759: "segfault in Perl_mg_magical (mg.c:144)" 550*5486feefSafresh1 551*5486feefSafresh1fresh_perl_is( 552*5486feefSafresh1 q{map( ((%^H) = ('D'..'FT')), (%_) = ('D'..'G'), (%_) = ());}, 553*5486feefSafresh1 "", 554*5486feefSafresh1 {stderr => 1}, 555*5486feefSafresh1 "GH #15759" 556*5486feefSafresh1); 557*5486feefSafresh1 558*5486feefSafresh1 559*5486feefSafresh1# GH #15762: "heap-buffer-overflow Perl_vivify_ref (pp_hot.c:4362)" 560*5486feefSafresh1 561*5486feefSafresh1fresh_perl_is( 562*5486feefSafresh1 q{map$$_=0,%$T=%::}, 563*5486feefSafresh1 "", 564*5486feefSafresh1 {stderr => 1}, 565*5486feefSafresh1 "GH #15762" 566*5486feefSafresh1); 567*5486feefSafresh1 568*5486feefSafresh1 569*5486feefSafresh1# GH #15765: "double-free affecting multiple Perl versions" 570*5486feefSafresh1 571*5486feefSafresh1fresh_perl_like( 572*5486feefSafresh1 q{map*$_= $#$_=8,%_=D.. FD,%_=D.. F}, 573*5486feefSafresh1 qr/^Not a GLOB reference at/, 574*5486feefSafresh1 {stderr => 1}, 575*5486feefSafresh1 "GH #15765" 576*5486feefSafresh1); 577*5486feefSafresh1 578*5486feefSafresh1 579*5486feefSafresh1# GH #15769: "attempting free on address which was not malloc()-ed" 580*5486feefSafresh1 581*5486feefSafresh1SKIP: { 582*5486feefSafresh1 skip_if_miniperl('miniperl: ERRNO hash is read only'); 583*5486feefSafresh1 fresh_perl_is( 584*5486feefSafresh1 # this combines both failing statements from this ticket 585*5486feefSafresh1 q{map%$_= %_= %$_,%::; map %$_ = %_, *::, $::{Internals::};}, 586*5486feefSafresh1 "", 587*5486feefSafresh1 {stderr => 1}, 588*5486feefSafresh1 "GH #15769" 589*5486feefSafresh1 ); 590*5486feefSafresh1} 591*5486feefSafresh1 592*5486feefSafresh1 593*5486feefSafresh1# GH #15770: "Perl_sv_pvn_force_flags(SV *const, STRLEN *const, const I32): 594*5486feefSafresh1# Assertion 595*5486feefSafresh1# `PL_valid_types_PVX[((svtype)((_svpvx)->sv_flags & 0xff)) & 0xf]' 596*5486feefSafresh1# failed (sv.c:10056)" 597*5486feefSafresh1 598*5486feefSafresh1fresh_perl_is( 599*5486feefSafresh1 q{map 1, %x = (a => 1, b => undef), %x = (Y => 'Z');}, 600*5486feefSafresh1 "", 601*5486feefSafresh1 {stderr => 1}, 602*5486feefSafresh1 "GH #15770" 603*5486feefSafresh1); 604*5486feefSafresh1 605*5486feefSafresh1 606*5486feefSafresh1# GH #15772: "heap-use-after-free S_gv_fetchmeth_internal (gv.c:782)" 607*5486feefSafresh1 608*5486feefSafresh1fresh_perl_like( 609*5486feefSafresh1 q{f { $s=1, @x=2, @x=() } 9}, 610*5486feefSafresh1 qr/^Can't locate object method .* line \d+\.$/, 611*5486feefSafresh1 {stderr => 1}, 612*5486feefSafresh1 "GH #15772" 613*5486feefSafresh1); 614*5486feefSafresh1 615*5486feefSafresh1 616*5486feefSafresh1# GH #15807: "Coredump in Perl_sv_cmp_flags type-core" 617*5486feefSafresh1 618*5486feefSafresh1fresh_perl_is( 619*5486feefSafresh1 q{@0=s//0/; @0=sort(0,@t00=0,@t00=0,@0=s///);}, 620*5486feefSafresh1 "", 621*5486feefSafresh1 {stderr => 1}, 622*5486feefSafresh1 "GH #15807" 623*5486feefSafresh1); 624*5486feefSafresh1 625*5486feefSafresh1 626*5486feefSafresh1# GH #15847: "sv.c:6545: void Perl_sv_clear(SV *const): Assertion 627*5486feefSafresh1# `SvTYPE(sv) != (svtype)SVTYPEMASK' failed" 628*5486feefSafresh1 629*5486feefSafresh1fresh_perl_is( 630*5486feefSafresh1 q{sub X::f{} f{'X',%0=local$0,%0=0}}, 631*5486feefSafresh1 "", 632*5486feefSafresh1 {stderr => 1}, 633*5486feefSafresh1 "GH #15847" 634*5486feefSafresh1); 635*5486feefSafresh1 636*5486feefSafresh1 637*5486feefSafresh1# GH #15894: "AddressSanitizer: attempting free on address in Perl_safesysfree" 638*5486feefSafresh1 639*5486feefSafresh1fresh_perl_is( 640*5486feefSafresh1 q{map $p[0][0],@z=z,@z=z,@z=z,@z=z,@z=z,@z= ~9}, 641*5486feefSafresh1 "", 642*5486feefSafresh1 {stderr => 1}, 643*5486feefSafresh1 "GH #15894" 644*5486feefSafresh1); 645*5486feefSafresh1 646*5486feefSafresh1 647*5486feefSafresh1# GH #15912: "AddressSanitizer: attempting free in Perl_vivify_ref" 648*5486feefSafresh1 649*5486feefSafresh1fresh_perl_is( 650*5486feefSafresh1 q{map $a[0][0], @a = 0, @a = 1;}, 651*5486feefSafresh1 "", 652*5486feefSafresh1 {stderr => 1}, 653*5486feefSafresh1 "GH #15912" 654*5486feefSafresh1); 655*5486feefSafresh1 656*5486feefSafresh1 657*5486feefSafresh1# GH #15930: "Perl 5.24 makes nama FTBFS due to segfault" 658*5486feefSafresh1 659*5486feefSafresh1fresh_perl_is( 660*5486feefSafresh1 q{my @a = 0..1; sub f { my $x = shift; my @b = @a; @a = @b; 1; } map{ f($_) } @a;}, 661*5486feefSafresh1 "", 662*5486feefSafresh1 {stderr => 1}, 663*5486feefSafresh1 "GH #15930" 664*5486feefSafresh1); 665*5486feefSafresh1 666*5486feefSafresh1 667*5486feefSafresh1# GH #15942: "segfault in S_mg_findext_flags()" 668*5486feefSafresh1 669*5486feefSafresh1fresh_perl_is( 670*5486feefSafresh1 q{map /x/g, (%h = ("y", 0)), (%h = ("y", 0))}, 671*5486feefSafresh1 "", 672*5486feefSafresh1 {stderr => 1}, 673*5486feefSafresh1 "GH #15942" 674*5486feefSafresh1); 675*5486feefSafresh1 676*5486feefSafresh1 677*5486feefSafresh1# GH #15959: "panic: attempt to copy freed scalar via @ARGV on stack, 678*5486feefSafresh1# Getopt::Long + Carp::longmess" 679*5486feefSafresh1# 680*5486feefSafresh1# Too much like hard work to reduce the bug report to a simple test case, 681*5486feefSafresh1# but the full script doesn't crash under PERL_RC_STACK 682*5486feefSafresh1 683*5486feefSafresh1 684*5486feefSafresh1 685*5486feefSafresh1# GH #16103: "perl: sv.c:6566: void Perl_sv_clear(SV *const): 686*5486feefSafresh1# Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed" 687*5486feefSafresh1# 688*5486feefSafresh1# Reproducing script had too many random control and unicode chars in 689*5486feefSafresh1# it to make a simple test which could be included here, but 690*5486feefSafresh1# the full script doesn't crash under PERL_RC_STACK 691*5486feefSafresh1 692*5486feefSafresh1 693*5486feefSafresh1 694*5486feefSafresh1# GH #16104: "Null Pointer Dereference in Perl_sv_setpv_bufsize" 695*5486feefSafresh1# 696*5486feefSafresh1# Seems to have been fixed in 5.36 697*5486feefSafresh1 698*5486feefSafresh1fresh_perl_is( 699*5486feefSafresh1 q{$_.=*_='x';}, 700*5486feefSafresh1 "", 701*5486feefSafresh1 {stderr => 1}, 702*5486feefSafresh1 "GH #16104" 703*5486feefSafresh1); 704*5486feefSafresh1 705*5486feefSafresh1 706*5486feefSafresh1# GH #16120: "heap-use-after-free in Perl_sv_setpv_bufsize" 707*5486feefSafresh1# 708*5486feefSafresh1# Seems to have been fixed in 5.36 709*5486feefSafresh1 710*5486feefSafresh1fresh_perl_is( 711*5486feefSafresh1 q{$~|=*~='a';}, 712*5486feefSafresh1 "", 713*5486feefSafresh1 {stderr => 1}, 714*5486feefSafresh1 "GH #16120" 715*5486feefSafresh1); 716*5486feefSafresh1 717*5486feefSafresh1 718*5486feefSafresh1# GH #16320: "PERL-5.26.1 heap_buffer_overflow READ of size 8" 719*5486feefSafresh1# 720*5486feefSafresh1# This crashed prior to 5.36.0 721*5486feefSafresh1 722*5486feefSafresh1fresh_perl_like( 723*5486feefSafresh1 q{*^V = "*main::"; 1 for Y $\ = $\ = $~ = *\ = $\ = *^ = %^V = *^V;}, 724*5486feefSafresh1 qr/^Can't locate object method "Y"/, 725*5486feefSafresh1 {stderr => 1}, 726*5486feefSafresh1 "GH #16320" 727*5486feefSafresh1); 728*5486feefSafresh1 729*5486feefSafresh1 730*5486feefSafresh1# GH #16321: "PERL-5.26.1 heap_use_after_free READ of size 8" 731*5486feefSafresh1# 732*5486feefSafresh1# This failed under ASAN 733*5486feefSafresh1 734*5486feefSafresh1fresh_perl_like( 735*5486feefSafresh1 q{"x" . $x . pack "Wu", ~qr{}, !~"" = "x" . $x . pack "Wu", ~"", !~"" = $^V .= *^V = ""}, 736*5486feefSafresh1 qr/^Modification of a read-only value/, 737*5486feefSafresh1 {stderr => 1}, 738*5486feefSafresh1 "GH #16321" 739*5486feefSafresh1); 740*5486feefSafresh1 741*5486feefSafresh1 742*5486feefSafresh1# GH #16322: "PERL-5.26.1 heap_use_after_free WRITE of size 1" 743*5486feefSafresh1# 744*5486feefSafresh1# This failed under ASAN, but doesn't seem to on 5.38.0 745*5486feefSafresh1 746*5486feefSafresh1fresh_perl_is( 747*5486feefSafresh1 q{$^A .= *^A = $^A .= ""}, 748*5486feefSafresh1 "", 749*5486feefSafresh1 {stderr => 1}, 750*5486feefSafresh1 "GH #16322" 751*5486feefSafresh1); 752*5486feefSafresh1 753*5486feefSafresh1 754*5486feefSafresh1# GH #16323: "PERL-5.26.1 heap_use_after_free WRITE of size 1" 755*5486feefSafresh1 756*5486feefSafresh1fresh_perl_is( 757*5486feefSafresh1 q{$$W += $W = 0;}, 758*5486feefSafresh1 "", 759*5486feefSafresh1 {stderr => 1}, 760*5486feefSafresh1 "GH #16323" 761*5486feefSafresh1); 762*5486feefSafresh1 763*5486feefSafresh1 764*5486feefSafresh1# GH #16324: "PERL-5.26.1 heap_use_after_free READ of size 8" 765*5486feefSafresh1# 766*5486feefSafresh1# This used $*, which is no longer supported 767*5486feefSafresh1 768*5486feefSafresh1 769*5486feefSafresh1 770*5486feefSafresh1# GH #16325: "PERL-5.26.1 heap_buffer_overflow READ of size 1" 771*5486feefSafresh1# 772*5486feefSafresh1# This failed under ASAN, but doesn't seem to on 5.38.0 773*5486feefSafresh1 774*5486feefSafresh1fresh_perl_is( 775*5486feefSafresh1 q{$T .= *: = *T = "*main::"}, 776*5486feefSafresh1 777*5486feefSafresh1 "", 778*5486feefSafresh1 {stderr => 1}, 779*5486feefSafresh1 "GH #16325" 780*5486feefSafresh1); 781*5486feefSafresh1 782*5486feefSafresh1 783*5486feefSafresh1# GH #16326: "PERL-5.26.1 heap_buffer_overflow READ of size 8" 784*5486feefSafresh1# 785*5486feefSafresh1# This used $*, which is no longer supported 786*5486feefSafresh1 787*5486feefSafresh1 788*5486feefSafresh1# GH #16443: "Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed" 789*5486feefSafresh1 790*5486feefSafresh1fresh_perl_is( 791*5486feefSafresh1 q{($a)=map[split//],G0;$0=map abs($0[$a++]),@$a;}, 792*5486feefSafresh1 "", 793*5486feefSafresh1 {stderr => 1}, 794*5486feefSafresh1 "GH #16443" 795*5486feefSafresh1); 796*5486feefSafresh1 797*5486feefSafresh1 798*5486feefSafresh1# GH #16455: "Fwd: [rt.cpan.org #124716] Use after free in sv.c:4860" 799*5486feefSafresh1# 800*5486feefSafresh1# Seems to have been fixed in 5.36 801*5486feefSafresh1 802*5486feefSafresh1fresh_perl_is( 803*5486feefSafresh1 q{$a ^= (*a = 'b');}, 804*5486feefSafresh1 "", 805*5486feefSafresh1 {stderr => 1}, 806*5486feefSafresh1 "GH #16455" 807*5486feefSafresh1); 808*5486feefSafresh1 809*5486feefSafresh1 810*5486feefSafresh1# GH #16576: "Reporting a use-after-free vulnerability in function 811*5486feefSafresh1# Perl_sv_setpv_bufsize" 812*5486feefSafresh1# 813*5486feefSafresh1# This failed under ASAN, but doesn't seem to on 5.38.0 814*5486feefSafresh1 815*5486feefSafresh1fresh_perl_is( 816*5486feefSafresh1 q{$~ |= *~ = $~;}, 817*5486feefSafresh1 "", 818*5486feefSafresh1 {stderr => 1}, 819*5486feefSafresh1 "GH #16576" 820*5486feefSafresh1); 821*5486feefSafresh1 822*5486feefSafresh1 823*5486feefSafresh1# GH #16613: "#10 AddressSanitizer: heap-use-after-free on address 824*5486feefSafresh1# 0x604000000990 at pc 0x00000114d184 bp 0x7fffdb11d170 825*5486feefSafresh1# sp 0x7fffdb11d168 WRITE of size 1 at 0x604000000990" 826*5486feefSafresh1 827*5486feefSafresh1fresh_perl_is( 828*5486feefSafresh1 q{$A .= $$B .= $B = 0}, 829*5486feefSafresh1 "", 830*5486feefSafresh1 {stderr => 1}, 831*5486feefSafresh1 "GH #16613" 832*5486feefSafresh1); 833*5486feefSafresh1 834*5486feefSafresh1 835*5486feefSafresh1# GH #16622: "Segfault on invalid script" 836*5486feefSafresh1# 837*5486feefSafresh1# This crashed prior to 5.36.0 838*5486feefSafresh1 839*5486feefSafresh1fresh_perl_like( 840*5486feefSafresh1 q{'A'->A($A .= *A = @5 = *A * 'A');}, 841*5486feefSafresh1 qr/^Can't locate object method "A"/, 842*5486feefSafresh1 {stderr => 1}, 843*5486feefSafresh1 "GH #16622" 844*5486feefSafresh1); 845*5486feefSafresh1 846*5486feefSafresh1 847*5486feefSafresh1# GH #16727: "NULL pointer deference in Perl_sv_setpv_bufsize 848*5486feefSafresh1# 849*5486feefSafresh1# Seems to have been fixed in 5.36 850*5486feefSafresh1 851*5486feefSafresh1fresh_perl_is( 852*5486feefSafresh1 q{$^ ^= *: = ** = *^= *: = ** = *^= *: = ** = *:;}, 853*5486feefSafresh1 "", 854*5486feefSafresh1 {stderr => 1}, 855*5486feefSafresh1 "GH #16727" 856*5486feefSafresh1); 857*5486feefSafresh1 858*5486feefSafresh1 859*5486feefSafresh1# GH #16742: "segfault triggered by invalid read in S_mg_findext_flags" 860*5486feefSafresh1# 861*5486feefSafresh1# Seems to have been fixed in 5.36. 862*5486feefSafresh1# The test case is very noisy, so I've skipped including here. 863*5486feefSafresh1 864*5486feefSafresh1 865*5486feefSafresh1 866*5486feefSafresh1# GH #17333: "map modifying its own LIST causes segfault in perl-5.16 and 867*5486feefSafresh1# later versions" 868*5486feefSafresh1 869*5486feefSafresh1fresh_perl_is( 870*5486feefSafresh1 q{my @a = 1..5; map { pop @a } @a;}, 871*5486feefSafresh1 "", 872*5486feefSafresh1 {stderr => 1}, 873*5486feefSafresh1 "GH #17333" 874*5486feefSafresh1); 875*5486feefSafresh1 876*5486feefSafresh1 877*5486feefSafresh1 878*5486feefSafresh1done_testing(); 879