map modifying its own LIST causes segfault in perl-5.16 and later versions

[briang]

This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.30.1.

---

[Please describe your issue here]

perl-5.30.1 segfaults when running this (much simplified) code:

@N = 1..5;
map { pop @N } @N;

Using a debugging perl gives:

perl: sv.c:6567: Perl_sv_clear: Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed.
Aborted (core dumped)

The only other recent perl I have installed is strawberry perl-5.30.0
on windows 10 which does not segfault.

[Please do not change anything below this line]

---

Flags:
category=core
severity=low

Site configuration information for perl 5.30.1:

Configured by brian at Thu Nov 28 16:00:28 GMT 2019.

Summary of my perl5 (revision 5 version 30 subversion 1) configuration:

Platform:
osname=linux
osvers=5.0.0-27-generic
archname=x86_64-linux
uname='linux ub1904 5.0.0-27-generic #28-ubuntu smp tue aug 20 19:53:07 utc 2019 x86_64 x86_64 x86_64 gnulinux '
config_args='-de -Dprefix=/home/cpan/perlbrew/perls/debug -Dman1dir=none -Dman3dir=none -DDEBUGGING -Aeval:scriptdir=/home/cpan/perlbrew/perls/debug/bin'
hint=recommended
useposix=true
d_sigaction=define
useithreads=undef
usemultiplicity=undef
use64bitint=define
use64bitall=define
uselongdouble=undef
usemymalloc=n
default_inc_excludes_dot=define
bincompat5005=undef
Compiler:
cc='cc'
ccflags ='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64'
optimize='-O2 -g'
cppflags='-fwrapv -DDEBUGGING -fno-strict-aliasing -pipe -fstack-protector-strong -I/usr/local/include'
ccversion=''
gccversion='8.3.0'
gccosandvers=''
intsize=4
longsize=8
ptrsize=8
doublesize=8
byteorder=12345678
doublekind=3
d_longlong=define
longlongsize=8
d_longdbl=define
longdblsize=16
longdblkind=3
ivtype='long'
ivsize=8
nvtype='double'
nvsize=8
Off_t='off_t'
lseeksize=8
alignbytes=8
prototype=define
Linker and Libraries:
ld='cc'
ldflags =' -fstack-protector-strong -L/usr/local/lib'
libpth=/usr/local/lib /usr/lib/gcc/x86_64-linux-gnu/8/include-fixed /usr/include/x86_64-linux-gnu /usr/lib /lib/x86_64-linux-gnu /lib/../lib /usr/lib/x86_64-linux-gnu /usr/lib/../lib /lib /lib64 /usr/lib64
libs=-lpthread -lnsl -lgdbm -ldb -ldl -lm -lcrypt -lutil -lc -lgdbm_compat
perllibs=-lpthread -lnsl -ldl -lm -lcrypt -lutil -lc
libc=libc-2.29.so
so=so
useshrplib=false
libperl=libperl.a
gnulibc_version='2.29'
Dynamic Linking:
dlsrc=dl_dlopen.xs
dlext=so
d_dlsymun=undef
ccdlflags='-Wl,-E'
cccdlflags='-fPIC'
lddlflags='-shared -O2 -g -L/usr/local/lib -fstack-protector-strong'

Locally applied patches:
Devel::PatchPerl 1.38

---

@inc for perl 5.30.1:
/home/cpan/perlbrew/perls/debug/lib/site_perl/5.30.1/x86_64-linux
/home/cpan/perlbrew/perls/debug/lib/site_perl/5.30.1
/home/cpan/perlbrew/perls/debug/lib/5.30.1/x86_64-linux
/home/cpan/perlbrew/perls/debug/lib/5.30.1

---

Environment for perl 5.30.1:
HOME=/home/cpan
LANG=en_GB.UTF-8
LANGUAGE=en_GB:en
LD_LIBRARY_PATH (unset)
LOGDIR (unset)
PATH=/home/cpan/perlbrew/bin:/home/cpan/perlbrew/perls/debug/bin:/home/cpan/.cargo/bin:/home/cpan/bin:/home/cpan/.cargo/bin:/home/cpan/usr/bin/:/home/cpan/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin:/home/cpan/.rvm/bin
PERLBREW=command perlbrew
PERLBREW_HOME=/home/cpan/.perlbrew
PERLBREW_MANPATH=/home/cpan/perlbrew/perls/debug/man
PERLBREW_PATH=/home/cpan/perlbrew/bin:/home/cpan/perlbrew/perls/debug/bin
PERLBREW_PERL=debug
PERLBREW_ROOT=/home/cpan/perlbrew
PERLBREW_SHELLRC_VERSION=0.84
PERLBREW_VERSION=0.84
PERL_BADLANG (unset)
SHELL=/bin/bash

[jkeenan]

This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.30.1.

[Please describe your issue here]

perl-5.30.1 segfaults when running this (much simplified) code:

@N = 1..5;
map { pop @N } @N;

Using a debugging perl gives:

perl: sv.c:6567: Perl_sv_clear: Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed.
Aborted (core dumped)

Bisected with the following invocation:

perl Porting/bisect.pl \
  --start=v5.14.4 \
  --end=v5.16.3 \
  --crash -- ./perl -Ilib ~/learn/perl/p5p/gh-17333-map.pl

Bisection points to:

55b5114f4ff694ab871173b736aa2d48bb095684 is the first bad commit
commit 55b5114f4ff694ab871173b736aa2d48bb095684
Author: Father Chrysostomos <[email protected]>
Date:   Sun Jan 8 18:14:03 2012 -0800
Commit:     Father Chrysostomos <[email protected]>
CommitDate: Sun Jan 8 23:13:36 2012 -0800

    [perl #92254, #92256] Fix SAVE_DEFSV to do refcounting
    
    The current definition of SAVE_DEFSV doesn’t take reference count-
    ing into account.  Every instance of it in the perl core is buggy
    as a result.
    
    Most are also followed by DEFSV_set, which is likewise buggy.
    
    This commit implements SAVE_DEFSV in terms of save_gp and
    SAVEGENERICSV if PERL_CORE is defined.  save_gp and SAVEGENERICSV are
    what local(*_) = \$foo uses.  Changing the definition for XS code is
    probably too risky this close to 5.16.  It should probably be changed
    later, though.
    
    DEFSV_set is now changed to do reference counting too.

[jkeenan]

This is a bug report for perl from [email protected],
generated with the help of perlbug 1.41 running under perl 5.30.1.
[Please describe your issue here]
perl-5.30.1 segfaults when running this (much simplified) code:

@N = 1..5;
map { pop @N } @N;

Using a debugging perl gives:

perl: sv.c:6567: Perl_sv_clear: Assertion `SvTYPE(sv) != (svtype)SVTYPEMASK' failed.
Aborted (core dumped)

Bisected with the following invocation:

perl Porting/bisect.pl \
  --start=v5.14.4 \
  --end=v5.16.3 \
  --crash -- ./perl -Ilib ~/learn/perl/p5p/gh-17333-map.pl

Bisection points to:

55b5114f4ff694ab871173b736aa2d48bb095684 is the first bad commit
commit 55b5114f4ff694ab871173b736aa2d48bb095684
Author: Father Chrysostomos <[email protected]>
Date:   Sun Jan 8 18:14:03 2012 -0800
Commit:     Father Chrysostomos <[email protected]>
CommitDate: Sun Jan 8 23:13:36 2012 -0800

    [perl #92254, #92256] Fix SAVE_DEFSV to do refcounting
    
    The current definition of SAVE_DEFSV doesn’t take reference count-
    ing into account.  Every instance of it in the perl core is buggy
    as a result.
    
    Most are also followed by DEFSV_set, which is likewise buggy.
    
    This commit implements SAVE_DEFSV in terms of save_gp and
    SAVEGENERICSV if PERL_CORE is defined.  save_gp and SAVEGENERICSV are
    what local(*_) = \$foo uses.  Changing the definition for XS code is
    probably too risky this close to 5.16.  It should probably be changed
    later, though.
    
    DEFSV_set is now changed to do reference counting too.

@cpansprout, could you take a look?

Thank you very much.
Jim Keenan

[Leont]

Looks like yet another case of the famous stack-is-not-refcounted bug @iabyn

[xsawyerx]

Not sure this is the best label for it, though.