CLEAR_ERRSV: create a new SV if the existing one isGV_with_GP

richardleach · richardleach · commit b7b77ffc1ef2 · 2025-10-03T09:30:36.000+01:00
GH #16885 is a fuzzer-identified assert in Perl_sv_grow. Besides the question of how the program should behave, the actual assertion comes via the `SvPVCLEAR()` statement in `CLEAR_ERRSV`, where `svp` is unexpectedly a PVGV with GV. This commit treats this the same as if `svp` was READONLY - the refcount is decremented and `svp` assigned a brand new SVt_PV.
diff --git a/perl.h b/perl.h
@@ -1947,7 +1947,7 @@ any magic.
     SV ** const svp = &GvSV(PL_errgv);					\
     if (!*svp) {							\
         *svp = newSVpvs("");                                            \
-    } else if (SvREADONLY(*svp)) {					\
+    } else if (SvREADONLY(*svp) || isGV_with_GP(*svp)) {		\
         SvREFCNT_dec_NN(*svp);						\
         *svp = newSVpvs("");						\
     } else {								\
diff --git a/t/op/eval.t b/t/op/eval.t
@@ -6,7 +6,7 @@ BEGIN {
     set_up_inc('../lib');
 }
 
-plan(tests => 172);
+plan(tests => 173);
 
 eval 'pass();';
 
@@ -837,3 +837,5 @@ pass("eval in freed package does not crash");
     }->();
     is($w, 0, "nested eval and closure");
 }
+
+fresh_perl_is('for$@(*0){eval}', '', undef, 'GH #16885 - isGV_with_GP(PL_errgv)');

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,7 @@ BEGIN {`
`6`	`6`	`set_up_inc('../lib');`
`7`	`7`	`}`
`8`	`8`
`9`		`-plan(tests => 172);`
	`9`	`+plan(tests => 173);`
`10`	`10`
`11`	`11`	`eval 'pass();';`
`12`	`12`
`@@ -837,3 +837,5 @@ pass("eval in freed package does not crash");`
`837`	`837`	`}->();`
`838`	`838`	`is($w, 0, "nested eval and closure");`
`839`	`839`	`}`
	`840`	`+`
	`841`	`+fresh_perl_is('for$@(*0){eval}', '', undef, 'GH #16885 - isGV_with_GP(PL_errgv)');`