bug-bison

Re: SEGV in bison at src/lssi:297


From: Akim Demaille
Subject: Re: SEGV in bison at src/lssi:297
Date: Sat, 9 Oct 2021 10:03:53 +0200

Hi,

> Le 4 oct. 2021 à 16:57, Irfan Ariq <irfanariqzaki@gmail.com> a écrit :
> 
> Hello,
> 
> We are currently working on a fuzz testing feature, and we found a *SEGV* error
> on `bison`.
> 
> The stack traces are as follows:
> 
> ==29725==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000
>> (pc 0x5577cbd45d4a bp 0x7ffda59e9300 sp 0x7ffda59e7260 T0)
>> ==29725==The signal is caused by a READ memory access.
>> ==29725==Hint: address points to the zero page.
>>   #0 0x5577cbd45d49 in intersect src/lssi.c:297
>>   #1 0x5577cbd46333 in lssi_reverse_production src/lssi.c:361
>>   #2 0x5577cbd8ab93 in simulate_reduction src/parse-simulation.c:536
>>   #3 0x5577cbd166f2 in reduction_step src/counterexample.c:834
>>   #4 0x5577cbd1849e in generate_next_states src/counterexample.c:1047
>>   #5 0x5577cbd19417 in unifying_example src/counterexample.c:1182
>>   #6 0x5577cbd19e04 in counterexample_report src/counterexample.c:1277
>>   #7 0x5577cbd1ae65 in counterexample_report_reduce_reduce
>> src/counterexample.c:1350
>>   #8 0x5577cbd1b863 in counterexample_report_state
>> src/counterexample.c:1394
>>   #9 0x5577cbd952e0 in print_state src/print.c:366
>>   #10 0x5577cbd9617a in print_results src/print.c:473
>>   #11 0x5577cbd46ee4 in main src/main.c:188

Thanks for this bug report.  Usually bugs found by fuzzers are really 
uninteresting corner cases.  This one is different and is truly a bug somewhere 
in the counterexample generation.

Once cleaned up from the remains of the exploration of the fuzzer, your example 
boils down to:

   %%
   input:
     line
   | input line
   :

   line:
     '\n'
   | exp '\n'
   ;

   exp: "num"
   a1:
   exp: exp '=' exp a1

   a2:
   exp: exp a2

and sadly `bison -Wcex` crashes on this.

Actually, there's something misleading in the above grammar, and I was very 
happy that -Wempty drew my attention to it.  Let's rewrite it this way:

%%
input:
 line
| input

line:
 %empty
| '\n'
| exp '\n'
;

exp: "num"
a1: %empty
exp: exp '=' exp a1

a2: %empty
exp: exp a2


I have started trying to understand the bug and how to fix it, but to no avail 
so far.  Maybe at some point I'll have to invoke the name of Vincent...

FWIW, I'm fairly confident there's only one bug, and your other reports are 
just other faces of the same coin.

Cheers!

