bug-bison

segfault of bison with some parser input


From: tys lefering
Subject: segfault of bison with some parser input
Date: Tue, 8 Jun 2010 02:16:38 +0200
User-agent: SquirrelMail/1.4.18

Hi,

Getting a segfault and the glibc message "invalid free()" in Bison:

*** glibc detected *** bison: free(): invalid pointer: 0x00000000006733a0 ***

A call to named_ref_free() in symbol_list_free()
in symlist.c seems to be the reason.

This is the input parser z9.y:

%%

start[as]: foo
 | /* empty */
 ;

%%

/* see also this test in named-refs.at:
 *
 * AT_SETUP([Redundant words in LHS brackets])
 * AT_DATA_GRAMMAR([test.y],
 * [[
 * %%
 * start[a s]: foo
 * ]])
 * AT_BISON_CHECK([-o test.c test.y], 1, [],
 * [[test.y:11.9: unexpected identifier in bracketed name: `s'
 * ]])
 * AT_CLEANUP
 */

in symlist.c:

/*-----------------------------------------------.
| Free the LIST, but not the items it contains.  |
`-----------------------------------------------*/

void
symbol_list_free (symbol_list *list)
{
  symbol_list *node, *next;
  for (node = list; node; node = next)
    {
      next = node->next;
      if (node->named_ref)
        named_ref_free (node->named_ref); /* <-- (symlist.c:155) */
      free (node);
    }
}

running:
valgrind --tool=memcheck --leak-check=full bison z9.y

==11101== Memcheck, a memory error detector
==11101== Copyright (C) 2002-2009, and GNU GPL'd, by Julian Seward et al.
==11101== Using Valgrind-3.5.0 and LibVEX; rerun with -h for copyright info
==11101== Command: bison z9.y
==11101==
z9.y:4.12-14: symbol foo is used, but is not defined as a token and has no rules
==11101== Invalid free() / delete / delete[]
==11101==    at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11101==    by 0x42F30A: symbol_list_free (symlist.c:155)
==11101==    by 0x4222E4: reader (reader.c:737)
==11101==    by 0x40D568: main (main.c:82)
==11101==  Address 0x51a5630 is 0 bytes inside a block of size 40 free'd
==11101==    at 0x4C25F7B: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11101==    by 0x42F30A: symbol_list_free (symlist.c:155)
==11101==    by 0x4222E4: reader (reader.c:737)
==11101==    by 0x40D568: main (main.c:82)
==11101==
==11101==
==11101== HEAP SUMMARY:
==11101==     in use at exit: 54,873 bytes in 63 blocks
==11101==   total heap usage: 821 allocs, 759 frees, 114,823 bytes allocated
==11101==
==11101== 28 bytes in 1 blocks are possibly lost in loss record 25 of 61
==11101==    at 0x4C26C3A: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11101==    by 0x443CF8: xmalloc (xmalloc.c:45)
==11101==    by 0x421D9D: reader (xalloc.h:126)
==11101==    by 0x40D568: main (main.c:82)
==11101==
==11101== LEAK SUMMARY:
==11101==    definitely lost: 0 bytes in 0 blocks
==11101==    indirectly lost: 0 bytes in 0 blocks
==11101==      possibly lost: 28 bytes in 1 blocks
==11101==    still reachable: 54,845 bytes in 62 blocks
==11101==         suppressed: 0 bytes in 0 blocks
==11101== Reachable blocks (those to which a pointer was found) are not shown.
==11101== To see them, rerun with: --leak-check=full --show-reachable=yes
==11101==
==11101== For counts of detected and suppressed errors, rerun with: -v
==11101== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 2 from 2)

running 'bison z9.y' gives:

z9.y:4.12-14: symbol foo is used, but is not defined as a token and has no rules
*** glibc detected *** bison: free(): invalid pointer: 0x00000000006733a0 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x73226)[0x7fa391d0f226]
bison[0x42f30b]
bison[0x4222e5]
bison[0x40d569]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x7fa391cbab7d]
bison[0x402159]
======= Memory map: ========
00400000-0045d000 r-xp 00000000 08:11 827456 /usr/local/bin/bison
0065c000-0065d000 r--p 0005c000 08:11 827456 /usr/local/bin/bison
0065d000-0065e000 rw-p 0005d000 08:11 827456 /usr/local/bin/bison
0065e000-00683000 rw-p 00000000 00:00 0 [heap]
7fa391a86000-7fa391a9b000 r-xp 00000000 08:11 11600155 /lib64/libgcc_s.so.1
7fa391a9b000-7fa391c9a000 ---p 00015000 08:11 11600155 /lib64/libgcc_s.so.1
7fa391c9a000-7fa391c9b000 r--p 00014000 08:11 11600155 /lib64/libgcc_s.so.1
7fa391c9b000-7fa391c9c000 rw-p 00015000 08:11 11600155 /lib64/libgcc_s.so.1
7fa391c9c000-7fa391df2000 r-xp 00000000 08:11 11599897 /lib64/libc-2.11.2.so
7fa391df2000-7fa391ff2000 ---p 00156000 08:11 11599897 /lib64/libc-2.11.2.so
7fa391ff2000-7fa391ff6000 r--p 00156000 08:11 11599897 /lib64/libc-2.11.2.so
7fa391ff6000-7fa391ff7000 rw-p 0015a000 08:11 11599897 /lib64/libc-2.11.2.so
7fa391ff7000-7fa391ffc000 rw-p 00000000 00:00 0
7fa391ffc000-7fa39201b000 r-xp 00000000 08:11 11599914 /lib64/ld-2.11.2.so
7fa392083000-7fa392084000 rw-p 00000000 00:00 0
7fa392084000-7fa3920c3000 r--p 00000000 08:11 1010457 /usr/lib/locale/en_US.utf8/LC_CTYPE
7fa3920c3000-7fa3921e0000 r--p 00000000 08:11 1010464 /usr/lib/locale/en_US.utf8/LC_COLLATE
7fa3921e0000-7fa3921e3000 rw-p 00000000 00:00 0
7fa392208000-7fa392209000 r--p 00000000 08:11 1008327 /usr/lib/locale/en_US.utf8/LC_NUMERIC
7fa392209000-7fa39220a000 r--p 00000000 08:11 911993 /usr/lib/locale/en_US.utf8/LC_TIME
7fa39220a000-7fa39220b000 r--p 00000000 08:11 911992 /usr/lib/locale/en_US.utf8/LC_MONETARY
7fa39220b000-7fa39220c000 r--p 00000000 08:11 901382 /usr/lib/locale/en_US.utf8/LC_MESSAGES/SYS_LC_MESSAGES
7fa39220c000-7fa39220d000 r--p 00000000 08:11 961142 /usr/lib/locale/en_US.utf8/LC_PAPER
7fa39220d000-7fa39220e000 r--p 00000000 08:11 964019 /usr/lib/locale/en_US.utf8/LC_NAME
7fa39220e000-7fa39220f000 r--p 00000000 08:11 909476 /usr/lib/locale/en_US.utf8/LC_ADDRESS
7fa39220f000-7fa392210000 r--p 00000000 08:11 958814 /usr/lib/locale/en_US.utf8/LC_TELEPHONE
7fa392210000-7fa392211000 r--p 00000000 08:11 961147 /usr/lib/locale/en_US.utf8/LC_MEASUREMENT
7fa392211000-7fa392218000 r--s 00000000 08:11 14411534 /usr/lib64/gconv/gconv-modules.cache
7fa392218000-7fa392219000 r--p 00000000 08:11 911961 /usr/lib/locale/en_US.utf8/LC_IDENTIFICATION
7fa392219000-7fa39221a000 rw-p 00000000 00:00 0
7fa39221a000-7fa39221b000 r--p 0001e000 08:11 11599914 /lib64/ld-2.11.2.so
7fa39221b000-7fa39221c000 rw-p 0001f000 08:11 11599914 /lib64/ld-2.11.2.so
7fa39221c000-7fa39221d000 rw-p 00000000 00:00 0
7fff64385000-7fff6439a000 rw-p 00000000 00:00 0 [stack]
7fff643da000-7fff643db000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]
Aborted

Done this with the bison version in branch-2.5.

Thanks.
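The valgrind report above says the block passed to free() at symlist.c:155 had already been freed at the same line, i.e. two nodes of the symbol list point at one named_ref and each node frees it. The following is an added example, not part of the report and not Bison's code: it uses hypothetical, simplified stand-ins for named_ref and symbol_list (the refcount field, named_ref_share, named_ref_release and the named_ref_frees counter are assumptions introduced here) to show one ownership discipline under which a named_ref shared by several list nodes is released once, with the same loop shape as the quoted symbol_list_free.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified stand-ins for Bison's named_ref and symbol_list
   (not Bison's real structures).  The refcount field is an assumption added
   here so that ownership of a named_ref shared by several nodes is explicit. */
typedef struct named_ref {
  const char *id;   /* the bracketed name, e.g. "as" in start[as] */
  int refcount;     /* number of symbol_list nodes that hold this ref */
} named_ref;

typedef struct symbol_list {
  named_ref *named_ref;
  struct symbol_list *next;
} symbol_list;

/* Instrumentation: how many times a named_ref's storage was actually freed. */
static int named_ref_frees;

static void *xmalloc_or_die (size_t n) {
  void *p = malloc (n);
  if (!p) abort ();
  return p;
}

static named_ref *named_ref_new (const char *id) {
  named_ref *r = xmalloc_or_die (sizeof *r);
  r->id = id;
  r->refcount = 1;
  return r;
}

/* Hand out another owner of R; pair every call with one named_ref_release. */
static named_ref *named_ref_share (named_ref *r) {
  if (r) r->refcount++;
  return r;
}

/* Drop one owner.  Storage goes away only when the last owner lets go, so two
   nodes pointing at the same ref cannot free it twice. */
static void named_ref_release (named_ref *r) {
  if (r && --r->refcount == 0) {
    free (r);
    named_ref_frees++;
  }
}

/* The node takes over the caller's owner count for REF. */
static symbol_list *symbol_list_new (named_ref *ref, symbol_list *next) {
  symbol_list *n = xmalloc_or_die (sizeof *n);
  n->named_ref = ref;
  n->next = next;
  return n;
}

/* Same loop shape as the quoted symbol_list_free, but releasing instead of
   unconditionally freeing each node's named_ref. */
static void symbol_list_free (symbol_list *list) {
  symbol_list *node, *next;
  for (node = list; node; node = next) {
    next = node->next;
    named_ref_release (node->named_ref);
    free (node);
  }
}

/* Two nodes share one named_ref, the situation behind the invalid free.
   Returns how many times its storage was freed: expected 1, not 2. */
int demo_shared_ref (void) {
  named_ref_frees = 0;
  named_ref *as = named_ref_new ("as");
  symbol_list *second = symbol_list_new (named_ref_share (as), NULL);
  symbol_list *first = symbol_list_new (as, second);
  symbol_list_free (first);
  return named_ref_frees;
}

/* Control case: each node owns a distinct named_ref.  Expected 2. */
int demo_distinct_refs (void) {
  named_ref_frees = 0;
  symbol_list *second = symbol_list_new (named_ref_new ("b"), NULL);
  symbol_list *first = symbol_list_new (named_ref_new ("a"), second);
  symbol_list_free (first);
  return named_ref_frees;
}

int main (void) {
  printf ("shared ref freed %d time(s)\n", demo_shared_ref ());
  printf ("distinct refs freed %d time(s)\n", demo_distinct_refs ());
  return 0;
}
```

Running this under valgrind --tool=memcheck reports no invalid free for either case; with the unconditional free of the original loop, demo_shared_ref would produce exactly the "Invalid free()" with both stack traces at the same line that the report shows. Whether refcounting, copying the named_ref per node, or having exactly one owning node is the right fix for Bison is a separate question; the point is that the free loop must agree with whoever creates the sharing.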
