[bison crash] Abort with invalid free() & assertion fail 'itemno == nrit

bug-bison

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[bison crash] Abort with invalid free() & assertion fail 'itemno == nrit

From:	Ahcheong Lee
Subject:	[bison crash] Abort with invalid free() & assertion fail 'itemno == nritems'
Date:	Fri, 6 Mar 2020 14:55:25 +0900

Hello, this is Ahcheong Lee
I'm currently working on a new fuzzing technique, and I found some crashes
on GNU bison3.5.2.
For ease of maintenance, I'll send one crash by one by email.

There was an abortion with an invalid pointer freeing or assertion failure
with src/reader.c:694 packgram: Assertion `itemno == nritems'.

I'm not sure why, but the abortion or assertion failure happens
occasionally,
so please try again if you can't reproduce it.

You can reproduce it with the following command:
./bison <attached file>

These are stderr messages:

./debugger10/id:000003:57.59-69: error: invalid reference: ‘$<.i->V->ue’
   57 | | exp '-' exp        { $$ = new Integer ($1.intValue () -
$<.i->V->ue ());  }
      |
^~~~~~~~~~~
./debugger10/id:000003:57.3-77:      symbol not found in production: A
   57 | | exp '-' exp        { $$ = new Integer ($1.intValue () -
$<.i->V->ue ());  }
      |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./debugger10/id:000003:65.42-45: error: integer out of range: ‘$111’
   65 | | '(' error ')'      { $$ = new Integer ($111);
        }
      |                                          ^~~~
*** Error in `./bison': free(): invalid pointer: 0x0000000002410010 ***
======= Backtrace: =========
/lib/x86_64-linux-gnu/libc.so.6(+0x777e5)[0x7f3a186c77e5]
/lib/x86_64-linux-gnu/libc.so.6(+0x8037a)[0x7f3a186d037a]
/lib/x86_64-linux-gnu/libc.so.6(cfree+0x4c)[0x7f3a186d453c]
./bison[0x44bfbf]
./bison[0x44bff5]
./bison[0x45fe67]
./bison[0x44e178]
./bison[0x40fc17]
./bison[0x418063]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf0)[0x7f3a18670830]
./bison[0x4028b9]
======= Memory map: ========
00400000-00487000 r-xp 00000000 08:11 37226061
/home/cheong/crashes/bison
00687000-00688000 r--p 00087000 08:11 37226061
/home/cheong/crashes/bison
00688000-00689000 rw-p 00088000 08:11 37226061
/home/cheong/crashes/bison
00689000-0068d000 rw-p 00000000 00:00 0
02402000-02423000 rw-p 00000000 00:00 0
 [heap]
7f3a14000000-7f3a14021000 rw-p 00000000 00:00 0
7f3a14021000-7f3a18000000 ---p 00000000 00:00 0
7f3a18162000-7f3a18178000 r-xp 00000000 08:11 20447370
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f3a18178000-7f3a18377000 ---p 00016000 08:11 20447370
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f3a18377000-7f3a18378000 rw-p 00015000 08:11 20447370
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f3a18378000-7f3a18650000 r--p 00000000 08:11 23200043
/usr/lib/locale/locale-archive
7f3a18650000-7f3a18810000 r-xp 00000000 08:11 20447518
/lib/x86_64-linux-gnu/libc-2.23.so
7f3a18810000-7f3a18a10000 ---p 001c0000 08:11 20447518
/lib/x86_64-linux-gnu/libc-2.23.so
7f3a18a10000-7f3a18a14000 r--p 001c0000 08:11 20447518
/lib/x86_64-linux-gnu/libc-2.23.so
7f3a18a14000-7f3a18a16000 rw-p 001c4000 08:11 20447518
/lib/x86_64-linux-gnu/libc-2.23.so
7f3a18a16000-7f3a18a1a000 rw-p 00000000 00:00 0
7f3a18a1a000-7f3a18a40000 r-xp 00000000 08:11 20447500
/lib/x86_64-linux-gnu/ld-2.23.so
7f3a18c2d000-7f3a18c30000 rw-p 00000000 00:00 0
7f3a18c37000-7f3a18c38000 rw-p 00000000 00:00 0
7f3a18c38000-7f3a18c3f000 r--s 00000000 08:11 23211621
/usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
7f3a18c3f000-7f3a18c40000 r--p 00025000 08:11 20447500
/lib/x86_64-linux-gnu/ld-2.23.so
7f3a18c40000-7f3a18c41000 rw-p 00026000 08:11 20447500
/lib/x86_64-linux-gnu/ld-2.23.so
7f3a18c41000-7f3a18c42000 rw-p 00000000 00:00 0
7ffe48b1b000-7ffe48b3c000 rw-p 00000000 00:00 0
 [stack]
7ffe48bdf000-7ffe48be1000 r--p 00000000 00:00 0
 [vvar]
7ffe48be1000-7ffe48be3000 r-xp 00000000 00:00 0
 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0
 [vsyscall]

Another stderr messages with assertion fail:
./bison_free_pointer_and_itemno:57.59-69: error: invalid reference:
‘$<.i->V->ue’
   57 | | exp '-' exp        { $$ = new Integer ($1.intValue () -
$<.i->V->ue ());  }
      |
^~~~~~~~~~~
./bison_free_pointer_and_itemno:57.3-77:      symbol not found in
production: ▒
   57 | | exp '-' exp        { $$ = new Integer ($1.intValue () -
$<.i->V->ue ());  }
      |
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
./bison_free_pointer_and_itemno:65.42-45: error: integer out of range:
‘$111’
   65 | | '(' error ')'      { $$ = new Integer ($111);
        }
      |                                          ^~~~
bison: src/reader.c:694: packgram: Assertion `itemno == nritems' failed.
Aborted


Thank you,
Ahcheong Lee
---------------------------------------------
Ahcheong Lee, Master's student
School of Computing, KAIST
Room# 2438, E3-1, KAIST
373-1 Guseong-dong, Yuseong-gu
Daejeon, South Korea 34141
Phone : 010-7350-3811
------------------------------------------------

bison_free_pointer_and_itemno
Description: Binary data

[Prev in Thread]

Current Thread

[Next in Thread]

[bison crash] Segmentation fault at fetch_type_name, Ahcheong Lee, 2020/03/06
- [bison crash] Segmentation fault at quotearg_buffer_restyled, Ahcheong Lee, 2020/03/06
  - [bison crash] Abort with invalid free() & assertion fail 'itemno == nritems', Ahcheong Lee <=
    - Re: [bison crash] Abort with invalid free() & assertion fail 'itemno == nritems', Akim Demaille, 2020/03/07
  - Re: [bison crash] Segmentation fault at quotearg_buffer_restyled, Akim Demaille, 2020/03/08
- Re: [bison crash] Segmentation fault at fetch_type_name, Akim Demaille, 2020/03/06

Prev by Date: [bison crash] Segmentation fault at quotearg_buffer_restyled
Next by Date: [bison crash] Segmentation fault with symbol_code_props_get at src/symtab.c:457
Previous by thread: [bison crash] Segmentation fault at quotearg_buffer_restyled
Next by thread: Re: [bison crash] Abort with invalid free() & assertion fail 'itemno == nritems'
Index(es):
- Date
- Thread