bug-bison
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [bison crash] Abort with invalid free() & assertion fail 'itemno ==


From: Akim Demaille
Subject: Re: [bison crash] Abort with invalid free() & assertion fail 'itemno == nritems'
Date: Sat, 7 Mar 2020 07:58:03 +0100


> Le 6 mars 2020 à 06:55, Ahcheong Lee <address@hidden> a écrit :
> 
> Hello, this is Ahcheong Lee
> I'm currently working on a new fuzzing technique, and I found some crashes
> on GNU bison3.5.2.
> For ease of maintenance, I'll send one crash by one by email.
> 
> There was an abortion with an invalid pointer freeing or assertion failure
> with src/reader.c:694 packgram: Assertion `itemno == nritems'.
> 
> I'm not sure why, but the abortion or assertion failure happens
> occasionally,
> so please try again if you can't reproduce it.
> 
> You can reproduce it with the following command:
> ./bison <attached file>
> 
> These are stderr messages:
> 
> ./debugger10/id:000003:57.59-69: error: invalid reference: ‘$<.i->V->ue’
>   57 | | exp '-' exp        { $$ = new Integer ($1.intValue () -
> $<.i->V->ue ());  }
>      |

This is again the same error (related to actions that contain $<....->foo) as 
the one reported in https://lists.gnu.org/r/bug-bison/2020-03/msg00009.html: 
Segmentation fault with symbol_code_props_get at src/symtab.c:457.  So it is 
also fixed by the fix I sent.

commit 641e326303753575664ca146fee7e9148d6bf5cf (HEAD -> maint)
Author: Akim Demaille <address@hidden>
Date:   Fri Mar 6 09:05:52 2020 +0100

   code: be robust to reference with invalid tags

   Because we want to support $<a->b>$, we must accept -> in type tags,
   and reject $<->$, as it is unfinished.
   Reported by Ahcheong Lee.

   * src/scan-code.l (yylex): Make sure "tag" does not end with -, since
   -> does not close the tag.
   * tests/input.at (Stray $ or @): Check this.


Cheers!




reply via email to

[Prev in Thread] Current Thread [Next in Thread]