When GNU Bison processes a malformed grammar that triggers conflict
counterexample generation, it crashes with a segmentation fault, which
AddressSanitizer catches as a SEGV. The fault is an invalid memory read from a
high-value address; AddressSanitizer's hint for this pattern is a dereference
of an invalid or corrupted pointer rather than a NULL dereference.
Reproduce:
# export CFLAGS="-g -O0 -fsanitize=address"
# ./configure
# make -j
# src/bison -L c -r all -g -x --html -t --locations -k -d -v Poc
The crash occurs in the function intersect_symbol() (src/lssi.c:276) and is
reached through the conflict counterexample generation and reporting logic,
which the grammar report writer (print_results in src/print.c) invokes for a
state with a reduce/reduce conflict.
The AddressSanitizer backtrace shows the following call sequence:
#0 intersect_symbol src/lssi.c:276
#1 reduction_step src/counterexample.c:827
#2 generate_next_states src/counterexample.c:1048
#3 unifying_example src/counterexample.c:1182
#4 counterexample_report src/counterexample.c:1276
#5 counterexample_report_reduce_reduce src/counterexample.c:1350
#6 counterexample_report_state src/counterexample.c:1394
#7 print_state src/print.c:366
#8 print_results src/print.c:473
#9 main src/main.c:188
AddressSanitizer reports:
ERROR: AddressSanitizer: SEGV on unknown address
The signal is caused by a READ memory access.
Hint: this fault was caused by a dereference of a high value address.
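The following shell helpers are an added example, not part of this report or of
Bison itself. They wrap the reproduction command above so that the sanitizer
report is written to a log file, and they pull the error kind, access type, top
frame and the high-address hint out of such a report for quick triage. The
embedded SAMPLE_REPORT is constructed to match the report above; its process
id, addresses and register line are made up.

```shell
#!/bin/sh
# Added example (not from the bug report or from Bison): triage helpers for an
# AddressSanitizer SEGV report such as the one above.

# Run a command with ASan writing its report to asan.log.<pid> instead of only
# stderr, so the report survives a noisy build or a crashing test harness.
# Usage: run_under_asan src/bison -L c -r all -g -x --html -t --locations -k -d -v Poc
run_under_asan() {
    ASAN_OPTIONS="symbolize=1:log_path=asan.log" "$@"
}

# Constructed sample report (pid, addresses and registers are invented).
SAMPLE_REPORT='==4242==ERROR: AddressSanitizer: SEGV on unknown address 0xfffffffffffffff8 (pc 0x55d0c2a1b3c4 bp 0x7ffd1c2e3d40 sp 0x7ffd1c2e3d00 T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: this fault was caused by a dereference of a high value address.
    #0 0x55d0c2a1b3c4 in intersect_symbol src/lssi.c:276
    #1 0x55d0c2a0f9e1 in reduction_step src/counterexample.c:827
    #2 0x55d0c2a10a22 in generate_next_states src/counterexample.c:1048
    #3 0x55d0c2a1168f in unifying_example src/counterexample.c:1182
==4242==Register values:
SUMMARY: AddressSanitizer: SEGV src/lssi.c:276 in intersect_symbol'

# Error kind from the "ERROR: AddressSanitizer: <kind> ..." line,
# e.g. SEGV or heap-buffer-overflow. Reads the report on stdin.
asan_error_kind() {
    sed -n 's/.*ERROR: AddressSanitizer: \([A-Za-z_-]*\).*/\1/p' | head -n 1
}

# READ or WRITE, from "The signal is caused by a READ memory access."
asan_access_type() {
    sed -n 's/.*caused by a \([A-Z]*\) memory access.*/\1/p' | head -n 1
}

# Function and file:line of frame #0. Accepts both the full ASan form
# ("#0 0xADDR in func file:line") and the trimmed form ("#0 func file:line").
asan_top_frame() {
    awk '$1 == "#0" { if ($3 == "in") print $4, $5; else print $2, $3; exit }'
}

# 1 if ASan hinted at a high-value (likely garbage pointer) address, else 0.
asan_high_address_hint() {
    if grep -q 'dereference of a high value address'; then echo 1; else echo 0; fi
}

# One-line triage summary: "<kind> <access> <function> <file:line>".
asan_summary() {
    report=$(cat)
    kind=$(printf '%s\n' "$report" | asan_error_kind)
    access=$(printf '%s\n' "$report" | asan_access_type)
    frame=$(printf '%s\n' "$report" | asan_top_frame)
    printf '%s %s %s\n' "$kind" "$access" "$frame"
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_REPORT" | asan_summary
```

After reproducing, `cat asan.log.*` gives the full report, and piping it into
asan_summary yields the same kind of one-liner as the sample. The functions
read stdin so they work on a saved log file as well as on a live pipe.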
File:
https://drive.google.com/file/d/1Wx3lZZildsA3pXD4AtuNHaBYhFPvVa1i/view?usp=drive_link
Credit:
Kaiyu Xie (UCAS)