Reproduce:
# export CFLAGS="-g -O0 -fsanitize=address"
# ./configure
# make -j
# src/bison -L java -r all -g -t -v -k Poc

Description:
When GNU Bison processes a malformed grammar that triggers conflict
counterexample generation, it crashes with a segmentation fault detected by
AddressSanitizer. The crash is caused by an invalid memory read from a
high-value address, indicating a dereference of an invalid or corrupted
pointer.
The fault occurs in the function intersect() (src/lssi.c:297) and is
reached through the reduction simulation and counterexample reporting
logic. The AddressSanitizer backtrace shows the following call sequence:
#0 intersect src/lssi.c:297
#1 lssi_reverse_production src/lssi.c:361
#2 simulate_reduction src/parse-simulation.c:536
#3 reduction_step src/counterexample.c:835
#4 generate_next_states src/counterexample.c:1048
#5 unifying_example src/counterexample.c:1182
#6 counterexample_report src/counterexample.c:1276
#7 counterexample_report_reduce_reduce src/counterexample.c:1350
#8 counterexample_report_state src/counterexample.c:1394
#9 print_state src/print.c:366
#10 print_results src/print.c:473
#11 main src/main.c:188
AddressSanitizer reports:
ERROR: AddressSanitizer: SEGV on unknown address
The signal is caused by a READ memory access.
Hint: this fault was caused by a dereference of a high value address.
This indicates that Bison does not robustly handle certain malformed
grammars during the conflict counterexample computation and reduction
simulation phases. Instead of gracefully reporting an error, internal data
structures are dereferenced without sufficient validation, leading to a
segmentation fault and process termination.
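The following is an added triage helper, not part of this report or of Bison: it parses an AddressSanitizer SEGV report of the shape shown above, recovers the frames, derives a stable crash signature from the innermost frames (for deduplicating fuzzer findings against this one) and locates where the crashing path entered src/counterexample.c. The sample input is constructed from the frame list above; its hex addresses and process id are placeholders, since the report strips them.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, not a real capture: the frame list is the one from
# the report above, put back one frame per line in ASan's usual
# "#N 0xADDR in func file:line" shape; the hex addresses and pid are placeholders.
SAMPLE_REPORT = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x0000deadbeef (pc 0x000000000001 bp 0x000000000002 sp 0x000000000003 T0)
==4242==The signal is caused by a READ memory access.
==4242==Hint: this fault was caused by a dereference of a high value address.
    #0 0x000000000001 in intersect src/lssi.c:297
    #1 0x000000000002 in lssi_reverse_production src/lssi.c:361
    #2 0x000000000003 in simulate_reduction src/parse-simulation.c:536
    #3 0x000000000004 in reduction_step src/counterexample.c:835
    #4 0x000000000005 in generate_next_states src/counterexample.c:1048
    #5 0x000000000006 in unifying_example src/counterexample.c:1182
    #6 0x000000000007 in counterexample_report src/counterexample.c:1276
    #7 0x000000000008 in counterexample_report_reduce_reduce src/counterexample.c:1350
    #8 0x000000000009 in counterexample_report_state src/counterexample.c:1394
    #9 0x00000000000a in print_state src/print.c:366
    #10 0x00000000000b in print_results src/print.c:473
    #11 0x00000000000c in main src/main.c:188
"""

FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+"
    r"(?:0x[0-9a-fA-F]+\s+in\s+)?"      # address is optional (the report above strips it)
    r"(?P<func>\S+)\s+"
    r"(?P<file>[^\s:]+):(?P<line>\d+)"   # file:line, optionally followed by :column
    r"(?::\d+)?\s*$"
)
ERROR_RE = re.compile(r"ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+)")
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
HINT_RE = re.compile(r"Hint: (?P<hint>.*)$", re.MULTILINE)


@dataclass(frozen=True)
class Frame:
    index: int
    function: str
    file: str
    line: int


def parse_frames(report: str) -> list[Frame]:
    """Return the stack frames of the ASan backtrace, innermost (#0) first."""
    frames = []
    for text in report.splitlines():
        m = FRAME_RE.match(text)
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["file"], int(m["line"])))
    return sorted(frames, key=lambda f: f.index)


def fault_summary(report: str) -> dict:
    """Pull out the error class, the access direction and ASan's hint line."""
    kind = ERROR_RE.search(report)
    access = ACCESS_RE.search(report)
    hint = HINT_RE.search(report)
    return {
        "kind": kind["kind"] if kind else None,
        "access": access["access"] if access else None,
        "hint": hint["hint"].strip() if hint else None,
    }


def crash_signature(frames: list[Frame], depth: int = 3) -> str:
    """Dedup key built from the innermost `depth` frames, ignoring addresses.

    Reports sharing a signature almost always share a root cause even when
    their fault addresses or input grammars differ.
    """
    return "|".join(f"{f.function}@{f.file}:{f.line}" for f in frames[:depth])


def entry_frame(frames: list[Frame], file: str = "src/counterexample.c") -> Optional[Frame]:
    """Walk outermost to innermost and return the first frame inside `file`,
    i.e. where the crashing path entered that subsystem."""
    for f in reversed(frames):
        if f.file == file:
            return f
    return None


if __name__ == "__main__":
    frames = parse_frames(SAMPLE_REPORT)
    print(fault_summary(SAMPLE_REPORT))
    print("signature:", crash_signature(frames))
    print("entered counterexample.c at:", entry_frame(frames))
```

Run over the report above, the signature is intersect@src/lssi.c:297|lssi_reverse_production@src/lssi.c:361|simulate_reduction@src/parse-simulation.c:536, and the outermost counterexample.c frame is counterexample_report_state at line 1394, which matches the description of the fault being reached through the counterexample reporting logic. The frame regex accepts both ASan's raw "#N 0xADDR in func file:line:col" lines and the address-stripped form used in this report.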
File:
https://drive.google.com/file/d/1j8pn13mC9oC-EEiBOQpJNIpaTenIx19G/view?usp=drive_link
Credit:
Kaiyu Xie (UCAS)