https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67264

            Bug ID: 67264
           Summary: Infinite recursion of demangler on fuzzed input
           Product: gcc
           Version: 6.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
          Assignee: unassigned at gcc dot gnu.org
          Reporter: miyuki at gcc dot gnu.org
  Target Milestone: ---

When I did fuzz-testing I had several crashes caused by infinite recursion. I
did not find an easy and good solution to fix them. Perhaps introducing some
additional logic which would specifically target invalid inputs could help
(like maintaining a hashtable/list/whatever of visited nodes which cannot be
visited again during normal result output; substitutions would require some
additional handling).
Nevertheless, I think that the testcases are still worth recording. Here
are some, I believe, distinct examples:

_Z1KIStcvT_E - i.e. something like:
template<typename T>
K<std::operator T>
Normally, when demangling a templated conversion operator we would print out the
template parameter, but in this case this leads to infinite recursion, because
we think that the operator itself is the parameter.
More problems with conversion operator:
_ZcvT_IIS0_EE - in substitution
_ZcvT_IZcvT_E1fE - in local name
_Z1gINcvT_EE - in nested name (probably same as std::)
_ZcvT_ILZcvDTT_EEE - template parameter in decltype

Infinite recursion when collapsing ref-qualifiers:
_Z1gIJOOT_EEOT_c

Memory hog with pointers-to-member and arrays:
_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo
(output size doubles with each M-o pair)
"pointer-to-member" and "array" are not necessarily consecutive:
_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd

(I first posted this as a comment for an existing bug, which was actually
caused by a different issue, sorry for double-posting)
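A regression/triage harness for the mangled names quoted in this report, added here as an example (it is not part of the report or of libiberty). It runs each name through an external demangler under a wall-clock timeout and RLIMIT_AS/RLIMIT_STACK caps so that an infinite recursion shows up as a timeout or a signal kill and the exponential-output cases as an allocation failure, instead of exhausting the test machine. It assumes a Linux host and that `c++filt` (binutils, which links the libiberty demangler) is on PATH; the command is a parameter so any demangler binary can be substituted.

```python
import resource
import subprocess

# Mangled names quoted in the bug report; every one of them is expected to
# demangle (or be rejected) promptly, so anything but "ok" is a regression.
REPORTED_CASES = [
    "_Z1KIStcvT_E",
    "_ZcvT_IIS0_EE",
    "_ZcvT_IZcvT_E1fE",
    "_Z1gINcvT_EE",
    "_ZcvT_ILZcvDTT_EEE",
    "_Z1gIJOOT_EEOT_c",
    "_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo",
    "_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd",
]


def _cap(res, new_bytes):
    """Lower one rlimit in the child (never above the current hard limit)."""
    _soft, hard = resource.getrlimit(res)
    cap = new_bytes if hard == resource.RLIM_INFINITY else min(new_bytes, hard)
    resource.setrlimit(res, (cap, cap))


def run_limited(cmd, stdin_text, timeout_s=5.0, mem_mb=256, stack_mb=8):
    """Run cmd on stdin_text with resource caps. Returns (status, stdout) where
    status is 'ok', 'timeout' (likely infinite loop/recursion), 'crash'
    (killed by a signal, e.g. SIGSEGV from a blown stack) or 'error'
    (non-zero exit, e.g. malloc failure once RLIMIT_AS is hit)."""
    def limits():  # runs in the child between fork and exec
        _cap(resource.RLIMIT_AS, mem_mb * 1024 * 1024)
        _cap(resource.RLIMIT_STACK, stack_mb * 1024 * 1024)
    try:
        p = subprocess.run(list(cmd), input=stdin_text.encode(), capture_output=True,
                           timeout=timeout_s, preexec_fn=limits)
    except subprocess.TimeoutExpired:
        return "timeout", ""
    if p.returncode < 0:
        return "crash", ""
    if p.returncode != 0:
        return "error", ""
    return "ok", p.stdout.decode(errors="replace").strip()


def triage(cases=REPORTED_CASES, demangler=("c++filt",), **limits):
    """Map each mangled name to its status for the given demangler command."""
    return {name: run_limited(demangler, name + "\n", **limits)[0] for name in cases}


if __name__ == "__main__":  # prints one line per case, e.g. "_Z1KIStcvT_E: ok"
    for name, status in triage().items():
        print(f"{name}: {status}")
```

Run it against a patched and an unpatched c++filt to confirm that the listed inputs no longer time out or die; the per-case limits are deliberately small so a whole fuzz corpus can be replayed quickly.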
