https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67264
Bug ID: 67264
Summary: Infinite recursion of demangler on fuzzed input
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: other
Assignee: unassigned at gcc dot gnu.org
Reporter: miyuki at gcc dot gnu.org
Target Milestone: ---

When I did fuzz-testing I had several crashes caused by infinite recursion. I did not find an easy and good solution to fix them. Perhaps introducing some additional logic which would specifically target invalid inputs could help (like maintaining a hashtable/list/whatever of visited nodes which cannot be visited again during normal result output; substitutions would require some additional handling). Nevertheless, I think that the testcases are still worth being recorded.

Here are some, I believe, distinct examples:

_Z1KIStcvT_E - i.e. something like:
template<typename T> K<std::operator T>
Normally, when demangling a templated conversion operator we would print out the template parameter, but in this case this leads to infinite recursion, because we think that the operator itself is the parameter.

More problems with conversion operator:
_ZcvT_IIS0_EE - in substitution
_ZcvT_IZcvT_E1fE - in local name
_Z1gINcvT_EE - in nested name (probably same as std::)
_ZcvT_ILZcvDTT_EEE - template parameter in decltype

Infinite recursion when collapsing ref-qualifiers:
_Z1gIJOOT_EEOT_c

Memory hog with pointers-to-member and arrays:
_Z1KMMMMMMMMMMMMMMMA_xooooooooooooooo
(output size doubles with each M-o pair)

"pointer-to-member" and "array" are not necessarily consecutive:
_ZdvMMMMMMMMMMMMMrrrrA_DTdvfp_fp_Eededilfdfdfdfd

(I first posted this as a comment for an existing bug, which was actually caused by a different issue, sorry for double-posting)
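As an added illustration (not code from the report or from libiberty's cp-demangle.c), a toy Python model of the self-reference behind _Z1KIStcvT_E and of the "visited nodes which cannot be visited again" guard the report suggests. The Node kinds, the render/demangle names and the tree shapes are assumptions of this model; the std:: prefix is left out.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    kind: str                        # "name", "template", "conv_op" or "tparam"
    text: str = ""                   # identifier text for "name"
    children: list = field(default_factory=list)
    index: int = 0                   # argument position for "tparam" (T_ is index 0)

class DemangleError(Exception):
    """Raised instead of recursing forever when the tree refers back to itself."""

def render(node, tmpl_args, active=None, guard=True):
    """Print a node. tmpl_args is the argument list of the innermost template,
    which is what a "tparam" node (T_, T0_, ...) resolves against.
    `active` holds the nodes currently being printed further up the stack; a node
    that is already active is a cycle. Nodes shared across separate branches, as
    substitutions produce, stay allowed because entries are popped on return."""
    if active is None:
        active = set()
    if guard and id(node) in active:
        raise DemangleError("cyclic reference while printing: %s" % node.kind)
    active.add(id(node))
    try:
        if node.kind == "name":
            return node.text
        if node.kind == "template":
            base, *args = node.children
            # template arguments are rendered with themselves as the T_ scope
            return (render(base, tmpl_args, active, guard) + "<"
                    + ", ".join(render(a, args, active, guard) for a in args) + ">")
        if node.kind == "conv_op":
            return "operator " + render(node.children[0], tmpl_args, active, guard)
        if node.kind == "tparam":
            return render(tmpl_args[node.index], tmpl_args, active, guard)
        raise DemangleError("unknown node kind %r" % node.kind)
    finally:
        active.discard(id(node))

# Constructed well-formed tree: K<int, operator int>; the second argument's T_ names the first.
GOOD = Node("template", children=[Node("name", text="K"), Node("name", text="int"),
                                  Node("conv_op", children=[Node("tparam", index=0)])])

# Constructed tree with the shape of _Z1KIStcvT_E: the only template argument is a
# conversion operator whose target type T_ resolves to that same argument.
CYCLIC = Node("template", children=[Node("name", text="K"),
                                    Node("conv_op", children=[Node("tparam", index=0)])])

def demangle(tree, guard=True):
    return render(tree, [], None, guard)
```

With guard=False the same call on CYCLIC recurses until Python's own stack limit stops it, which is the behaviour the report describes for the C demangler.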