From owner-freebsd-current@FreeBSD.ORG Mon Sep 24 17:56:39 2007
Message-ID: <46F7FA9A.30109@freebsd.org>
Date: Mon, 24 Sep 2007 10:57:46 -0700
From: Darren Reed
To: Ruslan Ermilov
Cc: FreeBSD Current
References: <46F6379B.9050000@freebsd.org> <46F64A4B.8000804@freebsd.org> <20070924145007.GB82735@team.vega.ru>
In-Reply-To: <20070924145007.GB82735@team.vega.ru>
Subject: Re: yacc bug in reader.c:end_rule()

Ruslan Ermilov wrote:
> On Sun, Sep 23, 2007 at 04:13:15AM -0700, Darren Reed wrote:
> > Darren Reed wrote:
> >> There's a fairly obvious bug in yacc's reader.c but I'm not sure what the
> >> right fix is.
> >>
> >> Witness:
> >> end_rule()
> >> {
> >>     int i;
> >>
> >>     if (!last_was_action && plhs[nrules]->tag)
> >>     {
> >>         for (i = nitems - 1; pitem[i]; --i) continue;
> >>         if (pitem[i + 1] == 0 || pitem[i+1]->tag != plhs[nrules]->tag)
> >>         ...
> >>     }
> >>
> >> ...clearly if pitem[nitems-1] == NULL (and nitems is the size of the
> >> array from [0,nitems-1]) then the if() will access beyond the bounds
> >> of the array.
> >>
> >> There's also the question of i being able to run below 0 too here.
> >>
> Not possible: first four pitem's are explicitly set to NULL in
> reader.c:initialize_grammar().
>
> >> I don't know if the bug is here or if the bug is elsewhere in yacc,
> >> but I doubt that the "fix" is s/i + 1/i/. *Maybe* "i = nitems - 2;"?
> >>
> >> The bug can be masked by using calloc instead of malloc and similar
> >> other tricks, but there is something more fundamentally wrong here.
> >>
> >> Has anyone else run into this?
> >
> > The following sample grammar will exercise the bug:
> >
> > %{
> > %}
> >
> > %union {
> >     char *ptr;
> > };
> >
> > %type <ptr> test
> > %%
> >
> > test: | $$ = malloc(2);
> It crashes even when written "correctly" as:
>
> test: | { $$ = malloc(2); }
>
> > ;
> >
> > %%
> >
> > (The error here is that "test" has an undefined return.)
>
> Try this patch. It replaces a non-sense with a fix for the bug.

It fixes my problem... but does it introduce any problems for correct grammars? Need to test it with a build world..

Darren
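The index arithmetic in the quoted end_rule() excerpt, as an added worked example that is not part of this thread and not yacc's own source. It reproduces the backward scan over pitem on a constructed array layout (four leading NULL entries, as Ruslan says initialize_grammar() sets them, then a NULL separator before each rule's items; this layout, the bucket shape and the symbol names are assumptions, not copied from reader.c), shows that an empty right-hand side makes the probed index equal nitems, and sets a bounds-checked form of the same tag comparison beside it. The bounds check is an illustrative hardening, not the patch Ruslan posted.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for yacc's bucket; only the type tag matters for end_rule(). */
typedef struct {
    const char *name;
    const char *tag;   /* %type tag, or NULL when the symbol is untyped */
} bucket;

enum rule_check { RULE_OK, RULE_TAG_MISMATCH, RULE_EMPTY_RHS };

/* The backward scan from end_rule(): stop at the NULL that separates this
 * rule's items from the previous rule. Relies on pitem[0..3] being NULL
 * (as initialize_grammar() sets them), so i cannot run below 0. */
static int find_rule_separator(bucket **pitem, int nitems)
{
    int i;
    for (i = nitems - 1; pitem[i]; --i)
        continue;
    return i;
}

/* Index that the original check reads as pitem[i + 1]. When the rule's
 * right-hand side is empty, pitem[nitems - 1] is the separator itself,
 * so this returns nitems: one past the end of the array. */
int original_probe_index(bucket **pitem, int nitems)
{
    return find_rule_separator(pitem, nitems) + 1;
}

/* Bounds-aware form of the same test: an empty right-hand side is reported
 * instead of being read past the array. (Assumed hardening, not yacc's fix.) */
enum rule_check check_default_action(bucket **pitem, int nitems, const char *lhs_tag)
{
    int i = find_rule_separator(pitem, nitems);

    if (i + 1 >= nitems)
        return RULE_EMPTY_RHS;
    if (pitem[i + 1]->tag == NULL || strcmp(pitem[i + 1]->tag, lhs_tag) != 0)
        return RULE_TAG_MISMATCH;
    return RULE_OK;
}

/* Constructed symbols: two typed with <ptr>, one untyped. */
static bucket sym_a = { "a", "ptr" };
static bucket sym_b = { "b", "ptr" };
static bucket sym_c = { "c", NULL };

/* Constructed layouts: four leading NULLs, a NULL separator, then the rule's items. */
#define NONEMPTY_NITEMS 7
#define EMPTY_NITEMS 5

int demo_nonempty_probe(void)
{
    bucket *pitem[NONEMPTY_NITEMS] = { NULL, NULL, NULL, NULL, NULL, &sym_a, &sym_b };
    return original_probe_index(pitem, NONEMPTY_NITEMS);   /* 5: first item of the rule */
}

int demo_empty_probe(void)
{
    bucket *pitem[EMPTY_NITEMS] = { NULL, NULL, NULL, NULL, NULL };
    return original_probe_index(pitem, EMPTY_NITEMS);      /* 5 == EMPTY_NITEMS: out of bounds */
}

enum rule_check demo_checked_nonempty(void)
{
    bucket *pitem[NONEMPTY_NITEMS] = { NULL, NULL, NULL, NULL, NULL, &sym_a, &sym_b };
    return check_default_action(pitem, NONEMPTY_NITEMS, "ptr");
}

enum rule_check demo_checked_mismatch(void)
{
    bucket *pitem[NONEMPTY_NITEMS] = { NULL, NULL, NULL, NULL, NULL, &sym_c, &sym_b };
    return check_default_action(pitem, NONEMPTY_NITEMS, "ptr");
}

enum rule_check demo_checked_empty(void)
{
    bucket *pitem[EMPTY_NITEMS] = { NULL, NULL, NULL, NULL, NULL };
    return check_default_action(pitem, EMPTY_NITEMS, "ptr");
}

int main(void)
{
    printf("non-empty rule probes index %d of %d\n", demo_nonempty_probe(), NONEMPTY_NITEMS);
    printf("empty rule probes index %d of %d (out of bounds)\n", demo_empty_probe(), EMPTY_NITEMS);
    printf("checked: nonempty=%d mismatch=%d empty=%d\n",
           demo_checked_nonempty(), demo_checked_mismatch(), demo_checked_empty());
    return 0;
}
```

The empty layout is the situation the "test: |" alternative in the sample grammar produces: the lhs carries a tag, no action was given, and the scan stops on the separator that is already the last array entry, so the unchecked version's pitem[i + 1] is the read past the end that the thread describes. Whether that read crashes depends on what happens to sit after the allocation, which is why swapping malloc for calloc can mask it without fixing it.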