From owner-freebsd-current@FreeBSD.ORG  Wed May  9 18:33:33 2007
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
X-Original-To: freebsd-current@FreeBSD.org
Delivered-To: freebsd-current@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 767C216A404
	for <freebsd-current@FreeBSD.org>; Wed,  9 May 2007 18:33:33 +0000 (UTC)
	(envelope-from scottl@samsco.org)
Received: from pooker.samsco.org (pooker.samsco.org [168.103.85.57])
	by mx1.freebsd.org (Postfix) with ESMTP id 2DD4D13C46C
	for <freebsd-current@FreeBSD.org>; Wed,  9 May 2007 18:33:33 +0000 (UTC)
	(envelope-from scottl@samsco.org)
Received: from phobos.samsco.home (phobos.samsco.home [192.168.254.11])
	(authenticated bits=0)
	by pooker.samsco.org (8.13.8/8.13.8) with ESMTP id l49IXUb1009602;
	Wed, 9 May 2007 12:33:30 -0600 (MDT)
	(envelope-from scottl@samsco.org)
Message-ID: <464213F4.5030704@samsco.org>
Date: Wed, 09 May 2007 12:33:24 -0600
From: Scott Long <scottl@samsco.org>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US;
	rv:1.8.1.2pre) Gecko/20070111 SeaMonkey/1.1
MIME-Version: 1.0
To: "Wojciech A. Koszek" <wkoszek@FreeBSD.org>, freebsd-current@FreeBSD.org,
	jasone@FreeBSD.org
References: <20070509185905.GA29365@FreeBSD.czest.pl>
In-Reply-To: <20070509185905.GA29365@FreeBSD.czest.pl>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Greylist: Sender succeeded SMTP AUTH authentication, not delayed by
	milter-greylist-2.0.2 (pooker.samsco.org [168.103.85.57]);
	Wed, 09 May 2007 12:33:30 -0600 (MDT)
X-Spam-Status: No, score=-1.4 required=5.5 tests=ALL_TRUSTED autolearn=failed
	version=3.1.8
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on pooker.samsco.org
Cc: 
Subject: Re: yacc(1) causes a fault -- "fault VA = 0xa5a5a5b1"
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 09 May 2007 18:33:33 -0000

Wojciech A. Koszek wrote:
> Hi,
> 
> I have a file:
> 
> 	http://people.freebsd.org/~wkoszek/traces/grammar.y
> 
> I run this command:
> 
> 	yacc -d -o grammar.c grammar.y
> 
> While I get a following warning on RELENG_6 machines:
> 
> 	$ yacc -d -o grammar.c grammar.y
> 	yacc: w - line 36 of "grammar.y", the default action assigns an
> 	undefined value to $$
> 	yacc: w - the symbol NUMBER is undefined
> 
> On various -CURRENT boxes I see:
> 
> 	$ yacc -d -o grammar.c grammar.y
> 	fatal process exception: page fault, fault VA = 0xa5a5a5b1
> 	zsh: segmentation fault (core dumped)  yacc -d -o grammar.c grammar.y
> 
> Sounds like a regression in malloc(3) ?
> 
> Thanks,
> 

No, that looks like a use-after-free, with malloc filling the freed 
memory with trash.  It's a debugging option that is turned off in
RELENG_N branches and left on in HEAD, for precisely this reason.

Scott