Date:      Wed, 9 May 2007 13:53:25 -0500
From:      Dan Nelson <dnelson@allantgroup.com>
To:        Scott Long <scottl@samsco.org>
Cc:        freebsd-current@freebsd.org, "Wojciech A. Koszek" <wkoszek@freebsd.org>, jasone@freebsd.org
Subject:   Re: yacc(1) causes a fault -- "fault VA = 0xa5a5a5b1"
Message-ID:  <20070509185324.GB30662@dan.emsphone.com>
In-Reply-To: <464213F4.5030704@samsco.org>
References:  <20070509185905.GA29365@FreeBSD.czest.pl> <464213F4.5030704@samsco.org>

In the last episode (May 09), Scott Long said:
>  Wojciech A. Koszek wrote:
> > Hi,
> > I have a file:
> > 	http://people.freebsd.org/~wkoszek/traces/grammar.y
> > I run this command:
> > 	yacc -d -o grammar.c grammar.y
> > While I get the following warning on RELENG_6 machines:
> > 	$ yacc -d -o grammar.c grammar.y
> > 	yacc: w - line 36 of "grammar.y", the default action assigns an
> > 	undefined value to $$
> > 	yacc: w - the symbol NUMBER is undefined
> > On various -CURRENT boxes I see:
> > 	$ yacc -d -o grammar.c grammar.y
> > 	fatal process exception: page fault, fault VA = 0xa5a5a5b1
> > 	zsh: segmentation fault (core dumped)  yacc -d -o grammar.c grammar.y
> > Sounds like a regression in malloc(3) ?
> > Thanks,
> 
>  No, that looks like a use-after-free, with malloc filling the freed
>  memory with trash.  It's a debugging option that is turned off in
>  RELENG_N branches and left on in HEAD, for precisely this reason.

HEAD fills memory with 0xa5 on malloc, and 0x5a on free, so it's
actually a "use-before-set".  I can get it to core on 6.x too by
setting MALLOC_OPTIONS=J.  valgrind (with MALLOC_OPTIONS=j) says:

==52609== Conditional jump or move depends on uninitialised value(s)
==52609==    at 0x8052B40: end_rule (reader.c:1260)
==52609==    by 0x805393C: read_grammar (reader.c:1621)
==52609==    by 0x80546C4: reader (reader.c:1926)
==52609==    by 0x804C3DB: main (main.c:434)

-- 
	Dan Nelson
	dnelson@allantgroup.com

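Added illustration (example code, not from this thread, from yacc, or from jemalloc) of what Dan describes: a constructed junk-filling malloc stands in for MALLOC_OPTIONS=J, a hypothetical `struct rule` with an unset `next` field stands in for whatever reader.c leaves uninitialised, and two small triage helpers show why a fault VA of 0xa5a5a5b1 points at a use-before-set rather than a use-after-free (0xa5 is the allocation fill, 0x5a the free fill, and 0xa5a5a5b1 is 0xa5a5a5a5 plus a field offset of 0x0c). All names below are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* jemalloc's "J" option (MALLOC_OPTIONS=J, on by default in HEAD at the time)
 * junk-fills memory so that stale reads show up as a recognisable pattern. */
#define JUNK_ALLOC 0xa5u   /* written into every fresh allocation */
#define JUNK_FREE  0x5au   /* written into memory when it is freed */

/* Constructed stand-in for a junk-filling malloc (example code, not jemalloc). */
static void *junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, JUNK_ALLOC, n);
    return p;
}

/* Hypothetical record type; stands in for whatever yacc's reader.c was
 * reading uninitialised. */
struct rule {
    int          id;
    struct rule *next;
};

/* Buggy path: allocates the record but never sets 'next'. */
static struct rule *make_rule_buggy(int id)
{
    struct rule *r = junk_malloc(sizeof *r);
    if (r != NULL)
        r->id = id;            /* 'next' still holds the 0xa5 fill */
    return r;
}

/* Fixed path: every field is set before the record is handed out. */
static struct rule *make_rule_fixed(int id)
{
    struct rule *r = junk_malloc(sizeof *r);
    if (r != NULL) {
        r->id = id;
        r->next = NULL;
    }
    return r;
}

/* Reads the raw bits of the unset pointer (via memcpy, so nothing is
 * dereferenced) to show what the junk fill leaves behind. */
static uintptr_t buggy_next_bits(void)
{
    struct rule *r = make_rule_buggy(1);
    uintptr_t bits = 0;
    if (r != NULL) {
        memcpy(&bits, &r->next, sizeof bits);
        free(r);
    }
    return bits;
}

static int fixed_next_is_null(void)
{
    struct rule *r = make_rule_fixed(1);
    int ok = (r != NULL && r->next == NULL);
    free(r);
    return ok;
}

/* Triage helper for a 32-bit fault VA from a junk-filled heap:
 * 'A' = bits look like an uninitialised allocation (0xa5 pattern),
 * 'F' = bits look like freed memory (0x5a pattern), '?' = neither.
 * The low byte is allowed to differ, because a field access adds its
 * offset to the junk pointer: 0xa5a5a5b1 == 0xa5a5a5a5 + 0x0c. */
static char junk_pattern(uint32_t va)
{
    if ((va >> 8) == 0xa5a5a5u && (va & 0xffu) >= JUNK_ALLOC)
        return 'A';
    if ((va >> 8) == 0x5a5a5au && (va & 0xffu) >= JUNK_FREE)
        return 'F';
    return '?';
}

/* Field offset implied by the VA, or 0 when it carries no junk pattern. */
static unsigned junk_offset(uint32_t va)
{
    switch (junk_pattern(va)) {
    case 'A': return (va & 0xffu) - JUNK_ALLOC;
    case 'F': return (va & 0xffu) - JUNK_FREE;
    default:  return 0;
    }
}

int main(void)
{
    uint32_t va = 0xa5a5a5b1u;   /* the VA from the report */
    printf("unset next pointer bits: 0x%jx\n", (uintmax_t)buggy_next_bits());
    printf("fixed next is NULL: %d\n", fixed_next_is_null());
    printf("fault VA 0x%08x: pattern %c, field offset 0x%x\n",
           va, junk_pattern(va), junk_offset(va));
    return 0;
}
```

The offset recovered from the low byte is a quick way to narrow the search: it names the member offset within the struct that the stale pointer was dereferenced through, which is the same information valgrind's "conditional jump depends on uninitialised value" report gives with the line number attached.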