From: Dan Nelson
To: Scott Long
Cc: freebsd-current@freebsd.org, "Wojciech A. Koszek", jasone@freebsd.org
Date: Wed, 9 May 2007 13:53:25 -0500
Subject: Re: yacc(1) causes a fault -- "fault VA = 0xa5a5a5b1"
Message-ID: <20070509185324.GB30662@dan.emsphone.com>
In-Reply-To: <464213F4.5030704@samsco.org>
References: <20070509185905.GA29365@FreeBSD.czest.pl> <464213F4.5030704@samsco.org>

In the last episode (May 09), Scott Long said:
> Wojciech A. Koszek wrote:
> > Hi,
> > I have a file:
> > http://people.freebsd.org/~wkoszek/traces/grammar.y
> > I run this command:
> > yacc -d -o grammar.c grammar.y
> > While I get the following warning on RELENG_6 machines:
> > $ yacc -d -o grammar.c grammar.y
> > yacc: w - line 36 of "grammar.y", the default action assigns an
> > undefined value to $$
> > yacc: w - the symbol NUMBER is undefined
> > On various -CURRENT boxes I see:
> > $ yacc -d -o grammar.c grammar.y
> > fatal process exception: page fault, fault VA = 0xa5a5a5b1
> > zsh: segmentation fault (core dumped) yacc -d -o grammar.c grammar.y
> > Sounds like a regression in malloc(3)?
> > Thanks,
>
> No, that looks like a use-after-free, with malloc filling the freed
> memory with trash. It's a debugging option that is turned off in
> RELENG_N branches and left on in HEAD, for precisely this reason.

HEAD fills memory with 0xa5 on malloc, and 0x5a on free, so it's actually
a "use-before-set". I can get it to core on 6.x too by setting
MALLOC_OPTIONS=J. valgrind (with MALLOC_OPTIONS=j) says:

==52609== Conditional jump or move depends on uninitialised value(s)
==52609==    at 0x8052B40: end_rule (reader.c:1260)
==52609==    by 0x805393C: read_grammar (reader.c:1621)
==52609==    by 0x80546C4: reader (reader.c:1926)
==52609==    by 0x804C3DB: main (main.c:434)

-- 
Dan Nelson
dnelson@allantgroup.com
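The mechanism Dan describes, as an added illustration that is not code from the thread, from yacc or from FreeBSD's malloc: a wrapper that imitates the junk-fill behaviour (0xa5 on allocation, 0x5a on free), a hypothetical record whose pointer field is never set, and a helper that reads a fault address such as 0xa5a5a5b1 back into "fill pattern plus field offset". `junk_malloc`, `struct rule` and `junk_offset` are constructed for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the debug fill done by the HEAD allocator
 * (MALLOC_OPTIONS=J): new memory is filled with 0xa5, freed memory with
 * 0x5a. The real allocator does this internally; wrapping malloc/free
 * makes the effect visible on any platform. */
#define JUNK_ALLOC 0xa5
#define JUNK_FREE  0x5a

static void *junk_malloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, JUNK_ALLOC, n);
    return p;
}

static void junk_free(void *p, size_t n) {
    if (p) memset(p, JUNK_FREE, n);
    free(p);
}

/* Hypothetical record with a pointer field the code forgets to set;
 * it mirrors the shape of a use-before-set, not yacc's own structures. */
struct rule { int id; struct rule *next; };

/* Returns the raw bits of the never-assigned pointer field rather than
 * dereferencing it (which is what faults in the real program). */
uintptr_t uninitialised_field_bits(void) {
    struct rule *r = junk_malloc(sizeof *r);
    r->id = 1;                       /* r->next is never assigned */
    uintptr_t bits = (uintptr_t)r->next;
    junk_free(r, sizeof *r);
    return bits;
}

/* True when every byte of v is the given fill byte. */
int is_fill_pattern(uintptr_t v, unsigned char fill) {
    for (size_t i = 0; i < sizeof v; i++)
        if (((v >> (8 * i)) & 0xff) != fill) return 0;
    return 1;
}

/* Given a fault address of ptr_bytes width, recover the small offset that
 * was added to a fill-pattern pointer (0xa5a5a5b1 -> 0xa5 pattern + 12),
 * or -1 if the upper bytes are not the fill byte. */
long junk_offset(uintptr_t fault_va, unsigned char fill, unsigned ptr_bytes) {
    for (unsigned i = 1; i < ptr_bytes; i++)
        if (((fault_va >> (8 * i)) & 0xff) != fill) return -1;
    return (long)(((fault_va & 0xff) + 0x100 - fill) & 0xff);
}
```

A fault address made of one repeated byte plus a small offset is the signature to look for: 0xa5 means a field read before it was ever written, 0x5a means a read after free.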