Re: [bison crash] Segmentation fault with symbol_code_props_get at src/symtab.c:457

[Akim Demaille]

> Le 6 mars 2020 à 06:58, Ahcheong Lee <dkcjd2...@gmail.com> a écrit :
> 
> Hello, this is Ahcheong Lee
> I'm currently working on a new fuzzing technique, and I found some crashes
> on GNU bison3.5.2.

Hi Ahcheong,

Thanks for the report!  I will install the following fix in maint and master.

Cheers!

commit 641e326303753575664ca146fee7e9148d6bf5cf
Author: Akim Demaille <akim.demai...@gmail.com>
Date:   Fri Mar 6 09:05:52 2020 +0100

    code: be robust to reference with invalid tags
    
    Because we want to support $<a->b>$, we must accept -> in type tags,
    and reject $<->$, as it is unfinished.
    Reported by Ahcheong Lee.
    
    * src/scan-code.l (yylex): Make sure "tag" does not end with -, since
    -> does not close the tag.
    * tests/input.at (Stray $ or @): Check this.

diff --git a/THANKS b/THANKS
index db54776a..d8ef2c0c 100644
--- a/THANKS
+++ b/THANKS
@@ -4,8 +4,9 @@ it is today without the invaluable help of these people:
 Aaro Koskinen             aaro.koski...@iki.fi
 Аскар Сафин               safinas...@mail.ru
 Adam Sampson              a...@offog.org
+Ahcheong Lee              dkcjd2...@gmail.com
 Airy Andre                airy.an...@edf.fr
-Akim Demaille             a...@lrde.epita.fr
+Akim Demaille             a...@gnu.org
 Albert Chin-A-Young       ch...@thewrittenword.com
 Alexander Belopolsky      al...@rentec.com
 Alexandre Duret-Lutz      a...@lrde.epita.fr
diff --git a/src/scan-code.l b/src/scan-code.l
index 658c25b1..ef667146 100644
--- a/src/scan-code.l
+++ b/src/scan-code.l
@@ -81,7 +81,7 @@ static bool untyped_var_seen;
    historically almost any character is allowed in a tag.  We disallow
    NUL and newline, as this simplifies our implementation.  We allow
    "->" as a means to dereference a pointer.  */
-tag      ([^\0\n>]|->)+
+tag      ([^\0\n>]|->)*[^-]
 
 /* Zero or more instances of backslash-newline.  Following GCC, allow
    white space between the backslash and the newline.  */
diff --git a/tests/input.at b/tests/input.at
index c03b282f..b004ea9e 100644
--- a/tests/input.at
+++ b/tests/input.at
@@ -2548,7 +2548,9 @@ AT_DATA_GRAMMAR([[input.y]],
 %printer        { $%; @%; } <*> exp TOK;
 %{ $ @ %} // Should not warn.
 %%
-exp: TOK        { $%; @%; $$ = $1; };
+exp: TOK        { $%; @%; $$ = $1; }
+   | 'a'        { $<->1; $$ = 1; }
+   | 'b'        { $<foo->bar>$; }
 %%
 $ @ // Should not warn.
 ]])
@@ -2562,6 +2564,7 @@ input.y:13.19: warning: stray '$' [-Wother]
 input.y:13.23: warning: stray '@' [-Wother]
 input.y:16.19: warning: stray '$' [-Wother]
 input.y:16.23: warning: stray '@' [-Wother]
+input.y:17.19: warning: stray '$' [-Wother]
 ]])
 
 AT_BISON_OPTION_POPDEFS