Hello, our fuzzer found a new SEGV bug in bison.

*Command*
bison poc_file --report=c (poc_file is attached)

*Output (stderr)*
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:25.22: warning: symbol 'J' is used, but is not defined as a token and has no rules [-Wother]
   25 | %type <Integer> exp J%nonassoc '=' /* comparison
      |                     ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:53.27: warning: stray '$' [-Wother]
   53 |     if ($1.intValue () != $intValue ())
      |                           ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file: warning: 1 nonterminal useless in grammar [-Wother]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:25.22: warning: nonterminal useless in grammar: J [-Wother]
   25 | %type <Integer> exp J%nonassoc '=' /* comparison
      |                     ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file: warning: 1 shift/reduce conflict [-Wconflicts-sr]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file: warning: 12 reduce/reduce conflicts [-Wconflicts-rr]
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file: note: rerun with option '-Wcounterexamples' to generate conflict counterexamples
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:34.3-7: warning: rule useless in parser due to conflicts [-Wother]
   34 | | input line:
      |   ^~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:50.3-77: warning: rule useless in parser due to conflicts [-Wother]
   50 |   NUM { $$ = $1; }
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:51.3-79.70: warning: rule useless in parser due to conflicts [-Wother]
   51 | | exp '=' exp
      |   ^~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:81.3-83.85: warning: rule useless in parser due to conflicts [-Wother]
   81 |   {
      |   ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:88.3-35: warning: rule useless in parser due to conflicts [-Wother]
   88 |   NUM { $$ = $1; }
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:89.3-91.23: warning: rule useless in parser due to conflicts [-Wother]
   89 | | exp '=' exp
      |   ^~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:93.3-95.52: warning: rule useless in parser due to conflicts [-Wother]
   93 |   {
      |   ^
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:100.3-77: warning: rule useless in parser due to conflicts [-Wother]
  100 |   NUM { $$ = $1; }
      |   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/home/youngseok/data/230411/asan_inter_30_30_shrink5_1_230308/bison/3_id:000275/poc_file:101.3-127.1: warning: rule useless in parser due to conflicts [-Wother]
  101 | | exp '=' exp
      |   ^~~~~~~~~~~

*Sanitizer Dump*
==7175==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x5555555d0b7a bp 0x7fffffffb3a0 sp 0x7fffffff9300 T0)
==7175==The signal is caused by a READ memory access.
==7175==Hint: address points to the zero page.
    #0 0x5555555d0b79 in intersect_symbol src/lssi.c:276
    #1 0x5555555a1650 in reduction_step src/counterexample.c:831
    #2 0x5555555a3487 in generate_next_states src/counterexample.c:1047
    #3 0x5555555a43f5 in unifying_example src/counterexample.c:1182
    #4 0x5555555a4fac in counterexample_report src/counterexample.c:1283
    #5 0x5555555a600d in counterexample_report_reduce_reduce src/counterexample.c:1356
    #6 0x5555555a6a0b in counterexample_report_state src/counterexample.c:1400
    #7 0x5555556161c1 in print_state src/print.c:366
    #8 0x555555617041 in print_results src/print.c:471
    #9 0x5555555d225d in main src/main.c:188
    #10 0x7ffff6a48c86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21c86)
    #11 0x555555588b49 in _start (/home/youngseok/subjects/latest_asan_install/bison/bin/bison+0x34b49)

*Environment*
OS: Ubuntu 18.04
gcc: 7.5.0
Bison: 3.8.2.46-9785 (git commit 97852f39f42a28abfcaf1c46b1f06920eae151c9)

We used AddressSanitizer to reason about the crash. Here is the build script:
CFLAGS="-fsanitize=address -g -O0" ./configure

Thank you,
Youngseok Choi
poc_file
Description: Binary data