Bison 3.8: abort "Cannot find shortest path to conflict state" on crafted grammar (core dump)

kittener White Thu, 25 Dec 2025 00:46:15 -0800

This seems to be triggered during conflict handling/reporting, and Bison
should not core dump on malformed/untrusted input.


Reproduce:
# export CFLAGS="-g -O0 -fsanitize=address"
# ./configure
# make -j

# src/bison -L c -r all -g -x --html -t --locations -k -d -v Poc

Description:

afl++/out/flag_1/default/crashes/id:000001: warning: 2 shift/reduce
conflicts [-Wconflicts-sr]
afl++/out/flag_1/default/crashes/id:000001: warning: 27 reduce/reduce
conflicts [-Wconflicts-rr]
afl++/out/flag_1/default/crashes/id:000001: note: rerun with option
'-Wcounterexamples' to generate conflict counterexamples
afl++/out/flag_1/default/crashes/id:000001:1:1.36-55: warning: rule
useless in parser due to conflicts [-Wother]
    1 | 
%%I:|"""""""%%I:|""""""""""I|I"""I|""""""""""""""""""""|""I"I|"""I|""""I|"""""""""""""""""""""""""""""""""""""""""""""""""%%...
     |                                    ^~~~~~~~~~~~~~~~~~~~
afl++/out/flag_1/default/crashes/id:000001:1.74-144: warning: rule
useless in parser due to conflicts [-Wother]
    1 | 
%%I:|"""""""%%I:|""""""""""I|I"""I|""""""""""""""""""""|""I"I|"""I|""""I|"""""""""""""""""""""""""""""""""""""""""""""""""%%...
     |
         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
afl++/out/flag_1/default/crashes/id:000001:1.146-178: warning: rule
useless in parser due to conflicts [-Wother]
    1 | ..."I|I"""I|""""""""""""""""""""""""""""""""I|"%%"
      |             ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Cannot find shortest path to conflict state.Aborted (core dumped)


Credit:

Kaiyu Xie(UCAS)

Bison 3.8: abort "Cannot find shortest path to conflict state" on crafted grammar (core dump)

Reply via email to