All crashes are due to a nil dereference in line 137 of execute.c. Shortest test case to date:
$ printf '1L1\n+1||||1\n' | bc
(standard_in) 1: illegal character: L
(standard_in) 1: syntax error
Segmentation fault (core dumped)
$ gdb ./bc ./core
[...]
Program terminated with signal SIGSEGV, Segmentation fault.
#0  0x0000000000404c7a in execute () at execute.c:137
137	      pc.pc_addr = gp->l_adrs[l_off];
(gdb) bt
#0  0x0000000000404c7a in execute () at execute.c:137
#1  0x0000000000407f15 in run_code () at util.c:309
#2  0x0000000000401cf6 in yyparse () at bc.y:135
#3  0x0000000000401203 in main (argc=1, argv=0x7fff0e5cc9d8) at main.c:259
(gdb) list
132	          || (inst == 'Z' && !c_code)) {
133	        gp = functions[pc.pc_func].f_label;
134	        l_gp = label_num >> BC_LABEL_LOG;
135	        l_off = label_num % BC_LABEL_GROUP;
136	        while (l_gp-- > 0) gp = gp->l_next;
137	        pc.pc_addr = gp->l_adrs[l_off];
138	      }
139	      break;
140	
141	    case 'C' : /* Call a function. */
(gdb) print pc.pc_func
$1 = 0
(gdb) print functions[pc.pc_func]
$2 = {f_defined = 0 '\000', f_void = 0 '\000', f_body = 0xfca730 "1B\001", f_body_size = 1024, f_code_size = 11, f_label = 0x0, f_params = 0x0, f_autos = 0x0}
(gdb) print gp
$1 = (bc_label_group *) 0x0
(gdb)

So... it seems like the lexer/parser is leaving junk on the state machine input after the syntax error/illegal character error, which then tries a branch instruction to somewhere that cannot exist. Tempting to say "fail hard on the first error", but this wouldn't be appropriate in the interactive usage scenario and the crash also occurs there.
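Added illustration, not bc's code and not from the reporter: a model of the label lookup quoted from execute.c lines 133-137, beside a checked variant that reports a missing label instead of dereferencing a NULL label group. The struct layout, the constant values and the fixture functions are assumptions made for this example.

```c
/* Added example modelling the branch-label lookup from the gdb listing.
 * bc_label_group/bc_function layout and BC_LABEL_* values are assumed. */
#include <stddef.h>

#define BC_LABEL_LOG   6                     /* assumed: 64 labels per group */
#define BC_LABEL_GROUP (1 << BC_LABEL_LOG)

typedef struct bc_label_group {
    int l_adrs[BC_LABEL_GROUP];              /* code addresses in this group */
    struct bc_label_group *l_next;           /* next group, or NULL */
} bc_label_group;

typedef struct { char f_defined; bc_label_group *f_label; } bc_function;

/* Unchecked lookup mirroring the crashing code: gp is dereferenced blindly,
 * so f_label == NULL (as printed by gdb) is a SIGSEGV. */
static int lookup_label_unchecked(const bc_function *f, int label_num)
{
    const bc_label_group *gp = f->f_label;
    int l_gp  = label_num >> BC_LABEL_LOG;
    int l_off = label_num % BC_LABEL_GROUP;
    while (l_gp-- > 0) gp = gp->l_next;
    return gp->l_adrs[l_off];
}

/* Checked lookup: 0 on success, -1 when the function has no label table or
 * the label number lies beyond the allocated groups. */
static int lookup_label_checked(const bc_function *f, int label_num, int *addr)
{
    const bc_label_group *gp = f->f_label;
    int l_gp  = label_num >> BC_LABEL_LOG;
    int l_off = label_num % BC_LABEL_GROUP;
    if (label_num < 0 || gp == NULL) return -1;
    while (l_gp-- > 0) {
        gp = gp->l_next;
        if (gp == NULL) return -1;           /* walked past the last group */
    }
    *addr = gp->l_adrs[l_off];
    return 0;
}

/* Fixtures (constructed): the undefined function from the report, a label in
 * a second group, and a label past the only group. */
static int demo_undefined_label(void)
{
    bc_function f = { 0, NULL }; int addr = -1;
    return lookup_label_checked(&f, 0, &addr);           /* -1, no crash */
}
static int demo_defined_label(void)
{
    static bc_label_group g1 = { {0}, NULL }, g0 = { {0}, &g1 };
    bc_function f = { 1, &g0 }; int addr = -1;
    g1.l_adrs[1] = 42;                                   /* label 65 -> 42 */
    if (lookup_label_checked(&f, BC_LABEL_GROUP + 1, &addr) != 0) return -1;
    return addr == lookup_label_unchecked(&f, BC_LABEL_GROUP + 1) ? addr : -2;
}
static int demo_missing_group(void)
{
    static bc_label_group g0 = { {0}, NULL };
    bc_function f = { 1, &g0 }; int addr = -1;
    return lookup_label_checked(&f, BC_LABEL_GROUP, &addr); /* -1 */
}
```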