This nondeterministically underflows _sf_top_ix, causing a segfault:

        http://www.sccs.swarthmore.edu/users/16/mmcconv1/dump/crash.l

The cleanest way to trigger it is:

for i in `jot 1000`
do
        cat crash.l | ./lex -t > /dev/null
done

A backtrace is below.

sf_pop() is the only code that reduces _sf_top_ix. It uses
assert(_sf_top_ix > 0), but that gets removed in the build. Maybe it
should instead include a fatal syntax error, since it implies unbalanced
parens. I don't know why this is nondeterministic, though...

Found with afl. More to come, probably.


Program terminated with signal 11, Segmentation fault.
[...]
583                 if (sf_skip_ws()){
(gdb) bt
#0  0x00000bb0a2436e25 in flexscan () at scan.l:583
#1  0x00000bb0a244120b in yylex () at yylex.c:52
#2  0x00000bb0a242d9cb in yyparse () at parse.c:689
#3  0x00000bb0a2428f40 in readin () at main.c:1446
#4  0x00000bb0a2425cda in flex_main (argc=2, argv=0x7f7ffffc1cd8) at main.c:175
#5  0x00000bb0a2425e58 in main (argc=2, argv=0x7f7ffffc1cd8) at main.c:223
(gdb) p _sf_top_ix
$1 = 18446744073709551615

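The mechanism described above (an assert() that is compiled out, so a pop on an empty stack wraps the unsigned index and the next read goes far out of bounds), as an added example that is not flex's own code or part of the original report. The array layout, the depth limit, the '(' / ')' walk and every name other than sf_pop() and _sf_top_ix (used here without the leading underscore) are assumptions made for illustration; the model shows the assert-only pop, the bare decrement it collapses to under NDEBUG, and a checked pop that reports the unbalanced paren instead.

```c
/* Model of the stack described in the report.  Added example, not flex's
 * own code: the array layout, the depth limit and the '('/')' walk are
 * assumptions made for illustration; only the names sf_pop() and
 * _sf_top_ix (here without the leading underscore) come from the report. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

#define SF_DEPTH 32

static int    sf_stk[SF_DEPTH];  /* one flag word per open group; [0] is the base */
static size_t sf_top_ix;         /* index of the current top entry */

void sf_reset(void) { sf_top_ix = 0; sf_stk[0] = 0; }

int sf_push(int flags) {
    if (sf_top_ix + 1 >= SF_DEPTH) return -1;   /* nesting too deep */
    sf_stk[++sf_top_ix] = flags;
    return 0;
}

/* The guard as reported: assert() is the only check on the way down. */
size_t sf_pop_assert_only(void) {
    assert(sf_top_ix > 0);
    return --sf_top_ix;
}

/* What that function becomes once NDEBUG strips the assert: a bare
 * decrement, which wraps a size_t from 0 to SIZE_MAX. */
size_t sf_pop_release(void) { return --sf_top_ix; }

/* Hardened form: a pop on the base entry means an unmatched ')', so
 * report it for the caller to turn into a fatal syntax error. */
int sf_pop_checked(void) {
    if (sf_top_ix == 0) return -1;
    --sf_top_ix;
    return 0;
}

/* Every later read of sf_stk[sf_top_ix] must pass this; a wrapped index fails. */
int sf_top_valid(void) { return sf_top_ix < SF_DEPTH; }

/* Walk a pattern, pushing on '(' and popping on ')'.  Returns 0 when
 * balanced, 1 on an unclosed group, -1 when the checked pop rejects an
 * unmatched ')', -2 when the release pop left a wrapped index (the point
 * where the real scanner would read far out of bounds), -3 on overflow. */
int scan_groups(const char *pat, int hardened) {
    sf_reset();
    for (; *pat; pat++) {
        if (*pat == '(') {
            if (sf_push(0) < 0) return -3;
        } else if (*pat == ')') {
            if (hardened) {
                if (sf_pop_checked() < 0) return -1;
            } else {
                sf_pop_release();
                if (!sf_top_valid()) return -2;
            }
        }
    }
    return sf_top_ix == 0 ? 0 : 1;
}

int main(void) {
    /* Constructed inputs: one balanced pattern and one with a stray ')'. */
    printf("balanced, release build:  %d\n", scan_groups("(a)(b)", 0));
    printf("stray ')', release build: %d\n", scan_groups("a)", 0));
    printf("stray ')', checked pop:   %d\n", scan_groups("a)", 1));
    sf_reset();
    printf("index after underflow:    %zu\n", sf_pop_release());
    return 0;
}
```

The wrapped value printed on a 64-bit build is the same 18446744073709551615 that gdb shows in the backtrace; the difference is that the model refuses to index the array with it, where the scanner goes on to read sf_stk[_sf_top_ix] and faults.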