yacc(1) causes a fault -- "fault VA = 0xa5a5a5b1"
Dan Nelson
dnelson at allantgroup.com
Wed May 9 18:54:11 UTC 2007
In the last episode (May 09), Scott Long said:
> Wojciech A. Koszek wrote:
> > Hi,
> > I have a file:
> > http://people.freebsd.org/~wkoszek/traces/grammar.y
> > I run this command:
> > yacc -d -o grammar.c grammar.y
> > While I get a following warning on RELENG_6 machines:
> > $ yacc -d -o grammar.c grammar.y
> > yacc: w - line 36 of "grammar.y", the default action assigns an
> > undefined value to $$
> > yacc: w - the symbol NUMBER is undefined
> > On various -CURRENT boxes I see:
> > $ yacc -d -o grammar.c grammar.y
> > fatal process exception: page fault, fault VA = 0xa5a5a5b1
> > zsh: segmentation fault (core dumped) yacc -d -o grammar.c grammar.y
> > Sounds like a regression in malloc(3) ?
> > Thanks,
>
> No, that looks like a use-after-free, with malloc filling the freed
> memory with trash. It's a debugging option that is turned off in
> RELENG_N branches and left on in HEAD, for precisely this reason.
HEAD fills memory with 0xa5 on malloc, and 0x5a on free, so it's
actually a "use-before-set". I can get it to core on 6.x too by
setting MALLOC_OPTIONS=J. valgrind (with MALLOC_OPTIONS=j) says:
==52609== Conditional jump or move depends on uninitialised value(s)
==52609== at 0x8052B40: end_rule (reader.c:1260)
==52609== by 0x805393C: read_grammar (reader.c:1621)
==52609== by 0x80546C4: reader (reader.c:1926)
==52609== by 0x804C3DB: main (main.c:434)
--
Dan Nelson
dnelson at allantgroup.com
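The reasoning above (0xa5-filled memory means the pointer was read before it was ever set, 0x5a would have meant use-after-free) can be turned into a small reproducible demo. The C below is an added example, not code from yacc, reader.c or FreeBSD's malloc: it emulates the HEAD/MALLOC_OPTIONS=J fill patterns in a wrapper allocator so the behaviour is the same on any libc, uses a hypothetical `struct rule` (not the real reader.c layout) whose constructor forgets one field, and classifies a fault address such as 0xa5a5a5b1 by pattern and field offset the way Dan does by eye.

```c
/* Added example: reproduce the "use-before-set" that malloc junk filling
 * exposes, and decode a fault VA like 0xa5a5a5b1 into pattern + offset.
 * The allocator wrapper and struct rule are constructed for this demo. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JUNK_ALLOC 0xa5   /* HEAD fills fresh allocations with this byte */
#define JUNK_FREE  0x5a   /* and freed memory with this one */

/* Emulation of MALLOC_OPTIONS=J: every new block is filled with 0xa5.
 * Drop the memset (MALLOC_OPTIONS=j) and valgrind reports the read instead. */
static void *junk_malloc(size_t n)
{
    void *p = malloc(n);
    if (p != NULL)
        memset(p, JUNK_ALLOC, n);
    return p;
}

/* Hypothetical grammar rule record; field order chosen so that 'next'
 * sits at a non-zero offset, as a real fault address would reflect. */
struct rule {
    int lhs;
    int nrhs;
    struct rule *next;
};

/* Buggy constructor: never touches next. On an allocator that hands out
 * zeroed pages it is NULL by luck; with junk fill it is 0xa5a5a5a5... */
static struct rule *new_rule_buggy(int lhs)
{
    struct rule *r = junk_malloc(sizeof *r);
    if (r == NULL)
        return NULL;
    r->lhs = lhs;
    r->nrhs = 0;
    return r;
}

/* Fixed constructor: every field initialised explicitly. */
static struct rule *new_rule_fixed(int lhs)
{
    struct rule *r = junk_malloc(sizeof *r);
    if (r == NULL)
        return NULL;
    r->lhs = lhs;
    r->nrhs = 0;
    r->next = NULL;
    return r;
}

/* 1 if the bytes of r->next are entirely the allocation fill pattern,
 * i.e. the field was read before anything was stored in it. */
static int next_is_alloc_junk(const struct rule *r)
{
    unsigned char pat[sizeof r->next];
    memset(pat, JUNK_ALLOC, sizeof pat);
    return memcmp(&r->next, pat, sizeof pat) == 0;
}

static int buggy_leaves_next_junk(void)
{
    struct rule *r = new_rule_buggy(1);
    int junk = r != NULL && next_is_alloc_junk(r);
    free(r);
    return junk;
}

static int fixed_leaves_next_junk(void)
{
    struct rule *r = new_rule_fixed(1);
    int junk = r != NULL && next_is_alloc_junk(r);
    free(r);
    return junk;
}

/* Build the pointer value a junk-filled field would hold for the given
 * pointer width (4 on the i386 box in the report, 8 on amd64). */
static uintptr_t fill_pointer(unsigned char byte, size_t width)
{
    uintptr_t v = 0;
    for (size_t i = 0; i < width; i++)
        v = (v << 8) | byte;
    return v;
}

/* Fault VA = junk pointer + offset of the field that was dereferenced.
 * Returns 'A' (alloc junk: use-before-set), 'F' (free junk: use-after-free)
 * or 0 when the address is not within 256 bytes above either pattern. */
static int fault_pattern(uintptr_t va, size_t width)
{
    if (width > sizeof(uintptr_t))
        return 0;
    if (va - fill_pointer(JUNK_ALLOC, width) < 256)
        return 'A';
    if (va - fill_pointer(JUNK_FREE, width) < 256)
        return 'F';
    return 0;
}

/* Field offset within the struct that was dereferenced, or -1. */
static int fault_offset(uintptr_t va, size_t width)
{
    int kind = fault_pattern(va, width);
    if (kind == 'A')
        return (int)(va - fill_pointer(JUNK_ALLOC, width));
    if (kind == 'F')
        return (int)(va - fill_pointer(JUNK_FREE, width));
    return -1;
}

int main(void)
{
    printf("buggy constructor leaves next as alloc junk: %d\n", buggy_leaves_next_junk());
    printf("fixed constructor leaves next as alloc junk: %d\n", fixed_leaves_next_junk());
    printf("fault VA 0xa5a5a5b1: pattern %c, field offset %d\n",
           fault_pattern(0xa5a5a5b1u, 4), fault_offset(0xa5a5a5b1u, 4));
    return 0;
}
```

For 0xa5a5a5b1 the classifier answers 'A' with offset 12: a 32-bit pointer full of the allocation fill, plus a field 12 bytes into whatever it was supposed to point at, which is exactly the "use-before-set, not use-after-free" distinction made in the reply. Running the same binary under valgrind with the memset removed from `junk_malloc` turns the crash into a "Conditional jump or move depends on uninitialised value(s)" report at `next_is_alloc_junk`, mirroring the reader.c:1260 trace.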