In the last episode (May 09), Scott Long said:
> Wojciech A. Koszek wrote:
> > Hi,
> >
> > I have a file:
> >
> > http://people.freebsd.org/~wkoszek/traces/grammar.y
> >
> > I run this command:
> >
> > yacc -d -o grammar.c grammar.y
> >
> > While I get the following warning on RELENG_6 machines:
> >
> > $ yacc -d -o grammar.c grammar.y
> > yacc: w - line 36 of "grammar.y", the default action assigns an
> > undefined value to $$
> > yacc: w - the symbol NUMBER is undefined
> >
> > On various -CURRENT boxes I see:
> >
> > $ yacc -d -o grammar.c grammar.y
> > fatal process exception: page fault, fault VA = 0xa5a5a5b1
> > zsh: segmentation fault (core dumped)  yacc -d -o grammar.c grammar.y
> >
> > Sounds like a regression in malloc(3) ?
> >
> > Thanks,
>
> No, that looks like a use-after-free, with malloc filling the freed
> memory with trash. It's a debugging option that is turned off in
> RELENG_N branches and left on in HEAD, for precisely this reason.

HEAD fills memory with 0xa5 on malloc, and 0x5a on free, so it's actually a
"use-before-set". I can get it to core on 6.x too by setting
MALLOC_OPTIONS=J. valgrind (with MALLOC_OPTIONS=j) says:

==52609== Conditional jump or move depends on uninitialised value(s)
==52609==    at 0x8052B40: end_rule (reader.c:1260)
==52609==    by 0x805393C: read_grammar (reader.c:1621)
==52609==    by 0x80546C4: reader (reader.c:1926)
==52609==    by 0x804C3DB: main (main.c:434)

-- 
Dan Nelson
dnelson_at_allantgroup.com

Received on Wed May 09 2007 - 16:54:11 UTC
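An added C example, not from the thread or from yacc, illustrating the diagnostic Dan uses above: a malloc wrapper that fills fresh memory with 0xa5 and freed memory with 0x5a (what HEAD's malloc does with MALLOC_OPTIONS=J), and a helper that reads a faulting address's fill pattern to tell a use-before-set from a use-after-free. The `struct rule` with its never-assigned `action` field is a constructed stand-in for the real reader.c data structures, not taken from the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Fill bytes matching FreeBSD HEAD's malloc debugging (MALLOC_OPTIONS=J):
 * fresh allocations are filled with 0xa5, freed memory with 0x5a. */
#define JUNK_ALLOC 0xa5
#define JUNK_FREE  0x5a

static void *junk_malloc(size_t n) {
    void *p = malloc(n);
    if (p) memset(p, JUNK_ALLOC, n);   /* junk-fill, as HEAD's malloc does */
    return p;
}

static void junk_free(void *p, size_t n) {
    if (p) memset(p, JUNK_FREE, n);    /* poison before releasing */
    free(p);
}

/* Constructed stand-in for a yacc rule record; `action` is never assigned. */
struct rule { int lhs; char *action; };

/* Returns 1 if the unset pointer field is entirely alloc-junk (0xa5 bytes),
 * i.e. what a use-before-set dereference would fault on under junk-fill. */
int unset_field_is_alloc_junk(void) {
    struct rule *r = junk_malloc(sizeof *r);
    if (!r) return 0;
    r->lhs = 1;                        /* only this field is initialised */
    unsigned char bytes[sizeof r->action];
    memcpy(bytes, &r->action, sizeof bytes);   /* read raw bytes, no UB */
    int hit = 1;
    for (size_t i = 0; i < sizeof bytes; i++)
        if (bytes[i] != JUNK_ALLOC) hit = 0;
    junk_free(r, sizeof *r);
    return hit;
}

/* Classify a 32-bit faulting address by the pattern in its upper three bytes
 * (the low byte may carry a struct-member offset, e.g. 0xa5a5a5b1 = pattern +
 * 0x0c). Returns "use-before-set", "use-after-free" or "other". */
const char *classify_fault(uint32_t va) {
    int all_alloc = 1, all_free = 1;
    for (int shift = 8; shift < 32; shift += 8) {
        unsigned b = (va >> shift) & 0xff;
        if (b != JUNK_ALLOC) all_alloc = 0;
        if (b != JUNK_FREE) all_free = 0;
    }
    if (all_alloc) return "use-before-set";
    if (all_free) return "use-after-free";
    return "other";
}
```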