Bug recap
From: apache2
Subject: Bug recap
Date: Sat, 2 Apr 2022 02:19:17 +0200
User-agent: Mutt/1.9.3 (2018-01-21)
Here are some of the bugs my fuzzing turned up that are still open:
1. The parser currently aborts if you give it a token that is longer than 16384 bytes. Examples could be 111...111 [16385 times] (not very likely to turn up in a Poke program) or a string "aaaaaaa...aaaa" (more likely in the real world, I guess). While it might be nice to support long string literals, a more immediate solution to this might be to just report it as a syntax error. That would make it easier for me to sift through future fuzz results, at least. :-)
2. This segfaults:
type x=struct{int[0'size*0**0];}
I don't know why, but it seems to have to do with some sort of optimization?
3. Repeating an operator like > or == or + or whatever more than 32 times triggers an assertion:

(poke)
vm_odepth>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U>0U;
lt-poke: ../../libpoke/pkl-gen.c:2256: pkl_gen_pr_cast: Assertion
`PKL_GEN_PAYLOAD->cur_context < PKL_GEN_MAX_CTX' failed.

Again, I can't think of many cases where you would want this in a normal Poke program, but it would be very nice if we could turn this into a parse error instead of dumping cores.
4. We have a really annoying bug where a syntax error in an expression that involves a function whose body mentions itself results in a double free (according to whichever malloc implementation I ended up with on Debian). I've hit this by hand a few times, so this one might be the most realistic of the bunch. :-)

There seems to be a variant of this where "?! name_of_the_function" inside the function body, followed by a syntax error, results in some other way of crashing, but it looks like the same root cause.

I think this bug is also documented in the bug tracker?