Open
Description
The following are 13 new crashes from an earlier fuzzing campaign.
For the files with the _standalone suffix, the hash does not match, because they had some library dependencies; I have minimized them and removed those dependencies.
Tested using nvc 1.15-devel (6ecfc8f) (Using LLVM 15.0.7) on Ubuntu 22.04.
/work/crashes_nvc_new_2/007d677403eec992d943bcd45b40bcac4d961ab3002e10253a47e93374236e59 :
input buffer overflow, can't enlarge buffer because scanner uses REJECT
/work/crashes_nvc_new_2/0c1d01dd6f3aea51f8b086c4c788132486f2bfe6079eb33e89f4e69d39945bc7 :
nvc: ../src/tree.c:998: tree_t tree_ref(tree_t): Assertion `item->object != NULL' failed.
*** Caught signal 6 (SIGABRT) ***
[0x555555613a59] /nvc/build/../src/util.c:900 signal_handler
--> show_stacktrace();
[0x7ffff0b1351f] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b679fc] (/usr/lib/x86_64-linux-gnu/libc.so.6) pthread_kill
[0x7ffff0b13475] (/usr/lib/x86_64-linux-gnu/libc.so.6) raise
[0x7ffff0af97f2] (/usr/lib/x86_64-linux-gnu/libc.so.6) abort
[0x7ffff0af971a] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b0ae95] (/usr/lib/x86_64-linux-gnu/libc.so.6) __assert_fail
[0x555555727f04] /nvc/build/../src/simp.c:0 simp_tree
[0x55555576c231] /nvc/build/../src/object.c:715 object_rewrite
for (;;) {
--> object_t *new = (*ctx->post_fn[object->tag])(object, ctx->context);
if (new == object || (object = object_rewrite(new, ctx)) == NULL)
[0x55555576bee5] /nvc/build/../src/object.c:779 object_rewrite
object_t *o = object->items[n].object;
--> object->items[n].object = object_rewrite(o, ctx);
object_write_barrier(object, o);
[0x55555576bfdd] /nvc/build/../src/object.c:790 object_rewrite
object_t *o = object->items[n].obj_array->items[i];
--> if ((o = object_rewrite(o, ctx))) {
object_write_barrier(object, o);
[0x5555556b4080] /nvc/build/../src/tree.c:1310 tree_rewrite
--> object_t *result = object_rewrite(&(t->object), &ctx);
free(ctx.cache);
[0x555555750ca5] ../src/simp.c:1810 analyse_file
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
find: '/usr/local/bin/nvc' terminated by signal 6
/work/crashes_nvc_new_2/4458d32c108c23646b56560b972a18c380feb23e29fd65aab776d729952e77c6_standalone :
nvc: ../src/tree.c:998: tree_t tree_ref(tree_t): Assertion `item->object != NULL' failed.
*** Caught signal 6 (SIGABRT) ***
[0x555555613a59] /nvc/build/../src/util.c:900 signal_handler
--> show_stacktrace();
[0x7ffff0b1351f] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b679fc] (/usr/lib/x86_64-linux-gnu/libc.so.6) pthread_kill
[0x7ffff0b13475] (/usr/lib/x86_64-linux-gnu/libc.so.6) raise
[0x7ffff0af97f2] (/usr/lib/x86_64-linux-gnu/libc.so.6) abort
[0x7ffff0af971a] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b0ae95] (/usr/lib/x86_64-linux-gnu/libc.so.6) __assert_fail
[0x555555727f04] /nvc/build/../src/simp.c:0 simp_tree
[0x55555576c231] /nvc/build/../src/object.c:715 object_rewrite
for (;;) {
--> object_t *new = (*ctx->post_fn[object->tag])(object, ctx->context);
if (new == object || (object = object_rewrite(new, ctx)) == NULL)
[0x55555576bee5] /nvc/build/../src/object.c:779 object_rewrite
object_t *o = object->items[n].object;
--> object->items[n].object = object_rewrite(o, ctx);
object_write_barrier(object, o);
[0x55555576bfdd] /nvc/build/../src/object.c:790 object_rewrite
object_t *o = object->items[n].obj_array->items[i];
--> if ((o = object_rewrite(o, ctx))) {
object_write_barrier(object, o);
[0x55555576bfdd] /nvc/build/../src/object.c:790 object_rewrite
object_t *o = object->items[n].obj_array->items[i];
--> if ((o = object_rewrite(o, ctx))) {
object_write_barrier(object, o);
[0x55555576bfdd] /nvc/build/../src/object.c:790 object_rewrite
object_t *o = object->items[n].obj_array->items[i];
--> if ((o = object_rewrite(o, ctx))) {
object_write_barrier(object, o);
[0x5555556b4080] /nvc/build/../src/tree.c:1310 tree_rewrite
--> object_t *result = object_rewrite(&(t->object), &ctx);
free(ctx.cache);
[0x555555750ca5] ../src/simp.c:1810 analyse_file
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
find: '/usr/local/bin/nvc' terminated by signal 6
/work/crashes_nvc_new_2/51c4a1798e1f1aeff3711fc660cc9fa9a06c8ab38777c4fb40e79b23e5682add_standalone :
nvc: ../src/sem.c:4806: _Bool sem_check_port_actual(formal_map_t *, int, tree_t, tree_t, nametab_t *): Assertion `ref != NULL && tree_kind(ref) == T_REF' failed.
*** Caught signal 6 (SIGABRT) ***
[0x555555613a59] /nvc/build/../src/util.c:900 signal_handler
--> show_stacktrace();
[0x7ffff0b1351f] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b679fc] (/usr/lib/x86_64-linux-gnu/libc.so.6) pthread_kill
[0x7ffff0b13475] (/usr/lib/x86_64-linux-gnu/libc.so.6) raise
[0x7ffff0af97f2] (/usr/lib/x86_64-linux-gnu/libc.so.6) abort
[0x7ffff0af971a] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b0ae95] (/usr/lib/x86_64-linux-gnu/libc.so.6) __assert_fail
[0x5555556efcb5] /nvc/build/../src/sem.c:4806 sem_check_port_map
ref = name_to_ref(ref);
--> assert(ref != NULL && tree_kind(ref) == T_REF);
[0x55555568f838] /nvc/build/../src/parse.c:10721 p_component_instantiation_statement
--> sem_check(t, nametab);
pop_scope(nametab);
[0x555555623005] p_concurrent_statement
[0x555555623005] /nvc/build/../src/parse.c:11000 p_concurrent_statement_or_psl
else
--> tree_add_stmt(parent, p_concurrent_statement());
}
[0x55555561fa10] p_architecture_statement_part
[0x55555561fa10] p_architecture_body
[0x55555561fa10] /nvc/build/../src/parse.c:13468 p_secondary_unit
case tARCHITECTURE:
--> p_architecture_body(unit);
break;
[0x55555561a3e3] p_library_unit
[0x55555561a3e3] p_design_unit
[0x55555561a3e3] /nvc/build/../src/parse.c:13610 parse
--> tree_t unit = p_design_unit();
[0x5555557507c7] /nvc/build/../src/common.c:2485 analyse_file
tree_t unit;
--> while (base_errors = error_count(), (unit = parse())) {
if (error_count() == base_errors) {
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
find: '/usr/local/bin/nvc' terminated by signal 6
/work/crashes_nvc_new_2/87be50d057c5d498033f6e63a432d3a1aefbbfd77f8fcfd45c91b54334636c10 :
fatal: tree kind T_PSL does not have item I_FLAGS
/work/crashes_nvc_new_2/8bfa1e5ce26fbc6d552138c413ce92756ca99bc61b002b567256668c4aaf1315 :
fatal: tree kind T_PSL does not have item I_FLAGS
/work/crashes_nvc_new_2/92f257919da203705a3648c0617fd2ccb179689e7ba64d033e7a556e448da488 :
fatal: tree kind T_PSL does not have item I_FLAGS
/work/crashes_nvc_new_2/9618d8b1821db86af1bbce73263f830ebd77f2525a7ed3b1d20439d8fee97e16 :
nvc: ../src/sem.c:4806: _Bool sem_check_port_actual(formal_map_t *, int, tree_t, tree_t, nametab_t *): Assertion `ref != NULL && tree_kind(ref) == T_REF' failed.
*** Caught signal 6 (SIGABRT) ***
[0x555555613a59] /nvc/build/../src/util.c:900 signal_handler
--> show_stacktrace();
[0x7ffff0b1351f] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b679fc] (/usr/lib/x86_64-linux-gnu/libc.so.6) pthread_kill
[0x7ffff0b13475] (/usr/lib/x86_64-linux-gnu/libc.so.6) raise
[0x7ffff0af97f2] (/usr/lib/x86_64-linux-gnu/libc.so.6) abort
[0x7ffff0af971a] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b0ae95] (/usr/lib/x86_64-linux-gnu/libc.so.6) __assert_fail
[0x5555556efcb5] /nvc/build/../src/sem.c:4806 sem_check_port_map
ref = name_to_ref(ref);
--> assert(ref != NULL && tree_kind(ref) == T_REF);
[0x55555568f838] /nvc/build/../src/parse.c:10721 p_component_instantiation_statement
--> sem_check(t, nametab);
pop_scope(nametab);
[0x555555623005] p_concurrent_statement
[0x555555623005] /nvc/build/../src/parse.c:11000 p_concurrent_statement_or_psl
else
--> tree_add_stmt(parent, p_concurrent_statement());
}
[0x55555561fa10] p_architecture_statement_part
[0x55555561fa10] p_architecture_body
[0x55555561fa10] /nvc/build/../src/parse.c:13468 p_secondary_unit
case tARCHITECTURE:
--> p_architecture_body(unit);
break;
[0x55555561a3e3] p_library_unit
[0x55555561a3e3] p_design_unit
[0x55555561a3e3] /nvc/build/../src/parse.c:13610 parse
--> tree_t unit = p_design_unit();
[0x5555557507c7] /nvc/build/../src/common.c:2485 analyse_file
tree_t unit;
--> while (base_errors = error_count(), (unit = parse())) {
if (error_count() == base_errors) {
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
find: '/usr/local/bin/nvc' terminated by signal 6
/work/crashes_nvc_new_2/a04900efaed84ebf347d7c8325e5bf9fd96b67deb31508d4149b17b558e703c0_standalone :
nvc: ../src/sem.c:3312: _Bool sem_check_call_args(tree_t, tree_t, nametab_t *): Assertion `error_count() > 0' failed.
*** Caught signal 6 (SIGABRT) ***
[0x555555613a59] /nvc/build/../src/util.c:900 signal_handler
--> show_stacktrace();
[0x7ffff0b1351f] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b679fc] (/usr/lib/x86_64-linux-gnu/libc.so.6) pthread_kill
[0x7ffff0b13475] (/usr/lib/x86_64-linux-gnu/libc.so.6) raise
[0x7ffff0af97f2] (/usr/lib/x86_64-linux-gnu/libc.so.6) abort
[0x7ffff0af971a] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b0ae95] (/usr/lib/x86_64-linux-gnu/libc.so.6) __assert_fail
[0x5555556c7d41] /nvc/build/../src/sem.c:3312 sem_check_call_args
// resolution
--> assert(error_count() > 0);
return false;
[0x5555556bd615] sem_check_pcall
[0x5555556bd615] /nvc/build/../src/sem.c:7337 sem_check
case T_PROT_PCALL:
--> return sem_check_pcall(t, tab);
case T_ATTR_SPEC:
[0x555555661b83] p_procedure_call_statement
[0x555555661b83] /nvc/build/../src/parse.c:10618 p_sequential_statement
case tPARAMETER:
--> return p_procedure_call_statement(label, name);
[0x55555562cd1f] p_sequence_of_statements
[0x55555562cd1f] /nvc/build/../src/parse.c:8341 p_subprogram_body
--> p_sequence_of_statements(spec);
[0x5555556287ff] /nvc/build/../src/parse.c:13305 p_package_body_declarative_item
else
--> tree_add_decl(parent, p_subprogram_body(spec));
}
[0x555555626f48] p_package_body_declarative_part
[0x555555626f48] /nvc/build/../src/parse.c:13438 p_package_body
--> p_package_body_declarative_part(body);
[0x55555561ec71] /nvc/build/../src/parse.c:13472 p_secondary_unit
case tPACKAGE:
--> p_package_body(unit);
break;
[0x55555561a3e3] p_library_unit
[0x55555561a3e3] p_design_unit
[0x55555561a3e3] /nvc/build/../src/parse.c:13610 parse
--> tree_t unit = p_design_unit();
[0x5555557507c7] /nvc/build/../src/common.c:2485 analyse_file
tree_t unit;
--> while (base_errors = error_count(), (unit = parse())) {
if (error_count() == base_errors) {
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
find: '/usr/local/bin/nvc' terminated by signal 6
/work/crashes_nvc_new_2/b8c6cfce22dd64da3b67f277b7ec3bff6ed67e368dc47c3f7fa91a2b75751fc3_standalone :
nvc: ../src/tree.c:648: type_t tree_type(tree_t): Assertion `item->object != NULL' failed.
*** Caught signal 6 (SIGABRT) ***
[0x555555613a59] /nvc/build/../src/util.c:900 signal_handler
--> show_stacktrace();
[0x7ffff0b1351f] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b679fc] (/usr/lib/x86_64-linux-gnu/libc.so.6) pthread_kill
[0x7ffff0b13475] (/usr/lib/x86_64-linux-gnu/libc.so.6) raise
[0x7ffff0af97f2] (/usr/lib/x86_64-linux-gnu/libc.so.6) abort
[0x7ffff0af971a] (/usr/lib/x86_64-linux-gnu/libc.so.6)
[0x7ffff0b0ae95] (/usr/lib/x86_64-linux-gnu/libc.so.6) __assert_fail
[0x55555567e63c] /nvc/build/../src/parse.c:0 p_formal_parameter_list
[0x55555562b3e4] /nvc/build/../src/parse.c:7161 p_subprogram_specification
if (has_param_list) {
--> p_formal_parameter_list(t, type);
consume(tRPAREN);
[0x555555668ac2] /nvc/build/../src/parse.c:8419 p_process_declarative_item
else {
--> tree_t spec = p_subprogram_specification();
if (peek() == tSEMI)
[0x55555568e2a0] p_process_declarative_part
[0x55555568e2a0] /nvc/build/../src/parse.c:8533 p_process_statement
--> p_process_declarative_part(t);
[0x555555623b3e] p_concurrent_statement
[0x555555623b3e] /nvc/build/../src/parse.c:11000 p_concurrent_statement_or_psl
else
--> tree_add_stmt(parent, p_concurrent_statement());
}
[0x55555561fa10] p_architecture_statement_part
[0x55555561fa10] p_architecture_body
[0x55555561fa10] /nvc/build/../src/parse.c:13468 p_secondary_unit
case tARCHITECTURE:
--> p_architecture_body(unit);
break;
[0x55555561a3e3] p_library_unit
[0x55555561a3e3] p_design_unit
[0x55555561a3e3] /nvc/build/../src/parse.c:13610 parse
--> tree_t unit = p_design_unit();
[0x5555557507c7] /nvc/build/../src/common.c:2485 analyse_file
tree_t unit;
--> while (base_errors = error_count(), (unit = parse())) {
if (error_count() == base_errors) {
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
find: '/usr/local/bin/nvc' terminated by signal 6
/work/crashes_nvc_new_2/da346642705230c6f2c89b7c0a522d1078c44b3d0dfd5fe52e2859212edd2784 :
Kind thunk
Blocks 1
Registers 2
Types 3
Variables 0
Result 0..1
Begin
0: r0 := package init WORK.C00S03B00000P00N00I00000PKG // P<WORK.C00S03B00000P00N00I00000PKG>
r1 := const 0 // 0
fatal: missing constant array element 0
[0x55555584e75d] diag_femit
[0x55555584e75d] /nvc/build/../src/diag.c:1078 diag_emit
const diag_level_t stderr_level = opt_get_int(OPT_STDERR_LEVEL);
--> diag_femit(d, d->level >= stderr_level ? stderr : stdout);
}
[0x555555611081] /nvc/build/../src/util.c:613 fatal_trace
diag_set_consumer(NULL, NULL);
--> diag_emit(d);
fatal_exit(EXIT_FAILURE);
[0x5555557aac9f] /nvc/build/../src/lower.c:3474 lower_const_array_aggregate
vcode_dump();
--> fatal_trace("missing constant array element %d", i);
}
[0x5555557911fb] lower_array_aggregate
[0x5555557911fb] /nvc/build/../src/lower.c:4297 lower_aggregate
else if (type_is_array(type))
--> return lower_array_aggregate(lu, expr, hint);
else
[0x555555778947] /nvc/build/../src/lower.c:5152 lower_expr
case T_AGGREGATE:
--> return lower_aggregate(lu, expr, VCODE_INVALID_VAR);
case T_ARRAY_REF:
[0x55555577ef1b] /nvc/build/../src/lower.c:12907 lower_rvalue
{
--> vcode_reg_t reg = lower_expr(lu, expr, EXPR_RVALUE);
if (reg == VCODE_INVALID_REG)
[0x5555557788d4] lower_qualified
[0x5555557788d4] /nvc/build/../src/lower.c:5170 lower_expr
case T_QUALIFIED:
--> return lower_qualified(lu, expr);
case T_OPEN:
[0x55555577ef1b] /nvc/build/../src/lower.c:12907 lower_rvalue
{
--> vcode_reg_t reg = lower_expr(lu, expr, EXPR_RVALUE);
if (reg == VCODE_INVALID_REG)
[0x555555780909] /nvc/build/../src/lower.c:1266 lower_subprogram_arg
else
--> reg = lower_rvalue(lu, value);
[0x5555557a67ae] /nvc/build/../src/lower.c:2547 lower_fcall
for (int i = 0; i < nparams; i++) {
--> vcode_reg_t arg_reg = lower_subprogram_arg(lu, fcall, i);
APUSH(args, arg_reg);
[0x555555778f6d] /nvc/build/../src/lower.c:5142 lower_expr
case T_PROT_FCALL:
--> return lower_fcall(lu, expr, VCODE_INVALID_REG);
case T_LITERAL:
[0x55555577ef1b] /nvc/build/../src/lower.c:12907 lower_rvalue
{
--> vcode_reg_t reg = lower_expr(lu, expr, EXPR_RVALUE);
if (reg == VCODE_INVALID_REG)
[0x55555584552f] lower_thunk
[0x55555584552f] ../src/lower.c:221 eval_do_fold
[0x55555584502d] /nvc/build/../src/eval.c:260 eval_try_fold
--> tree_t result = eval_do_fold(jit, expr, parent, registry, context);
[0x55555576c231] /nvc/build/../src/object.c:715 object_rewrite
for (;;) {
--> object_t *new = (*ctx->post_fn[object->tag])(object, ctx->context);
if (new == object || (object = object_rewrite(new, ctx)) == NULL)
[0x55555576bee5] /nvc/build/../src/object.c:779 object_rewrite
object_t *o = object->items[n].object;
--> object->items[n].object = object_rewrite(o, ctx);
object_write_barrier(object, o);
[0x55555576bfdd] /nvc/build/../src/object.c:790 object_rewrite
object_t *o = object->items[n].obj_array->items[i];
--> if ((o = object_rewrite(o, ctx))) {
object_write_barrier(object, o);
[0x5555556b4080] /nvc/build/../src/tree.c:1310 tree_rewrite
--> object_t *result = object_rewrite(&(t->object), &ctx);
free(ctx.cache);
[0x555555750ca5] ../src/simp.c:1810 analyse_file
[0x5555555f35b7] analyse
[0x5555555f35b7] /nvc/build/../src/nvc.c:2193 process_command
case 'a':
--> return analyse(argc, argv, state);
case 'e':
[0x5555555f0692] /nvc/build/../src/nvc.c:2355 main
--> const int ret = process_command(argc, argv, &state);
/work/crashes_nvc_new_2/f0cfccae8feeecc7b26d25c107709a99fb0f1d62f901b0430813e84c30f78382 :
fatal: tree kind T_PSL does not have item I_FLAGS
/work/crashes_nvc_new_2/fc2d4e66b3ea007a59d8becdf1e6eb8a8881ff2eb3f90cd5667bf3f19fcc3471 :
find: '/usr/local/bin/nvc' terminated by signal 11