Control flow #1

Merged
merged 19 commits into from
Feb 19, 2016

@robrix robrix commented Feb 19, 2016

while/until/if/unless

@robrix robrix changed the title [WIP] Control flow Control flow Feb 19, 2016
robrix added a commit that referenced this pull request Feb 19, 2016
@robrix robrix merged commit 6c013ea into master Feb 19, 2016
@robrix robrix deleted the control-flow branch February 19, 2016 16:42
philipturnbull added a commit that referenced this pull request Jun 30, 2017
isalnum is only defined if the input is in the ASCII range. Nothing bad happens
on mac afaict but will cause an out-of-bounds read on Linux:

```
==11146== ERROR: libFuzzer: deadly signal
    #0 0x649030 in fuzzer::Fuzzer::CrashCallback() /src/libfuzzer/FuzzerLoop.cpp:195:5
    #1 0x648fd9 in fuzzer::Fuzzer::StaticCrashSignalCallback() /src/libfuzzer/FuzzerLoop.cpp:179:6
    #2 0x7f118dd6638f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1138f)
    #3 0x7f118d396d0d in isalnum (/lib/x86_64-linux-gnu/libc.so.6+0x2dd0d)
    #4 0x42d44a in (anonymous namespace)::Scanner::scan_symbol_identifier(TSLexer*) /src/tree-sitter/tree-sitter-ruby/src/scanner.cc:250:12
    #5 0x42be29 in (anonymous namespace)::Scanner::scan(TSLexer*, bool const*) /src/tree-sitter/tree-sitter-ruby/src/scanner.cc:727:18
    #6 0x62eb83 in parser__lex /src/tree-sitter/src/runtime/parser.c:271:30
    #7 0x62a05c in parser__advance /src/tree-sitter/src/runtime/parser.c:1097:21
    #8 0x629789 in parser_parse /src/tree-sitter/src/runtime/parser.c:1298:9
    #9 0x62617d in ts_document_parse_with_options /src/tree-sitter/src/runtime/document.c:136:16
    #10 0x42b053 in LLVMFuzzerTestOneInput /src/tree-sitter/../fuzzer.cc:21:3
    #11 0x64a164 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:460:13
    #12 0x64a4be in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:399:3
    #13 0x63c890 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) /src/libfuzzer/FuzzerDriver.cpp:268:6
    #14 0x64090b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:683:9
    #15 0x63c58c in main /src/libfuzzer/FuzzerMain.cpp:20:10
    #16 0x7f118d38982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #17 0x405928 in _start (/out/ruby_fuzzer+0x405928)
```
philipturnbull added a commit that referenced this pull request Aug 24, 2018
`literal` is a reference to the last element so it is invalidated after we call
`literal.pop_back()`. Use a temporary so we don't use `literal` after it has
been popped:

```
==14==ERROR: AddressSanitizer: container-overflow on address 0x603000000160 at pc 0x00000051bfe2 bp 0x7ffca8ec7980 sp 0x7ffca8ec7978
READ of size 4 at 0x603000000160 thread T0
SCARINESS: 17 (4-byte-read-container-overflow)
    #0 0x51bfe1 in (anonymous namespace)::Scanner::scan_literal_content(TSLexer*) /src/octofuzz/tree-sitter/test/fixtures/grammars/ruby/src/scanner.cc:669:25
    #1 0x51884f in (anonymous namespace)::Scanner::scan(TSLexer*, bool const*) /src/octofuzz/tree-sitter/test/fixtures/grammars/ruby/src/scanner.cc:726:16
    #2 0x66cda7 in ts_parser__lex /src/octofuzz/tree-sitter/src/runtime/parser.c:324:11
```
maxbrunsfeld pushed a commit that referenced this pull request Aug 28, 2018
* Avoid potential use-after-free in regex scanner

`literal` is a reference to the last element so it is invalidated after we call
`literal.pop_back()`. Use a temporary so we don't use `literal` after it has
been popped:

```
==14==ERROR: AddressSanitizer: container-overflow on address 0x603000000160 at pc 0x00000051bfe2 bp 0x7ffca8ec7980 sp 0x7ffca8ec7978
READ of size 4 at 0x603000000160 thread T0
SCARINESS: 17 (4-byte-read-container-overflow)
    #0 0x51bfe1 in (anonymous namespace)::Scanner::scan_literal_content(TSLexer*) /src/octofuzz/tree-sitter/test/fixtures/grammars/ruby/src/scanner.cc:669:25
    #1 0x51884f in (anonymous namespace)::Scanner::scan(TSLexer*, bool const*) /src/octofuzz/tree-sitter/test/fixtures/grammars/ruby/src/scanner.cc:726:16
    #2 0x66cda7 in ts_parser__lex /src/octofuzz/tree-sitter/src/runtime/parser.c:324:11
```

* Simplify regex literal logic
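
The two pitfalls described in the commit messages above, shown as an added C++ example that is not code from this pull request or from the project's scanner: classifying a 32-bit lookahead code point with `isalnum`, and reading a vector element through a reference after `pop_back()`. The names `is_ident_char`, `scan_identifier`, `Literal` and `close_literal` are hypothetical, and the sample inputs are constructed.

```cpp
#include <cctype>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical stand-in for a lexer whose lookahead is a 32-bit code point.
// isalnum() is only defined for EOF and values representable as unsigned
// char, so anything outside the ASCII range is rejected before the call
// instead of being used as an index into the C library's lookup table.
static bool is_ident_char(int32_t c) {
  return c >= 0 && c < 0x80 && (std::isalnum(c) || c == '_');
}

// Count the leading identifier characters in a sequence of code points.
static std::size_t scan_identifier(const std::vector<int32_t> &input) {
  std::size_t n = 0;
  while (n < input.size() && is_ident_char(input[n])) n++;
  return n;
}

// Hypothetical record kept on a stack while scanning nested literals.
struct Literal {
  int32_t close_delimiter;
  bool allows_interpolation;
};

// Pops the innermost literal when `c` closes it and reports, through
// `interp`, whether that literal allowed interpolation. The element is
// copied first: a reference obtained from back() no longer refers to a
// live element once pop_back() has run.
static bool close_literal(std::vector<Literal> &stack, int32_t c, bool *interp) {
  if (stack.empty() || stack.back().close_delimiter != c) return false;
  Literal closed = stack.back();          // copy, not `Literal &`
  stack.pop_back();
  *interp = closed.allows_interpolation;  // reads the copy, not the vector
  return true;
}
```

Building with `-fsanitize=address` and changing `Literal closed` to `Literal &closed` reproduces the class of container-overflow report quoted above.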