public inbox for libabigail@sourceware.org
* [Bug default/30959] New: abidiff segfault with certain regex patterns
From: quic_johmoo at quicinc dot com @ 2023-10-10 16:43 UTC
  To: libabigail

https://sourceware.org/bugzilla/show_bug.cgi?id=30959

            Bug ID: 30959
           Summary: abidiff segfault with certain regex patterns
           Product: libabigail
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: default
          Assignee: dodji at redhat dot com
          Reporter: quic_johmoo at quicinc dot com
                CC: libabigail at sourceware dot org
  Target Milestone: ---

Created attachment 15162
  --> https://sourceware.org/bugzilla/attachment.cgi?id=15162&action=edit
GDB backtrace

When using a regular expression with range-matching in suppressions, abidiff
segfaults with a null dereference.

To reproduce, create a few binaries that have a diff in a structure, but keep
the same size:

% cat test_1.c
struct foo {
        char p[8];
};

int main(void) { return 0; }

% cat test_2.c
struct foo {
        int x;
        char p[4];
};

int main(void) { return 0; }

% gcc -g -fno-eliminate-unused-debug-types -o test_1.o test_1.c
% gcc -g -fno-eliminate-unused-debug-types -o test_2.o test_2.c

Then create the following suppression file (suppr.txt):

[suppress_type]
  type_kind = struct
  has_data_member_inserted_at = offset_of_first_data_member_regexp(.*foo[0-9]?$)

Then, run:
% abidiff --suppr suppr.txt -t test_1.o test_2.o
[1]    16928 segmentation fault  abidiff --suppr suppr.txt -t test_1.o test_2.o

It appears to be related to the range-matching pattern in the regular
expression. If I change the suppressions file to an equivalent one (using \d
instead of [0-9]):

[suppress_type]
  type_kind = struct
  has_data_member_inserted_at = offset_of_first_data_member_regexp(.*foo\d?$)

...abidiff works correctly:

% abidiff --suppr suppr.txt -t test_1.o test_2.o
Functions changes summary: 0 Removed, 0 Changed, 0 Added function
Variables changes summary: 0 Removed, 0 Changed, 0 Added variable
Unreachable types summary: 0 removed, 1 changed, 0 added type

1 changed type unreachable from any public interface:

  [C] 'struct foo' changed:
    type size hasn't changed
    1 data member insertion:
      'int x', at offset 0 (in bits) at test_2.c:2:1
    1 data member change:
      type of 'char p[8]' changed:
        type name changed from 'char[8]' to 'char[4]'
        array type size changed from 64 to 32
        array type subrange 1 changed length from 8 to 4
      and offset changed from 0 to 32 (in bits) (by +32 bits)

I've attached a GDB backtrace I captured in the failure case.

All I can gather is that in the failure case, the following line in
abg-suppression.cc is returning a NULL fn_call.

ini::function_call_expr_sptr fn_call = b->as_function_call_expr();

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug default/30959] abidiff segfault with certain regex patterns
From: dodji at redhat dot com @ 2023-10-11 11:06 UTC
  To: libabigail

https://sourceware.org/bugzilla/show_bug.cgi?id=30959

dodji at redhat dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2023-10-11
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |ASSIGNED



* [Bug default/30959] abidiff segfault on function call expression considered malformed
From: dodji at redhat dot com @ 2023-10-11 11:24 UTC
  To: libabigail

https://sourceware.org/bugzilla/show_bug.cgi?id=30959

dodji at redhat dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|abidiff segfault with       |abidiff segfault on
                   |certain regex patterns      |function call expression
                   |                            |considered malformed

--- Comment #1 from dodji at redhat dot com ---
This issue should be fixed by the



* [Bug default/30959] abidiff segfault on function call expression considered malformed
From: dodji at redhat dot com @ 2023-10-11 12:10 UTC
  To: libabigail

https://sourceware.org/bugzilla/show_bug.cgi?id=30959

dodji at redhat dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #2 from dodji at redhat dot com ---
Whoops, I hit the wrong button in my previous comment, sorry.

So, strictly speaking, this should be fixed by the patch applied to the master
branch at https://inbox.sourceware.org/libabigail/87wmvtpdsl.fsf@redhat.com.

A subsequent patch applied to the master branch at
https://inbox.sourceware.org/libabigail/87sf6hpdoz.fsf@redhat.com/ makes the
regular expression passed as argument to the function call expression, as in
"offset_of_first_data_member_regexp(.*foo[0-9]?$)", be considered valid. Without
that patch, the parser was wrongly considering the characters '[' and ']' as
needing to be escaped.

The fix should be available in the libabigail 2.4 version.

Thanks for reporting this problem and sorry for the inconvenience.

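The two messages above describe the shape of the crash: the suppression property value is parsed as a "name(argument)" function-call expression, the pre-fix parser rejected the regex metacharacters '[' and ']' inside the argument, as_function_call_expr() then returned a null pointer, and abidiff dereferenced it. The following is an added example written for this archive, not libabigail's own code: a hypothetical minimal parser for that call syntax that accepts any characters in the argument, and a hypothetical evaluation routine that checks the parse result for null before use, so a malformed property value is reported instead of crashing. The names function_call_expr, parse_function_call, evaluate_inserted_at and eval_result are assumptions of this example; the suppression value and the type name "foo" it is matched against are taken from the report.

```cpp
// Added example, not libabigail code: a minimal parser for the
// "name(argument)" function-call syntax used on the right-hand side of
// suppression properties, and a caller that checks its result for null.
#include <cctype>
#include <cstddef>
#include <memory>
#include <regex>
#include <string>

// Hypothetical stand-in for libabigail's ini::function_call_expr.
struct function_call_expr {
    std::string name;      // e.g. offset_of_first_data_member_regexp
    std::string argument;  // raw text between the parentheses
};
using function_call_expr_sptr = std::shared_ptr<function_call_expr>;

// Parse "name(argument)". Returns nullptr for anything malformed, which is
// the situation the reporter hit: as_function_call_expr() handed back a null
// pointer that was then dereferenced. The argument is taken verbatim up to
// the last ')', so regex metacharacters such as '[' and ']' (the characters
// the pre-fix parser wrongly rejected) need no escaping here.
function_call_expr_sptr parse_function_call(const std::string& text) {
    std::size_t i = 0;
    while (i < text.size() && std::isspace(static_cast<unsigned char>(text[i]))) ++i;

    // Identifier: [A-Za-z_][A-Za-z0-9_]*
    const std::size_t name_start = i;
    while (i < text.size() &&
           (std::isalnum(static_cast<unsigned char>(text[i])) || text[i] == '_'))
        ++i;
    if (i == name_start || std::isdigit(static_cast<unsigned char>(text[name_start])))
        return nullptr;
    const std::string name = text.substr(name_start, i - name_start);

    if (i >= text.size() || text[i] != '(') return nullptr;
    const std::size_t open = i;
    const std::size_t close = text.find_last_of(')');
    if (close == std::string::npos || close <= open) return nullptr;

    // Only whitespace may follow the closing parenthesis.
    for (std::size_t j = close + 1; j < text.size(); ++j)
        if (!std::isspace(static_cast<unsigned char>(text[j]))) return nullptr;

    auto expr = std::make_shared<function_call_expr>();
    expr->name = name;
    expr->argument = text.substr(open + 1, close - open - 1);
    return expr;
}

// Outcome of evaluating a has_data_member_inserted_at property value.
enum class eval_result { matched, not_matched, malformed };

// Hypothetical evaluation of
//   has_data_member_inserted_at = offset_of_first_data_member_regexp(<regex>)
// against a type name. The null check is the point: a malformed property
// value becomes a reported error rather than a crash in abidiff.
eval_result evaluate_inserted_at(const std::string& property_value,
                                 const std::string& type_name) {
    function_call_expr_sptr fn_call = parse_function_call(property_value);
    if (!fn_call)  // parse failure: never dereference a null result
        return eval_result::malformed;
    if (fn_call->name != "offset_of_first_data_member_regexp")
        return eval_result::malformed;
    try {
        // ECMAScript grammar: both [0-9] and \d from the report are valid.
        const std::regex re(fn_call->argument);
        return std::regex_search(type_name, re) ? eval_result::matched
                                                : eval_result::not_matched;
    } catch (const std::regex_error&) {
        return eval_result::malformed;  // argument is not a usable regex
    }
}
```

With this structure the reporter's value "offset_of_first_data_member_regexp(.*foo[0-9]?$)" parses, its argument is handed to the regex engine unchanged, and a truncated or otherwise malformed value yields eval_result::malformed from the null path instead of a segfault.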

* [Bug default/30959] abidiff segfault on function call expression considered malformed
From: quic_johmoo at quicinc dot com @ 2023-10-11 17:24 UTC
  To: libabigail

https://sourceware.org/bugzilla/show_bug.cgi?id=30959

--- Comment #3 from John Moon <quic_johmoo at quicinc dot com> ---
Thank you Dodji for the quick response! I just tested the fix and can
cross-confirm the segfault issue is fixed on master.

