Extremely long SPDX comment results in a segfault

ethereum / solidity

Solidity, the Smart Contract Programming Language

https://soliditylang.org

GNU General Public License v3.0

23.06k stars 5.71k forks source link

Extremely long SPDX comment results in a segfault #12208

Open agroce opened 2 years ago

agroce commented 2 years ago

Description

segfault.zip

The attached contract produces:

../build/solc/solc segfault.sol
Segmentation fault

when compiled with solc

On master, using AFL fuzzing. Another discovery using https://github.com/agroce/afl-compiler-fuzzer

Environment

Compiler version: 0.8.10-develop.2021.10.27+commit.7ebf71f3.Linux.clang
Target EVM version (as per compiler settings): N/A
Framework/IDE (e.g. Truffle or Remix): N/A
EVM execution environment / backend / blockchain client: N/A
Operating system: Ubuntu 20.04 in docker

Steps to Reproduce

Above shows pretty clearly, I think.

cameel commented 2 years ago

Thanks for the report!

Simpler repro:

{
    printf '// SPDX-License-Identifier: '
    for i in {1..29069}; do
        printf x
    done
} | solc -

This started happening on 0.8.8. The original repro has some special chars in it and a contract but the bug seems to be specifically in the SPDX comment parsing and a very long comment is enough to trigger it. In GDB I get an enormous stack trace that just keeps printing. It's somewhere in the C++ regex library. I think it recurses too deeply. Probably the pattern we use is not very efficient and backtracks too much.

For me it starts crashing at exactly 29069 x chars in the comment. I suspect that on different machines the exact limit might be different.

hrkrshnn commented 2 years ago

Nice bug ;)

ekpyron commented 2 years ago

If it's really the regex implementation, we can consider actually pulling in and moving to https://compile-time-regular-expressions.readthedocs.io/ :-). That way we could also speed up the regex patterns in the yul optimizer (during name cleanup)...

cameel commented 2 years ago

I rather suspect catastrophic backtracking. If that's the case then it's the regex itself that's the problem and using a more efficient implementation will only make it require larger input to crash :)

We might switch to a non-backtracking engine (if there's on available) but these typically support a more limited syntax.

Marenz commented 2 years ago

Possibly related or even duplicate: https://github.com/ethereum/solidity/issues/13496

claudioantonio commented 1 week ago

This issue was used to create a Solidity compiler bug bounty that looks for new segfault errors on v0.8.27.

Marenz commented 1 week ago

Possibly already fixed by https://github.com/ethereum/solidity/pull/15209