microsoft / Trieste

A term rewriting system for experimental programming language development.
MIT License

Fuzzer failure: segfault in yaml_fuzz_to_json, seed 1597729744 #125

Open fhackett opened 5 months ago

fhackett commented 5 months ago

This came up in an unrelated CI run.

From cursory investigation, the segfault happens deep inside snmalloc, while doing the seemingly harmless action of allocating a synthetic SourceDef, as of commit 917938ee73880db75efe738d39d5667566abd8f8.

I don't know what it means, and it will require either someone with more knowledge of snmalloc, or just a deeper investigation.

For convenience, here is my VSCode debug definition (your exact folder structure/args may vary, but know at least that this reproduces the problem on my machine):

{
  "type": "lldb",
  "request": "launch",
  "name": "yaml_fuzzer to_json",
  "program": "${workspaceFolder}/out/build/debug-clang/parsers/test/yaml_fuzzer",
  "args": ["to_json", "-s", "1597729744", "-f"],
  "cwd": "${workspaceFolder}"
}
mjp41 commented 5 months ago

Can you run with ASan enabled? If you break inside snmalloc, then you probably have a memory safety bug.

fhackett commented 5 months ago

I did that, and it seems this is a stack overflow in Wellformed::gen_node.

A little less scary than an allocator bug, at least. Thanks for the pointer.

I can investigate this later, unless someone gets to it first.
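
Added illustration, not code from Trieste or from anyone in this thread: a seed-driven recursive node generator with an explicit depth budget, the kind of guard that stops a fuzzer seed from recursing until the stack overflows. The names (`Gen`, `gen_node`, `max_depth`, `gen_height`) are hypothetical stand-ins and say nothing about how Trieste's own `Wellformed::gen_node` is written; the seeds are only the ones quoted in this issue, used as inputs.

```cpp
// Added example (hypothetical, not Trieste code): a seeded, recursive
// tree generator with a recursion budget so that no seed can drive it
// into a stack overflow.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <random>
#include <vector>

struct Node {
  std::vector<std::unique_ptr<Node>> children;
};

// Generator state: a seeded PRNG plus the maximum recursion depth.
struct Gen {
  std::mt19937 rng;
  std::size_t max_depth;
  Gen(std::uint32_t seed, std::size_t max_depth_)
    : rng(seed), max_depth(max_depth_) {}

  // Without the `depth >= max_depth` check, a seed whose random stream
  // keeps choosing "add children" recurses without bound. The resulting
  // crash surfaces wherever the next stack frame happens to be pushed,
  // frequently inside the allocator called to build the child node,
  // which is why an unbounded generator can look like an allocator bug.
  std::unique_ptr<Node> gen_node(std::size_t depth = 0) {
    auto n = std::make_unique<Node>();
    if (depth >= max_depth) return n;          // budget exhausted: emit a leaf
    std::uniform_int_distribution<int> fanout(0, 3);
    int k = fanout(rng);
    for (int i = 0; i < k; ++i)
      n->children.push_back(gen_node(depth + 1));
    return n;
  }
};

// Height of a tree (number of edges on the longest root-to-leaf path).
std::size_t height(const Node& n) {
  std::size_t h = 0;
  for (const auto& c : n.children) h = std::max(h, height(*c) + 1);
  return h;
}

// Generates a tree for `seed` and returns its height. The depth budget
// guarantees the result never exceeds `max_depth`, whatever the seed.
std::size_t gen_height(std::uint32_t seed, std::size_t max_depth) {
  Gen g(seed, max_depth);
  auto root = g.gen_node();
  return height(*root);
}

int main() {
  // Seeds quoted in this issue, used here only as sample inputs.
  const std::uint32_t seeds[] = {1597729744u, 4228657190u, 1707913749u, 2943010191u};
  for (auto s : seeds) (void)gen_height(s, 12);
  return 0;
}
```

Building a generator like this with `-fsanitize=address` turns a stack overflow from an opaque segfault into an explicit AddressSanitizer stack-overflow report with a backtrace that names the recursing function, which is the diagnostic step that separated this issue from a real snmalloc bug.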

fhackett commented 3 months ago

Another sighting in the #131 PR build. Seed was 4228657190.

fhackett commented 3 months ago

Another sighting in the #130 PR build. Seed was 1707913749.

fhackett commented 3 months ago

Another sighting in the #130 PR build. Seed was 2943010191.