Number: 1442
Title: Segmentation fault with large number of nested brackets
Submitter: Marcus Granado
Date: Fri Sep 19 06:22:22 2008
Subsys: Dot
Version: 2.16
System: *-*-
Severity: critical
Problem:
I was using graphviz dot 2.16-3ubuntu2 to parse huge graphs, and one of them segfaulted dot.

The graph had a deep nested structure, and it seems that dot wasn't able to cope with that. The attached example is the minimal dot file that triggers the problem.
Input:

//usage: 'dot -Tsvg bracketbug-graphviz.dot'
//output: Segmentation fault

digraph "bracketbug_outputs_segmentationfault" {

node [label="a"] "b" -> {
//33 brackets are fine, but
//34 brackets trigger crash
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}

}
}
Comments:
[ellson] I can reproduce this with:

digraph "bracketbug_outputs_segmentationfault" {
node [label="a"]
"b" -> {
//33 brackets are fine, but
//34 brackets trigger crash
{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{{c}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
}
}

-Tsvg isn't needed for the crash to occur.

It crashes with or without the 'c', although without it, it crashes in a different place, on an agstrfree("").


Program received signal SIGSEGV, Segmentation fault.
0x0000000000000013 in ?? ()
(gdb) where
#0  0x0000000000000013 in ?? ()
#1  0x00007ffff7df7f95 in agstrdup (s=0x611aa0 "c") at refstr.c:83
#2  0x00007ffff7df63b3 in aglex () at lexer.c:440
#3  0x00007ffff7df7765 in agparse () at y.tab.c:1618
#4  0x00007ffff7df56d5 in agread (fp=<value optimized out>) at graphio.c:71
#5  0x000000000013fdcf in gvNextInputGraph (gvc=0x6032e0) at input.c:467
#6  0x0000000000400c68 in main (argc=<value optimized out>,
   argv=0x7fffffffde68) at dot.c:175

Nothing obvious right there.

[north] I would hazard a guess that this is due to the declaration of Gstack[32] in lib/graph/parser.y

At least a warning should be generated in push_subg(). Also this structure could be malloced.

In the new graph library, we don't have this design flaw.

[ellson] So this is a Won't Fix, because the imminent cgraph will fix it. Is that OK ?

[north] Well, maybe worth a fix since it's trivial to malloc/realloc and "imminent" involves a lot of coding we have never done before.
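Added example, not Graphviz code and not its real parser: a subgraph stack that grows with malloc/realloc in place of a fixed Gstack[32], as north suggests, plus a brace walker that rebuilds the report's input so the 33- and 34-brace cases can be compared. All function and type names here are hypothetical.

```c
/* Added example, not Graphviz code: the parser's subgraph stack as a growable
 * array instead of a fixed Gstack[32]. All names here are hypothetical. */
#include <stdlib.h>
#include <string.h>
typedef struct { int *items; size_t len, cap; } SubgStack;
/* Push one open subgraph; 32 is now only the initial capacity, and a failed
 * realloc is reported instead of writing past the end of the array. */
static int push_subg(SubgStack *st, int marker) {
    if (st->len == st->cap) {
        size_t ncap = st->cap ? 2 * st->cap : 32;
        int *n = realloc(st->items, ncap * sizeof *n);
        if (!n) return -1;
        st->items = n;
        st->cap = ncap;
    }
    st->items[st->len++] = marker;
    return 0;
}
/* Pop the innermost subgraph; -1 signals an unmatched '}'. */
static int pop_subg(SubgStack *st) { return st->len ? st->items[--st->len] : -1; }

/* Walk DOT text, pushing on '{' and popping on '}', skipping quoted IDs and
 * // comments. Returns the deepest nesting, or -1 on imbalance or failed push. */
int max_subgraph_depth(const char *src) {
    SubgStack st = { NULL, 0, 0 };
    int max = 0, err = 0;
    for (const char *p = src; *p && !err; p++) {
        if (*p == '"') {                              /* quoted ID */
            while (*++p && *p != '"') if (*p == '\\' && p[1]) p++;
            if (!*p) break;                           /* unterminated string */
        } else if (*p == '/' && p[1] == '/') {        /* line comment */
            while (p[1] && p[1] != '\n') p++;
        } else if (*p == '{') {
            if (push_subg(&st, (int)st.len)) err = 1;
            else if ((int)st.len > max) max = (int)st.len;
        } else if (*p == '}' && pop_subg(&st) < 0) err = 1;
    }
    free(st.items);
    return (err || st.len) ? -1 : max;               /* st.len != 0: unclosed '{' */
}

/* Rebuild the report's input with n nested braces around "c" and measure it. */
int report_depth(int n) {
    const char *head = "digraph \"bracketbug\" {\nnode [label=\"a\"]\n\"b\" -> {\n";
    char *buf = n < 0 ? NULL : malloc(strlen(head) + 2 * (size_t)n + 8), *q;
    if (!buf) return -1;
    strcpy(buf, head); q = buf + strlen(head);
    memset(q, '{', (size_t)n); q[n] = 'c'; memset(q + n + 1, '}', (size_t)n);
    strcpy(q + 2 * n + 1, "\n}\n}\n");
    int d = max_subgraph_depth(buf); free(buf);
    return d;
}
```

With the growable stack, report_depth(33) and report_depth(34) return 35 and 36 rather than one of them crashing; the walker also rejects unbalanced input instead of misbehaving on it.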
Owner: *
Status: *