From: Ulya Trofimovich
Date: Fri, 18 Nov 2016 16:37:40 +0000 (+0000)
Subject: Skeleton: fixed comparison of transition tags during construction.
X-Git-Tag: 1.0~39^2~223
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=9e63260cebd72183c9401addbf21767edbe39176;p=re2c
Skeleton: fixed comparison of transition tags during construction.
At the time of skeleton construction DFA has just been build and all tags in it are just raw pointers to lists of commands. These pointers are unique for each transition (tags are not shared between transitions). This means, comparing tags for different transitions will always result in 'not equal', except if both transitions have no tags (pointers are NULLs). Found by slyfox's fuzzer. ;)
---
diff --git a/re2c/src/ir/skeleton/skeleton.cc b/re2c/src/ir/skeleton/skeleton.cc
index f2af092d..81aa5bb5 100644
--- a/re2c/src/ir/skeleton/skeleton.cc
+++ b/re2c/src/ir/skeleton/skeleton.cc
@@ -14,6 +14,11 @@ Node::Node()
 , cmd(NULL)
 {}
+static bool same(const tcmd_t &x, const tcmd_t &y)
+{
+ return x.save == y.save && x.copy == y.copy;
+}
+
 void Node::init(const dfa_state_t *s, const charset_t &cs, size_t nil)
 {
 const size_t nc = cs.size() - 1;
@@ -21,7 +26,7 @@ void Node::init(const dfa_state_t *s, const charset_t &cs, size_t nil)
 size_t j = s->arcs[c];
 const tcmd_t &t = s->tcmd[c];
- for (; ++c < nc && s->arcs[c] == j && !s->tcmd[c].save && !s->tcmd[c].copy;);
+ for (; ++c < nc && s->arcs[c] == j && same(s->tcmd[c], t););
 if (j == dfa_t::NIL) j = nil;
 // all arcs go to default node => this node is final
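Review bot: `same()` compares the `save` and `copy` members by pointer identity rather than by the contents of the command lists, and nothing at the definition says so. Per the commit message these pointers are unique per transition at this stage, so for two distinct transitions it returns true only when both are untagged. That holds only while tag lists are unshared; a caller that runs after any sharing or deduplication step would silently get different semantics. A comment above the function would pin the assumption, e.g. `// identity comparison: valid only right after DFA construction, while tag lists are not shared between transitions`, and a narrower name than `same` would discourage reuse as a general equality test.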
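Review bot: The fix for this fuzzer-found miscomparison arrives without a regression input: the patch shown touches only skeleton.cc, so nothing visible here keeps the old `!s->tcmd[c].save && !s->tcmd[c].copy` condition from coming back. Adding the reduced fuzzer case to the test suite would pin the case that changed, where the first arc of a run carries tags and a following arc to the same state does not. Separately, the changed line still ends in `;);`, an empty loop body that is easy to misread; `for (; ++c < nc && s->arcs[c] == j && same(s->tcmd[c], t); ) {}` or a trailing `// empty body` comment would make it explicit. Node::init's body starts and ends outside the hunk, so later uses of `t` could not be checked from here.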