This repository was archived by the owner on Jan 29, 2025. It is now read-only.
This repository was archived by the owner on Jan 29, 2025. It is now read-only.
WGSL front end crashes on malformed input #90
Description
Minimal reproduction: feed the WGSL parser the following string:
"\"\u{2}ПЀ\u{0}\""
Leads to the following panic in wgsl::lex::consume_token:
thread '<unnamed>' panicked at 'byte index 4 is not a char boundary; it is inside 'Ѐ' (bytes 3..5) of `ПЀ"`', /home/gabriel/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/str/mod.rs:1987:47
stack backtrace:
0: backtrace::backtrace::libunwind::trace
at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.46/src/backtrace/libunwind.rs:86
1: backtrace::backtrace::trace_unsynchronized
at /cargo/registry/src/github.com-1ecc6299db9ec823/backtrace-0.3.46/src/backtrace/mod.rs:66
2: std::sys_common::backtrace::_print_fmt
at src/libstd/sys_common/backtrace.rs:78
3: <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt
at src/libstd/sys_common/backtrace.rs:59
4: core::fmt::write
at src/libcore/fmt/mod.rs:1076
5: std::io::Write::write_fmt
at src/libstd/io/mod.rs:1537
6: std::sys_common::backtrace::_print
at src/libstd/sys_common/backtrace.rs:62
7: std::sys_common::backtrace::print
at src/libstd/sys_common/backtrace.rs:49
8: std::panicking::default_hook::{{closure}}
at src/libstd/panicking.rs:198
9: std::panicking::default_hook
at src/libstd/panicking.rs:217
10: libfuzzer_sys::initialize::{{closure}}
11: std::panicking::rust_panic_with_hook
at src/libstd/panicking.rs:524
12: rust_begin_unwind
at src/libstd/panicking.rs:431
13: core::panicking::panic_fmt
at src/libcore/panicking.rs:85
14: core::str::slice_error_fail
at src/libcore/str/mod.rs:0
15: core::str::traits::<impl core::slice::SliceIndex<str> for core::ops::range::RangeTo<usize>>::index::{{closure}}
16: naga::front::wgsl::lex::consume_token
17: naga::front::wgsl::Parser::parse_global_decl
18: naga::front::wgsl::Parser::parse
19: rust_fuzzer_test_input
20: __rust_try
21: LLVMFuzzerTestOneInput
22: _ZN6fuzzer6Fuzzer15ExecuteCallbackEPKhm
23: _ZN6fuzzer10RunOneTestEPNS_6FuzzerEPKcm
24: _ZN6fuzzer12FuzzerDriverEPiPPPcPFiPKhmE
25: main
26: __libc_start_main
27: _start
The panic is likely from this indexing here:
Line 101 in 1f5008f