Issue #1590

Fuzzer: Segfault on parameter as generate condition

Added by Eric Rippey 15 days ago. Updated 13 days ago.

Status: Closed
Priority: Low
Assignee:
Category: Lint
% Done: 0%

Description

Running the attached testcase with:

verilator_bin --lint-only 8.sv

On version:

Verilator 4.020 devel rev v4.020-56-gbcb766b

Produces:

%Error: 8.sv:1: Parameter without initial value is never given value (IEEE 1800-2017 6.20.1): 'P'
              : ... In instance m
module m#(parameter P);
                    ^
%Warning-WIDTH: 8.sv:4: Logical Operator GENFOR expects 1 bit on the For Test Condition, but For Test Condition's VARREF 'P' generates 32 bits.
                      : ... In instance m
    for(j=0;P;j++)
    ^~~
                ... Use "/* verilator lint_off WIDTH */" and lint_on around source to disable this message.
%Error: 8.sv:4: Non-genvar used in generate for: 'j'
              : ... In instance m
    for(j=0;P;j++)
    ^~~
Segmentation fault (core dumped)

8.sv (113 Bytes) Eric Rippey, 11/04/2019 07:48 PM

History

#1 Updated by Wilson Snyder 15 days ago

I'll look at this and the others starting tonight.

In the interest of best use of time, I'd recommend we only look for crashes where there's a crash and no earlier error message. (Versus also ones with errors and crashes before.)

#2 Updated by Wilson Snyder 15 days ago

  • Category set to Lint
  • Status changed from New to Closed
  • Assignee set to Wilson Snyder
  • Priority changed from Normal to Low

Fixed in git towards 4.022.

#3 Updated by Eric Rippey 13 days ago

Regarding only crashes with no output, that's easier said than done. I don't know of any fuzzer capable of doing that out of the box. And fuzzers tend to find many different ways to get to the same problem when a problem stays in the program.

If you still wanted to automatically find bugs effectively under that sort of constraint, you might have to go about this in completely the opposite direction where you start out with known-valid input the way that something like Csmith (https://embed.cs.utah.edu/csmith/) works. That's kind of a major project though because I don't know of an equivalent for Verilog.

#4 Updated by Wilson Snyder 13 days ago

Perhaps I'm missing some detail, but can't you just tweak actual_fail to not be interesting if there was %Error printed?
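
The filter suggested in comment #4, as an added example that is not part of the original thread or of either participant's fuzzing setup: a crash counts as interesting only when no %Error line was printed. The implementation of actual_fail is not shown on this page, so the function names, the sample strings and the exit-status handling (signal N reported as -N by subprocess or 128+N by a shell) are assumptions.

```python
import re
import signal
import subprocess
import sys

# Signals that indicate a crash rather than an ordinary error exit.
CRASH_SIGNALS = {signal.SIGSEGV, signal.SIGABRT, signal.SIGBUS,
                 signal.SIGFPE, signal.SIGILL}

# A Verilator diagnostic line such as "%Error: 8.sv:1: ..."; warnings start
# with "%Warning-" and are deliberately not matched.
ERROR_LINE = re.compile(r"^%Error\b", re.MULTILINE)


def died_from_crash(returncode):
    """subprocess reports death by signal N as -N; a shell reports 128+N."""
    signum = -returncode if returncode < 0 else returncode - 128
    return signum in CRASH_SIGNALS


def classify(returncode, output):
    """Return 'no-crash', 'crash-after-error' or 'crash-only'."""
    if not died_from_crash(returncode):
        return "no-crash"
    return "crash-after-error" if ERROR_LINE.search(output) else "crash-only"


def run_lint(path, binary="verilator_bin", timeout=30):
    """Run the command from the report; return (returncode, combined output)."""
    proc = subprocess.run([binary, "--lint-only", path], capture_output=True,
                          text=True, timeout=timeout)
    return proc.returncode, proc.stdout + proc.stderr


# Constructed samples: the first is abridged from the output in this report,
# the second is a made-up run that prints only a warning before crashing.
REPORTED = ("%Error: 8.sv:4: Non-genvar used in generate for: 'j'\n"
            "              : ... In instance m\n")
WARNING_ONLY = "%Warning-WIDTH: t.sv:4: constructed warning text\n"

if __name__ == "__main__":
    rc, out = run_lint(sys.argv[1])
    # Exit 0 only for crashes with no earlier %Error, so a wrapper can keep those.
    sys.exit(0 if classify(rc, out) == "crash-only" else 1)
```

The "Segmentation fault (core dumped)" line in the report is written by the shell, not by Verilator, so the check relies on the exit status rather than on that text.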
