Bug #13755
Null pointer dereference in hash_table_index()
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.5.0dev (2017-07-11 trunk 59311) [x86_64-linux]
Description
After some fuzz testing I found a crashing test case.
To reproduce: miniruby ruby_null_ptr_hash_table_index
Valgrind Context:
==945== Memcheck, a memory error detector
==945== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==945== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==945== Command: XYZ/ruby/miniruby ruby_null_ptr_hash_table_index
==945==
==945== Warning: client switching stacks? SP change: 0xfff000160 --> 0xffe8020f0
==945== to suppress, use: --max-stackframe=8380528 or greater
==945== Invalid write of size 1
==945== at 0x4A9350: reserve_stack (thread_pthread.c:722)
==945== by 0x4A921F: ruby_init_stack (thread_pthread.c:757)
==945== by 0x12D96D: main (main.c:40)
==945== Address 0xffe8020f0 is on thread 1's stack
==945== in frame #0, created by reserve_stack (thread_pthread.c:677)
==945==
==945== Warning: client switching stacks? SP change: 0xffe8020f0 --> 0xfff000280
==945== to suppress, use: --max-stackframe=8380816 or greater
==945== Invalid read of size 4
==945== at 0x4A7C2D: hash_table_index (id_table.c:131)
==945== by 0x4A7C2D: rb_id_table_lookup (id_table.c:229)
==945== by 0x52860A: lookup_method_table (vm_method.c:182)
==945== by 0x52860A: search_method (vm_method.c:699)
==945== by 0x52860A: method_entry_get_without_cache (vm_method.c:724)
==945== by 0x52860A: method_entry_get (vm_method.c:788)
==945== by 0x5288C3: rb_callable_method_entry (vm_method.c:835)
==945== by 0x51D933: vm_search_method (vm_insnhelper.c:1296)
==945== by 0x51D933: vm_exec_core (insns.def:1176)
==945== by 0x53E2D3: vm_exec (vm.c:1788)
==945== by 0x2389BC: ruby_exec_internal (eval.c:244)
==945== by 0x2389BC: ruby_exec_node (eval.c:308)
==945== by 0x2389BC: ruby_run_node (eval.c:300)
==945== by 0x12D988: main (in XYZ/ruby/miniruby)
==945== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==945==
ruby_null_ptr_hash_table_index:1: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.5.0dev (2017-07-11 trunk 59311) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0002 p:0037 s:0008 E:000e18 EVAL ruby_null_ptr_hash_table_index:1 [FINISH]
c:0001 p:0000 s:0003 E:000440 (none) [FINISH]
-- Ruby level backtrace information ----------------------------------------
ruby_null_ptr_hash_table_index:1:in `<main>'
-- Machine register context ------------------------------------------------
RIP: 0x00000000004a7c2d RBP: 0x0000000000b9647f RSP: 0x0000000ffefffc30
RAX: 0x00000000000099f1 RBX: 0x00000000008419e0 RCX: 0x00000000008522f0
RDX: 0x0000000ffefffc70 RDI: 0x0000000000000000 RSI: 0x000000000000002f
R8: 0x00000000008419e0 R9: 0xfffffffffffffffc R10: 0x000000000000002f
R11: 0xfffffffffffffffc R12: 0xfffffffffffffffc R13: 0x0000000ffefffc70
R14: 0x0000000000000000 R15: 0x0000000005cb2280 EFL: 0x0000000000000004
-- C level backtrace information -------------------------------------------
XYZ/ruby/miniruby(rb_vm_bugreport+0x2b7) [0x5673c7] vm_dump.c:671
XYZ/ruby/miniruby(rb_bug_context+0x2e6) [0x227246] error.c:534
XYZ/ruby/miniruby(sigsegv+0x6e) [0x42a9ee] signal.c:930
/lib/x86_64-linux-gnu/libpthread.so.0 [0x4e4b390]
XYZ/ruby/miniruby(rb_id_table_lookup+0x3d) [0x4a7c2d] ./symbol.h:60
XYZ/ruby/miniruby(method_entry_get+0x1ab) [0x52860b] ./vm_method.c:182
XYZ/ruby/miniruby(rb_callable_method_entry+0x44) [0x5288c4] ./vm_method.c:835
XYZ/ruby/miniruby(vm_exec_core+0xf894) [0x51d934] ./vm_insnhelper.c:1296
XYZ/ruby/miniruby(vm_exec+0x194) [0x53e2d4] vm.c:1788
XYZ/ruby/miniruby(ruby_run_node+0x27d) [0x2389bd] eval.c:244
XYZ/ruby/miniruby(main+0x89) [0x12d989] ./main.c:42
-- Other runtime information -----------------------------------------------
* Loaded script: ruby_null_ptr_hash_table_index
* Loaded features:
0 enumerator.so
1 thread.rb
2 rational.so
3 complex.so
* Process memory map:
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html
==945==
==945== Process terminating with default action of signal 6 (SIGABRT)
==945== at 0x57D1428: raise (raise.c:54)
==945== by 0x57D3029: abort (abort.c:89)
==945== by 0x22730C: die (error.c:506)
==945== by 0x22730C: rb_bug_context (error.c:536)
==945== by 0x42A9ED: sigsegv (signal.c:930)
==945== by 0x4E4B38F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==945== by 0x4A7C2C: rb_id_to_serial (symbol.h:60)
==945== by 0x4A7C2C: id2key (id_table.c:25)
==945== by 0x4A7C2C: rb_id_table_lookup (id_table.c:228)
==945==
==945== HEAP SUMMARY:
==945== in use at exit: 2,132,137 bytes in 6,161 blocks
==945== total heap usage: 6,604 allocs, 443 frees, 2,325,597 bytes allocated
==945==
==945== LEAK SUMMARY:
==945== definitely lost: 341 bytes in 4 blocks
==945== indirectly lost: 2,472 bytes in 37 blocks
==945== possibly lost: 733,266 bytes in 5,650 blocks
==945== still reachable: 1,396,058 bytes in 470 blocks
==945== suppressed: 0 bytes in 0 blocks
==945== Rerun with --leak-check=full to see details of leaked memory
==945==
==945== For counts of detected and suppressed errors, rerun with: -v
==945== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Status changed from Open to Closed
Applied in changeset trunk|r59374.
compile.c: restore stack at return
- compile.c (iseq_compile_each0): restore the stack depth after
return to the previous depth, to fix the stack depth at
returning from rescue iseq. [ruby-core:82108] [Bug #13755]
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Related to Feature #4840: Allow returning from require added
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Backport changed from 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED
Updated by nobu (Nobuyoshi Nakada) over 7 years ago
- Has duplicate Bug #13760: Another iseq_set_sequence: adjust bug 1 < 2 added
Updated by nagachika (Tomoyuki Chikanaga) over 7 years ago
- Backport changed from 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE
ruby_2_4 r59507 merged revision(s) 59374.