Bug #15191

closed

Segfault in bignum.c bigtrunc()

Added by bannable (Joe Truba) over 5 years ago. Updated almost 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:89241]

Description

Reproducer:

jtruba@sf201:~/crashes/ruby/crash09$ cat reproducer
?% "a"*1*1**111%11**-11911**111
jtruba@sf201:~/crashes/ruby/crash09$

Crash and valgrind report:

jtruba@sf201:~/crashes/ruby$ valgrind ~/rubies/ruby-trunk-clean/ruby --disable=gems - < crash09/reproducer
==33617== Memcheck, a memory error detector
==33617== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==33617== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==33617== Command: /home/jtruba/rubies/ruby-trunk-clean/ruby --disable=gems -
==33617==
==33617== Warning: client switching stacks?  SP change: 0xffeffffd0 --> 0xffe8020e0
==33617==          to suppress, use: --max-stackframe=8380144 or greater
==33617== Invalid write of size 1
==33617==    at 0x27B225: reserve_stack (thread_pthread.c:855)
==33617==    by 0x27FCB7: ruby_init_stack (thread_pthread.c:890)
==33617==    by 0x12D904: main (main.c:40)
==33617==  Address 0xffe8020e0 is on thread 1's stack
==33617==  in frame #0, created by reserve_stack (thread_pthread.c:810)
==33617==
==33617== Warning: client switching stacks?  SP change: 0xffe8020e0 --> 0xfff0000f0
==33617==          to suppress, use: --max-stackframe=8380432 or greater
-:1: warning: in a**b, b may be too big
==33617== Invalid read of size 4
==33617==    at 0x2F5048: bigtrunc (bignum.c:3080)
==33617==    by 0x2F5048: big2dbl (bignum.c:5239)
==33617==    by 0x2FD368: rb_big2dbl (bignum.c:5288)
==33617==    by 0x1BADC4: to_float (object.c:3476)
==33617==    by 0x1BADC4: rb_convert_to_float (object.c:3494)
==33617==    by 0x2498C8: rb_str_format (sprintf.c:1130)
==33617==    by 0x251991: rb_str_format_m (string.c:2005)
==33617==    by 0x2B8DC1: vm_call_cfunc_with_frame (vm_insnhelper.c:1928)
==33617==    by 0x2B8DC1: vm_call_cfunc (vm_insnhelper.c:1944)
==33617==    by 0x2C3262: vm_call_method (vm_insnhelper.c:2418)
==33617==    by 0x2C9F2B: vm_exec_core (insns.def:767)
==33617==    by 0x2C0810: rb_vm_exec (vm.c:1812)
==33617==    by 0x12E546: ruby_exec_internal (eval.c:261)
==33617==    by 0x132BAA: ruby_exec_node (eval.c:325)
==33617==    by 0x132BAA: ruby_run_node (eval.c:317)
==33617==    by 0x12D91E: main (main.c:42)
==33617==  Address 0xffbffffffffffffc is not stack'd, malloc'd or (recently) free'd
==33617==
-:1: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.6.0dev (2018-10-01 trunk 64894) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0011 e:000010 CFUNC  :%
c:0002 p:0033 s:0006 e:000005 EVAL   -:1 [FINISH]
c:0001 p:0000 s:0003 E:000df0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
-:1:in `<main>'
-:1:in `%'

-- Machine register context ------------------------------------------------
 RIP: 0x00000000002f5048 RBP: 0x000000000633f530 RSP: 0x0000000ffefff9a0
 RAX: 0x7fefffffffffffff RBX: 0x7ff0000000000000 RCX: 0x0000000000000000
 RDX: 0x0000000000000000 RDI: 0x0000000000000804 RSI: 0x0000000000000000
  R8: 0x000000000633f4f0  R9: 0x0000000000000004 R10: 0x0000000000000000
 R11: 0x0000000005b56e40 R12: 0x000000000633f4f0 R13: 0x0000000000000000
 R14: 0x00000000003a32dc R15: 0x000000000633f4b8 EFL: 0x0000000000000014

-- C level backtrace information -------------------------------------------
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_bugreport+0x53e) [0x371bae] vm_dump.c:715
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_bug_context+0xe4) [0x365bc4] error.c:610
/home/jtruba/rubies/ruby-trunk-clean/ruby(sigsegv+0x42) [0x242772] signal.c:998
/lib/x86_64-linux-gnu/libpthread.so.0(0x5065390) [0x5065390]
/home/jtruba/rubies/ruby-trunk-clean/ruby(big2dbl+0x38) [0x2f5048] bignum.c:3079
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_big2dbl+0x9) [0x2fd369] bignum.c:5288
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_convert_to_float+0x405) [0x1badc5] object.c:3476
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_str_format+0xfc9) [0x2498c9] sprintf.c:1130
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_str_format_m+0xa2) [0x251992] string.c:2005
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_call_cfunc+0x102) [0x2b8dc2] vm_insnhelper.c:1928
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_call_method+0xf3) [0x2c3263] vm_insnhelper.c:2418
/home/jtruba/rubies/ruby-trunk-clean/ruby(vm_exec_core+0x12c) [0x2c9f2c] /home/jtruba/rubies/ruby-trunk-clean/insns.def:767
/home/jtruba/rubies/ruby-trunk-clean/ruby(rb_vm_exec+0xb1) [0x2c0811] vm.c:1812
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_exec_internal+0xd7) [0x12e547] eval.c:261
/home/jtruba/rubies/ruby-trunk-clean/ruby(ruby_run_node+0x3b) [0x132bab] eval.c:325
/home/jtruba/rubies/ruby-trunk-clean/ruby(main+0x6f) [0x12d91f] ./main.c:42

-- Other runtime information -----------------------------------------------

* Loaded script: -

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:



[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: https://www.ruby-lang.org/bugreport.html

==33617==
==33617== Process terminating with default action of signal 6 (SIGABRT)
==33617==    at 0x5E73428: raise (raise.c:54)
==33617==    by 0x5E75029: abort (abort.c:89)
==33617==    by 0x365BD0: die (error.c:582)
==33617==    by 0x365BD0: rb_bug_context (error.c:612)
==33617==    by 0x242771: sigsegv (signal.c:998)
==33617==    by 0x506538F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==33617==    by 0x2F5047: bigtrunc (bignum.c:3079)
==33617==    by 0x2F5047: big2dbl (bignum.c:5239)
==33617==
==33617== HEAP SUMMARY:
==33617==     in use at exit: 2,142,307 bytes in 6,512 blocks
==33617==   total heap usage: 7,149 allocs, 637 frees, 2,364,757 bytes allocated
==33617==
==33617== LEAK SUMMARY:
==33617==    definitely lost: 8,544 bytes in 3 blocks
==33617==    indirectly lost: 2,798 bytes in 40 blocks
==33617==      possibly lost: 1,865,857 bytes in 6,247 blocks
==33617==    still reachable: 265,108 bytes in 222 blocks
==33617==         suppressed: 0 bytes in 0 blocks
==33617== Rerun with --leak-check=full to see details of leaked memory
==33617==
==33617== For counts of detected and suppressed errors, rerun with: -v
==33617== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
Aborted (core dumped)

Backtrace:

Stopped reason: SIGSEGV
0x0000555555978191 in bigtrunc (x=<optimized out>) at bignum.c:3080
3080        while (--len && !ds[len]);
#0  0x0000555555978191 in bigtrunc (x=<optimized out>) at bignum.c:3080
#1  big2dbl (x=<optimized out>) at bignum.c:5239
#2  0x0000555555977fdf in rb_big2dbl (x=0x555555d51530) at bignum.c:5288
#3  0x0000555555695dd1 in to_float (valp=0x7fffffffd940, raise_exception=0x55d51530) at object.c:3476
#4  0x0000555555694fe0 in rb_convert_to_float (val=0x1900000900, raise_exception=0x1) at object.c:3494
#5  0x0000555555694f6e in rb_Float (val=0x555555d51530) at object.c:3530
#6  0x00005555557c170a in rb_str_format (argc=<optimized out>, argv=<optimized out>, fmt=<optimized out>) at sprintf.c:1130
#7  0x0000555555800bb0 in rb_str_format_m (str=0x7ffff5d8f7a0, arg=0x1900000900) at string.c:2005
#8  0x0000555555904df5 in call_cfunc_1 (func=0x7fefffffffffffff, recv=0x555555d51530, argc=<optimized out>, argv=<optimized out>) at ./vm_insnhelper.c:1775
#9  0x00005555558f382d in vm_call_cfunc_with_frame (ec=<optimized out>, reg_cfp=<optimized out>, calling=<optimized out>, ci=<optimized out>, cc=<optimized out>) at ./vm_insnhelper.c:1928
#10 vm_call_cfunc (ec=<optimized out>, reg_cfp=<optimized out>, calling=<optimized out>, ci=<optimized out>, cc=<optimized out>) at ./vm_insnhelper.c:1944
#11 0x00005555558ef764 in vm_call_method_each_type (ec=<optimized out>, cfp=<optimized out>, calling=<optimized out>, ci=<optimized out>, cc=<optimized out>) at ./vm_insnhelper.c:2266
#12 0x00005555558ef3e4 in vm_call_method (ec=0x7ffff5c58648, cfp=0x7ffff5d68f90, calling=0x7fefffffffffffff, ci=0x7ffff5e24f80, cc=0x7ffff5e1e6f0) at ./vm_insnhelper.c:2392
#13 0x00005555558af59b in vm_call_general (ec=0x555555d51530 <__afl_area_initial>, reg_cfp=0x555555d51530 <__afl_area_initial>, calling=0x7fefffffffffffff, ci=0x0, cc=0x804) at ./vm_insnhelper.c:2435
#14 0x00005555558b9e1b in vm_exec_core (ec=<optimized out>, initial=<optimized out>) at /home/jtruba/rubies/ruby-trunk/insns.def:767
#15 0x00005555558e5f0e in rb_vm_exec (ec=0x7ffff5c58648, mjit_enable_p=0x1) at vm.c:1812
#16 0x00005555558e8423 in rb_iseq_eval_main (iseq=<optimized out>) at vm.c:2071
#17 0x000055555557f679 in ruby_exec_internal (n=<optimized out>) at eval.c:261
#18 ruby_exec_node (n=<optimized out>) at eval.c:325
#19 0x000055555557f3f8 in ruby_run_node (n=0x555555d51530 <__afl_area_initial>) at eval.c:317
#20 0x0000555555579f77 in main (argc=<optimized out>, argv=0x555555d51530 <__afl_area_initial>, argv@entry=0x7fffffffe348) at ./main.c:42
#21 0x00007ffff67f2830 in __libc_start_main (main=0x555555579ee0 <main>, argc=0x2, argv=0x7fffffffe348, init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>, stack_end=0x7fffffffe338)
    at ../csu/libc-start.c:291
#22 0x0000555555579dd9 in _start ()
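Added example, not code from Ruby or from the reporter: a C model of the truncation loop the backtrace stops at (`while (--len && !ds[len]);`, bignum.c:3080). The digit read is instrumented the way valgrind flags it, so a zero-length bignum reports the out-of-bounds index instead of crashing, and a hardened variant next to it shows the length check that prevents the wrap. The struct layout, the names `bigtrunc_model` and `bigtrunc_safe`, and the sample digit arrays are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t BDIGIT;   /* 4-byte digit: the "Invalid read of size 4" above */

struct bignum { size_t len; const BDIGIT *ds; };  /* BIGNUM_LEN(x), BDIGITS(x); LSB digit first */

/* The loop as quoted at bignum.c:3080, with the digit read instrumented.
 * Returns the length after dropping high zero digits and sets *oob when
 * the loop would have read outside ds[0..len-1]. */
static size_t bigtrunc_model(const struct bignum *x, bool *oob)
{
    size_t len = x->len;
    *oob = false;
    while (--len) {                  /* len == 0 wraps to SIZE_MAX here */
        if (len >= x->len) {         /* the original dereferences ds[SIZE_MAX] */
            *oob = true;
            return x->len;
        }
        if (x->ds[len] != 0)
            break;
    }
    return len + 1;                  /* keeps at least one digit */
}

/* Hardened form (this example's own, not the upstream fix): reject the
 * empty case before decrementing and only ever index below len. */
static size_t bigtrunc_safe(const struct bignum *x)
{
    size_t len = x->len;
    if (len == 0)
        return 0;
    while (len > 1 && x->ds[len - 1] == 0)
        len--;
    return len;
}

/* Constructed sample inputs. */
static const BDIGIT five_digits[3] = { 5u, 0u, 0u };       /* 5 with two zero high digits */
static const BDIGIT zero_digits[3] = { 0u, 0u, 0u };       /* zero stored in three digits */
static const struct bignum sample_five     = { 3, five_digits };
static const struct bignum sample_all_zero = { 3, zero_digits };
static const struct bignum sample_zero_len = { 0, NULL };  /* the state that crashed */

int main(void)
{
    bool oob;
    size_t n = bigtrunc_model(&sample_zero_len, &oob);
    printf("len=0: model=%zu oob=%d safe=%zu\n", n, oob, bigtrunc_safe(&sample_zero_len));
    return 0;
}
```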

Related issues 1 (0 open, 1 closed)

Is duplicate of Ruby master - Bug #15189: Multiple OOB reads (of size 4) in rb_bigzero_p (Closed)

Updated by bannable (Joe Truba) over 5 years ago

And a second, slightly different, reproducer:

5555i**-515*45E555i**-511581115i**515*45E555i**-511555i**-51E555i**-511581115i**-515*45E55 == 5**-511551158111111
#2

Updated by nobu (Nobuyoshi Nakada) over 5 years ago

  • Is duplicate of Bug #15189: Multiple OOB reads (of size 4) in rb_bigzero_p added
#3

Updated by jeremyevans0 (Jeremy Evans) almost 5 years ago

  • Status changed from Open to Closed