Bug #15169: rb_funcallv crashes when argc is -1 - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #15169

closed

rb_funcallv crashes when argc is -1

Added by ddom (Daniel Dominguez) over 5 years ago. Updated over 5 years ago.

Status:

Rejected

Assignee:

Target version:

ruby -v:

ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin17]

Backport:

2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN

[ruby-core:89189]

Description

The native function rb_funcallv casues a segmentation fault on 0xffffffffffffffd8 when the argc parameter is -1.

Example:

VALUE argv[1];
argv[0] = Qnil;
rb_funcallv(INT2NUM(1), rb_intern("round"), -1, argv);

Attached the dump:

bin/fuzzer:10: [BUG] Segmentation fault at 0xffffffffffffffd8
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin17]

-- Crash Report log information --------------------------------------------
   See Crash Report log file under the one of following:
     * ~/Library/Logs/DiagnosticReports
     * /Library/Logs/DiagnosticReports
   for more details.
Don't forget to include the above Crash Report log file in bug reports.

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0010 e:000009 CFUNC  :fuzz!
c:0002 p:0035 s:0006 e:000005 EVAL   bin/fuzzer:10 [FINISH]
c:0001 p:0000 s:0003 E:0003f0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
bin/fuzzer:10:in `<main>'
bin/fuzzer:10:in `fuzz!'

-- Machine register context ------------------------------------------------
 rax: 0x00007ffeed343008 rbx: 0x00007ffeed343000 rcx: 0x0000000000025a0f
 rdx: 0xfffffffffffffff8 rdi: 0x00007ffeed343000 rsi: 0xfffffffffffffff8
 rbp: 0x00007ffeed342ff0 rsp: 0x00007ffeed342ff0  r8: 0x0000000000000000
  r9: 0x000000000000001f r10: 0x00007f9548511520 r11: 0x00007ffeed343008
 r12: 0x000000000025a10c r13: 0x00007f954840a2c8 r14: 0x0000000000000003
 r15: 0x00000000ffffffff rip: 0x00007fff6bdba110 rfl: 0x0000000000010282

-- C level backtrace information -------------------------------------------
0   libruby.2.5.dylib                   0x0000000102aba9d7 rb_vm_bugreport + 135
1   libruby.2.5.dylib                   0x000000010293a5d8 rb_bug_context + 472
2   libruby.2.5.dylib                   0x0000000102a2b5d1 sigsegv + 81
3   libsystem_platform.dylib            0x00007fff6bdb6f5a _sigtramp + 26
4   libsystem_platform.dylib            0x00007fff6bdba110 _platform_memmove$VARIANT$Haswell + 496

-- Other runtime information -----------------------------------------------

* Loaded script: bin/fuzzer

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/enc/encdb.bundle
    5 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/enc/trans/transdb.bundle
    6 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/rbconfig.rb
    7 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/compatibility.rb
    8 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/defaults.rb
    9 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/deprecate.rb
   10 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/errors.rb
   11 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/version.rb
   12 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/requirement.rb
   13 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/platform.rb
   14 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/basic_specification.rb
   15 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/stub_specification.rb
   16 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/util/list.rb
   17 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/stringio.bundle
   18 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/rfc2396_parser.rb
   19 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/rfc3986_parser.rb
   20 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/common.rb
   21 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/generic.rb
   22 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ftp.rb
   23 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/http.rb
   24 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/https.rb
   25 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ldap.rb
   26 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ldaps.rb
   27 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/mailto.rb
   28 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri.rb
   29 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/specification.rb
   30 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/exceptions.rb
   31 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/util.rb
   32 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/bundler_version_finder.rb
   33 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/dependency.rb
   34 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_gem.rb
   35 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/monitor.rb
   36 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb
   37 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems.rb
   38 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/path_support.rb
   39 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/version.rb
   40 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/core_ext/name_error.rb
   41 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/levenshtein.rb
   42 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/jaro_winkler.rb
   43 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checker.rb
   44 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/delegate.rb
   45 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   46 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   47 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   48 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   49 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/key_error_checker.rb
   50 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/null_checker.rb
   51 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/formatters/plain_formatter.rb
   52 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean.rb
   53 /Users/foldr/code/cobaya/lib/cobaya.bundle

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

[IMPORTANT]
Don't forget to include the Crash Report log file under
DiagnosticReports directory in bug reports.

Files

ruby_2018-09-27-133203_wakatsuki.crash (36.7 KB) ruby_2018-09-27-133203_wakatsuki.crash

ddom (Daniel Dominguez), 09/27/2018 11:36 AM

Actions

Copy link

#1 [ruby-core:89190]

Updated by nobu (Nobuyoshi Nakada) over 5 years ago

Status changed from Open to Rejected

argc is the number of arguments, pointed by argv.
Do you want to pass -1 arguments?

Actions

Copy link

#2 [ruby-core:89192]

Updated by ddom (Daniel Dominguez) over 5 years ago

nobu (Nobuyoshi Nakada) wrote:

argc is the number of arguments, pointed by argv.
Do you want to pass -1 arguments?

No, it's actually a bug in the fuzzer I'm building to pass -1 to that function. But I'm getting that crash when I do that. The actual code is more complicated that the example I provided. In my code I get some object, get a random method of the object and it's arity. The arity sometimes is -1 (in the case of varargs). If needed I can provide the code for the sample generation to aid with reproducibility.

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #15169

rb_funcallv crashes when argc is -1

Updated by nobu (Nobuyoshi Nakada) over 5 years ago

Updated by ddom (Daniel Dominguez) over 5 years ago