Bug #15169 (closed)
rb_funcallv crashes when argc is -1
Description
The native function rb_funcallv causes a segmentation fault at 0xffffffffffffffd8 when the argc parameter is -1.
Example:
#include <ruby.h>

VALUE argv[1];
argv[0] = Qnil;
/* argc is -1 here: this call reproduces the crash described above */
rb_funcallv(INT2NUM(1), rb_intern("round"), -1, argv);
Attached the dump:
bin/fuzzer:10: [BUG] Segmentation fault at 0xffffffffffffffd8
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin17]
-- Crash Report log information --------------------------------------------
See Crash Report log file under the one of following:
* ~/Library/Logs/DiagnosticReports
* /Library/Logs/DiagnosticReports
for more details.
Don't forget to include the above Crash Report log file in bug reports.
-- Control frame information -----------------------------------------------
c:0003 p:---- s:0010 e:000009 CFUNC :fuzz!
c:0002 p:0035 s:0006 e:000005 EVAL bin/fuzzer:10 [FINISH]
c:0001 p:0000 s:0003 E:0003f0 (none) [FINISH]
-- Ruby level backtrace information ----------------------------------------
bin/fuzzer:10:in `<main>'
bin/fuzzer:10:in `fuzz!'
-- Machine register context ------------------------------------------------
rax: 0x00007ffeed343008 rbx: 0x00007ffeed343000 rcx: 0x0000000000025a0f
rdx: 0xfffffffffffffff8 rdi: 0x00007ffeed343000 rsi: 0xfffffffffffffff8
rbp: 0x00007ffeed342ff0 rsp: 0x00007ffeed342ff0 r8: 0x0000000000000000
r9: 0x000000000000001f r10: 0x00007f9548511520 r11: 0x00007ffeed343008
r12: 0x000000000025a10c r13: 0x00007f954840a2c8 r14: 0x0000000000000003
r15: 0x00000000ffffffff rip: 0x00007fff6bdba110 rfl: 0x0000000000010282
-- C level backtrace information -------------------------------------------
0 libruby.2.5.dylib 0x0000000102aba9d7 rb_vm_bugreport + 135
1 libruby.2.5.dylib 0x000000010293a5d8 rb_bug_context + 472
2 libruby.2.5.dylib 0x0000000102a2b5d1 sigsegv + 81
3 libsystem_platform.dylib 0x00007fff6bdb6f5a _sigtramp + 26
4 libsystem_platform.dylib 0x00007fff6bdba110 _platform_memmove$VARIANT$Haswell + 496
-- Other runtime information -----------------------------------------------
* Loaded script: bin/fuzzer
* Loaded features:
0 enumerator.so
1 thread.rb
2 rational.so
3 complex.so
4 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/enc/encdb.bundle
5 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/enc/trans/transdb.bundle
6 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/rbconfig.rb
7 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/compatibility.rb
8 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/defaults.rb
9 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/deprecate.rb
10 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/errors.rb
11 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/version.rb
12 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/requirement.rb
13 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/platform.rb
14 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/basic_specification.rb
15 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/stub_specification.rb
16 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/util/list.rb
17 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/stringio.bundle
18 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/rfc2396_parser.rb
19 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/rfc3986_parser.rb
20 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/common.rb
21 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/generic.rb
22 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ftp.rb
23 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/http.rb
24 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/https.rb
25 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ldap.rb
26 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ldaps.rb
27 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/mailto.rb
28 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri.rb
29 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/specification.rb
30 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/exceptions.rb
31 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/util.rb
32 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/bundler_version_finder.rb
33 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/dependency.rb
34 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_gem.rb
35 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/monitor.rb
36 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb
37 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems.rb
38 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/path_support.rb
39 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/version.rb
40 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/core_ext/name_error.rb
41 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/levenshtein.rb
42 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/jaro_winkler.rb
43 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checker.rb
44 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/delegate.rb
45 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
46 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
47 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
48 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
49 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/key_error_checker.rb
50 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/null_checker.rb
51 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/formatters/plain_formatter.rb
52 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean.rb
53 /Users/foldr/code/cobaya/lib/cobaya.bundle
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html
[IMPORTANT]
Don't forget to include the Crash Report log file under
DiagnosticReports directory in bug reports.
Updated by nobu (Nobuyoshi Nakada) over 5 years ago
- Status changed from Open to Rejected
argc is the number of arguments, pointed to by argv.
Do you want to pass -1 arguments?
Updated by ddom (Daniel Dominguez) over 5 years ago
nobu (Nobuyoshi Nakada) wrote:
argc is the number of arguments, pointed to by argv.
Do you want to pass -1 arguments?
No, it's actually a bug in the fuzzer I'm building to pass -1 to that function. But I'm getting that crash when I do that. The actual code is more complicated than the example I provided. In my code I get some object, get a random method of the object and its arity. The arity sometimes is -1 (in the case of varargs). If needed I can provide the code for the sample generation to aid with reproducibility.
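As an added example (not code from the bug report, from the reporter's fuzzer, or from CRuby), the block below ties the description and the last comment together. The crash dump shows the fault inside _platform_memmove with rsi and rdx equal to 0xfffffffffffffff8, which is what an int of -1 becomes once it is converted to size_t and multiplied by sizeof(VALUE) on a 64-bit build; the interpretation that this is the argument-vector byte count is an inference from the registers, not something the dump states. The code reproduces that arithmetic without <ruby.h> (VALUE is a stand-in typedef, assumed pointer-sized), shows the check a harness should make before calling rb_funcallv, and maps Ruby's Method#arity convention to a concrete argc so that a varargs method such as Integer#round, whose arity is -1, never passes a negative count through. All function names are this example's own, not CRuby API.

```c
/*
 * Added example, not part of the bug report or of CRuby.
 * VALUE is a stand-in typedef so this compiles without <ruby.h>;
 * in a real extension include <ruby.h> and call rb_funcallv only after
 * argc has passed the checks below.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef uintptr_t VALUE;   /* stand-in: CRuby's VALUE is pointer-sized */

/* Byte size of an argument vector computed the careless way: the int
 * argc is converted to size_t first. -1 becomes SIZE_MAX, and multiplying
 * by sizeof(VALUE) wraps to 0xfffffffffffffff8 on a 64-bit target, the
 * value seen in rsi/rdx in the dump above. */
size_t unchecked_argv_bytes(int argc)
{
    return (size_t)argc * sizeof(VALUE);
}

/* Checked variant: rejects negative counts and counts whose byte size
 * would overflow. Returns 0 and writes *out on success, -1 otherwise. */
int checked_argv_bytes(int argc, size_t *out)
{
    if (argc < 0)
        return -1;
    if ((size_t)argc > SIZE_MAX / sizeof(VALUE))
        return -1;   /* unreachable for int on 64-bit, correct on any width */
    *out = (size_t)argc * sizeof(VALUE);
    return 0;
}

/* Ruby's Method#arity convention: n >= 0 means exactly n arguments;
 * a negative value -(n+1) means n required arguments plus optional or
 * rest arguments. A fuzzer must turn that into a concrete non-negative
 * count before calling rb_funcallv. `extra` is how many optional
 * arguments the fuzzer chooses to add for a variadic method. */
int argc_from_arity(int arity, int extra)
{
    if (extra < 0)
        extra = 0;
    if (arity >= 0)
        return arity;                 /* fixed arity: exactly that many */
    return (-arity - 1) + extra;      /* required count plus chosen extras */
}

/* Guard to place directly in front of rb_funcallv in a harness. */
int argc_is_valid(int argc)
{
    return argc >= 0;
}

int main(void)
{
    size_t n = 0;
    printf("unchecked byte count for argc=-1: 0x%zx\n", unchecked_argv_bytes(-1));
    printf("checked_argv_bytes(-1): %d\n", checked_argv_bytes(-1, &n));
    printf("Integer#round has arity -1 -> argc %d\n", argc_from_arity(-1, 0));
    printf("arity -3 with one extra -> argc %d\n", argc_from_arity(-3, 1));
    return 0;
}
```

The practical fix for the reporter's harness is the argc_from_arity step: arity is a description of what a method accepts, not a count to hand to rb_funcallv, and a negative arity must be resolved into a real argument count before the call is made.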