Bug #15246
Invalid read (SEGV on indeterminate address) in id_table.c
Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.6.0dev (2018-10-16 trunk 65097) [x86_64-linux]
Description
This one does not crash a normal ruby build, but results in ASAN SEGVing on an unknown address. Valgrind doesn't seem to catch anything other than a large amount of memory leakage with this, so this could be an ASAN bug.
Reproducer:
$ xxd ../repro2
00000000: 382e 2a2a 3830 3830 3030 2e2a 0d2d 3730 8.**808000.*.-70
00000010: 2e2a 302e 2a2a 3830 3030 302e 2a2a 202d .*0.**80000.** -
00000020: 3730 2e2a 0d2d 382e 2a2a 382a 2a2d 38 70.*.-8.**8**-8
$
$ ./ruby ../repro2
../repro2:1: warning: encountered \r in middle of line, treated as a mere space
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4416==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d5503ca139 bp 0x7fff14dc8830 sp 0x7fff14dc8720 T0)
==4416==The signal is caused by a READ memory access.
==4416==Hint: address points to the zero page.
#0 0x55d5503ca138 in hash_table_index /home/jtruba/rubies/ruby-trunk-asan/./id_table.c:131:14
#1 0x55d5503ca138 in rb_id_table_lookup /home/jtruba/rubies/ruby-trunk-asan/./id_table.c:229
#2 0x55d5504d214b in lookup_method_table /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:183:9
#3 0x55d5504d214b in search_method /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:726
#4 0x55d5504d214b in method_entry_get_without_cache /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:751
#5 0x55d5504d214b in method_entry_get /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:815
#6 0x55d5504dbb37 in vm_respond_to /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:1987:2
#7 0x55d5504e4af2 in check_funcall_respond_to /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:350:12
#8 0x55d5504e4af2 in rb_check_funcall_default /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:405
#9 0x55d5500bee25 in do_coerce /home/jtruba/rubies/ruby-trunk-asan/numeric.c:424:17
#10 0x55d5500cec3d in rb_num_coerce_bin /home/jtruba/rubies/ruby-trunk-asan/numeric.c:446:5
#11 0x55d5500cec3d in fix_mul /home/jtruba/rubies/ruby-trunk-asan/numeric.c:3655
#12 0x55d5500cec3d in rb_int_mul /home/jtruba/rubies/ruby-trunk-asan/numeric.c:3663
#13 0x55d5504dfc0e in vm_call0_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:86:8
#14 0x55d5504dfc0e in vm_call0_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:100
#15 0x55d5504dfc0e in vm_call0_body /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:131
#16 0x55d5504d876e in rb_vm_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:60:12
#17 0x55d5504d876e in rb_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:300
#18 0x55d5504d876e in rb_call /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:593
#19 0x55d5504d876e in rb_funcallv /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:815
#20 0x55d5506fd991 in f_mul /home/jtruba/rubies/ruby-trunk-asan/complex.c:118:12
#21 0x55d5506fd991 in nucomp_expt /home/jtruba/rubies/ruby-trunk-asan/complex.c:924
#22 0x55d5504dfc0e in vm_call0_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:86:8
#23 0x55d5504dfc0e in vm_call0_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:100
#24 0x55d5504dfc0e in vm_call0_body /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:131
#25 0x55d5504d876e in rb_vm_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:60:12
#26 0x55d5504d876e in rb_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:300
#27 0x55d5504d876e in rb_call /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:593
#28 0x55d5504d876e in rb_funcallv /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:815
#29 0x55d5506fd532 in f_expt /home/jtruba/rubies/ruby-trunk-asan/complex.c:183:1
#30 0x55d5506fd532 in nucomp_expt /home/jtruba/rubies/ruby-trunk-asan/complex.c:932
#31 0x55d5504dfc0e in vm_call0_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:86:8
#32 0x55d5504dfc0e in vm_call0_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:100
#33 0x55d5504dfc0e in vm_call0_body /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:131
#34 0x55d5504d876e in rb_vm_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:60:12
#35 0x55d5504d876e in rb_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:300
#36 0x55d5504d876e in rb_call /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:593
#37 0x55d5504d876e in rb_funcallv /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:815
#38 0x55d5500d2194 in rb_num_coerce_bin /home/jtruba/rubies/ruby-trunk-asan/numeric.c:447:12
#39 0x55d5500d2194 in fix_pow /home/jtruba/rubies/ruby-trunk-asan/numeric.c:4064
#40 0x55d5500d1cdb in rb_int_pow /home/jtruba/rubies/ruby-trunk-asan/numeric.c:4072:9
#41 0x55d55051f76f in vm_call_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c:1919:11
#42 0x55d55051f76f in vm_call_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c:1935
#43 0x55d550518233 in vm_call_method_each_type /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c:2257:9
#44 0x55d5505179e8 in vm_call_method /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c
#45 0x55d5504bc140 in vm_exec_core /home/jtruba/rubies/ruby-trunk-asan/insns.def:767:5
#46 0x55d550506dd4 in rb_vm_exec /home/jtruba/rubies/ruby-trunk-asan/vm.c
#47 0x55d54ff1b286 in ruby_exec_internal /home/jtruba/rubies/ruby-trunk-asan/eval.c:261:2
#48 0x55d54ff1b286 in ruby_exec_node /home/jtruba/rubies/ruby-trunk-asan/eval.c:325
#49 0x55d54ff1aca5 in ruby_run_node /home/jtruba/rubies/ruby-trunk-asan/eval.c:317:25
#50 0x55d54ff11960 in main /home/jtruba/rubies/ruby-trunk-asan/./main.c:42:9
#51 0x7f4383977b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
#52 0x55d54fe3b73b in _start (/home/jtruba/rubies/ruby-trunk-asan/ruby+0x13b73b)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jtruba/rubies/ruby-trunk-asan/./id_table.c:131:14 in hash_table_index
==4416==ABORTING
Valgrind report:
$ valgrind --max-stackframe=9000000 ./ruby ../repro2
==60726== Memcheck, a memory error detector
==60726== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==60726== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==60726== Command: ./ruby ../repro2
==60726==
../repro2:1: warning: encountered \r in middle of line, treated as a mere space
^CTraceback (most recent call last):
4: from ../repro2:1:in `<main>'
3: from ../repro2:1:in `**'
2: from ../repro2:1:in `**'
1: from ../repro2:1:in `**'
../repro2:1:in `*': Interrupt
==60726==
==60726== Process terminating with default action of signal 2 (SIGINT)
==60726== at 0x4E4375B: raise (pt-raise.c:37)
==60726== by 0x3709D0: ruby_default_signal (signal.c:410)
==60726== by 0x135EB0: ruby_cleanup (eval.c:245)
==60726== by 0x1361EE: ruby_run_node (eval.c:317)
==60726== by 0x130E17: main (main.c:42)
==60726==
==60726== HEAP SUMMARY:
==60726== in use at exit: 55,764,375 bytes in 7,218 blocks
==60726== total heap usage: 9,657 allocs, 2,439 frees, 529,210,624 bytes allocated
==60726==
==60726== LEAK SUMMARY:
==60726== definitely lost: 2,388,027 bytes in 816 blocks
==60726== indirectly lost: 44,497 bytes in 441 blocks
==60726== possibly lost: 53,114,719 bytes in 5,160 blocks
==60726== still reachable: 217,132 bytes in 801 blocks
==60726== suppressed: 0 bytes in 0 blocks
==60726== Rerun with --leak-check=full to see details of leaked memory
==60726==
==60726== For counts of detected and suppressed errors, rerun with: -v
==60726== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$
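The reproducer above is only shown as an xxd hexdump, and xxd's ASCII column prints the two 0x0d bytes as '.', so the actual source is hard to read. The following added example (not part of the bug report or of Ruby itself) parses that hexdump back into bytes, locates the bare carriage returns the parser warned about, and shows the line as Ruby reads it after treating each `\r` as a space. The dump text is copied from the report.

```ruby
# Hexdump copied verbatim from the report (column spacing collapsed by extraction).
XXD_DUMP = <<~'DUMP'
  00000000: 382e 2a2a 3830 3830 3030 2e2a 0d2d 3730 8.**808000.*.-70
  00000010: 2e2a 302e 2a2a 3830 3030 302e 2a2a 202d .*0.**80000.** -
  00000020: 3730 2e2a 0d2d 382e 2a2a 382a 2a2d 38 70.*.-8.**8**-8
DUMP

# Decode xxd's default layout: "<offset>: <up to 8 groups of 2-4 hex digits> <ascii>".
# Only the hex groups are trusted; the ASCII column is lossy for non-printables.
def decode_xxd(dump)
  dump.each_line.map do |line|
    tokens = line.split
    tokens.shift                                     # drop the offset
    groups = tokens.take_while { |t| t.match?(/\A(?:\h{4}|\h{2})\z/) }.first(8)
    groups.join.scan(/\h\h/).map(&:hex).pack('C*')
  end.join.force_encoding('BINARY')
end

# Byte offsets of carriage returns that are not part of a CRLF pair: these are
# exactly the bytes that trigger "encountered \r in middle of line".
def bare_carriage_returns(src)
  offsets = []
  src.scan(/\r(?!\n)/) { offsets << Regexp.last_match.begin(0) }
  offsets
end

# The source as the parser reads it after the warning: each bare \r is a space,
# which is what turns the bytes into one long chain of ** and * method calls.
def as_parsed(src)
  src.gsub(/\r(?!\n)/, ' ')
end

if __FILE__ == $0
  bytes = decode_xxd(XXD_DUMP)
  puts "decoded #{bytes.bytesize} bytes; bare \\r at offsets #{bare_carriage_returns(bytes).inspect}"
  puts as_parsed(bytes)
end
```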
Updated by nobu (Nobuyoshi Nakada) over 5 years ago
Maybe fixed by r65190?
Updated by bannable (Joe Truba) over 5 years ago
nobu (Nobuyoshi Nakada) wrote:
Maybe fixed by r65190?
Yes, looks fixed.
$ ASAN_OPTIONS=detect_leaks=0 ./ruby -v
ruby 2.6.0dev (2018-10-24 trunk 65097) [x86_64-linux]
$ ASAN_OPTIONS=detect_leaks=0 ./ruby ../repro2
../repro2:1: warning: encountered \r in middle of line, treated as a mere space
../repro2:1: warning: in a**b, b may be too big
$
It looks like most of the hangs that my fuzzer found are fixed as well, including #15237 (which was rejected).
Updated by jeremyevans0 (Jeremy Evans) almost 5 years ago
- Status changed from Open to Closed