Bug #15937: Segmentation fault when String#initialize given same string with capacity field - Ruby master - Ruby Issue Tracking System

Custom queries

Backport 3.0
Backport 3.1
Backport 3.2
Backport 3.3
bugs: unassigned
DevMeeting
matz
Open issues with attachment

Actions

Copy link

Bug #15937

closed

Segmentation fault when String#initialize given same string with capacity field

Added by luke-gru (Luke Gruber) almost 5 years ago. Updated over 4 years ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

Backport:

2.4: REQUIRED, 2.5: DONE, 2.6: DONE

[ruby-core:93228]

Description

Reproduction steps:

string buffer corruption:

s = "mystring"
s.__send__(:initialize, s, capacity: 1000)
puts s

segfault:

s = "mystring that can't be embedded because it's too long and therefore must be allocated"
s.__send__(:initialize, s, capacity: 1000)

Thanks for your time :)

History
Notes
Property changes
Associated revisions

Actions

Copy link

#1 [ruby-core:93229]

Updated by luke-gru (Luke Gruber) almost 5 years ago

NOTE: I didn't attach a patch or proof of concept fix because I don't know how you want to handle this edge case. The easiest thing would just be to return the original string in rb_str_init and not honor the capacity change here.

Actions

Copy link

#2 [ruby-core:93231]

Updated by nobu (Nobuyoshi Nakada) almost 5 years ago

I can't reproduce the buffer corruption nor the segfault, but found the content was cleared on a short string.
Which version did you try?

Actions

Copy link

Updated by nobu (Nobuyoshi Nakada) almost 5 years ago

Status changed from Open to Closed

Applied in changeset git|28678997e40869f5591eae60edd9757334426ffb.

Preserve the string content at self-copying

string.c (rb_str_init): preserve the embedded content when
self-copying with a capacity. [Bug #15937]

Actions

Copy link

#4 [ruby-core:93234]

Updated by luke-gru (Luke Gruber) almost 5 years ago

Sorry, I forgot puts s in second script. I still get the segfault even in trunk with your patch, but the embedded small strings case is fixed.

Thank you.

Actions

Copy link

#5 [ruby-core:93236]

Updated by luke-gru (Luke Gruber) almost 5 years ago

I no longer get the segfault if in rb_str_init, return str is added right after existing check of (orig == str), but then capacity of string won't change.

EDIT: I think I figured out what was going on. If str is a shared string, it must be made independent before realloc in rb_str_init.

check_str_modifiable(str);
if (orig == str && FL_TEST(str, STR_SHARED)) {
  str_make_independent(str);
}

Actions

Copy link

Updated by nobu (Nobuyoshi Nakada) almost 5 years ago

Backport changed from 2.4: UNKNOWN, 2.5: UNKNOWN, 2.6: UNKNOWN to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED

Actions

Copy link

#7 [ruby-core:94219]

Updated by nagachika (Tomoyuki Chikanaga) over 4 years ago

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: REQUIRED to 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE

ruby_2_6 r67738 merged revision(s) 28678997e40869f5591eae60edd9757334426ffb,8797f48373dcfa3ff8e748667732dea8aea4347e.

Actions

Copy link

#8 [ruby-core:94578]

Updated by usa (Usaku NAKAMURA) over 4 years ago

Backport changed from 2.4: REQUIRED, 2.5: REQUIRED, 2.6: DONE to 2.4: REQUIRED, 2.5: DONE, 2.6: DONE

ruby_2_5 r67769 merged revision(s) 28678997e40869f5591eae60edd9757334426ffb,8797f48373dcfa3ff8e748667732dea8aea4347e.

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0Like0Like0Like0Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #15937

Segmentation fault when String#initialize given same string with capacity field

Updated by luke-gru (Luke Gruber) almost 5 years ago

Updated by nobu (Nobuyoshi Nakada) almost 5 years ago

Updated by nobu (Nobuyoshi Nakada) almost 5 years ago

Updated by luke-gru (Luke Gruber) almost 5 years ago

Updated by luke-gru (Luke Gruber) almost 5 years ago

Updated by nobu (Nobuyoshi Nakada) almost 5 years ago

Updated by nagachika (Tomoyuki Chikanaga) over 4 years ago

Updated by usa (Usaku NAKAMURA) over 4 years ago