Bug #17141

closed

Crash when parsing malformed input

Added by tumdum (Tomasz Kłak) over 3 years ago. Updated over 3 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
[ruby-core:99825]

Description

Calling "ruby crash_small.rb" crashes ruby - see attached crash log


Files

crash_small.rb (6 Bytes), tumdum (Tomasz Kłak), 09/01/2020 08:08 PM
log.txt (16.8 KB), crash log, tumdum (Tomasz Kłak), 09/01/2020 08:08 PM

Related issues: 1 (0 open, 1 closed)

Is duplicate of Ruby master - Bug #16603: Passing number or symbol to kwargs splat causes segmentation fault (Closed)

Updated by jeremyevans0 (Jeremy Evans) over 3 years ago

  • Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN to 2.5: DONTNEED, 2.6: DONTNEED, 2.7: REQUIRED
  • Status changed from Open to Closed

I can confirm this crash in Ruby 2.7.1, 2.7.0, and the ruby_2_7 branch. It is not present in master.

Here's the backtrace on ruby_2_7 branch:

0x00000a3c357f2d7c in CALLER_REMOVE_EMPTY_KW_SPLAT (cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, ci=0x7f7ffffc28c0) at ./vm_insnhelper.c:1996
1996            if (RHASH_EMPTY_P(cfp->sp[-1])) {
(gdb) bt
#0  0x00000a3c357f2d7c in CALLER_REMOVE_EMPTY_KW_SPLAT (cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, ci=0x7f7ffffc28c0) at ./vm_insnhelper.c:1996
#1  0x00000a3c357f2751 in vm_call_cfunc (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0x7f7ffffc2880) at ./vm_insnhelper.c:2535
#2  0x00000a3c357f1db3 in vm_call_method_each_type (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0x7f7ffffc2880) at ./vm_insnhelper.c:2925
#3  0x00000a3c357f1a96 in vm_call_method (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0x7f7ffffc2880) at ./vm_insnhelper.c:3039
#4  0x00000a3c357f24a2 in vm_call_method_missing (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, orig_cd=0xa3b71987500) at ./vm_insnhelper.c:2744
#5  0x00000a3c357f259c in vm_call_method_nome (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0xa3b71987500) at ./vm_insnhelper.c:3013
#6  0x00000a3c357f1c0b in vm_call_method (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0xa3b71987500) at ./vm_insnhelper.c:3068
#7  0x00000a3c357cfd6a in vm_call_general (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0xa3b71987500) at ./vm_insnhelper.c:3076
#8  0x00000a3c35802bc3 in vm_sendish (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, cd=0xa3b71987500, block_handler=0, method_explorer=0xa3c35802c30 <vm_search_method_wrap>) at ./vm_insnhelper.c:4023
#9  0x00000a3c357d4413 in vm_exec_core (ec=0xa3c0ec6fe50, initial=0) at insns.def:801
#10 0x00000a3c357ec004 in rb_vm_exec (ec=0xa3c0ec6fe50, mjit_enable_p=1) at vm.c:1920
#11 0x00000a3c357ecfad in rb_iseq_eval_main (iseq=0xa3b4dd1afc8) at vm.c:2179
#12 0x00000a3c3557cc03 in rb_ec_exec_node (ec=0xa3c0ec6fe50, n=0xa3b4dd1afc8) at eval.c:278
#13 0x00000a3c3557ca82 in ruby_run_node (n=0xa3b4dd1afc8) at eval.c:336
#14 0x00000a394afe8cb7 in main (argc=2, argv=0x7f7ffffc4558) at ./main.c:50

Here's a possible fix:

--- a/vm_insnhelper.c
+++ b/vm_insnhelper.c
@@ -1993,7 +1993,7 @@ CALLER_REMOVE_EMPTY_KW_SPLAT(struct rb_control_frame_struct *restrict cfp,
          * the method does not have the number of required
          * arguments.
          */
-        if (RHASH_EMPTY_P(cfp->sp[-1])) {
+        if (RHASH_EMPTY_P(rb_to_hash_type(cfp->sp[-1]))) {
             cfp->sp--;
             calling->argc--;
             calling->kw_splat = 0;
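Review bot: the converted value is used only for the emptiness test and then discarded. `RHASH_EMPTY_P(rb_to_hash_type(cfp->sp[-1]))` checks the result of `to_hash`, but `cfp->sp[-1]` still holds the original object, so a non-Hash that implements `to_hash` and yields a non-empty hash continues down the call path unconverted. `rb_to_hash_type` also raises `TypeError` for objects that cannot be converted, which is the right outcome for the reproducer (an exception instead of a segfault) but makes this helper a raising call site inside the VM's argument setup. As the later discussion notes, converting the kw_splat argument once where it is pushed by the caller, and writing the converted hash back to the stack slot, would fix the same crash at a higher level and leave this helper as a pure check.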

Closing and marking for backport.

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

Hi Jeremy,
The code around the patch you show is exactly the same in the master and ruby_2_7 branches.
Isn't the patch necessary for master branch?

Updated by jeremyevans0 (Jeremy Evans) over 3 years ago

nagachika (Tomoyuki Chikanaga) wrote in #note-2:

Hi Jeremy,
The code around the patch you show is exactly the same in the master and ruby_2_7 branches.
Isn't the patch necessary for master branch?

The program doesn't crash in master, so I assume the fix isn't needed in master. It's possible there is a better fix for 2.7 that fixes the problem at a higher level of the call stack, but I did not investigate where that would be.

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

Okay, I will add a test for this case into master and backport it to ruby_2_7 with your patch.
Thanks.
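The regression check promised above, written here as an added example rather than the test that was actually committed to the ruby test suite. It exercises the kwargs-splat call forms this report and Bug #16603 are about (empty hash, real hash, Integer, Symbol, and the method_missing path visible in the backtrace) against whatever interpreter runs it, recording the return value or the exception class for each. On a fixed interpreter the non-Hash cases raise instead of crashing; `target`, `probe` and `kw_splat_cases` are names chosen for this example.

```ruby
# Added regression example for the kw_splat crash in this report (not the
# ruby test suite's own test). A non-Hash passed through ** must raise an
# ordinary exception rather than segfault the interpreter.

def target(*args, **kw)
  [args, kw]
end

# Run one call form and report the outcome: the return value on success,
# or the exception class if the interpreter raised.
def probe
  yield
rescue StandardError => e
  e.class
end

def kw_splat_cases
  empty = {}
  real  = { a: 1 }
  int   = 1
  sym   = :sym

  {
    # An empty ** splat is dropped by CALLER_REMOVE_EMPTY_KW_SPLAT: [[], {}]
    empty_hash: probe { target(**empty) },
    # A real hash arrives as keyword arguments: [[], {a: 1}]
    real_hash: probe { target(**real) },
    # Non-Hash values: TypeError (no implicit conversion into Hash), not a crash
    integer: probe { target(**int) },
    symbol: probe { target(**sym) },
    # The backtrace in this report runs through vm_call_method_missing, i.e.
    # the receiver had no such method, so cover that path as well. Which
    # exception wins (TypeError vs NoMethodError) depends on the version;
    # the point is that it is an exception at all.
    missing_method_integer: probe { no_such_method_for_this_example(**int) },
  }
end

if __FILE__ == $0
  kw_splat_cases.each { |name, result| puts "#{name}: #{result.inspect}" }
end
```

Running the script prints one line per case; any case that shows a segfault instead of a result reproduces the bug, which is what makes this usable as a backport check for ruby_2_7.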

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

  • Is duplicate of Bug #16603: Passing number or symbol to kwargs splat causes segmentation fault added

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

I have just found that a similar test case was added in https://bugs.ruby-lang.org/issues/16603 and backporting 11963da9e8e98821860fbb0c0f2adc118860c814 fixes this issue.

Updated by nagachika (Tomoyuki Chikanaga) over 3 years ago

  • Backport changed from 2.5: DONTNEED, 2.6: DONTNEED, 2.7: REQUIRED to 2.5: DONTNEED, 2.6: DONTNEED, 2.7: DONE

ruby_2_7 e778de2c82478dda930cfc8d795ed4e0e60ea775 merged revision(s) 11963da9e8e98821860fbb0c0f2adc118860c814.
