Bug #21832: segfault with argument forwarding, when combined with splat & positional arg

Added by inopinatus (Joshua GOODALL) about 5 hours ago. Updated about 2 hours ago.

Status: Open
Target version: -
ruby -v: ruby 4.1.0dev (2026-01-11T15:46:56Z master 61c372a1b7) +PRISM [arm64-darwin24]
[ruby-core:124475]

Description

A crash occurs when combining (...) arg forwarding, a positional argument, and an array splat. Found with 4.0.0 release, verified on 3.4.8 and 4.1.0dev, does not occur on 3.3.10. One-line crash test:

./ruby -e 'def target(*args) = args; def x = [1]; def forwarder(...); target(*x, 2, ...); end; forwarder(3)'

test builds were:

  • Ruby 4.1.0dev w/clang-1700.6.3.2 on arm64 (macOS Sequoia 15.7.1)
  • Ruby 3.4.8 w/gcc 13.3.0 on x86_64 (Ubuntu 24.04 LTS)

longer test case:

class Test
  def stdargs
    %w(--verbose)
  end

  def func(*args)
    puts "args: #{args.inspect}"
  end

  def test1(...)
    func("abc", ...)
  end

  def test2(...)
    func(stdargs, "abc", ...)
  end

  def test3(...)
    func(*stdargs, "abc")
  end

  def test4(...)
    func(*stdargs, ...)
  end

  def test5(...)
    func(*stdargs, "abc", ...)
  end
end

o = Test.new

o.test1("T1") #=> args: ["abc", "T1"]
o.test2("T2") #=> args: [["foo"], "abc", "T2"]
o.test3("T3") #=> args: ["foo", "abc"]
o.test4("T4") #=> args: ["foo", "T4"]
o.test5("T5") #=> Expected: ["foo", "abc", "T5"]  Actual: crash

Crash output:

[505] (master) joshua@coltrane:~/src/ruby-src$ ./ruby crash.rb 
`RubyGems' were not loaded.
`error_highlight' was not loaded.
`did_you_mean' was not loaded.
`syntax_suggest' was not loaded.
args: ["abc", "T1"]
args: [["--verbose"], "abc", "T2"]
args: ["--verbose", "abc"]
args: ["--verbose", "T4"]
crash.rb:28: [BUG] Segmentation fault at 0x0000000000000000
ruby 4.1.0dev (2026-01-11T15:46:56Z master 61c372a1b7) +PRISM [arm64-darwin24]

-- Crash Report log information --------------------------------------------
   See Crash Report log file in one of the following locations:             
     * ~/Library/Logs/DiagnosticReports                                     
     * /Library/Logs/DiagnosticReports                                      
   for more details.                                                        
Don't forget to include the above Crash Report log file in bug reports.     

-- Control frame information -----------------------------------------------
c:0003 p:0013 s:0017 e:000012 l:y b:0001 METHOD crash.rb:28
c:0002 p:0059 s:0007 E:002508 l:n b:---- EVAL   crash.rb:38 [FINISH]
c:0001 p:0000 s:0003 E:000010 l:y b:---- DUMMY  [FINISH]

-- Ruby level backtrace information ----------------------------------------
crash.rb:38:in '<main>'
crash.rb:28:in 'test5'

-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1

-- Machine register context ------------------------------------------------
  x0: 0x0000000160028078  x1: 0x0000000000000000  x2: 0x0000000000000010
  x3: 0x0000000160028078  x4: 0x0000000000000000  x5: 0x000000016d97a670
  x6: 0x000000016d97a648  x7: 0x000000016d97a598 x18: 0x0000000000000000
 x19: 0x0000000000000000 x20: 0x000000016d97a648 x21: 0x0000000102e9da38
 x22: 0x0000000160127f58 x23: 0x000000016d97a670 x24: 0x0000000160028078
 x25: 0x000092d100100003 x26: 0x0000000160028060 x27: 0x0000000000000001
 x28: 0x0000000000000001  lr: 0x00000001026eab50  fp: 0x000000016d97a5e0
  sp: 0x000000016d97a560

-- C level backtrace information -------------------------------------------
/Users/joshua/src/ruby-src/ruby(rb_vm_bugreport+0xbc8) [0x10271b60c] /Users/joshua/src/ruby-src/vm_dump.c:1450
/Users/joshua/src/ruby-src/ruby(rb_vm_bugreport) (null):0
/Users/joshua/src/ruby-src/ruby(rb_bug_for_fatal_signal+0x10c) [0x10254092c] /Users/joshua/src/ruby-src/error.c:1131
/Users/joshua/src/ruby-src/ruby(sigsegv+0x90) [0x102671e70] /Users/joshua/src/ruby-src/signal.c:948
/usr/lib/system/libsystem_platform.dylib(_sigtramp+0x38) [0x196be16a4]
/Users/joshua/src/ruby-src/ruby(RB_FL_TEST_RAW+0x0) [0x1026eab50] ./include/ruby/internal/memory.h:759
/Users/joshua/src/ruby-src/ruby(RB_FL_ANY_RAW) ./include/ruby/internal/fl_type.h:466
/Users/joshua/src/ruby-src/ruby(rb_array_len) ./include/ruby/internal/core/rarray.h:259
/Users/joshua/src/ruby-src/ruby(vm_caller_setup_fwd_args) ./vm_insnhelper.c:3410
/Users/joshua/src/ruby-src/ruby(vm_exec_core+0x12f0) [0x1026ed304] /Users/joshua/src/ruby-src/insns.def:877
/Users/joshua/src/ruby-src/ruby(rb_vm_exec+0x284) [0x1026ea428] /Users/joshua/src/ruby-src/vm.c:2798
/Users/joshua/src/ruby-src/ruby(rb_ec_exec_node+0x8c) [0x10254bb84] /Users/joshua/src/ruby-src/eval.c:283
/Users/joshua/src/ruby-src/ruby(ruby_run_node+0x4c) [0x10254baa4] /Users/joshua/src/ruby-src/eval.c:321
/Users/joshua/src/ruby-src/ruby(rb_main+0x1c) [0x102484980] ./main.c:42
/Users/joshua/src/ruby-src/ruby(main) ./main.c:62

Updated by inopinatus (Joshua GOODALL) about 5 hours ago Actions #1 [ruby-core:124476]

please ignore where the longer test case comment says "foo" instead of "--verbose" ;-)

Updated by jeremyevans0 (Jeremy Evans) about 2 hours ago Actions #2 [ruby-core:124477]

  • Assignee set to tenderlovemaking (Aaron Patterson)
  • Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN, 4.0: UNKNOWN to 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED, 4.0: REQUIRED

Very likely related to the VM_CALL_FORWARDING optimization introduced in cdf33ed5f37f9649c482c3ba1d245f0d80ac01ce.
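
A probe for checking which installed interpreters are affected, added here as an example and not code from the reporter or the Ruby project. It runs the report's one-line reproducer (with a `p` added so a healthy build prints the forwarded arguments) in a child interpreter, so the segfault cannot take down the calling process; the names `REPRO`, `EXPECTED`, `classify` and `probe` are assumptions of this example.

```ruby
require "open3"
require "rbconfig"

# Child program: the report's one-line reproducer, with `p` added so a
# healthy interpreter prints the forwarded argument list.
REPRO = 'def target(*args) = args; def x = [1]; ' \
        'def forwarder(...); target(*x, 2, ...); end; p forwarder(3)'
EXPECTED = "[1, 2, 3]"

# Pure classification of a finished child process, kept separate from the
# spawn so it can be checked without crashing anything.
def classify(signaled:, success:, stdout:, stderr:)
  # A segfaulting Ruby prints a "[BUG]" report and aborts on a signal.
  return :crash if signaled || stderr.include?("[BUG]")
  # Non-zero exit without a crash, e.g. SyntaxError on Rubies that do not
  # accept leading arguments before `...`.
  return :unsupported unless success
  stdout.strip == EXPECTED ? :ok : :wrong_result
end

# Run the reproducer in a separate interpreter. `ruby` defaults to the
# interpreter running this script; pass another path to test that build.
def probe(ruby = RbConfig.ruby)
  out, err, status = Open3.capture3(ruby, "-e", REPRO)
  classify(signaled: status.signaled?, success: status.success?,
           stdout: out, stderr: err)
end

if __FILE__ == $PROGRAM_NAME
  rubies = ARGV.empty? ? [RbConfig.ruby] : ARGV
  rubies.each { |r| puts "#{r}: #{probe(r)}" }
end
```

Pass interpreter paths as arguments to compare builds side by side; with no arguments it probes the interpreter running the script.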