https://bugs.ruby-lang.org/https://bugs.ruby-lang.org/favicon.ico?17113305112011-01-29T09:13:13ZRuby Issue Tracking SystemBackport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=155852011-01-29T09:13:13Zrhythmx (Sean Bradly)rhythmx@gmail.com
<ul></ul><p>=begin<br>
Including a gdb trace. This issue happens in the mark_load_arg function when st_foreach encounters a corrupt bin ptr. I have seen similar failures occur in marshal_dump_arg. Also, <em>very</em> rarely the st_table_entry list of one of the bins will become circularly linked, causing an infinite loop.</p>
<p>Program received signal SIGSEGV, Segmentation fault.<br>
0x001c86b6 in st_foreach (table=0x3cb3c0, func=0x178f40 <mark_entry>, arg=0) at st.c:486<br>
486 for(ptr = table->bins[i]; ptr != 0;) {<br>
(gdb) bt<br>
#0 0x001c86b6 in st_foreach (table=0x3cb3c0, func=0x178f40 <mark_entry>, arg=0) at st.c:486<br>
#1 0x001786c3 in mark_tbl (tbl=0x0) at gc.c:716<br>
#2 rb_mark_tbl (tbl=0x0) at gc.c:723<br>
#3 0x00189c04 in mark_load_arg (ptr=0xbfffca3c) at marshal.c:841<br>
#4 0x00178d7e in gc_mark_children (ptr=3086829960, lev=1) at gc.c:1025<br>
#5 0x00178a71 in mark_locations_array (x=, n=) at gc.c:684<br>
#6 0x00157b95 in thread_mark (th=0x8087300) at eval.c:10466<br>
#7 0x00178d7e in gc_mark_children (ptr=3086830120, lev=3) at gc.c:1025<br>
#8 0x00178d06 in gc_mark_children (ptr=, lev=) at gc.c:1006<br>
#9 0x00178e18 in gc_mark_children (ptr=, lev=) at gc.c:1057<br>
#10 0x001791de in garbage_collect () at gc.c:1465<br>
#11 0x00179be7 in rb_gc () at gc.c:1530<br>
#12 0x00179c17 in rb_gc_start () at gc.c:1547<br>
#13 0x00159a9d in call_cfunc (func=0x179c00 <rb_gc_start>, recv=3978176, len=0, argc=0, argv=0x0) at eval.c:5781<br>
#14 0x00164a09 in rb_call0 (klass=, recv=, id=5313, oid=5313, argc=0, argv=0x0, body=0xb7fd88bc, flags=) at eval.c:5928<br>
#15 0x00164baa in rb_call (klass=3086846160, recv=3086846180, mid=5313, argc=0, argv=0x0, scope=0, self=3086911820) at eval.c:6176<br>
#16 0x00161e7b in rb_eval (self=, n=) at eval.c:3506<br>
#17 0x00163404 in rb_yield_0 (val=, self=, klass=0, flags=, avalue=0) at eval.c:5095<br>
#18 0x0016e657 in rb_yield (val=3) at eval.c:5179<br>
#19 0x0018e641 in int_dotimes (num=201) at numeric.c:2960<br>
#20 0x00159a9d in call_cfunc (func=0x18e5f0 <int_dotimes>, recv=3978176, len=0, argc=0, argv=0x0) at eval.c:5781<br>
#21 0x00164a09 in rb_call0 (klass=, recv=, id=5753, oid=5753, argc=0, argv=0x0, body=0xb7fe4c5c, flags=) at eval.c:5928<br>
#22 0x00164baa in rb_call (klass=3086896500, recv=201, mid=5753, argc=0, argv=0x0, scope=0, self=3086911820) at eval.c:6176<br>
#23 0x00161e7b in rb_eval (self=, n=) at eval.c:3506<br>
#24 0x0016292e in rb_eval (self=, n=) at eval.c:3236<br>
#25 0x00163404 in rb_yield_0 (val=, self=, klass=0, flags=, avalue=2) at eval.c:5095<br>
#26 0x0016374a in rb_thread_yield (arg=3086829920, th=0x8087658) at eval.c:12553<br>
#27 0x0016c2f9 in rb_thread_start_0 (fn=, arg=, th=0x8087658) at eval.c:12471<br>
#28 0x00159ade in call_cfunc (func=0x16c420 <rb_thread_initialize>, recv=3978176, len=-2, argc=0, argv=0x0) at eval.c:5775<br>
#29 0x00164a09 in rb_call0 (klass=, recv=, id=2961, oid=2961, argc=0, argv=0x0, body=0xb7fe59b8, flags=) at eval.c:5928<br>
#30 0x00164baa in rb_call (klass=3086899740, recv=3086829940, mid=2961, argc=0, argv=0x0, scope=1, self=6) at eval.c:6176<br>
#31 0x00165459 in rb_funcall2 (recv=3978176, mid=2961, argc=0, argv=0x0) at eval.c:6312<br>
#32 0x001654f7 in rb_obj_call_init (obj=3086829940, argc=0, argv=0x0) at eval.c:7825<br>
#33 0x00165552 in rb_thread_s_new (argc=0, argv=0x0, klass=3086899740) at eval.c:12584<br>
#34 0x00159ab8 in call_cfunc (func=0x165510 <rb_thread_s_new>, recv=3978176, len=-1, argc=0, argv=0x0) at eval.c:5778<br>
#35 0x00164a09 in rb_call0 (klass=, recv=, id=3361, oid=3361, argc=0, argv=0x0, body=0xb7fe59e0, flags=) at eval.c:5928<br>
#36 0x00164baa in rb_call (klass=3086899720, recv=3086899740, mid=3361, argc=0, argv=0x0, scope=0, self=3086911820) at eval.c:6176<br>
#37 0x00161e7b in rb_eval (self=, n=) at eval.c:3506<br>
#38 0x0016292e in rb_eval (self=, n=) at eval.c:3236<br>
#39 0x0015f659 in rb_eval (self=, n=) at eval.c:3501<br>
#40 0x00170d66 in ruby_exec_internal () at eval.c:1654<br>
#41 0x00170db2 in ruby_exec () at eval.c:1674<br>
#42 0x00170df5 in ruby_run () at eval.c:1684<br>
#43 0x0804869d in main (argc=2, argv=0xbfffed24, envp=0xbfffed30) at main.c:48</p>
<p>=end</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=155932011-01-29T12:37:56Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul><li><strong>Category</strong> set to <i>core</i></li><li><strong>Status</strong> changed from <i>Open</i> to <i>Assigned</i></li><li><strong>Assignee</strong> set to <i>shyouhei (Shyouhei Urabe)</i></li></ul><p>=begin</p>
<p>=end</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=156312011-02-01T08:56:45Zrhythmx (Sean Bradly)rhythmx@gmail.com
<ul><li><strong>File</strong> <a href="/attachments/1458">ruby-1.8.7-trac22417.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/1458/ruby-1.8.7-trac22417.patch">ruby-1.8.7-trac22417.patch</a> added</li></ul><p>=begin<br>
Fwiw, this resolves the issue for me. The general problem is that "struct load_arg arg" is on the stack AND wrapped by an RData. When GC starts, the RData refers to arg (a stack pointer) but the current (GC) thread's stack has clobbered this address. My fix simply switches arg to be dynamically allocated, and the same for mark_dump_arg. However, it appears this will leak a small amount of memory if Marshal throws an exception. This seems ok for my application, so I'm not going to look into it any more.<br>
=end</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=156582011-02-03T11:03:30Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul></ul><p>=begin<br>
r25230 has fixed this bug in trunk and 1.8.<br>
=end</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=171162011-05-21T06:35:56Zshyouhei (Shyouhei Urabe)shyouhei@ruby-lang.org
<ul><li><strong>Assignee</strong> changed from <i>shyouhei (Shyouhei Urabe)</i> to <i>nobu (Nobuyoshi Nakada)</i></li></ul><p>... and r25230 has a bug. cf: <a class="issue tracker-1 status-5 priority-4 priority-default closed" title="Bug: r25230 causes SEGV arround Marshal (Closed)" href="https://bugs.ruby-lang.org/issues/2386">#2386</a></p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=171172011-05-21T06:53:10Zshyouhei (Shyouhei Urabe)shyouhei@ruby-lang.org
<ul></ul><p>Also, <a href="/issues/2385">[ruby-dev:39723]</a></p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=220402011-11-09T17:15:10Zvo.x (Vit Ondruch)v.ondruch@tiscali.cz
<ul></ul><p>Hi Shyouhei,</p>
<p>Could you please translate for me what is wrong with this patch? I'd like to apply this patch for Ruby in RHEL 6, since it fixes one bug we are facing when using mcollective.</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=220472011-11-10T00:13:39Zshyouhei (Shyouhei Urabe)shyouhei@ruby-lang.org
<ul><li><strong>Assignee</strong> changed from <i>nobu (Nobuyoshi Nakada)</i> to <i>shyouhei (Shyouhei Urabe)</i></li></ul><p>It's a rather simple story. Instead of applying the proposed patch, Nobu wrote something different (against trunk) on his own and told me to backport that. But I found Nobu's introduced a test failure. That's all.</p>
<p>So we had not taken a close look at the patch attached here (I read this one then, but didn't evaluate it). Sorry. I tested it today and it seems OK. If you plan to fix this issue, use the one attached here instead of applying Nobu's. I'll also apply this in the next patchlevel.</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=220492011-11-10T00:43:08Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul></ul><p>This patch seems to leak memory if an exception is raised during dump/load.<br>
You should use Data_Make_Struct() with dfree -1, I guess.</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=220512011-11-10T01:23:33Zkosaki (Motohiro KOSAKI)kosaki.motohiro@gmail.com
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Feedback</i></li></ul><p>Vit, please send us an updated patch.</p>
<p>thank you.</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=222312011-11-15T23:16:37Zvo.x (Vit Ondruch)v.ondruch@tiscali.cz
<ul><li><strong>File</strong> <a href="/attachments/2243">ruby-1.8.7-marshal.patch</a> <a class="icon-only icon-download" title="Download" href="/attachments/download/2243/ruby-1.8.7-marshal.patch">ruby-1.8.7-marshal.patch</a> added</li></ul><p>Hi,</p>
<p>Could you please review the attached patch? It is basically a backport of the upstream marshal.c, i.e. it contains slightly more stuff than just r25230. "make test-all" passes as well as the original reproducer. Please apply this patch to 1.8</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=233832012-01-21T00:41:43Zvo.x (Vit Ondruch)v.ondruch@tiscali.cz
<ul></ul><p>Bump.</p>
<p>Can somebody take a look at the ruby-1.8.7-marshal.patch patch, please?</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=234892012-02-01T17:22:50Zmeyering (Jim Meyering)jim@meyering.net
<ul></ul><p>Hello,<br>
I encountered this bug on RHEL-6's ruby-1.8.7.299 and with .352 and<br>
reported it against RHEL-6 via <a href="http://bugzilla.redhat.com/781561" class="external">http://bugzilla.redhat.com/781561</a><br>
Applying the patch,<br>
<a href="http://bugs.ruby-lang.org/attachments/2243/ruby-1.8.7-marshal.patch" class="external">http://bugs.ruby-lang.org/attachments/2243/ruby-1.8.7-marshal.patch</a><br>
solved our problem nicely. Please consider it for upstream ruby 1.8.7.</p>
<p>The reproducer, <a href="http://bugs.ruby-lang.org/attachments/1446/REPRO4.rb" class="external">http://bugs.ruby-lang.org/attachments/1446/REPRO4.rb</a><br>
also triggers a segmentation fault with Fedora 16's ruby:</p>
<pre><code>$ ruby /t/REPRO4.rb
/t/REPRO4.rb:35: [BUG] Segmentation fault
ruby 1.8.7 (2011-12-28 patchlevel 357) [x86_64-linux]
zsh: abort (core dumped) ruby /t/REPRO4.rb
</code></pre> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=242592012-03-02T10:48:09Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul><li><strong>Tracker</strong> changed from <i>Backport</i> to <i>Bug</i></li><li><strong>Project</strong> changed from <i>Backport187</i> to <i>Ruby 1.8</i></li><li><strong>Category</strong> changed from <i>core</i> to <i>core</i></li></ul> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=242612012-03-02T10:53:18Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Closed</i></li><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>This issue was solved with changeset r34866.<br>
Sean, thank you for reporting this issue.<br>
Your contribution to Ruby is greatly appreciated.<br>
May Ruby be with you.</p>
<hr>
<ul>
<li>marshal.c (mark_dump_arg): mark destination string. patch by<br>
Vit Ondruch. [Bug <a class="issue tracker-4 status-5 priority-4 priority-default closed" title="Backport: Segmentation fault during Marshal.load (Closed)" href="https://bugs.ruby-lang.org/issues/4339">#4339</a>]</li>
<li>marshal.c (clear_dump_arg, clear_load_arg): clean up also data<br>
tables as same as symbols tables.</li>
</ul> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=242632012-03-02T12:04:16Znobu (Nobuyoshi Nakada)nobu@ruby-lang.org
<ul><li><strong>Tracker</strong> changed from <i>Bug</i> to <i>Backport</i></li><li><strong>Project</strong> changed from <i>Ruby 1.8</i> to <i>Backport187</i></li><li><strong>Category</strong> changed from <i>core</i> to <i>core</i></li></ul> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=242652012-03-02T14:58:23Zvo.x (Vit Ondruch)v.ondruch@tiscali.cz
<ul></ul><p>Thank you for accepting the patch.</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=242662012-03-02T15:02:31Zvo.x (Vit Ondruch)v.ondruch@tiscali.cz
<ul></ul><p>BTW shouldn't it go into ruby-187 branch instead of ruby_1_8?</p> Backport187 - Backport #4339: Segmentation fault during Marshal.loadhttps://bugs.ruby-lang.org/issues/4339?journal_id=242672012-03-02T15:12:09Zmarcandre (Marc-Andre Lafortune)marcandre-ruby-core@marc-andre.ca
<ul></ul><p>Hi,</p>
<p>Vit Ondruch wrote:</p>
<blockquote>
<p>BTW shouldn't it go into ruby-187 branch instead of ruby_1_8?</p>
</blockquote>
<p>Nobu applied it also to -187 as r34867</p>
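<p>The ownership pattern discussed in this thread (a heap-allocated <code>load_arg</code> whose release is delegated to the collector through a free callback, which is what the <code>Data_Make_Struct()</code> with dfree -1 suggestion amounts to), as an added toy model in C. It is not code from Ruby or from either attached patch; <code>struct wrapper</code>, <code>toy_mark</code>, <code>toy_sweep</code> and the other names are hypothetical stand-ins, and <code>longjmp</code> stands in for a raised exception.</p>

```c
#include <setjmp.h>
#include <stdlib.h>

/* Toy stand-ins (assumptions): not Ruby's real types or C API. */
struct load_arg { int symbols; };       /* per-call Marshal state */
struct wrapper {                        /* plays the role of an RData object */
    void *data;
    void (*dmark)(void *);
    void (*dfree)(void *);
    int reachable;
};

static struct wrapper w;                /* static: stays defined across longjmp */
static jmp_buf on_error;
static int marked, frees;

static void mark_arg(void *p) { marked += ((struct load_arg *)p)->symbols; }
static void free_arg(void *p) { free(p); frees++; }

/* Mark phase: the collector calls dmark on whatever data points at. */
static void toy_mark(struct wrapper *o) { if (o->data) o->dmark(o->data); }

/* Sweep phase: an unreachable wrapper releases its payload via dfree. */
static void toy_sweep(struct wrapper *o) {
    if (!o->reachable && o->data) { o->dfree(o->data); o->data = NULL; }
}

/* Payload is on the heap and owned by the wrapper, so it outlives this frame. */
static void load_and_raise(void) {
    struct load_arg *arg = calloc(1, sizeof *arg);
    if (!arg) abort();
    arg->symbols = 3;
    w.data = arg; w.dmark = mark_arg; w.dfree = free_arg; w.reachable = 1;
    longjmp(on_error, 1);               /* simulated raise: no cleanup runs */
}

/* Returns 1 when marking after the raise reads valid memory and the payload
 * is freed exactly once at sweep (no dangling pointer, no leak). */
int run_demo(void) {
    w = (struct wrapper){0};
    marked = frees = 0;
    if (setjmp(on_error) == 0) load_and_raise();
    toy_mark(&w);                       /* GC while the wrapper is still live */
    w.reachable = 0;                    /* wrapper becomes garbage */
    toy_sweep(&w); toy_sweep(&w);       /* second sweep must be a no-op */
    return marked == 3 && frees == 1 && w.data == NULL;
}
int main(void) { return run_demo() ? 0 : 1; }
```

<p>With a stack-allocated payload, <code>w.data</code> would point into the abandoned frame of <code>load_and_raise</code> at the time <code>toy_mark</code> runs, which is the dangling pointer described for <code>mark_load_arg</code> above.</p>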