
Bug #13742

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

After some fuzz testing I found a crashing test case.

To reproduce: `miniruby ruby_sigsegv_parser_yyerror`

Valgrind Context:

 ``` 
 ==20061== Memcheck, a memory error detector 
 ==20061== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al. 
 ==20061== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info 
 ==20061== Command: ruby/miniruby id5_min 
 ==20061==  
 ==20061== Warning: client switching stacks?    SP change: 0x1ffefffd60 --> 0x1ffe8020e0 
 ==20061==            to suppress, use: --max-stackframe=8379520 or greater 
 ==20061== Invalid write of size 1 
 ==20061==      at 0x2E2BF5: reserve_stack (thread_pthread.c:722) 
 ==20061==      by 0x2EA057: ruby_init_stack (thread_pthread.c:757) 
 ==20061==      by 0x12CAD4: main (main.c:40) 
 ==20061==    Address 0x1ffe8020e0 is on thread 1's stack 
 ==20061==    in frame #0, created by reserve_stack (thread_pthread.c:677) 
 ==20061==  
 ==20061== Warning: client switching stacks?    SP change: 0x1ffe8020e0 --> 0x1ffefffe80 
 ==20061==            to suppress, use: --max-stackframe=8379808 or greater 
 ruby/miniruby: warning: failed to load encoding (Windows-31J); use ASCII-8BIT instead 
 ruby/miniruby: warning: failed to load encoding (Windows-31J); use ASCII-8BIT instead 
 ruby_sigsegv_parser_yyerror: invalid Unicode escape 
 000000000000000000000000 
 ^~~~~~~~~~~~~~~~~~~~~~~~ 
 ==20061== Invalid read of size 1 
 ==20061==      at 0x22DC98: parser_yyerror (parse.y:5076) 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==    Address 0x5f27fd8 is 0 bytes after a block of size 16,344 alloc'd 
 ==20061==      at 0x4C2E256: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 
 ==20061==      by 0x4C2E371: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) 
 ==20061==      by 0x1CC803: aligned_malloc (gc.c:7714) 
 ==20061==      by 0x1CC803: heap_page_allocate (gc.c:1527) 
 ==20061==      by 0x1CC803: heap_page_create (gc.c:1631) 
 ==20061==      by 0x1CC803: heap_assign_page (gc.c:1653) 
 ==20061==      by 0x1CC803: heap_add_pages (gc.c:1666) 
 ==20061==      by 0x1CC803: Init_heap (gc.c:2387) 
 ==20061==      by 0x1B1ED4: ruby_setup (eval.c:55) 
 ==20061==      by 0x1B1FA8: ruby_init (eval.c:76) 
 ==20061==      by 0x12CAD9: main (main.c:41) 
 ==20061==  
 ==20061== Invalid write of size 1 
 ==20061==      at 0x22DCA3: parser_yyerror (parse.y:5076) 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==      by 0x202020202020201F: ??? 
 ==20061==    Address 0x1fff001000 is not stack'd, malloc'd or (recently) free'd 
 ==20061==  
 id5_min: [BUG] Segmentation fault at 0x0000001fff001000 
 ruby 2.5.0dev (2017-07-13 trunk 59320) [x86_64-linux] 

 -- Control frame information ----------------------------------------------- 
 c:0001 p:0000 s:0003 E:0021c0 (none) [FINISH] 


 -- Machine register context ------------------------------------------------ 
  RIP: 0x000000000022dca3 RBP: 0x0000001ffeffdd70 RSP: 0x0000001ffeffdce0 
  RAX: 0x0000001fff001001 RBX: 0x0000000005f26445 RCX: 0x0000000005f5bcf0 
  RDX: 0x00000000060cae10 RDI: 0x0000000005f26445 RSI: 0x0000000005f26445 
   R8: 0x000000000034bccc    R9: 0x0000000000355435 R10: 0x0000000005f26445 
  R11: 0x0000001ffeffdd80 R12: 0x0000000005f29766 R13: 0x0000000000000004 
  R14: 0x00000000060c38a0 R15: 0x0000001ffeffdce0 EFL: 0x0000000000000085 

 -- C level backtrace information ------------------------------------------- 
 ==20061== Invalid read of size 1 
 ==20061==      at 0x6217E07: x86_64_fallback_frame_state (md-unwind-support.h:58) 
 ==20061==      by 0x6217E07: uw_frame_state_for (unwind-dw2.c:1257) 
 ==20061==      by 0x62199B7: _Unwind_Backtrace (unwind.inc:290) 
 ==20061==      by 0x5B31A27: backtrace (in /usr/lib/libc-2.25.so) 
 ==20061==      by 0x33C8E2: rb_print_backtrace (vm_dump.c:671) 
 ==20061==      by 0x33C8E2: rb_vm_bugreport (vm_dump.c:941) 
 ==20061==      by 0x1A8CC0: rb_bug_context (error.c:534) 
 ==20061==      by 0x2AA7E1: sigsegv (signal.c:930) 
 ==20061==      by 0x4E4993F: ??? (in /usr/lib/libpthread-2.25.so) 
 ==20061==      by 0x22DCA2: parser_yyerror (parse.y:5075) 
 ==20061==    Address 0x2020202020202020 is not stack'd, malloc'd or (recently) free'd 
 ==20061==  
 ==20061==  
 ==20061== Process terminating with default action of signal 11 (SIGSEGV): dumping core 
 ==20061==    General Protection Fault 
 ==20061==      at 0x6217E07: x86_64_fallback_frame_state (md-unwind-support.h:58) 
 ==20061==      by 0x6217E07: uw_frame_state_for (unwind-dw2.c:1257) 
 ==20061==      by 0x62199B7: _Unwind_Backtrace (unwind.inc:290) 
 ==20061==      by 0x5B31A27: backtrace (in /usr/lib/libc-2.25.so) 
 ==20061==      by 0x33C8E2: rb_print_backtrace (vm_dump.c:671) 
 ==20061==      by 0x33C8E2: rb_vm_bugreport (vm_dump.c:941) 
 ==20061==      by 0x1A8CC0: rb_bug_context (error.c:534) 
 ==20061==      by 0x2AA7E1: sigsegv (signal.c:930) 
 ==20061==      by 0x4E4993F: ??? (in /usr/lib/libpthread-2.25.so) 
 ==20061==      by 0x22DCA2: parser_yyerror (parse.y:5075) 
 ==20061==  
 ==20061== HEAP SUMMARY: 
 ==20061==       in use at exit: 2,135,207 bytes in 6,100 blocks 
 ==20061==     total heap usage: 6,531 allocs, 431 frees, 2,330,433 bytes allocated 
 ==20061==  
 ==20061== LEAK SUMMARY: 
 ==20061==      definitely lost: 8,199 bytes in 2 blocks 
 ==20061==      indirectly lost: 0 bytes in 0 blocks 
 ==20061==        possibly lost: 788,920 bytes in 5,888 blocks 
 ==20061==      still reachable: 1,338,088 bytes in 210 blocks 
 ==20061==           suppressed: 0 bytes in 0 blocks 
 ==20061== Rerun with --leak-check=full to see details of leaked memory 
 ==20061==  
 ==20061== For counts of detected and suppressed errors, rerun with: -v 
 ==20061== ERROR SUMMARY: 6033 errors from 4 contexts (suppressed: 0 from 0) 
Segmentation fault (core dumped)
```
