Issue #11674 has been updated by D.E. Akers.


Well, this is very strange indeed. The problem does start at 11 keyword arguments and continues to present all the way up to 25, but then 26 to 35 keyword arguments are all kosher, then 36 to 42 have the problem, and then it doesn't happen again until 69. I have no idea what's going on, but here's the program I used to determine these ranges:

```ruby
p 100.times.select { |n|
  vars = n.times.map { |i| :"v#{i}" }
  eval "def foo #{vars.map { |v| "#{v}: 1" } * ?,}
          local_variables
        end"
  foo != vars
}

# => [11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 36, 37, 38, 39, 40, 41, 42, 69, 70, 71, 72, 74]
```


----------------------------------------
Bug #11674: `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments
https://bugs.ruby-lang.org/issues/11674#change-54810

* Author: KJ Tsanaktsidis
* Status: Open
* Priority: Normal
* Assignee: 
* ruby -v: ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-darwin15]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
The following program appears to demonstrate a buffer overflow in `rb_f_local_variables`

~~~ruby
def with_kwargs_10(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:)
    p local_variables
end

def with_kwargs_11(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:)
    p local_variables
end

def with_kwargs_12(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:, v12:)
    p local_variables
end

def with_args_11(v1,v2,v3,v4,v5,v6,v7,v8,v9,v10,v11)
    p local_variables
end

with_kwargs_10(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10)
with_kwargs_11(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10,v11:11)
with_kwargs_12(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10,v11:11,v12:12)
with_args_11(1,2,3,4,5,6,7,8,9,10,11)
~~~

Output:

~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :!]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12, :"\""]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~

Expected output:

~~~
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12]
[:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11]
~~~

There appears to be a buffer overflow, because the symbol :"\"" is next in ASCII order to :!

I'm not familiar with the MRI interpreter internals; I spent a few hours trying to debug the problem but to no avail. It appears that in `vm_eval.c:2072`, `cfp->iseq->local_table_size` is 12 (in `with_kwargs_11`) even though there are only 11 kwargs and no other locals. However, that's as far as I got.



-- 
https://bugs.ruby-lang.org/