Issue #13755 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 2.2: DONTNEED, 2.3: DONTNEED, 2.4: REQUIRED to 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE

ruby_2_4 r59507 merged revision(s) 59374.

----------------------------------------
Bug #13755: Null pointer dereference in hash_table_index()
https://bugs.ruby-lang.org/issues/13755#change-66026

* Author: fumfel (Kamil Frankowicz)
* Status: Closed
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.5.0dev (2017-07-11 trunk 59311) [x86_64-linux]
* Backport: 2.2: DONTNEED, 2.3: DONTNEED, 2.4: DONE
----------------------------------------
After some fuzz testing I found a crashing test case.

To reproduce:

miniruby ruby_null_ptr_hash_table_index

Valgrind Context:

~~~
==945== Memcheck, a memory error detector
==945== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==945== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==945== Command: XYZ/ruby/miniruby ruby_null_ptr_hash_table_index
==945==
==945== Warning: client switching stacks?  SP change: 0xfff000160 --> 0xffe8020f0
==945==          to suppress, use: --max-stackframe=8380528 or greater
==945== Invalid write of size 1
==945==    at 0x4A9350: reserve_stack (thread_pthread.c:722)
==945==    by 0x4A921F: ruby_init_stack (thread_pthread.c:757)
==945==    by 0x12D96D: main (main.c:40)
==945==  Address 0xffe8020f0 is on thread 1's stack
==945==  in frame #0, created by reserve_stack (thread_pthread.c:677)
==945==
==945== Warning: client switching stacks?  SP change: 0xffe8020f0 --> 0xfff000280
==945==          to suppress, use: --max-stackframe=8380816 or greater
==945== Invalid read of size 4
==945==    at 0x4A7C2D: hash_table_index (id_table.c:131)
==945==    by 0x4A7C2D: rb_id_table_lookup (id_table.c:229)
==945==    by 0x52860A: lookup_method_table (vm_method.c:182)
==945==    by 0x52860A: search_method (vm_method.c:699)
==945==    by 0x52860A: method_entry_get_without_cache (vm_method.c:724)
==945==    by 0x52860A: method_entry_get (vm_method.c:788)
==945==    by 0x5288C3: rb_callable_method_entry (vm_method.c:835)
==945==    by 0x51D933: vm_search_method (vm_insnhelper.c:1296)
==945==    by 0x51D933: vm_exec_core (insns.def:1176)
==945==    by 0x53E2D3: vm_exec (vm.c:1788)
==945==    by 0x2389BC: ruby_exec_internal (eval.c:244)
==945==    by 0x2389BC: ruby_exec_node (eval.c:308)
==945==    by 0x2389BC: ruby_run_node (eval.c:300)
==945==    by 0x12D988: main (in XYZ/ruby/miniruby)
==945==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==945==
ruby_null_ptr_hash_table_index:1: [BUG] Segmentation fault at 0x0000000000000000
ruby 2.5.0dev (2017-07-11 trunk 59311) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0002 p:0037 s:0008 E:000e18 EVAL   ruby_null_ptr_hash_table_index:1 [FINISH]
c:0001 p:0000 s:0003 E:000440 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
ruby_null_ptr_hash_table_index:1:in `<main>'

-- Machine register context ------------------------------------------------
 RIP: 0x00000000004a7c2d RBP: 0x0000000000b9647f RSP: 0x0000000ffefffc30
 RAX: 0x00000000000099f1 RBX: 0x00000000008419e0 RCX: 0x00000000008522f0
 RDX: 0x0000000ffefffc70 RDI: 0x0000000000000000 RSI: 0x000000000000002f
  R8: 0x00000000008419e0  R9: 0xfffffffffffffffc R10: 0x000000000000002f
 R11: 0xfffffffffffffffc R12: 0xfffffffffffffffc R13: 0x0000000ffefffc70
 R14: 0x0000000000000000 R15: 0x0000000005cb2280 EFL: 0x0000000000000004

-- C level backtrace information -------------------------------------------
XYZ/ruby/miniruby(rb_vm_bugreport+0x2b7) [0x5673c7] vm_dump.c:671
XYZ/ruby/miniruby(rb_bug_context+0x2e6) [0x227246] error.c:534
XYZ/ruby/miniruby(sigsegv+0x6e) [0x42a9ee] signal.c:930
/lib/x86_64-linux-gnu/libpthread.so.0 [0x4e4b390]
XYZ/ruby/miniruby(rb_id_table_lookup+0x3d) [0x4a7c2d] ./symbol.h:60
XYZ/ruby/miniruby(method_entry_get+0x1ab) [0x52860b] ./vm_method.c:182
XYZ/ruby/miniruby(rb_callable_method_entry+0x44) [0x5288c4] ./vm_method.c:835
XYZ/ruby/miniruby(vm_exec_core+0xf894) [0x51d934] ./vm_insnhelper.c:1296
XYZ/ruby/miniruby(vm_exec+0x194) [0x53e2d4] vm.c:1788
XYZ/ruby/miniruby(ruby_run_node+0x27d) [0x2389bd] eval.c:244
XYZ/ruby/miniruby(main+0x89) [0x12d989] ./main.c:42

-- Other runtime information -----------------------------------------------
* Loaded script: ruby_null_ptr_hash_table_index

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so

* Process memory map:

00108000-0063b000 r-xp 00000000 fc:00 530955 XYZ/ruby/miniruby
0083b000-00841000 r--p 00533000 fc:00 530955 XYZ/ruby/miniruby
00841000-00842000 rw-p 00539000 fc:00 530955 XYZ/ruby/miniruby
00842000-00863000 rw-p 00000000 00:00 0
04000000-04026000 r-xp 00000000 fc:00 415243 /lib/x86_64-linux-gnu/ld-2.23.so
04026000-04028000 rw-p 00000000 00:00 0
04028000-04029000 ---p 00000000 00:00 0
04029000-0402c000 rw-p 00000000 00:00 0
0402f000-04033000 rw-p 00000000 00:00 0
04033000-04055000 r--s 00000000 fc:00 415248 /lib/x86_64-linux-gnu/libpthread-2.23.so
04055000-0421e000 r--s 00000000 fc:00 415265 /lib/x86_64-linux-gnu/libc-2.23.so
04225000-04226000 r--p 00025000 fc:00 415243 /lib/x86_64-linux-gnu/ld-2.23.so
04226000-04227000 rw-p 00026000 fc:00 415243 /lib/x86_64-linux-gnu/ld-2.23.so
04227000-04228000 rw-p 00000000 00:00 0
04228000-04229000 rwxp 00000000 00:00 0
04a28000-04a29000 r-xp 00000000 fc:00 45562 /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04a29000-04c28000 ---p 00001000 fc:00 45562 /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04c28000-04c29000 r--p 00000000 fc:00 45562 /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04c29000-04c2a000 rw-p 00001000 fc:00 45562 /usr/lib/valgrind/vgpreload_core-amd64-linux.so
04c2a000-04c39000 r-xp 00000000 fc:00 45533 /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04c39000-04e38000 ---p 0000f000 fc:00 45533 /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e38000-04e39000 r--p 0000e000 fc:00 45533 /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e39000-04e3a000 rw-p 0000f000 fc:00 45533 /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so
04e3a000-04e52000 r-xp 00000000 fc:00 415248 /lib/x86_64-linux-gnu/libpthread-2.23.so
04e52000-05051000 ---p 00018000 fc:00 415248 /lib/x86_64-linux-gnu/libpthread-2.23.so
05051000-05052000 r--p 00017000 fc:00 415248 /lib/x86_64-linux-gnu/libpthread-2.23.so
05052000-05053000 rw-p 00018000 fc:00 415248 /lib/x86_64-linux-gnu/libpthread-2.23.so
05053000-05057000 rw-p 00000000 00:00 0
05057000-0505a000 r-xp 00000000 fc:00 415254 /lib/x86_64-linux-gnu/libdl-2.23.so
0505a000-05259000 ---p 00003000 fc:00 415254 /lib/x86_64-linux-gnu/libdl-2.23.so
05259000-0525a000 r--p 00002000 fc:00 415254 /lib/x86_64-linux-gnu/libdl-2.23.so
0525a000-0525b000 rw-p 00003000 fc:00 415254 /lib/x86_64-linux-gnu/libdl-2.23.so
0525b000-05264000 r-xp 00000000 fc:00 415247 /lib/x86_64-linux-gnu/libcrypt-2.23.so
05264000-05463000 ---p 00009000 fc:00 415247 /lib/x86_64-linux-gnu/libcrypt-2.23.so
05463000-05464000 r--p 00008000 fc:00 415247 /lib/x86_64-linux-gnu/libcrypt-2.23.so
05464000-05465000 rw-p 00009000 fc:00 415247 /lib/x86_64-linux-gnu/libcrypt-2.23.so
05465000-05493000 rw-p 00000000 00:00 0
05493000-0559b000 r-xp 00000000 fc:00 415260 /lib/x86_64-linux-gnu/libm-2.23.so
0559b000-0579a000 ---p 00108000 fc:00 415260 /lib/x86_64-linux-gnu/libm-2.23.so
0579a000-0579b000 r--p 00107000 fc:00 415260 /lib/x86_64-linux-gnu/libm-2.23.so
0579b000-0579c000 rw-p 00108000 fc:00 415260 /lib/x86_64-linux-gnu/libm-2.23.so
0579c000-0595c000 r-xp 00000000 fc:00 415265 /lib/x86_64-linux-gnu/libc-2.23.so
0595c000-05b5c000 ---p 001c0000 fc:00 415265 /lib/x86_64-linux-gnu/libc-2.23.so
05b5c000-05b60000 r--p 001c0000 fc:00 415265 /lib/x86_64-linux-gnu/libc-2.23.so
05b60000-05b62000 rw-p 001c4000 fc:00 415265 /lib/x86_64-linux-gnu/libc-2.23.so
05b62000-05b66000 rw-p 00000000 00:00 0
05b66000-05f66000 rwxp 00000000 00:00 0
05f66000-0623e000 r--p 00000000 fc:00 15064 /usr/lib/locale/locale-archive
0623e000-06254000 r-xp 00000000 fc:00 392981 /lib/x86_64-linux-gnu/libgcc_s.so.1
06254000-06453000 ---p 00016000 fc:00 392981 /lib/x86_64-linux-gnu/libgcc_s.so.1
06453000-06454000 rw-p 00015000 fc:00 392981 /lib/x86_64-linux-gnu/libgcc_s.so.1
06454000-070bc000 r--s 00000000 fc:00 530955 XYZ/ruby/miniruby
38000000-3821f000 r-xp 00000000 fc:00 45619 /usr/lib/valgrind/memcheck-amd64-linux
3841f000-38422000 rw-p 0021f000 fc:00 45619 /usr/lib/valgrind/memcheck-amd64-linux
38422000-395d8000 rw-p 00000000 00:00 0
802001000-802ab4000 rwxp 00000000 00:00 0
802ab4000-802ab5000 rw-s 00000000 fc:00 14022 /tmp/vgdb-pipe-shared-mem-vgdb-945-by-root-on-???
802ab5000-802b79000 rwxp 00000000 00:00 0
802b7c000-802eb0000 rwxp 00000000 00:00 0
802eb2000-802ec2000 rwxp 00000000 00:00 0
802eea000-802f32000 rwxp 00000000 00:00 0
802f71000-8031a1000 rwxp 00000000 00:00 0
8031a1000-8031a3000 ---p 00000000 00:00 0
8031a3000-8032a3000 rwxp 00000000 00:00 0
8032a3000-8032a5000 ---p 00000000 00:00 0
8032a5000-8033a5000 rwxp 00000000 00:00 0
80345a000-8056d9000 rwxp 00000000 00:00 0
8057d9000-8058d9000 rwxp 00000000 00:00 0
8058d9000-8058db000 ---p 00000000 00:00 0
8058db000-8059db000 rwxp 00000000 00:00 0
8059db000-8059dd000 ---p 00000000 00:00 0
805ad9000-805dd9000 rwxp 00000000 00:00 0
8060ce000-8066f2000 rwxp 00000000 00:00 0
ffe802000-fff001000 rw-p 00000000 00:00 0
7ffe3c35d000-7ffe3c37e000 rw-p 00000000 00:00 0 [stack]
7ffe3c3f6000-7ffe3c3f8000 r--p 00000000 00:00 0 [vvar]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

==945==
==945== Process terminating with default action of signal 6 (SIGABRT)
==945==    at 0x57D1428: raise (raise.c:54)
==945==    by 0x57D3029: abort (abort.c:89)
==945==    by 0x22730C: die (error.c:506)
==945==    by 0x22730C: rb_bug_context (error.c:536)
==945==    by 0x42A9ED: sigsegv (signal.c:930)
==945==    by 0x4E4B38F: ??? (in /lib/x86_64-linux-gnu/libpthread-2.23.so)
==945==    by 0x4A7C2C: rb_id_to_serial (symbol.h:60)
==945==    by 0x4A7C2C: id2key (id_table.c:25)
==945==    by 0x4A7C2C: rb_id_table_lookup (id_table.c:228)
==945==
==945== HEAP SUMMARY:
==945==     in use at exit: 2,132,137 bytes in 6,161 blocks
==945==   total heap usage: 6,604 allocs, 443 frees, 2,325,597 bytes allocated
==945==
==945== LEAK SUMMARY:
==945==    definitely lost: 341 bytes in 4 blocks
==945==    indirectly lost: 2,472 bytes in 37 blocks
==945==      possibly lost: 733,266 bytes in 5,650 blocks
==945==    still reachable: 1,396,058 bytes in 470 blocks
==945==         suppressed: 0 bytes in 0 blocks
==945== Rerun with --leak-check=full to see details of leaked memory
==945==
==945== For counts of detected and suppressed errors, rerun with: -v
==945== ERROR SUMMARY: 2 errors from 2 contexts (suppressed: 0 from 0)
~~~

---Files--------------------------------
ruby_null_ptr_hash_table_index (34 Bytes)

--
https://bugs.ruby-lang.org/