Issue #15246 has been updated by bannable (Joe Truba).

nobu (Nobuyoshi Nakada) wrote:
> Maybe fixed by r65190?

Yes, looks fixed.

~~~
$ ASAN_OPTIONS=detect_leaks=0 ./ruby -v
ruby 2.6.0dev (2018-10-24 trunk 65097) [x86_64-linux]
$ ASAN_OPTIONS=detect_leaks=0 ./ruby ../repro2
../repro2:1: warning: encountered \r in middle of line, treated as a mere space
../repro2:1: warning: in a**b, b may be too big
$
~~~

It looks like most of the hangs that my fuzzer found are fixed as well, including #15237 (which was rejected).

----------------------------------------
Bug #15246: Invalid read (SEGV on indeterminate address) in id_table.c
https://bugs.ruby-lang.org/issues/15246#change-74603

* Author: bannable (Joe Truba)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.6.0dev (2018-10-16 trunk 65097) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
This one does not crash a normal ruby build, but results in ASAN SEGVing on an unknown address. Valgrind doesn't seem to catch anything other than a large amount of memory leakage with this, so this *could* be an ASAN bug.

Reproducer:

~~~
$ xxd ../repro2
00000000: 382e 2a2a 3830 3830 3030 2e2a 0d2d 3730  8.**808000.*.-70
00000010: 2e2a 302e 2a2a 3830 3030 302e 2a2a 202d  .*0.**80000.** -
00000020: 3730 2e2a 0d2d 382e 2a2a 382a 2a2d 38    70.*.-8.**8**-8
$
~~~

~~~
$ ./ruby ../repro2
../repro2:1: warning: encountered \r in middle of line, treated as a mere space
AddressSanitizer:DEADLYSIGNAL
=================================================================
==4416==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55d5503ca139 bp 0x7fff14dc8830 sp 0x7fff14dc8720 T0)
==4416==The signal is caused by a READ memory access.
==4416==Hint: address points to the zero page.
    #0 0x55d5503ca138 in hash_table_index /home/jtruba/rubies/ruby-trunk-asan/./id_table.c:131:14
    #1 0x55d5503ca138 in rb_id_table_lookup /home/jtruba/rubies/ruby-trunk-asan/./id_table.c:229
    #2 0x55d5504d214b in lookup_method_table /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:183:9
    #3 0x55d5504d214b in search_method /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:726
    #4 0x55d5504d214b in method_entry_get_without_cache /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:751
    #5 0x55d5504d214b in method_entry_get /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:815
    #6 0x55d5504dbb37 in vm_respond_to /home/jtruba/rubies/ruby-trunk-asan/./vm_method.c:1987:2
    #7 0x55d5504e4af2 in check_funcall_respond_to /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:350:12
    #8 0x55d5504e4af2 in rb_check_funcall_default /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:405
    #9 0x55d5500bee25 in do_coerce /home/jtruba/rubies/ruby-trunk-asan/numeric.c:424:17
    #10 0x55d5500cec3d in rb_num_coerce_bin /home/jtruba/rubies/ruby-trunk-asan/numeric.c:446:5
    #11 0x55d5500cec3d in fix_mul /home/jtruba/rubies/ruby-trunk-asan/numeric.c:3655
    #12 0x55d5500cec3d in rb_int_mul /home/jtruba/rubies/ruby-trunk-asan/numeric.c:3663
    #13 0x55d5504dfc0e in vm_call0_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:86:8
    #14 0x55d5504dfc0e in vm_call0_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:100
    #15 0x55d5504dfc0e in vm_call0_body /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:131
    #16 0x55d5504d876e in rb_vm_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:60:12
    #17 0x55d5504d876e in rb_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:300
    #18 0x55d5504d876e in rb_call /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:593
    #19 0x55d5504d876e in rb_funcallv /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:815
    #20 0x55d5506fd991 in f_mul /home/jtruba/rubies/ruby-trunk-asan/complex.c:118:12
    #21 0x55d5506fd991 in nucomp_expt /home/jtruba/rubies/ruby-trunk-asan/complex.c:924
    #22 0x55d5504dfc0e in vm_call0_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:86:8
    #23 0x55d5504dfc0e in vm_call0_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:100
    #24 0x55d5504dfc0e in vm_call0_body /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:131
    #25 0x55d5504d876e in rb_vm_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:60:12
    #26 0x55d5504d876e in rb_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:300
    #27 0x55d5504d876e in rb_call /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:593
    #28 0x55d5504d876e in rb_funcallv /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:815
    #29 0x55d5506fd532 in f_expt /home/jtruba/rubies/ruby-trunk-asan/complex.c:183:1
    #30 0x55d5506fd532 in nucomp_expt /home/jtruba/rubies/ruby-trunk-asan/complex.c:932
    #31 0x55d5504dfc0e in vm_call0_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:86:8
    #32 0x55d5504dfc0e in vm_call0_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:100
    #33 0x55d5504dfc0e in vm_call0_body /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:131
    #34 0x55d5504d876e in rb_vm_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:60:12
    #35 0x55d5504d876e in rb_call0 /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:300
    #36 0x55d5504d876e in rb_call /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:593
    #37 0x55d5504d876e in rb_funcallv /home/jtruba/rubies/ruby-trunk-asan/./vm_eval.c:815
    #38 0x55d5500d2194 in rb_num_coerce_bin /home/jtruba/rubies/ruby-trunk-asan/numeric.c:447:12
    #39 0x55d5500d2194 in fix_pow /home/jtruba/rubies/ruby-trunk-asan/numeric.c:4064
    #40 0x55d5500d1cdb in rb_int_pow /home/jtruba/rubies/ruby-trunk-asan/numeric.c:4072:9
    #41 0x55d55051f76f in vm_call_cfunc_with_frame /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c:1919:11
    #42 0x55d55051f76f in vm_call_cfunc /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c:1935
    #43 0x55d550518233 in vm_call_method_each_type /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c:2257:9
    #44 0x55d5505179e8 in vm_call_method /home/jtruba/rubies/ruby-trunk-asan/./vm_insnhelper.c
    #45 0x55d5504bc140 in vm_exec_core /home/jtruba/rubies/ruby-trunk-asan/insns.def:767:5
    #46 0x55d550506dd4 in rb_vm_exec /home/jtruba/rubies/ruby-trunk-asan/vm.c
    #47 0x55d54ff1b286 in ruby_exec_internal /home/jtruba/rubies/ruby-trunk-asan/eval.c:261:2
    #48 0x55d54ff1b286 in ruby_exec_node /home/jtruba/rubies/ruby-trunk-asan/eval.c:325
    #49 0x55d54ff1aca5 in ruby_run_node /home/jtruba/rubies/ruby-trunk-asan/eval.c:317:25
    #50 0x55d54ff11960 in main /home/jtruba/rubies/ruby-trunk-asan/./main.c:42:9
    #51 0x7f4383977b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287
    #52 0x55d54fe3b73b in _start (/home/jtruba/rubies/ruby-trunk-asan/ruby+0x13b73b)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/jtruba/rubies/ruby-trunk-asan/./id_table.c:131:14 in hash_table_index
==4416==ABORTING
~~~

Valgrind report:

~~~
$ valgrind --max-stackframe=9000000 ./ruby ../repro2
==60726== Memcheck, a memory error detector
==60726== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==60726== Using Valgrind-3.14.0 and LibVEX; rerun with -h for copyright info
==60726== Command: ./ruby ../repro2
==60726==
../repro2:1: warning: encountered \r in middle of line, treated as a mere space
^CTraceback (most recent call last):
	4: from ../repro2:1:in `<main>'
	3: from ../repro2:1:in `**'
	2: from ../repro2:1:in `**'
	1: from ../repro2:1:in `**'
../repro2:1:in `*': Interrupt
==60726==
==60726== Process terminating with default action of signal 2 (SIGINT)
==60726==    at 0x4E4375B: raise (pt-raise.c:37)
==60726==    by 0x3709D0: ruby_default_signal (signal.c:410)
==60726==    by 0x135EB0: ruby_cleanup (eval.c:245)
==60726==    by 0x1361EE: ruby_run_node (eval.c:317)
==60726==    by 0x130E17: main (main.c:42)
==60726==
==60726== HEAP SUMMARY:
==60726==     in use at exit: 55,764,375 bytes in 7,218 blocks
==60726==   total heap usage: 9,657 allocs, 2,439 frees, 529,210,624 bytes allocated
==60726==
==60726== LEAK SUMMARY:
==60726==    definitely lost: 2,388,027 bytes in 816 blocks
==60726==    indirectly lost: 44,497 bytes in 441 blocks
==60726==      possibly lost: 53,114,719 bytes in 5,160 blocks
==60726==    still reachable: 217,132 bytes in 801 blocks
==60726==         suppressed: 0 bytes in 0 blocks
==60726== Rerun with --leak-check=full to see details of leaked memory
==60726==
==60726== For counts of detected and suppressed errors, rerun with: -v
==60726== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
$
~~~

-- 
https://bugs.ruby-lang.org/
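The reproducer above is given only as an xxd listing because it contains a bare `\r` in the middle of the line, which does not survive copy-and-paste. The following helper is an added example, not part of the bug report or of the Ruby project: it rebuilds the exact 47 bytes from a constructed copy of that listing, shows the expression the parser sees once `\r` is treated as a space, and replays the file in a child ruby under a hard deadline, since unfixed builds either crash under ASAN or spin until interrupted (as the Valgrind run shows). The target interpreter defaults to the running ruby; the `ruby_bin` argument and the `ASAN_OPTIONS` value are assumptions for illustration.

```ruby
require "rbconfig"
require "tempfile"

# Constructed copy of the xxd listing in the report (offset, hex columns, ASCII column).
REPRO_XXD = <<~'XXD'
  00000000: 382e 2a2a 3830 3830 3030 2e2a 0d2d 3730  8.**808000.*.-70
  00000010: 2e2a 302e 2a2a 3830 3030 302e 2a2a 202d  .*0.**80000.** -
  00000020: 3730 2e2a 0d2d 382e 2a2a 382a 2a2d 38    70.*.-8.**8**-8
XXD

# Turn an `xxd` listing back into the exact bytes it describes.
# Only the hex columns are used: the ASCII column is lossy (non-printables show as '.').
def xxd_to_bytes(dump)
  dump.each_line.map { |line|
    line = line.strip
    next "".b if line.empty?
    _offset, rest = line.split(":", 2)
    # xxd separates the hex columns from the ASCII column with at least two spaces
    hex = rest.split(/ {2,}/, 2).first
    [hex.delete(" ")].pack("H*")
  }.join
end

# The source as the parser sees it: the report says a bare \r inside a line is treated as a space.
def readable_source(bytes)
  bytes.tr("\r", " ")
end

# Run `ruby_bin script_path` in a child process and kill it after `seconds`.
# Returns whether it timed out and, if not, its exit status / whether a signal ended it.
def run_with_deadline(ruby_bin, script_path, seconds, env = {})
  pid = Process.spawn(env, ruby_bin, script_path, out: File::NULL, err: File::NULL)
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + seconds
  loop do
    _, status = Process.waitpid2(pid, Process::WNOHANG)
    return { timed_out: false, exitstatus: status.exitstatus, signaled: status.signaled? } if status
    if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
      Process.kill("KILL", pid)
      Process.waitpid(pid)
      return { timed_out: true, exitstatus: nil, signaled: true }
    end
    sleep 0.05
  end
end

if __FILE__ == $0
  path = ARGV.fetch(0, "repro2")
  bytes = xxd_to_bytes(REPRO_XXD)
  File.binwrite(path, bytes)
  puts "wrote #{bytes.bytesize} bytes to #{path}: #{readable_source(bytes)}"
  ruby_bin = ARGV.fetch(1, RbConfig.ruby)   # assumption: pass the ASAN build's ./ruby as ARGV[1]
  p run_with_deadline(ruby_bin, path, 10, "ASAN_OPTIONS" => "detect_leaks=0")
end
```

A `timed_out: true` result is the hang class the reporter mentions; a non-zero `exitstatus` with ASAN on stderr (redirect it somewhere other than `File::NULL` when triaging) is the crash class. Replaying every fuzzer finding through this loop separates the two without an interactive `^C`.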