From: Cezary Baginski
Date: 2009-09-03T16:29:53+09:00
Subject: [ruby-core:25314] [Bug #2035] Segfault in parser (list_concat_gen)

Bug #2035: Segfault in parser (list_concat_gen)
http://redmine.ruby-lang.org/issues/show/2035

Author: Cezary Baginski
Status: Open, Priority: Normal
Category: core, Target version: 1.9.2
ruby -v: ruby 1.9.2dev (2009-09-02 trunk 24738) [x86_64-linux]

The following code:

    a = :a; "#{a} " "#{a} " "value #{a}"

causes a segfault in list_concat_gen.

I attached a new test (patch) for this in bootstraptest/test_literal.rb.

Here is a gdb session:

    $ cat a.rb
    a = 'a'; "#{a} " "#{a} " "value #{a}"
    $ gdb --args ruby a.rb
    ------------- (snip) ---------------
    (gdb) run
    Starting program: /usr/local/bin/ruby a.rb
    ------------- (snip) ---------------
    Program received signal SIGSEGV, Segmentation fault.
    0x000000000046a099 in list_concat_gen (parser=0x92f740, head=0x81b398, tail=0x81b208) at parse.y:7785
    7785 last->nd_next = tail;
    (gdb) bt
    #0 0x000000000046a099 in list_concat_gen (parser=0x92f740, head=0x81b398, tail=0x81b208) at parse.y:7785
    #1 0x000000000046a3f1 in literal_concat_gen (parser=0x92f740, head=0x81b398, tail=0x81b208) at parse.y:7857
    #2 0x000000000045f5b5 in ruby_yyparse (parser=0x92f740) at parse.y:3770
    #3 0x000000000046202d in yycompile0 (arg=9631552, tracing=0) at parse.y:5004
    #4 0x000000000052943a in ruby_suppress_tracing (func=0x461f0b , arg=9631552, always=2) at thread.c:3862
    #5 0x00000000004621b8 in yycompile (parser=0x92f740, f=0x84f428 "a.rb", line=1) at parse.y:5030
    #6 0x0000000000462726 in rb_parser_compile_file (vparser=8701280, f=0x84f428 "a.rb", file=8500680, start=1) at parse.y:5159
    #7 0x00000000004b0436 in load_file_internal (arg=140737488342864) at ruby.c:1585
    #8 0x000000000041b7d8 in rb_ensure (b_proc=0x4afdb2 , data1=140737488342864, e_proc=0x4b04cf , data2=1) at eval.c:680
    #9 0x00000000004b054a in load_file (parser=8701280, fname=0x84f428 "a.rb", script=1, opt=0x7fffffffe080) at ruby.c:1613
    ------------- (snip) ---------------
    (gdb) inspect *head
    $1 = {flags = 47644, nd_file = 0x0, u1 = {node = 0x4, id = 4, value = 4, cfunc = 0x4, tbl = 0x4}, u2 = {node = 0x81b235, id = 8499765, argc = 8499765, value = 8499765}, u3 = {node = 0x81b370, id = 8500080, state = 8500080, entry = 0x81b370, cnt = 8500080, value = 8500080}}
    (gdb) inspect head->u3.node
    $3 = (struct RNode *) 0x81b370
    (gdb) inspect *head->u3.node
    $4 = {flags = 42780, nd_file = 0x0, u1 = {node = 0x81b410, id = 8500240, value = 8500240, cfunc = 0x81b410, tbl = 0x81b410}, u2 = {node = 0x1, id = 1, argc = 1, value = 1}, u3 = {node = 0x81b348, id = 8500040, state = 8500040, entry = 0x81b348, cnt = 8500040, value = 8500040}}
    (gdb) inspect *head->u3.node->u2.node
    Cannot access memory at address 0x1
    (gdb) inspect head->u3.node->u2.node
    $5 = (struct RNode *) 0x1
    (gdb)

----------------------------------------
http://redmine.ruby-lang.org