[ruby-core:70219] [Ruby trunk - Bug #11383] Infinite loop in str_buf_cat triggered by str_gsub

From: laurent.farcy@...
Date: 2015-08-02 23:24:38 UTC
List: ruby-core #70219
Issue #11383 has been updated by Laurent Farcy.


Nobu,

Thanks for fixing this issue.

On our side, the issue reproduced, not with the same arguments though. Anyway, I was able to get the value of *(struct RString *)str.

~~~
(gdb) display *(struct RString *)str
1: *(struct RString *)str = {basic = {flags = 4202501, klass = 30232280}, as = {heap = {len = 0, ptr = 0x0, aux = {capa = 0, shared = 0}}, ary = '\000' <repeats 23 times>}}
~~~

I wish it could be consistent with the fix you made.


----------------------------------------
Bug #11383: Infinite loop in str_buf_cat triggered by str_gsub
https://bugs.ruby-lang.org/issues/11383#change-53647

* Author: Laurent Farcy
* Status: Closed
* Priority: Normal
* Assignee: 
* ruby -v: ruby 2.2.2p95 (2015-04-13 revision 50295) [x86_64-linux]
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
I've got a Ruby program which reads some RSS/Atom feeds to load each of them into a relational database. It makes use of a modified version of SimpleRSS v1.2.

After moving to Ruby 2.2.2, I observe 100% CPU usage from time to time. Using gdb, I was able to identify the culprit: it's a call to `str_buf_cat` from `str_gsub`. Here's the section of code that loops in `string.c` (from line 2198 until line 2204).

~~~c
	while (total > capa) {
	    if (capa > LONG_MAX / 2) {
		capa = (total + 4095) / 4096 * 4096;
		break;
	    }
	    capa = 2 * capa;
	}
~~~

`capa` is equal to 0 when the while block infinitely loops. I guess it's somehow unexpected...

Unfortunately, since the VM is looping, I cannot determine the piece of 'my' code where `gsub` is used. `rb_eval`, as found in https://github.com/michaelklishin/gdb-macros-for-ruby/blob/master/gdb_macros_for_ruby, cannot work because rb_finish cannot terminate.

But I was able to dump the backtrace and all the args and locals that lead to the infinite loop.


---Files--------------------------------
bug-11383.log (22.8 KB)


-- 
https://bugs.ruby-lang.org/
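
The stall described in the report (`capa` equal to 0), as an added C example that is not part of the original message or of Ruby's source: `grow_as_reported` is the quoted loop with a step limit added so the stall is observable, and `grow_guarded` is a hypothetical guarded variant, not the fix committed for this issue. The function names and the sample sizes are assumptions.

```c
#include <limits.h>
#include <stdio.h>

/* The loop quoted in the report, plus a step limit (added here) so a stall
 * is reported instead of hanging. Returns doublings done, or -1 on stall. */
static long grow_as_reported(long capa, long total, long max_steps, long *out)
{
    long steps = 0;
    while (total > capa) {
        if (steps++ >= max_steps) return -1;  /* would spin forever */
        if (capa > LONG_MAX / 2) {
            capa = (total + 4095) / 4096 * 4096;
            break;
        }
        capa = 2 * capa;                      /* 2 * 0 == 0: no progress */
    }
    *out = capa;
    return steps;
}

/* Hypothetical guarded variant (not the committed Ruby fix): reject
 * negative sizes and seed a zero capacity so doubling makes progress. */
static int grow_guarded(long capa, long total, long *out)
{
    if (capa < 0 || total < 0) return -1;
    if (capa == 0) capa = 1;
    while (total > capa) {
        if (capa > LONG_MAX / 2) {
            if (total > LONG_MAX - 4095) return -1;  /* rounding would overflow */
            capa = (total + 4095) / 4096 * 4096;
            break;
        }
        capa = 2 * capa;
    }
    *out = capa;
    return 0;
}

int main(void)
{
    long out = 0;
    /* Constructed sizes: capa = 0 as in the report, total = 16 chosen here. */
    long r = grow_as_reported(0, 16, 1000, &out);
    printf("as reported: %s\n", r < 0 ? "no progress after 1000 steps" : "terminated");
    if (grow_guarded(0, 16, &out) == 0)
        printf("guarded: capa = %ld\n", out);
    return 0;
}
```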
