From: hanmac@... Date: 2015-11-11T06:57:45+00:00 Subject: [ruby-core:71444] [Ruby trunk - Bug #11674] `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments Issue #11674 has been updated by Hans Mackowiak. i wanted to see what symbols does appear: ~~~ruby p 200.times.map { |n| vars = n.times.map { |i| :"v#{i}" } eval "def foo #{vars.map { |v| "#{v}: 1" } * ?,} local_variables end" foo - vars } #=> [[], [], [], [], [], [], [], [], [], [], [], [:!], [:"\""], [:"#"], [:"$"], [:%], [:&], [:"'"], [:"("], [:")"], [:*], [:+], [:","], [:-], [:"."], [:/], [], [], [], [], [], [], [], [], [], [], [:":"], [:";"], [:<], [:"="], [:>], [:"?"], [:"@"], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [:"["], [:"\\"], [:"]"], [:^], [], [:`], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [], [:"{"], [:|], [:"}"], [:~], [], [:".."], [:"..."], [:+@], [:-@], [:**], [], [:<=>], [:<<], [:>>], [:<=], [:>=], [:==], [:===], [:!=], [:=~], [:!~], [:[]], [:[]=], [:"::"], [], [:"&&"], [:"||"], [:"&."], [:""], [:empty?], [:eql?], [:respond_to?], [:respond_to_missing?], [:""], [:""], [:"core#set_method_alias"], [:"core#set_variable_alias"], [:"core#undef_method"], [:"core#define_method"], [:"core#define_singleton_method"], [:"core#set_postexe"], [:"core#hash_from_ary"], [:"co re#hash_merge_ary"], [:"core#hash_merge_ptr"], [:"core#hash_merge_kwd"], [], [], [], [:freeze], [:inspect], [:intern], [:object_id], [:const_missing], [:method_missing], [:method_added], [:singleton_method_added], [:method_removed], [:singleton_method_removed], [:method_undefined], [:singleton_method_undefined], [:length], [:size], [:gets], [:succ], [:each], [:proc], [:lambda], [:send], [:__send__], [:__attached__], [:initialize], [:initialize_copy], [:initialize_clone], [:initialize_dup], [:to_int], [:to_ary], [:to_str], [:to_sym], [:to_hash], [:to_proc], [:to_io], [:to_a], [:to_s], [:to_i], [:bt], [:bt_locations], [:call], [:mesg], [:exception], [:_], [:__autoload__], [:__classpath__], [:__tmp_classpath__], [:__classid__], [:to_f], [:dig], [:BasicObject], [:Object], [:Module]] ~~~ and because they look to well-formed to be random buffer-overflow, it seems that they are coming from "defs/id.def" but i don't know why ---------------------------------------- Bug #11674: `local_variables` returns buffer-overflow garbage with methods with > 10 keyword arguments https://bugs.ruby-lang.org/issues/11674#change-54812 * Author: KJ Tsanaktsidis * Status: Open * Priority: Normal * Assignee: Koichi Sasada * ruby -v: ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-darwin15] * Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN ---------------------------------------- The following program appears to demonstrate a buffer overflow in `rb_f_local_variables` ~~~ruby def with_kwargs_10(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:) p local_variables end def with_kwargs_11(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:) p local_variables end def with_kwargs_12(v1:, v2:, v3:, v4:, v5:, v6:, v7:, v8:, v9:, v10:, v11:, v12:) p local_variables end def with_args_11(v1,v2,v3,v4,v5,v6,v7,v8,v9,v10,v11) p local_variables end with_kwargs_10(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10) with_kwargs_11(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10,v11:11) with_kwargs_12(v1:1,v2:2,v3:3,v4:4,v5:5,v6:6,v7:7,v8:8,v9:9,v10:10,v11:11,v12:12) with_args_11(1,2,3,4,5,6,7,8,9,10,11) ~~~ Output: ~~~ [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10] [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :!] [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12, :"\""] [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11] ~~~ Expected output: ~~~ [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10] [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11] [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11, :v12] [:v1, :v2, :v3, :v4, :v5, :v6, :v7, :v8, :v9, :v10, :v11] ~~~ There appears to be a buffer overflow, because the symbol :"\"" is next in ASCII order to :! I'm not familiar with the MRI interpreter internals; I spent a few hours trying to debug the problem but to no avail. It appears that in `vm_eval.c:2072`, `cfp->iseq->local_table_size` is 12 (in `with_kwargs_11`) even though there are only 11 kwargs and no other locals. However, that's as far as I got. -- https://bugs.ruby-lang.org/