From: fumfi.255@...
Date: 2017-07-13T10:20:47+00:00
Subject: [ruby-core:82029] [Ruby trunk Bug#13742] SIGSEGV in parser_yyerror()

Issue #13742 has been reported by fumfel (Kamil Frankowicz).

----------------------------------------
Bug #13742: SIGSEGV in parser_yyerror()
https://bugs.ruby-lang.org/issues/13742

* Author: fumfel (Kamil Frankowicz)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.5.0dev (2017-07-13 trunk 59320) [x86_64-linux]
* Backport: 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
After some fuzz testing I found a crashing test case.

To reproduce:

miniruby ruby_sigsegv_parser_yyerror

Valgrind Context:

==20061== Memcheck, a memory error detector
==20061== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20061== Using Valgrind-3.13.0 and LibVEX; rerun with -h for copyright info
==20061== Command: ruby/miniruby id5_min
==20061==
==20061== Warning: client switching stacks?  SP change: 0x1ffefffd60 --> 0x1ffe8020e0
==20061==          to suppress, use: --max-stackframe=8379520 or greater
==20061== Invalid write of size 1
==20061==    at 0x2E2BF5: reserve_stack (thread_pthread.c:722)
==20061==    by 0x2EA057: ruby_init_stack (thread_pthread.c:757)
==20061==    by 0x12CAD4: main (main.c:40)
==20061==  Address 0x1ffe8020e0 is on thread 1's stack
==20061==  in frame #0, created by reserve_stack (thread_pthread.c:677)
==20061==
==20061== Warning: client switching stacks?  SP change: 0x1ffe8020e0 --> 0x1ffefffe80
==20061==          to suppress, use: --max-stackframe=8379808 or greater
ruby/miniruby: warning: failed to load encoding (Windows-31J); use ASCII-8BIT instead
ruby/miniruby: warning: failed to load encoding (Windows-31J); use ASCII-8BIT instead
ruby_sigsegv_parser_yyerror: invalid Unicode escape
000000000000000000000000
^~~~~~~~~~~~~~~~~~~~~~~~
==20061== Invalid read of size 1
==20061==    at 0x22DC98: parser_yyerror (parse.y:5076)
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==  Address 0x5f27fd8 is 0 bytes after a block of size 16,344 alloc'd
==20061==    at 0x4C2E256: memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20061==    by 0x4C2E371: posix_memalign (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==20061==    by 0x1CC803: aligned_malloc (gc.c:7714)
==20061==    by 0x1CC803: heap_page_allocate (gc.c:1527)
==20061==    by 0x1CC803: heap_page_create (gc.c:1631)
==20061==    by 0x1CC803: heap_assign_page (gc.c:1653)
==20061==    by 0x1CC803: heap_add_pages (gc.c:1666)
==20061==    by 0x1CC803: Init_heap (gc.c:2387)
==20061==    by 0x1B1ED4: ruby_setup (eval.c:55)
==20061==    by 0x1B1FA8: ruby_init (eval.c:76)
==20061==    by 0x12CAD9: main (main.c:41)
==20061==
==20061== Invalid write of size 1
==20061==    at 0x22DCA3: parser_yyerror (parse.y:5076)
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==    by 0x202020202020201F: ???
==20061==  Address 0x1fff001000 is not stack'd, malloc'd or (recently) free'd
==20061==
id5_min: [BUG] Segmentation fault at 0x0000001fff001000
ruby 2.5.0dev (2017-07-13 trunk 59320) [x86_64-linux]

-- Control frame information -----------------------------------------------
c:0001 p:0000 s:0003 E:0021c0 (none) [FINISH]

-- Machine register context ------------------------------------------------
 RIP: 0x000000000022dca3 RBP: 0x0000001ffeffdd70 RSP: 0x0000001ffeffdce0
 RAX: 0x0000001fff001001 RBX: 0x0000000005f26445 RCX: 0x0000000005f5bcf0
 RDX: 0x00000000060cae10 RDI: 0x0000000005f26445 RSI: 0x0000000005f26445
  R8: 0x000000000034bccc  R9: 0x0000000000355435 R10: 0x0000000005f26445
 R11: 0x0000001ffeffdd80 R12: 0x0000000005f29766 R13: 0x0000000000000004
 R14: 0x00000000060c38a0 R15: 0x0000001ffeffdce0 EFL: 0x0000000000000085

-- C level backtrace information -------------------------------------------
==20061== Invalid read of size 1
==20061==    at 0x6217E07: x86_64_fallback_frame_state (md-unwind-support.h:58)
==20061==    by 0x6217E07: uw_frame_state_for (unwind-dw2.c:1257)
==20061==    by 0x62199B7: _Unwind_Backtrace (unwind.inc:290)
==20061==    by 0x5B31A27: backtrace (in /usr/lib/libc-2.25.so)
==20061==    by 0x33C8E2: rb_print_backtrace (vm_dump.c:671)
==20061==    by 0x33C8E2: rb_vm_bugreport (vm_dump.c:941)
==20061==    by 0x1A8CC0: rb_bug_context (error.c:534)
==20061==    by 0x2AA7E1: sigsegv (signal.c:930)
==20061==    by 0x4E4993F: ??? (in /usr/lib/libpthread-2.25.so)
==20061==    by 0x22DCA2: parser_yyerror (parse.y:5075)
==20061==  Address 0x2020202020202020 is not stack'd, malloc'd or (recently) free'd
==20061==
==20061==
==20061== Process terminating with default action of signal 11 (SIGSEGV): dumping core
==20061==  General Protection Fault
==20061==    at 0x6217E07: x86_64_fallback_frame_state (md-unwind-support.h:58)
==20061==    by 0x6217E07: uw_frame_state_for (unwind-dw2.c:1257)
==20061==    by 0x62199B7: _Unwind_Backtrace (unwind.inc:290)
==20061==    by 0x5B31A27: backtrace (in /usr/lib/libc-2.25.so)
==20061==    by 0x33C8E2: rb_print_backtrace (vm_dump.c:671)
==20061==    by 0x33C8E2: rb_vm_bugreport (vm_dump.c:941)
==20061==    by 0x1A8CC0: rb_bug_context (error.c:534)
==20061==    by 0x2AA7E1: sigsegv (signal.c:930)
==20061==    by 0x4E4993F: ??? (in /usr/lib/libpthread-2.25.so)
==20061==    by 0x22DCA2: parser_yyerror (parse.y:5075)
==20061==
==20061== HEAP SUMMARY:
==20061==     in use at exit: 2,135,207 bytes in 6,100 blocks
==20061==   total heap usage: 6,531 allocs, 431 frees, 2,330,433 bytes allocated
==20061==
==20061== LEAK SUMMARY:
==20061==    definitely lost: 8,199 bytes in 2 blocks
==20061==    indirectly lost: 0 bytes in 0 blocks
==20061==      possibly lost: 788,920 bytes in 5,888 blocks
==20061==    still reachable: 1,338,088 bytes in 210 blocks
==20061==         suppressed: 0 bytes in 0 blocks
==20061== Rerun with --leak-check=full to see details of leaked memory
==20061==
==20061== For counts of detected and suppressed errors, rerun with: -v
==20061== ERROR SUMMARY: 6033 errors from 4 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)

---Files--------------------------------
ruby_sigsegv_parser_yyerror (46 Bytes)

--
https://bugs.ruby-lang.org/
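Reading the Valgrind output above as a triage note: the first bad access is a one-byte read 0 bytes past a 16,344-byte heap block inside parser_yyerror (parse.y:5076), followed by a one-byte write to an unmapped address, and every return address Valgrind then tries to unwind through is 0x202020202020201F, i.e. runs of ASCII 0x20 (space) bytes. That pattern is what you see when marker text such as the "^~~~" underline printed right before the crash has been written beyond the buffer holding it, though the report itself does not show the parse.y code, so the exact cause is not established here. The C program below is an added illustration, not Ruby's parser code and not part of the report: a hypothetical bounded builder for such a marker line that clips instead of overrunning, returns the length it would have needed so the caller can detect truncation, and comes with a canary-checked test helper. The sample source line and marker width are taken from the report; the file and message strings in main are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Bounded construction of the marker line a parser prints under the
 * offending source text, for example:
 *
 *   000000000000000000000000
 *   ^~~~~~~~~~~~~~~~~~~~~~~~
 *
 * Hypothetical helper for illustration only; this is not Ruby's parse.y.
 *
 * col   : 0-based column of the first offending character
 * width : number of characters to underline (0 is treated as 1)
 * out   : destination buffer, always NUL-terminated when outsz > 0
 * outsz : size of the destination buffer in bytes
 *
 * Returns the length the complete marker would have had (snprintf style),
 * so a return value >= outsz tells the caller the marker was clipped rather
 * than written past the end of the buffer.
 */
size_t render_caret_line(size_t col, size_t width, char *out, size_t outsz)
{
    if (width == 0) width = 1;
    size_t need = col + width;      /* col spaces, then '^', then width-1 '~' */
    if (outsz == 0) return need;    /* no room for even the terminator */

    size_t limit = outsz - 1;       /* reserve one byte for the NUL */
    size_t n = 0;
    for (size_t i = 0; i < col && n < limit; i++) out[n++] = ' ';
    if (n < limit && n == col) out[n++] = '^';   /* only if the indent fit */
    for (size_t i = 1; i < width && n < limit; i++) out[n++] = '~';
    out[n] = '\0';
    return need;
}

/*
 * Print a diagnostic in the "file: message / source line / marker" layout
 * seen in the report, using a fixed-size buffer for the marker.
 * Returns 1 if the marker had to be clipped, 0 otherwise.
 */
int report_error(const char *file, const char *msg, const char *line,
                 size_t col, size_t width)
{
    char marker[128];
    size_t need = render_caret_line(col, width, marker, sizeof marker);
    printf("%s: %s\n%s\n%s\n", file, msg, line, marker);
    if (need >= sizeof marker)
        printf("(marker clipped: needed %zu bytes, buffer holds %zu)\n",
               need + 1, sizeof marker);
    return need >= sizeof marker;
}

/*
 * Test helper: render into the first outsz bytes of a canary-filled buffer
 * and check both the text and that nothing was written beyond outsz.
 * Returns 1 when the output and the reported length match expectations.
 */
int caret_matches(size_t col, size_t width, size_t outsz,
                  const char *expected, size_t expected_need)
{
    char buf[64];
    if (outsz > sizeof buf) return 0;
    memset(buf, 'X', sizeof buf);                 /* canary past outsz */
    size_t need = render_caret_line(col, width, buf, outsz);
    if (need != expected_need) return 0;
    if (outsz == 0) return buf[0] == 'X';         /* nothing may be written */
    for (size_t i = outsz; i < sizeof buf; i++)
        if (buf[i] != 'X') return 0;              /* overrun detected */
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* The source line from the report, underlined from column 0 for 24 chars. */
    report_error("ruby_sigsegv_parser_yyerror", "invalid Unicode escape",
                 "000000000000000000000000", 0, 24);
    /* Constructed case: a marker wider than the buffer is clipped, not overrun. */
    report_error("example.rb", "constructed overlong marker", "...", 200, 50);
    return 0;
}
```

The design point is the snprintf-style return value: a caller that only checks the written string cannot tell a short marker from a clipped one, whereas comparing the returned length against the buffer size makes truncation visible without ever letting a write run past the buffer.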