From: daniel.dominguez@...
Date: 2018-09-27T19:17:57+00:00
Subject: [ruby-core:89192] [Ruby trunk Bug#15169] rb_funcallv crashes when argc is -1

Issue #15169 has been updated by ddom (Daniel Dominguez).

nobu (Nobuyoshi Nakada) wrote:
> `argc` is the number of arguments, pointed by `argv`.
> Do you want to pass -1 arguments?

No, it's actually a bug in the fuzzer I'm building to pass -1 to that function. But I'm getting that crash when I do that. The actual code is more complicated than the example I provided. In my code I get some object, get a random method of the object and its arity. The arity sometimes is -1 (in the case of varargs). If needed I can provide the code for the sample generation to aid with reproducibility.

----------------------------------------
Bug #15169: rb_funcallv crashes when argc is -1
https://bugs.ruby-lang.org/issues/15169#change-74216

* Author: ddom (Daniel Dominguez)
* Status: Rejected
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin17]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
The native function rb_funcallv causes a segmentation fault on 0xffffffffffffffd8 when the argc parameter is -1.

Example:

~~~ c
VALUE argv[1];
argv[0] = Qnil;
rb_funcallv(INT2NUM(1), rb_intern("round"), -1, argv);
~~~

Attached the dump:

~~~
bin/fuzzer:10: [BUG] Segmentation fault at 0xffffffffffffffd8
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-darwin17]

-- Crash Report log information --------------------------------------------
See Crash Report log file under the one of following:
 * ~/Library/Logs/DiagnosticReports
 * /Library/Logs/DiagnosticReports
for more details.
Don't forget to include the above Crash Report log file in bug reports.

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0010 e:000009 CFUNC  :fuzz!
c:0002 p:0035 s:0006 e:000005 EVAL   bin/fuzzer:10 [FINISH]
c:0001 p:0000 s:0003 E:0003f0 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
bin/fuzzer:10:in `<main>'
bin/fuzzer:10:in `fuzz!'

-- Machine register context ------------------------------------------------
rax: 0x00007ffeed343008 rbx: 0x00007ffeed343000 rcx: 0x0000000000025a0f
rdx: 0xfffffffffffffff8 rdi: 0x00007ffeed343000 rsi: 0xfffffffffffffff8
rbp: 0x00007ffeed342ff0 rsp: 0x00007ffeed342ff0  r8: 0x0000000000000000
 r9: 0x000000000000001f r10: 0x00007f9548511520 r11: 0x00007ffeed343008
r12: 0x000000000025a10c r13: 0x00007f954840a2c8 r14: 0x0000000000000003
r15: 0x00000000ffffffff rip: 0x00007fff6bdba110 rfl: 0x0000000000010282

-- C level backtrace information -------------------------------------------
0   libruby.2.5.dylib                   0x0000000102aba9d7 rb_vm_bugreport + 135
1   libruby.2.5.dylib                   0x000000010293a5d8 rb_bug_context + 472
2   libruby.2.5.dylib                   0x0000000102a2b5d1 sigsegv + 81
3   libsystem_platform.dylib            0x00007fff6bdb6f5a _sigtramp + 26
4   libsystem_platform.dylib            0x00007fff6bdba110 _platform_memmove$VARIANT$Haswell + 496

-- Other runtime information -----------------------------------------------

* Loaded script: bin/fuzzer

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 rational.so
    3 complex.so
    4 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/enc/encdb.bundle
    5 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/enc/trans/transdb.bundle
    6 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/rbconfig.rb
    7 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/compatibility.rb
    8 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/defaults.rb
    9 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/deprecate.rb
   10 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/errors.rb
   11 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/version.rb
   12 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/requirement.rb
   13 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/platform.rb
   14 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/basic_specification.rb
   15 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/stub_specification.rb
   16 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/util/list.rb
   17 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/x86_64-darwin17/stringio.bundle
   18 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/rfc2396_parser.rb
   19 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/rfc3986_parser.rb
   20 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/common.rb
   21 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/generic.rb
   22 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ftp.rb
   23 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/http.rb
   24 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/https.rb
   25 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ldap.rb
   26 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/ldaps.rb
   27 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri/mailto.rb
   28 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/uri.rb
   29 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/specification.rb
   30 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/exceptions.rb
   31 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/util.rb
   32 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/bundler_version_finder.rb
   33 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/dependency.rb
   34 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_gem.rb
   35 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/monitor.rb
   36 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/core_ext/kernel_require.rb
   37 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems.rb
   38 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/site_ruby/2.5.0/rubygems/path_support.rb
   39 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/version.rb
   40 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/core_ext/name_error.rb
   41 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/levenshtein.rb
   42 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/jaro_winkler.rb
   43 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checker.rb
   44 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/2.5.0/delegate.rb
   45 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/class_name_checker.rb
   46 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers/variable_name_checker.rb
   47 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/name_error_checkers.rb
   48 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/method_name_checker.rb
   49 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/key_error_checker.rb
   50 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/spell_checkers/null_checker.rb
   51 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean/formatters/plain_formatter.rb
   52 /Users/foldr/.rvm/rubies/ruby-2.5.1/lib/ruby/gems/2.5.0/gems/did_you_mean-1.2.0/lib/did_you_mean.rb
   53 /Users/foldr/code/cobaya/lib/cobaya.bundle

[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html

[IMPORTANT]
Don't forget to include the Crash Report log file under
DiagnosticReports directory in bug reports.
~~~

---Files--------------------------------
ruby_2018-09-27-133203_wakatsuki.crash (36.7 KB)

-- 
https://bugs.ruby-lang.org/
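The crash in this thread comes from feeding a method's raw arity to rb_funcallv as argc: Ruby reports a variable-argument method as a negative arity, so the fuzzer's sample generator handed -1 to a function that expects a count. The Ruby below is an added example, not code from the bug report, from the fuzzer, or from ruby-core. It shows the general rule behind the -1 case (arity -(n+1) means n required parameters) and the check a generator should apply before building argv. The `AritySample` class, `required_argc` and `safe_call` are constructed names for this illustration.

```ruby
# Added example (not from the bug report or ruby-core): mapping Method#arity
# to a non-negative argument count before calling.
#
# Ruby encodes "takes a variable number of arguments" as a negative arity:
# arity -(n+1) means n required parameters followed by optional/splat ones.
# Passing that raw value as argc to rb_funcallv is a bug in the caller; the
# safe transformation is to derive the minimum legal argument count first.
def required_argc(arity)
  arity >= 0 ? arity : -arity - 1
end

# Constructed sample methods covering each arity shape (illustration only).
class AritySample
  def fixed(a, b); [a, b]; end                       # arity  2
  def splat(*rest); rest; end                        # arity -1
  def required_plus_splat(a, *rest); [a, rest]; end  # arity -2
  def optional(a, b = 1); [a, b]; end                # arity -2
end

# Call `name` on `receiver` with exactly the minimum number of arguments.
# argv is sized from required_argc, never from the raw arity, so a varargs
# method (arity -1) is called with zero arguments instead of argc = -1.
def safe_call(receiver, name, filler = nil)
  arity = receiver.method(name).arity
  argc  = required_argc(arity)
  argv  = Array.new(argc, filler)
  receiver.public_send(name, *argv)
end

if __FILE__ == $0
  s = AritySample.new
  AritySample.instance_methods(false).sort.each do |m|
    a = s.method(m).arity
    puts format("%-22s arity=%2d -> argc=%d", m, a, required_argc(a))
  end
  # Integer#round takes optional arguments (arity -1), the case in the report:
  # the call goes through with no arguments rather than with argc = -1.
  p safe_call(1, :round)
end
```

The same rule applies in a C extension: read the arity with `rb_obj_method_arity` (or `Method#arity` from Ruby), convert it with the `required_argc` logic, and only then size the `VALUE argv[]` buffer and pass its length as `argc`.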