From: merch-redmine@...
Date: 2020-09-02T01:22:18+00:00
Subject: [ruby-core:99830] [Ruby master Bug#17141] Crash when parsing malformed input

Issue #17141 has been updated by jeremyevans0 (Jeremy Evans).

Backport changed from 2.5: UNKNOWN, 2.6: UNKNOWN, 2.7: UNKNOWN to 2.5: DONTNEED, 2.6: DONTNEED, 2.7: REQUIRED
Status changed from Open to Closed

I can confirm this crash in Ruby 2.7.1, 2.7.0, and the ruby_2_7 branch. It is not present in master. Here's the backtrace on the ruby_2_7 branch:

```
0x00000a3c357f2d7c in CALLER_REMOVE_EMPTY_KW_SPLAT (cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, ci=0x7f7ffffc28c0) at ./vm_insnhelper.c:1996
1996        if (RHASH_EMPTY_P(cfp->sp[-1])) {
(gdb) bt
#0  0x00000a3c357f2d7c in CALLER_REMOVE_EMPTY_KW_SPLAT (cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, ci=0x7f7ffffc28c0) at ./vm_insnhelper.c:1996
#1  0x00000a3c357f2751 in vm_call_cfunc (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0x7f7ffffc2880) at ./vm_insnhelper.c:2535
#2  0x00000a3c357f1db3 in vm_call_method_each_type (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0x7f7ffffc2880) at ./vm_insnhelper.c:2925
#3  0x00000a3c357f1a96 in vm_call_method (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0x7f7ffffc2880) at ./vm_insnhelper.c:3039
#4  0x00000a3c357f24a2 in vm_call_method_missing (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, orig_cd=0xa3b71987500) at ./vm_insnhelper.c:2744
#5  0x00000a3c357f259c in vm_call_method_nome (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0xa3b71987500) at ./vm_insnhelper.c:3013
#6  0x00000a3c357f1c0b in vm_call_method (ec=0xa3c0ec6fe50, cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0xa3b71987500) at ./vm_insnhelper.c:3068
#7  0x00000a3c357cfd6a in vm_call_general (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, calling=0x7f7ffffc2ad8, cd=0xa3b71987500) at ./vm_insnhelper.c:3076
#8  0x00000a3c35802bc3 in vm_sendish (ec=0xa3c0ec6fe50, reg_cfp=0xa3ba636ef90, cd=0xa3b71987500, block_handler=0, method_explorer=0xa3c35802c30 ) at ./vm_insnhelper.c:4023
#9  0x00000a3c357d4413 in vm_exec_core (ec=0xa3c0ec6fe50, initial=0) at insns.def:801
#10 0x00000a3c357ec004 in rb_vm_exec (ec=0xa3c0ec6fe50, mjit_enable_p=1) at vm.c:1920
#11 0x00000a3c357ecfad in rb_iseq_eval_main (iseq=0xa3b4dd1afc8) at vm.c:2179
#12 0x00000a3c3557cc03 in rb_ec_exec_node (ec=0xa3c0ec6fe50, n=0xa3b4dd1afc8) at eval.c:278
#13 0x00000a3c3557ca82 in ruby_run_node (n=0xa3b4dd1afc8) at eval.c:336
#14 0x00000a394afe8cb7 in main (argc=2, argv=0x7f7ffffc4558) at ./main.c:50
```

Here's a possible fix:

```diff
--- a/vm_insnhelper.c
+++ b/vm_insnhelper.c
@@ -1993,7 +1993,7 @@ CALLER_REMOVE_EMPTY_KW_SPLAT(struct rb_control_frame_struct *restrict cfp,
      * the method does not have the number of required
      * arguments.
      */
-    if (RHASH_EMPTY_P(cfp->sp[-1])) {
+    if (RHASH_EMPTY_P(rb_to_hash_type(cfp->sp[-1]))) {
         cfp->sp--;
         calling->argc--;
         calling->kw_splat = 0;
```

Closing and marking for backport.

----------------------------------------
Bug #17141: Crash when parsing malformed input
https://bugs.ruby-lang.org/issues/17141#change-87353

* Author: tumdum (Tomasz Kłak)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 2.7.1p83 (2020-03-31 revision a0c7c23c9c) [x86_64-linux]
* Backport: 2.5: DONTNEED, 2.6: DONTNEED, 2.7: REQUIRED
----------------------------------------
Calling "ruby crash_small.rb" crashes ruby - see attached crash log

---Files--------------------------------
crash_small.rb (6 Bytes)
log.txt (16.8 KB)

--
https://bugs.ruby-lang.org/
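Review bot: In the CALLER_REMOVE_EMPTY_KW_SPLAT hunk, wrapping `cfp->sp[-1]` in `rb_to_hash_type()` removes the segfault by converting it into an exception: `rb_to_hash_type` returns the value when it is already a Hash and otherwise calls `to_hash` on it, raising TypeError if that fails, so a frame whose `calling->kw_splat` is set while the top of the stack is not a Hash now raises from inside the call machinery (here on the method_missing path of the backtrace) instead of dereferencing a non-Hash, and it also runs user `to_hash` code at a point where this helper assumed the conversion had already happened. Consider guarding with `RB_TYPE_P(cfp->sp[-1], T_HASH)` before `RHASH_EMPTY_P` and leaving the argument alone otherwise, or asserting on it, so the mismatch between `kw_splat` and the stack contents is reported where it originates rather than masked by a conversion. The backport should also carry a regression test built from the attached crash_small.rb, so the ruby_2_7 fix is exercised by `make test-all`.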
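As an added example (mine, not code from the bug report or from the ruby_2_7 patch), the script below exercises the caller-side keyword-splat handling that the patched helper implements: an empty `**` splat is dropped before the callee sees it, a non-Hash argument is converted with `to_hash`, and a value that cannot be converted is rejected with TypeError instead of reaching the VM with `kw_splat` set and a non-Hash on the stack. It ends with the same call shape as the backtrace, an undefined method called with a keyword splat, which on a fixed interpreter raises NoMethodError or TypeError rather than crashing. The classes `Sink`, `HashLike` and `NotAHash` and all inputs are constructed for this example; the attached crash_small.rb is not reproduced here.

```ruby
# Added example, not part of the bug report or of the ruby_2_7 patch.
# Exercises the caller-side keyword-splat handling (the path of
# CALLER_REMOVE_EMPTY_KW_SPLAT) with constructed inputs.

# Every call on Sink goes through method_missing; the call site still performs
# the keyword-splat conversion and empty-splat removal before the frame is set up.
class Sink
  attr_reader :calls

  def initialize
    @calls = []
  end

  def method_missing(name, *args, **kw)
    @calls << [name, args, kw]
    self
  end

  def respond_to_missing?(_name, _include_private = false)
    true
  end
end

# Implicitly convertible: `**obj` calls to_hash on it.
class HashLike
  def initialize(h)
    @h = h
  end

  def to_hash
    @h
  end
end

# Not convertible: no to_hash, so `**obj` must raise TypeError.
class NotAHash; end

# Constructed inputs covering the splat cases the patch context talks about.
def kw_splat_results
  s = Sink.new
  s.anything(**{})                     # empty splat: removed, callee sees kw == {}
  s.anything(**{ a: 1 })               # non-empty: delivered as keywords
  s.anything(**HashLike.new({ b: 2 })) # to_hash conversion, then delivered
  s.anything(**HashLike.new({}))       # converts to {} and is then removed
  s.calls
end

# A non-convertible splat argument is rejected before the callee runs.
def kw_splat_error
  Sink.new.anything(**NotAHash.new)
  nil
rescue TypeError => e
  e.class
end

# Same shape as the backtrace: a method that does not exist, called with a
# keyword splat, so the default BasicObject#method_missing (a C function) is
# reached through vm_call_method_missing. A fixed interpreter reports the
# missing method (NoMethodError) or the bad splat value (TypeError); what the
# patch defends against is a non-Hash value reaching the RHASH_EMPTY_P check.
def undefined_method_with_kw_splat
  results = []
  begin
    Object.new.no_such_method(**{})
  rescue NoMethodError => e
    results << e.class
  end
  begin
    Object.new.no_such_method(**NotAHash.new)
  rescue TypeError => e
    results << e.class
  end
  results
end

if __FILE__ == $0
  p kw_splat_results
  p kw_splat_error
  p undefined_method_with_kw_splat
end
```

Run it as `ruby kw_splat_check.rb` (file name is a suggestion): the first line shows the four recorded calls with the empty splats already stripped, the second prints `TypeError`, and the third prints `[NoMethodError, TypeError]`. On an interpreter carrying the bug the last function is where a segfault would appear instead of an exception.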