From: "ktsj (Kazuki Tsujimoto)" <kazuki@...>
Date: 2012-12-16T23:56:18+09:00
Subject: [ruby-dev:46752] [ruby-trunk - Bug #953] 深い入れ子の配列の取り扱いで落ちる


Issue #953 has been updated by ktsj (Kazuki Tsujimoto).


[ruby-dev:46721]の詳細は以下のようになります。

  1. rb_exec_recursive等により一回マシンスタックを突き破ってSIGSEGVが発生。
  (ちなみに、このときのメモリレイアウトをhttps://gist.github.com/4249318の「#953のnest.rb実行時にSystemStackErrorとなった際の例」にまとめています)
  
  2. sigsegv関数が呼ばれるがその処理の中でaltstackを突き破っておそらくmalloc headerを破壊。
  
    Hardware watchpoint 5: *(((char*)(0x555555a55f40))-3)
    Old value = 0 '\000'
    New value = 85 'U'
    GET_THREAD () at vm_core.h:839
    (gdb) i f
    Stack level 0, frame at 0x555555a55f40:
     rip = 0x55555567d91b in GET_THREAD (vm_core.h:839); saved rip 0x55555567d93c
     called by frame at 0x555555a55f50
     source language c.
     Arglist at 0x555555a55f30, args:
     Locals at 0x555555a55f30, Previous frame's sp is 0x555555a55f40
     Saved registers:
      rip at 0x555555a55f38
    (gdb) p ruby_current_thread->altstack
    $31 = (void *) 0x555555a55f40
    (gdb) bt
    #0  GET_THREAD () at vm_core.h:839
    #1  0x000055555567d93c in rb_safe_level () at safe.c:30
    #2  0x000055555569296e in str_modifiable (str=93824999742280) at string.c:1313
    #3  0x00005555556929ab in str_independent (str=93824999742280) at string.c:1320
    #4  0x0000555555694949 in rb_str_resize (str=93824999742280, len=120) at string.c:1835
    #5  0x0000555555686c82 in ruby__sfvwrite (fp=0x555555a566b0, uio=0x555555a56150) at sprintf.c:1168
    #6  0x0000555555683c6b in BSD__sprint (fp=0x555555a566b0, uio=0x555555a56150) at vsnprintf.c:333
    #7  0x00005555556865cb in BSD_vfprintf (fp=0x555555a566b0, fmt0=0x55555571d379 "%s:%d", ap=0x555555a56720) at vsnprintf.c:1194
    #8  0x000055555568705e in rb_enc_vsprintf (enc=0x5555559f3a80, fmt=0x55555571d379 "%s:%d", ap=0x555555a56720) at sprintf.c:1242
    #9  0x0000555555687158 in rb_enc_sprintf (enc=0x5555559f3a80, format=0x55555571d379 "%s:%d") at sprintf.c:1257
    #10 0x00005555555b2f1d in setup_exception (th=0x5555559ee570, tag=6, mesg=93824997401520) at eval.c:447
    #11 0x00005555555b3456 in rb_longjmp (tag=6, mesg=93824997401520) at eval.c:519
    #12 0x00005555555b34bb in rb_exc_raise (mesg=93824997401520) at eval.c:532
    #13 0x000055555570f174 in ruby_thread_stack_overflow (th=0x5555559ee570) at thread.c:1937
    #14 0x000055555567e650 in sigsegv (sig=11, info=0x555555a56b30, ctx=0x555555a56a00) at signal.c:618
    #15 <signal handler called>
    #16 0x0000555555712d89 in exec_recursive (func=<error reading variable: Cannot access memory at address 0x7fffffbfefe8>, obj=<error reading variable: Cannot access memory at address 0x7fffffbfefe0>,
        pairid=<error reading variable: Cannot access memory at address 0x7fffffbfefd8>, arg=<error reading variable: Cannot access memory at address 0x7fffffbfefd0>,
        outer=<error reading variable: Cannot access memory at address 0x7fffffbfefcc>) at thread.c:4710
  
  3. この時点では動作に直接的な影響は起きず、SystemStackError扱いのままプロセスの終了処理へ。
  4. altstackのfree時にmalloc headerが壊れているためabort。

r38409にて2.が起こらなくなったので、きれいにSystemStackErrorで終了するようになったものと理解しています。

なお、[ruby-dev:45515]で報告した際にはそもそもSystemStackErrorにすらならなかったので
そのときに起きていた問題に対しr38409は有効ではない、というのはその通りだと思います。
こちらは詳細を追っていないので原因は分かっていません。

# 何か勘違いしてますかね？
----------------------------------------
Bug #953: 深い入れ子の配列の取り扱いで落ちる
https://bugs.ruby-lang.org/issues/953#change-34777

Author: tadf (tadayoshi funaba)
Status: Closed
Priority: Normal
Assignee: ko1 (Koichi Sasada)
Category: 
Target version: 2.0.0
ruby -v: ruby 1.9.1 (2008-12-30 patchlevel-5000 trunk 21202) [i686-linux]


=begin
 以下のスクリプトを実行すると Segmentation fault で落ちました。
 
 $ cat ./nest.rb 
 a = [0]
 10000.times do
   a = [a]
 end
 p a
 
 $ ./ruby -v ./nest.rb 
 ruby 1.9.1 (2008-12-30 patchlevel-5000 trunk 21202) [i686-linux]
 Segmentation fault
 
 (gdb) bt
 #0  0x08111407 in vm_get_ruby_level_next_cfp (th=0x81ae758, cfp=0xb7c734a8)
     at vm.c:131
 #1  0x0811159b in rb_sourceline () at vm.c:757
 #2  0x0814ead7 in rb_bug (fmt=0x81737d3 "Segmentation fault") at error.c:230
 #3  0x080d49e6 in sigsegv (sig=11, info=0x82152fc, ctx=0x821537c)
     at signal.c:600
 #4  <signal handler called>
 #5  frame_func_id (cfp=0xb7c734a8) at eval.c:730
 #6  0x0812696a in rb_exec_recursive (func=0x812d040 <inspect_ary>, 
     obj=135994660, arg=0) at thread.c:3237
 #7  0x0812d01a in rb_ary_inspect (ary=4) at array.c:1574
 #8  0x0811d854 in vm_call0 (th=0x81ae758, klass=136124880, recv=135994660, 
     id=760, oid=760, argc=0, argv=0x0, body=0x81d1818, nosuper=0)
     at vm_eval.c:70
 #9  0x0811ddb2 in rb_funcall (recv=<value optimized out>, mid=760, n=0)
     at vm_eval.c:248
 #10 0x080840aa in rb_inspect (obj=135994660) at object.c:312
 #11 0x0812d0f3 in inspect_ary (ary=135994500, dummy=0, recur=0) at array.c:1550
 #12 0x08126b5f in rb_exec_recursive (func=0x812d040 <inspect_ary>, 
     obj=135994500, arg=0) at thread.c:3273
 #13 0x0812d01a in rb_ary_inspect (ary=4) at array.c:1574
 #14 0x0811d854 in vm_call0 (th=0x81ae758, klass=136124880, recv=135994500, 
     id=760, oid=760, argc=0, argv=0x0, body=0x81d1818, nosuper=0)
 ---Type <return> to continue, or q <return> to quit---
=end



-- 
http://bugs.ruby-lang.org/