[ruby-dev:48915] [Ruby trunk - Bug #10646] SEGV because the memory size allocated by xrealloc in wmap_final_func is short by one
From:
nagachika00@...
Date:
2015-03-30 15:49:56 UTC
List:
ruby-dev #48915
Issue #10646 has been updated by Tomoyuki Chikanaga.
Backport changed from 2.0.0: DONTNEED, 2.1: REQUIRED to 2.0.0: DONTNEED, 2.1: DONE
Backported into `ruby_2_1` branch at r50132.
----------------------------------------
Bug #10646: SEGV because the memory size allocated by xrealloc in wmap_final_func is short by one
https://bugs.ruby-lang.org/issues/10646#change-51982
* Author: Naohisa Goto
* Status: Closed
* Priority: Normal
* Assignee:
* ruby -v: ruby 2.2.0dev (2014-12-25) [sparc64-solaris2.10]
* Backport: 2.0.0: DONTNEED, 2.1: DONE
----------------------------------------
On Solaris, when a debugging malloc that detects memory leaks is used as shown below, a SEGV occurs during WeakRef finalization.
(Confirmed with r48972)
~~~
$ LD_PRELOAD=libumem.so UMEM_OPTIONS="backend=mmap" /usr/bin/time /XXXXX/bin/ruby -r weakref -e 'a = Object.new; 150_000.times { WeakRef.new(a) }'
/XXXXX/lib/ruby/2.2.0/weakref.rb:87: [BUG] Segmentation fault at 0x7fffffff7806a000
ruby 2.2.0dev (2014-12-24) [sparc64-solaris2.10]
-- Control frame information -----------------------------------------------
c:0008 p:---- s:0022 e:000021 CFUNC :finalize
c:0007 p:---- s:0020 e:000019 CFUNC :call
c:0006 p:0039 s:0018 e:000017 METHOD /XXXXX/lib/ruby/2.2.0/weakref.rb:87 [FINISH]
c:0005 p:---- s:0014 e:000013 CFUNC :new
c:0004 p:0015 s:0010 e:000009 BLOCK -e:1 [FINISH]
c:0003 p:---- s:0008 e:000007 CFUNC :times
c:0002 p:0017 s:0005 E:001398 EVAL -e:1 [FINISH]
c:0001 p:0000 s:0002 E:000e50 TOP [FINISH]
-- Ruby level backtrace information ----------------------------------------
-e:1:in `<main>'
-e:1:in `times'
-e:1:in `block in <main>'
-e:1:in `new'
/XXXXX/lib/ruby/2.2.0/weakref.rb:87:in `initialize'
/XXXXX/lib/ruby/2.2.0/weakref.rb:87:in `call'
/XXXXX/lib/ruby/2.2.0/weakref.rb:87:in `finalize'
-- Other runtime information -----------------------------------------------
* Loaded script: -e
* Loaded features:
0 enumerator.so
1 rational.so
2 complex.so
3 /XXXXX/lib/ruby/2.2.0/sparc64-solaris2.10/enc/encdb.so
4 /XXXXX/lib/ruby/2.2.0/sparc64-solaris2.10/enc/trans/transdb.so
5 /XXXXX/lib/ruby/2.2.0/unicode_normalize.rb
6 /XXXXX/lib/ruby/2.2.0/sparc64-solaris2.10/rbconfig.rb
7 thread.rb
8 /XXXXX/lib/ruby/2.2.0/sparc64-solaris2.10/thread.so
9 /XXXXX/lib/ruby/2.2.0/rubygems/compatibility.rb
10 /XXXXX/lib/ruby/2.2.0/rubygems/defaults.rb
11 /XXXXX/lib/ruby/2.2.0/rubygems/deprecate.rb
12 /XXXXX/lib/ruby/2.2.0/rubygems/errors.rb
13 /XXXXX/lib/ruby/2.2.0/rubygems/version.rb
14 /XXXXX/lib/ruby/2.2.0/rubygems/requirement.rb
15 /XXXXX/lib/ruby/2.2.0/rubygems/platform.rb
16 /XXXXX/lib/ruby/2.2.0/rubygems/basic_specification.rb
17 /XXXXX/lib/ruby/2.2.0/rubygems/stub_specification.rb
18 /XXXXX/lib/ruby/2.2.0/rubygems/util/stringio.rb
19 /XXXXX/lib/ruby/2.2.0/rubygems/specification.rb
20 /XXXXX/lib/ruby/2.2.0/rubygems/exceptions.rb
21 /XXXXX/lib/ruby/2.2.0/rubygems/core_ext/kernel_gem.rb
22 /XXXXX/lib/ruby/2.2.0/monitor.rb
23 /XXXXX/lib/ruby/2.2.0/rubygems/core_ext/kernel_require.rb
24 /XXXXX/lib/ruby/2.2.0/rubygems.rb
25 /XXXXX/lib/ruby/2.2.0/delegate.rb
26 /XXXXX/lib/ruby/2.2.0/weakref.rb
[NOTE]
You may have encountered a bug in the Ruby interpreter or extension libraries.
Bug reports are welcome.
For details: http://www.ruby-lang.org/bugreport.html
time: command terminated abnormally.
real 33.2
user 21.3
sys 11.5
$
~~~
Running it under a debugger, I was able to pinpoint where it occurs.
It was accessing beyond the bounds of the array.
~~~
$ dbx /XXXXX/bin/ruby
For information about new features see `help changes'
To remove this message, put `dbxenv suppress_startup_message 7.5' in your .dbxrc
Reading ruby
Reading ld.so.1
Reading libumem.so.1
Reading libpthread.so.1
Reading librt.so.1
Reading libgmp.so.10.1.3
Reading libsocket.so.1
Reading libdl.so.1
Reading libcrypt_d.so.1
Reading libm.so.2
Reading libc.so.1
Reading libaio.so.1
Reading libmd.so.1
Reading libnsl.so.1
Reading libgen.so.1
(dbx) run -r weakref -e 'a = Object.new; 150_000.times { WeakRef.new(a) }'
Running: ruby -r weakref -e "a = Object.new; 150_000.times { WeakRef.new(a) }"
(process id 6241)
Reading libc_psr.so.1
Reading encdb.so
Reading transdb.so
Reading thread.so
t@1 (l@1) signal SEGV (access to address exceeded protections) in wmap_final_func at line 7666 in file "gc.c"
7666 if (ptr[i] != wmap) {
(dbx) print i
i = 103422U
(dbx) print j
j = 103421U
(dbx) print wmap
wmap = 9223372034650698920U
(dbx) print ptr
ptr = 0x7fffffff77200010
(dbx) print ptr[0]
ptr[0] = 103422U
(dbx) print ptr[i]
dbx: cannot access address 0x7fffffff772ca000
(dbx) print ptr[j]
ptr[j] = 9223372034650719480U
(dbx) print ptr[103422]
dbx: cannot access address 0x7fffffff772ca000
(dbx) print ptr[103421]
ptr[103421] = 9223372034650719480U
~~~
ptr[0] is where the number of elements of the array ptr is stored, but that number does not count the ptr[0] slot itself; in other words, elements from ptr[1] through ptr[ptr[0]] may be accessed.
Therefore memory for ptr[0] + 1 elements must be allocated, but the +1 had been forgotten in the allocation by ruby_sized_xrealloc2() inside wmap_final_func().
With the following patch, the SEGV no longer occurs.
~~~
Index: gc.c
===================================================================
--- gc.c (revision 48988)
+++ gc.c (working copy)
@@ -7672,7 +7672,7 @@
return ST_DELETE;
}
if (j < i) {
- ptr = ruby_sized_xrealloc2(ptr, j, sizeof(VALUE), i);
+ ptr = ruby_sized_xrealloc2(ptr, j + 1, sizeof(VALUE), i);
ptr[0] = j;
*value = (st_data_t)ptr;
}
~~~
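Review bot: worth double-checking what `j` holds at this point before settling on `j + 1`: the dbx session above shows `i` running up to `ptr[0]` with `j` one behind it, so both look like 1-based cursors over the entries, and `i` ending at the old count plus one is consistent with its use as the old-size argument here. If `j` likewise ends one past the last surviving entry, then `ptr[0] = j` overstates the count by one and the next compaction will compare a stale slot; in that case the alternative is to keep the realloc size and store `j - 1`. Either way, a short comment at this call saying that slot 0 holds the count and the allocation must cover slots `0..ptr[0]` would document why the extra element is needed, since that is exactly what was overlooked.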
This time it happened to surface on Solaris, but it is essentially a bug unrelated to the OS or CPU.
--
https://bugs.ruby-lang.org/
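The count-prefixed array layout described in the report, as an added example written for this page rather than Ruby's own gc.c: slot 0 holds the entry count, entries live in ptr[1..ptr[0]], and the compaction step shrinks the buffer with either the buggy size j or the patched j + 1. The 64-bit VALUE typedef, the wmap_array struct and demo_remove are assumptions of this example; capacity is tracked beside the pointer so the overrun is reported instead of read, unlike the ptr[i] access that crashed under dbx.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef unsigned long VALUE;  /* assumption: 64-bit VALUE, as on sparc64 */
typedef struct {
    VALUE *ptr;       /* ptr[0] = entry count n; live entries in ptr[1..n] */
    size_t capacity;  /* VALUEs actually allocated, slot 0 included */
} wmap_array;

/* Fresh array: the count slot plus n entries, i.e. n + 1 VALUEs. */
static wmap_array wmap_array_new(const VALUE *entries, size_t n) {
    wmap_array a = { malloc((n + 1) * sizeof(VALUE)), n + 1 };
    if (!a.ptr) abort();
    a.ptr[0] = (VALUE)n;
    memcpy(a.ptr + 1, entries, n * sizeof(VALUE));
    return a;
}

/* Drop every entry equal to wmap, then shrink. fixed == 0 asks realloc for
 * j VALUEs (the bug); fixed != 0 asks for j + 1 (the patch). */
static void wmap_array_remove(wmap_array *a, VALUE wmap, int fixed) {
    size_t n = (size_t)a->ptr[0], i, j = 1;
    for (i = 1; i <= n; i++)
        if (a->ptr[i] != wmap) a->ptr[j++] = a->ptr[i];
    if (--j == 0) { free(a->ptr); a->ptr = NULL; a->capacity = 0; return; }
    if (j < n) {                              /* j = surviving entries */
        a->capacity = fixed ? j + 1 : j;
        if (!(a->ptr = realloc(a->ptr, a->capacity * sizeof(VALUE)))) abort();
        a->ptr[0] = (VALUE)j;                 /* still promises slots 1..j */
    }
}
/* 1 when every slot the count promises (0..ptr[0]) lies inside the allocation.
 * With the buggy size ptr[ptr[0]] is one past the end: the slot dbx could not read. */
static int wmap_array_in_bounds(const wmap_array *a) {
    return a->ptr == NULL || (size_t)a->ptr[0] + 1 <= a->capacity;
}

/* Constructed sample: four entries, remove the third, check the last survivor
 * is still addressable. && short-circuits so the buggy case is never read. */
static int demo_remove(int fixed) {
    const VALUE entries[4] = {10, 20, 30, 40};
    wmap_array a = wmap_array_new(entries, 4);
    wmap_array_remove(&a, 30, fixed);
    int ok = wmap_array_in_bounds(&a) && a.ptr[0] == 3 && a.ptr[3] == 40;
    free(a.ptr);
    return ok;
}

int main(void) {  /* prints 0 then 1 */
    return printf("%d %d\n", demo_remove(0), demo_remove(1)) < 0;
}
```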