Crash in kh_resize_iv #3388
Comments
From trying to make sense out of it all, it seems like it may be something that gets GC'ed so that this iv Hash isn't around anymore. These last two examples won't |
I could not reproduce the problem. Could you show us your configuration? |
I tested all of these cases with the default MRuby configuration (nothing changed in mrbconf.h). They crash on both OS X and Ubuntu 14.04. Note that the first test case should be supplied as input to mirb, and should include the blank line at the top. And the other two test cases should be supplied to mruby. |
```ruby
GC.enable # crashes, works fine with GC.disabled
def shuffle(arr)for n in 0..arr.size
g=().to_f..arr.size
L&0rescue(arr.size)
arr.to_s[0]=0and(arr.size)
arr.to_s.public_methods[0]=arr.clone.to_s.singleton_class,arr.clone.to_s,p end.class
end
def pairs(a,b)shuffle(b).p b.each{shuffle(a:private_methods)}end
first=['','']
pairs(first,['',''])
```

This exhibits the issue on OS X (Apple LLVM version 8.0.0 (clang-800.0.42.1)) using vanilla built mruby. Fails on Ubuntu (gcc (Ubuntu 5.4.0-6ubuntu1~16.04.4) 5.4.0 20160609) just as well. With some quick debugging I do see a:
and indeed, it was GC'ed earlier on:
Hope this helps! |
I think this may be happening because an exception object created in lines 526 to 527 in a746ebe is raised via mrb_exc_raise (line 529 in a746ebe), which calls mrb_exc_set, which calls set_backtrace, which calls back into Ruby code.
This patch seems to fix the issue:

diff --git a/src/error.c b/src/error.c
index a71ee54..90b421e 100644
--- a/src/error.c
+++ b/src/error.c
@@ -526,7 +526,9 @@ mrb_no_method_error(mrb_state *mrb, mrb_sym id, mrb_value args, char const* fmt,
exc = mrb_funcall(mrb, mrb_obj_value(E_NOMETHOD_ERROR), "new", 3,
mrb_vformat(mrb, fmt, ap), mrb_symbol_value(id), args);
va_end(ap);
+ mrb_gc_register(mrb, exc);
mrb_exc_raise(mrb, exc);
+ mrb_gc_unregister(mrb, exc);
}
void

@matz Is my understanding correct? |
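Review bot: the added `mrb_gc_unregister(mrb, exc);` after `mrb_exc_raise(mrb, exc);` is never reached, because mrb_exc_raise does not return to its caller (it unwinds to the nearest rescue), so with this patch exc stays registered as a GC root for the life of the mrb_state and the hunk amounts to a permanent pin rather than a bracketed protection. If the goal is to keep exc alive while mrb_exc_set runs set_backtrace and control is back in Ruby code, the protection belongs inside the raise path itself (for example protecting exc in mrb_exc_set before the callback), so that every caller that builds an exception and raises it is covered, not only mrb_no_method_error; a short comment on why the object needs protecting would also help the next reader.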
@clayton-shopify |
Things I know now:
|
@clayton-shopify could you insert |
Try running It crashes for me on OS X and Ubuntu 16.04, in both cases building with clang in the default configuration.
The input causes a crash again when I switch to |
In case it helps, here's some details from lldb:
|
@argilo Thank you! I can reproduce now. I found out where the root cause lives. |
Thanks! I tested and the issue is fixed now. |
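The mechanism described in the diagnosis above (an exception object that only a C local points to, freed when the raise path calls back into Ruby code and the collector runs) as a small C model; this is added here and is not mruby code. The heap, the root list and the callback are constructed stand-ins for mruby's collector, for mrb_gc_register/mrb_gc_unregister and for set_backtrace.

```c
#include <stdbool.h>
#include <stddef.h>
#define HEAP_SLOTS 8
#define MAX_ROOTS 4
typedef struct { bool live; bool marked; int payload; } obj_t;
static obj_t heap[HEAP_SLOTS];
static obj_t *roots[MAX_ROOTS]; /* model of the mrb_gc_register root list */
static size_t nroots;

static obj_t *alloc_obj(int payload) {
    for (size_t i = 0; i < HEAP_SLOTS; i++)
        if (!heap[i].live) {
            heap[i].live = true; heap[i].marked = false; heap[i].payload = payload;
            return &heap[i];
        }
    return NULL; /* heap exhausted; callers must check */
}
static void gc_register(obj_t *o) { if (nroots < MAX_ROOTS) roots[nroots++] = o; }
static void gc_unregister(obj_t *o) {
    for (size_t i = 0; i < nroots; i++)
        if (roots[i] == o) { roots[i] = roots[--nroots]; return; }
}
/* Mark from the root list only, then sweep: a pointer held solely in a C local
 * is invisible to this pass, which is exactly the hazard in the thread. */
static void gc_run(void) {
    for (size_t i = 0; i < nroots; i++) roots[i]->marked = true;
    for (size_t i = 0; i < HEAP_SLOTS; i++) {
        if (heap[i].live && !heap[i].marked) heap[i].live = false;
        heap[i].marked = false;
    }
}
/* Stand-in for set_backtrace(): VM code may allocate and so trigger a GC. */
static void vm_callback(void) { gc_run(); }

/* Model of the raise path: exc exists only as a C local while the VM runs.
 * Returns whether exc is still live after the callback. */
static bool raise_model(obj_t *exc, bool protect) {
    if (protect) gc_register(exc);
    vm_callback();
    bool survived = exc->live;
    if (protect) gc_unregister(exc);
    return survived;
}

/* Allocate an "exception" and raise it; protect=false reproduces the bug. */
bool raise_survives(bool protect) {
    obj_t *exc = alloc_obj(42);
    return exc != NULL && raise_model(exc, protect);
}
```

Calling raise_survives(false) shows the object swept out from under the raise, and raise_survives(true) shows the register/unregister bracket keeping it alive.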
Supplying the following input to mirb (including the blank line at the top) results in a crash:
This appears to be a null pointer dereference in kh_resize_iv. This issue was reported by https://hackerone.com/ston3
Other inputs producing the same crash have also been reported by https://hackerone.com/icanthack: