The following input demonstrates a crash:
```ruby
def to_str @b + + -> {} rescue "" end class A < to_str end
```
This results in recursion, but it seems to crash well before overflowing the stack:
```
Process 69290 stopped
* thread #1: tid = 0x190397c, 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x28)
    frame #0: 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088
   1085
   1086     CASE(OP_RESCUE) {
   1087       /* A      R(A) := exc; clear(exc) */
-> 1088       SET_OBJ_VALUE(regs[GETARG_A(i)], mrb->exc);
   1089       mrb->exc = 0;
   1090       NEXT;
   1091     }
(lldb) bt
* thread #1: tid = 0x190397c, 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x28)
  * frame #0: 0x000000010016c63b mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000ccfc) + 27227 at vm.c:1088
    frame #1: 0x0000000100165a6a mruby`mrb_vm_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f49dcc0, stack_keep=2) + 1114 at vm.c:822
    frame #2: 0x000000010015ebcf mruby`mrb_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f49dea0) + 1599 at vm.c:2570
    frame #3: 0x000000010015c518 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ea00, mid=144, argc=0, argv=0x00007fff5f49ef80, blk=mrb_value @ 0x00007fff5f49e0b0) + 13496 at vm.c:454
    frame #4: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ed60, mid=144, argc=0, argv=0x00007fff5f49ef80) + 984 at vm.c:464
    frame #5: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f49ef60, name="to_str", argc=0) + 1743 at vm.c:342
    frame #6: 0x0000000100106e1d mruby`mrb_str_equal(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f49f460, str2=mrb_value @ 0x00007fff5f49f480) + 1661 at string.c:995
    frame #7: 0x000000010011b6c5 mruby`mrb_str_equal_m(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f49f760) + 853 at string.c:1019
    frame #8: 0x000000010015c116 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a0240, mid=10, argc=1, argv=0x00007fff5f4a07c0, blk=mrb_value @ 0x00007fff5f49f8f0) + 12470 at vm.c:447
    frame #9: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a05a0, mid=10, argc=1, argv=0x00007fff5f4a07c0) + 984 at vm.c:464
    frame #10: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a07a0, name="==", argc=1) + 1743 at vm.c:342
    frame #11: 0x00000001000dab77 mruby`mrb_equal(mrb=0x000061400000fe40, obj1=mrb_value @ 0x00007fff5f4a0ca0, obj2=mrb_value @ 0x00007fff5f4a0cc0) + 1351 at object.c:48
    frame #12: 0x00000001000ae055 mruby`mrb_equal_m(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a0f20) + 853 at kernel.c:84
    frame #13: 0x000000010016fd85 mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f000002dd0, pc=0x000060700000cd08) + 41381 at vm.c:1229
    frame #14: 0x0000000100165a6a mruby`mrb_vm_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f4a8920, stack_keep=2) + 1114 at vm.c:822
    frame #15: 0x000000010015ebcf mruby`mrb_run(mrb=0x000061400000fe40, proc=0x000062f000002dd0, self=mrb_value @ 0x00007fff5f4a8b00) + 1599 at vm.c:2570
    frame #16: 0x000000010015c518 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a9660, mid=144, argc=0, argv=0x00007fff5f4a9be0, blk=mrb_value @ 0x00007fff5f4a8d10) + 13496 at vm.c:454
    frame #17: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a99c0, mid=144, argc=0, argv=0x00007fff5f4a9be0) + 984 at vm.c:464
    frame #18: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4a9bc0, name="to_str", argc=0) + 1743 at vm.c:342
    frame #19: 0x0000000100106e1d mruby`mrb_str_equal(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f4aa0c0, str2=mrb_value @ 0x00007fff5f4aa0e0) + 1661 at string.c:995
    frame #20: 0x000000010011b6c5 mruby`mrb_str_equal_m(mrb=0x000061400000fe40, str1=mrb_value @ 0x00007fff5f4aa3c0) + 853 at string.c:1019
    frame #21: 0x000000010015c116 mruby`mrb_funcall_with_block(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4aaea0, mid=10, argc=1, argv=0x00007fff5f4ab420, blk=mrb_value @ 0x00007fff5f4aa550) + 12470 at vm.c:447
    frame #22: 0x0000000100158ee8 mruby`mrb_funcall_argv(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4ab200, mid=10, argc=1, argv=0x00007fff5f4ab420) + 984 at vm.c:464
    frame #23: 0x000000010015896f mruby`mrb_funcall(mrb=0x000061400000fe40, self=mrb_value @ 0x00007fff5f4ab400, name="==", argc=1) + 1743 at vm.c:342
    ...
```
This issue was reported by Dinko Galetic and Denis Kasak (https://hackerone.com/dgaletic).
The new recursion limit gets triggered and throws an exception, which prevents it from overflowing the stack. However, it appears the crash happens while rescuing that exception.
OP_RETRUN to take B as matching exception; ref #3487
000c68d
Enhance OP_RESCUE to take B operand as matching exception; ref #3487
26169f9
Update VM to support new OP_RESCUE behavior; ref #3487
92f5bec
916b8ed