Null pointer dereference in get_file #3492

Closed
clayton-shopify opened this Issue Mar 8, 2017 · 2 comments


clayton-shopify commented Mar 8, 2017

The following input demonstrates a crash:

def a
  b
ensure
  yield
end

lambda { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { a { return } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } } }.call

The crash first appeared after this commit: 3390020, and building with -DMRB_DEFAULT_METHOD_MISSING makes the crash go away, so the issue may be related to method_missing.

ASAN report:

ASAN:DEADLYSIGNAL
=================================================================
==5342==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000100f5587d bp 0x7fff5ed0a450 sp 0x7fff5ed0a320 T0)
    #0 0x100f5587c in get_file debug.c:12
    #1 0x100f557e0 in mrb_debug_get_filename debug.c:58
    #2 0x100f16d4e in each_backtrace backtrace.c:132
    #3 0x100f15b7a in output_backtrace backtrace.c:182
    #4 0x100f13614 in exc_output_backtrace backtrace.c:198
    #5 0x100f1239c in mrb_print_backtrace backtrace.c:283
    #6 0x100fdd1c2 in mrb_print_error print.c:33
    #7 0x100ef6a81 in main mruby.c:240
    #8 0x7fffb4357254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV debug.c:12 in get_file
==5342==ABORTING
Abort trap: 6

This issue was reported by https://hackerone.com/ssarong

Member

matz commented Mar 10, 2017

The issue is related to #3438. I am investigating the solution (probably by removing save/restore backtrace).

@matz matz closed this in dcf6a41 Mar 19, 2017

matz added a commit that referenced this issue Mar 20, 2017

Member

bovi commented Mar 21, 2017

After this change I get the following warning on "Darwin daboAir.local 16.4.0 Darwin Kernel Version 16.4.0: Thu Dec 22 22:53:21 PST 2016; root:xnu-3789.41.3~3/RELEASE_X86_64 x86_64":

CC    mrbgems/mruby-compiler/core/codegen.c -> build/host/mrbgems/mruby-compiler/core/codegen.o
/Users/dabo/Seafile/Private/Projects/mruby/mrbgems/mruby-compiler/core/codegen.c:2202:47: warning: format specifies type 'long long' but the argument has
      type 'intptr_t' (aka 'long') [-Wformat]
      snprintf(buf, sizeof(buf), "$%" PRId64, (intptr_t)tree);
      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~
/usr/include/secure/_stdio.h:57:62: note: expanded from macro 'snprintf'
  __builtin___snprintf_chk (str, len, 0, __darwin_obsz(str), __VA_ARGS__)
                                                             ^~~~~~~~~~~
1 warning generated.
YACC  mrbgems/mruby-compiler/core/parse.y -> build/host/mrbgems/mruby-compiler/core/y.tab.c
CC    build/host/mrbgems/mruby-compiler/core/y.tab.c -> build/host/mrbgems/mruby-compiler/core/y.tab.o
AR    build/host/lib/libmruby_core.a 
ar: creating archive /Users/dabo/Seafile/Private/Projects/mruby/build/host/lib/libmruby_core.a
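The -Wformat warning above comes from printing an intptr_t with PRId64: on Darwin LP64, int64_t is long long while intptr_t is long, so the format and argument types disagree. The following is an added example (a hypothetical helper, not mruby's codegen.c) showing the portable form with PRIdPTR and a truncation check on the snprintf result.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build a "$<address>" label for a parser node, as codegen.c does.
 * intptr_t has no fixed width, so the only format macro guaranteed to
 * match it is PRIdPTR. PRId64 happens to be the same width on LP64 Darwin
 * (hence only a warning), but on a target where int64_t and intptr_t differ
 * in size the mismatch is a genuine undefined-behaviour bug. */
int format_node_id(const void *tree, char *buf, size_t len)
{
  int n = snprintf(buf, len, "$%" PRIdPTR, (intptr_t)tree);
  /* snprintf returns the length it wanted, not what it wrote:
   * treat a would-be-truncated label as an error. */
  if (n < 0 || (size_t)n >= len) return -1;
  return n;
}

/* Parse a label back to its integer value, using the matching scan macro,
 * so the round trip can be checked. Returns 0 for a malformed label. */
intptr_t parse_node_id(const char *label)
{
  intptr_t v = 0;
  if (label == NULL || label[0] != '$') return 0;
  if (sscanf(label + 1, "%" SCNdPTR, &v) != 1) return 0;
  return v;
}
```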