
Null pointer dereference in ary_concat #3532

clayton-shopify opened this issue Mar 21, 2017 · 1 comment

@clayton-shopify clayton-shopify commented Mar 21, 2017

The following input demonstrates a crash:

a *(

I suspect this occurs due to invalid code generation.

$ bin/mruby -v 214171.rb
mruby 1.2.0 (2015-11-17)
214171.rb:1:3: '*' interpreted as argument prefix
00002   NODE_BEGIN:
00002     NODE_FCALL:
00002       NODE_SELF
00004       method='a' (358)
00002       args:
00004         NODE_SPLAT:
00002           NODE_BEGIN:
00002             NODE_ARRAY:
00002               NODE_SPLAT:
00002                 NODE_BEGIN:
00003             NODE_INT 0 base 10
irep 0x60c000014740 nregs=5 nlocals=1 pools=0 syms=1 reps=0
file: 214171.rb
    2 000 OP_LOADSELF	R1
    2 001 OP_ARRAY	R2	R2	0
    2 002 OP_LOADNIL	R3
    3 003 OP_LOADI	R4	0
    3 004 OP_ARYCAT	R3	R4
    3 005 OP_SEND	R2	:a	127
    3 006 OP_STOP

==83636==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000018 (pc 0x0001062e9bfb bp 0x7fff59913610 sp 0x7fff59913530 T0)
    #0 0x1062e9bfa in ary_concat array.c:260
    #1 0x1062e9ab4 in mrb_ary_concat array.c:279
    #2 0x10646d8c3 in mrb_vm_exec (mruby+0x10018a8c3)
    #3 0x106447f79 in mrb_vm_run (mruby+0x100164f79)
    #4 0x10647a249 in mrb_top_run (mruby+0x100197249)
    #5 0x106549a85 in mrb_load_exec (mruby+0x100266a85)
    #6 0x10654a895 in mrb_load_file_cxt (mruby+0x100267895)
    #7 0x1062e55c6 in main mruby.c:227
    #8 0x7fff8cb21254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV array.c:260 in ary_concat
Abort trap: 6

This issue was reported by

@clayton-shopify clayton-shopify commented Mar 27, 2017

reported another input that produces the same crash:

def method_missing(*)end
y(&:d).s g(*s)
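As an added illustration (example code, not mruby's own), the following is a constructed model of the instruction sequence in the disassembly above: OP_LOADNIL R3 is immediately followed by OP_ARYCAT R3 R4, so the concat receiver is nil, and the modelled OP_ARYCAT handler type-checks its receiver and returns an error instead of dereferencing a null array pointer. The value layout, opcode set, register count and error codes are assumptions of the model, not mruby's.

```c
/* Constructed model of an mruby-like register VM (example code, not mruby's
 * own); only the ops from the issue's disassembly that matter are modelled. */
typedef enum { T_NIL, T_INT, T_ARRAY } vtype;
typedef struct { int len; int items[8]; } rarray;
typedef struct { vtype tt; int i; rarray *ary; } value;
typedef enum { OP_ARRAY, OP_LOADNIL, OP_LOADI, OP_ARYCAT, OP_STOP } opcode;
typedef struct { opcode op; int a; int b; } insn;
enum { VM_OK = 0, VM_TYPE_ERROR = 1, VM_CAPACITY = 2 };
/* Hardened concat: refuse a receiver that is not an array instead of
 * dereferencing it (the reported SEGV is a read through a null array pointer).
 * A scalar source is treated like the one-element array [x]. */
static int ary_concat_checked(value *recv, const value *src) {
    if (recv->tt != T_ARRAY || recv->ary == 0) return VM_TYPE_ERROR;
    if (recv->ary->len >= 8) return VM_CAPACITY;
    recv->ary->items[recv->ary->len++] = src->i;
    return VM_OK;
}

/* Run prog over regs; arrays live in pool. Returns VM_OK or the op's error,
 * so the caller can raise a TypeError rather than crash the process. */
static int vm_exec(const insn *prog, value *regs, rarray *pool) {
    int next = 0;
    for (;; prog++) {
        switch (prog->op) {
        case OP_ARRAY:   pool[next].len = 0;
                         regs[prog->a] = (value){T_ARRAY, 0, &pool[next++]}; break;
        case OP_LOADNIL: regs[prog->a] = (value){T_NIL, 0, 0}; break;
        case OP_LOADI:   regs[prog->a] = (value){T_INT, prog->b, 0}; break;
        case OP_ARYCAT: { int rc = ary_concat_checked(&regs[prog->a], &regs[prog->b]);
                          if (rc != VM_OK) return rc; break; }
        case OP_STOP:    return VM_OK;
        }
    }
}

/* Bytecode from the issue (LOADSELF/SEND omitted): R3 holds nil when
 * OP_ARYCAT uses it as the receiver. In FIXED_PROG, R3 starts as []. */
static const insn ISSUE_PROG[] = {{OP_ARRAY, 2, 0}, {OP_LOADNIL, 3, 0}, {OP_LOADI, 4, 0},
                                  {OP_ARYCAT, 3, 4}, {OP_STOP, 0, 0}};
static const insn FIXED_PROG[] = {{OP_ARRAY, 2, 0}, {OP_ARRAY, 3, 0}, {OP_LOADI, 4, 0},
                                  {OP_ARYCAT, 3, 4}, {OP_STOP, 0, 0}};
/* Fresh-register run; returns rc and stores R3's length (-1 if not an array). */
static int run_program(const insn *prog, int *r3_len) {
    value regs[5] = {{T_NIL, 0, 0}}; rarray pool[2];
    int rc = vm_exec(prog, regs, pool);
    *r3_len = regs[3].tt == T_ARRAY ? regs[3].ary->len : -1;
    return rc;
}
static int issue_rc(void) { int n; return run_program(ISSUE_PROG, &n); }
static int fixed_r3_len(void) { int n; return run_program(FIXED_PROG, &n) == VM_OK ? n : -1; }
```

Running the issue sequence yields VM_TYPE_ERROR at the OP_ARYCAT step rather than a segfault, while the variant with R3 initialised as an empty array completes with R3 == [0].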

@matz matz closed this as completed in d35fcf1 Apr 3, 2017