Null pointer dereference in OP_CALL #3534

Closed
clayton-shopify opened this Issue Mar 21, 2017 · 0 comments

clayton-shopify commented Mar 21, 2017

The following input demonstrates a crash:

s=proc{|f,g,x|f[x][g[x]]}.curry
k=proc{|x,y|x}.curry
i=proc{|x|x}.curry
fi0=[]
re0=proc{|x|fi0.size;x}.curry
[s[s[i][i]][k[i]]][0][s[s[k[s]][s[k[s]][s[s[k[s]][s[k[s[k[re0]]]][s[k[s]][k]]]][k]]]][k[s[k[s]][k]]]]

This appears to be a GC bug, since adding GC.disable to the top prevents the crash. The issue looks similar to #3491 so they could be related.

ASAN report:

==3466==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7fffc774bf3d bp 0x7fff5a5f9f00 sp 0x7fff5a5f9f00 T0)
    #0 0x7fffc774bf3c in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f3c)
    #1 0x10599ebf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
    #2 0x10576db11 in mrb_vm_exec (mruby+0x100171b11)
    #3 0x1057609e9 in mrb_vm_run (mruby+0x1001649e9)
    #4 0x105792cb9 in mrb_top_run (mruby+0x100196cb9)
    #5 0x1058619e5 in mrb_load_exec (mruby+0x1002659e5)
    #6 0x1058627f5 in mrb_load_file_cxt (mruby+0x1002667f5)
    #7 0x1055fe9d6 in main mruby.c:227
    #8 0x7fffc753b254 in start (libdyld.dylib+0x5254)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f3c) in _platform_memmove$VARIANT$Haswell
==3466==ABORTING
Abort trap: 6

Debug shows that m->env->stack is 0x2:

$ lldb bin/mruby
(lldb) target create "bin/mruby"
Current executable set to 'bin/mruby' (x86_64).
(lldb) process launch -- 214845.rb
Process 3444 launched: '/Users/clayton/git/mruby/bin/mruby' (x86_64)
AddressSanitizer debugger support is active. Memory error breakpoint has been installed and you can now use the 'memory history' command.
Process 3444 stopped
* thread #1: tid = 0x5ddc, 0x00007fffc774bf3d libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 157, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
    frame #0: 0x00007fffc774bf3d libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 157
libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
->  0x7fffc774bf3d <+157>: movq   (%rsi), %rcx
    0x7fffc774bf40 <+160>: movq   (%rsi,%rdx), %r8
    0x7fffc774bf44 <+164>: movq   %rcx, (%rdi)
    0x7fffc774bf47 <+167>: movq   %r8, (%rdi,%rdx)
(lldb) frame select 2
frame #2: 0x0000000100171b12 mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f00006ba00, pc=0x00000001002f6380) + 53170 at vm.c:1361
   1358	          stack_extend(mrb, irep->nregs, ci->argc+2);
   1359	        }
   1360	        if(m->env) {
-> 1361	          regs[0] = m->env->stack[0];
   1362	        }
   1363	        pc = irep->iseq;
   1364	        JUMP;
(lldb) print *m->env
(REnv) $0 = {
  tt = MRB_TT_ARRAY
  color = 2
  flags = 0
  c = 0x000062f000009c40
  gcnext = 0x0000000000000000
  stack = 0x0000000000000002
  mid = 2
  cioff = 105759274967392
}

This issue was reported by https://hackerone.com/ston3
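The report attributes the crash to the collector on the strength of one experiment: prepending GC.disable makes the crash go away. The following triage helper, added here as an example and not part of the original report or of mruby, automates that experiment for any candidate repro: it runs the script once unchanged and once with "GC.disable" prepended under an interpreter you name, records whether each run ended in a signal, and classifies the pair. The helper names (run_once, gc_sensitivity), the temp-file handling and the demo script are this example's own assumptions; nothing here depends on mruby internals, so it runs under CRuby as well as mruby.

```ruby
require "tempfile"
require "rbconfig"

# Run +src+ as a script under +interp+ (an argv array such as ["bin/mruby"])
# and report how the process ended. A signal death (SIGSEGV, or the SIGABRT
# that ASAN raises after its report) is what we are hunting for; a normal
# exit, even a non-zero one, is not a crash. Child output is discarded so
# the harness stays quiet when looping over many repros.
def run_once(interp, src)
  Tempfile.create(["repro", ".rb"]) do |f|
    f.write(src)
    f.flush
    pid = Process.spawn(*interp, f.path, out: File::NULL, err: File::NULL)
    _, status = Process.wait2(pid)
    if status.signaled?
      { outcome: :crash, signal: status.termsig }
    else
      { outcome: status.exitstatus.zero? ? :ok : :error, exit: status.exitstatus }
    end
  end
end

# Run the script with and without "GC.disable" at the top and classify:
#   :gc_sensitive       crashes normally, survives with the collector off
#                       (the pattern in the report above)
#   :crashes_regardless crashes either way, so GC is not the trigger
#   :no_crash           the script does not crash under this interpreter
def gc_sensitivity(interp, src)
  plain = run_once(interp, src)
  nogc  = run_once(interp, "GC.disable\n" + src)
  verdict =
    if plain[:outcome] == :crash && nogc[:outcome] != :crash
      :gc_sensitive
    elsif plain[:outcome] == :crash
      :crashes_regardless
    else
      :no_crash
    end
  { plain: plain, gc_disabled: nogc, verdict: verdict }
end

if __FILE__ == $0
  # Constructed stand-in for a GC-sensitive crash, used so the demo runs
  # without mruby: GC.disable returns false when the collector was enabled,
  # so the unmodified script kills itself, while the copy with GC.disable
  # already prepended sees true and exits cleanly.
  demo = "Process.kill(:KILL, $$) unless GC.disable\n"
  p gc_sensitivity([RbConfig.ruby], demo)
end
```

For the real case, point it at the ASAN build and the saved repro, e.g. gc_sensitivity(["bin/mruby"], File.read("214845.rb")); an ASAN abort shows up as outcome :crash with signal 6, matching the "Abort trap: 6" in the report. A :gc_sensitive verdict is a strong hint, not a proof, that an object is being collected while still referenced; the debugger output above, where the REnv the VM still dereferences now carries tt = MRB_TT_ARRAY, is the kind of evidence that confirms it.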
