This appears to be a GC bug, since adding GC.disable to the top prevents the crash. The issue looks similar to #3491 so they could be related.
ASAN report:
==3466==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7fffc774bf3d bp 0x7fff5a5f9f00 sp 0x7fff5a5f9f00 T0)
#0 0x7fffc774bf3c in _platform_memmove$VARIANT$Haswell (libsystem_platform.dylib+0x5f3c)
#1 0x10599ebf8 in __asan_memcpy (libclang_rt.asan_osx_dynamic.dylib+0x41bf8)
#2 0x10576db11 in mrb_vm_exec (mruby+0x100171b11)
#3 0x1057609e9 in mrb_vm_run (mruby+0x1001649e9)
#4 0x105792cb9 in mrb_top_run (mruby+0x100196cb9)
#5 0x1058619e5 in mrb_load_exec (mruby+0x1002659e5)
#6 0x1058627f5 in mrb_load_file_cxt (mruby+0x1002667f5)
#7 0x1055fe9d6 in main mruby.c:227
#8 0x7fffc753b254 in start (libdyld.dylib+0x5254)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (libsystem_platform.dylib+0x5f3c) in _platform_memmove$VARIANT$Haswell
==3466==ABORTING
Abort trap: 6
Debug shows that m->env->stack is 0x2:
$ lldb bin/mruby
(lldb) target create "bin/mruby"
Current executable set to 'bin/mruby' (x86_64).
(lldb) process launch -- 214845.rb
Process 3444 launched: '/Users/clayton/git/mruby/bin/mruby' (x86_64)
AddressSanitizer debugger support is active. Memory error breakpoint has been installed and you can now use the 'memory history' command.
Process 3444 stopped
* thread #1: tid = 0x5ddc, 0x00007fffc774bf3d libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 157, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x2)
frame #0: 0x00007fffc774bf3d libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell + 157
libsystem_platform.dylib`_platform_memmove$VARIANT$Haswell:
-> 0x7fffc774bf3d <+157>: movq (%rsi), %rcx
0x7fffc774bf40 <+160>: movq (%rsi,%rdx), %r8
0x7fffc774bf44 <+164>: movq %rcx, (%rdi)
0x7fffc774bf47 <+167>: movq %r8, (%rdi,%rdx)
(lldb) frame select 2
frame #2: 0x0000000100171b12 mruby`mrb_vm_exec(mrb=0x000061400000fe40, proc=0x000062f00006ba00, pc=0x00000001002f6380) + 53170 at vm.c:1361
1358 stack_extend(mrb, irep->nregs, ci->argc+2);
1359 }
1360 if(m->env) {
-> 1361 regs[0] = m->env->stack[0];
1362 }
1363 pc = irep->iseq;
1364 JUMP;
(lldb) print *m->env
(REnv) $0 = {
tt = MRB_TT_ARRAY
color = 2
flags = 0
c = 0x000062f000009c40
gcnext = 0x0000000000000000
stack = 0x0000000000000002
mid = 2
cioff = 105759274967392
}
The following input demonstrates a crash:
This issue was reported by https://hackerone.com/ston3
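As an added illustration (not code from the mruby project or from this report), the following self-contained C model shows one way a GC-managed env object can end up looking like the `print *m->env` output above: the collector cannot see the only reference to the env, sweeps it, and the next allocation reuses the slot as an array, so a stale `REnv` pointer then observes `tt == MRB_TT_ARRAY` and a `stack` field that is really the array's small length (here `2`, matching `stack = 0x2`). In the trace above the struct copy `regs[0] = m->env->stack[0]` is what ASAN intercepts as `__asan_memcpy` before the wild read faults. The arena, tags, `env_read_reg0` and the scenario functions are all constructed for this example; the actual mruby root cause is not identified on this page.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy model, not mruby's allocator: a fixed arena of tagged
 * objects, a mark-and-sweep pass over explicit roots, and reuse of freed
 * slots by the next allocation. */
enum tt { TT_FREE = 0, TT_ENV, TT_ARRAY };

struct obj {
  enum tt tt;            /* type tag, like REnv.tt / RArray.tt in mruby */
  int marked;
  union {
    uintptr_t *stack;    /* TT_ENV: saved register stack */
    size_t len;          /* TT_ARRAY: overlaps 'stack' in this model */
  } u;
};

#define ARENA_SIZE 4
#define ROOT_MAX 4

struct heap {
  struct obj arena[ARENA_SIZE];
  struct obj *roots[ROOT_MAX];
  int nroots;
  uintptr_t env_stack[8];  /* backing store handed to env objects */
};

static void heap_init(struct heap *h) { memset(h, 0, sizeof *h); }

/* First-fit allocation: a swept slot is handed out again immediately. */
static struct obj *heap_alloc(struct heap *h, enum tt tt) {
  for (int i = 0; i < ARENA_SIZE; i++) {
    struct obj *o = &h->arena[i];
    if (o->tt != TT_FREE) continue;
    memset(o, 0, sizeof *o);
    o->tt = tt;
    if (tt == TT_ENV) { o->u.stack = h->env_stack; h->env_stack[0] = 42; }
    else              { o->u.len = 2; }
    return o;
  }
  return NULL;
}

static void heap_add_root(struct heap *h, struct obj *o) { h->roots[h->nroots++] = o; }

/* Mark everything reachable from the root set, then free the rest. */
static void heap_gc(struct heap *h) {
  for (int i = 0; i < ARENA_SIZE; i++) h->arena[i].marked = 0;
  for (int i = 0; i < h->nroots; i++) h->roots[i]->marked = 1;
  for (int i = 0; i < ARENA_SIZE; i++)
    if (h->arena[i].tt != TT_FREE && !h->arena[i].marked) h->arena[i].tt = TT_FREE;
}

/* Defensive version of regs[0] = env->stack[0]: refuse unless the object still
 * carries the env tag and a plausible stack pointer. 0 on success,
 * -1 if the object is not (or no longer) an env, -2 if the pointer is garbage. */
static int env_read_reg0(const struct obj *env, uintptr_t *out) {
  if (env == NULL || env->tt != TT_ENV) return -1;
  if (env->u.stack == NULL || (uintptr_t)env->u.stack < 4096) return -2;
  *out = env->u.stack[0];
  return 0;
}

/* Scenario 1: the env is rooted, so GC keeps it and the read succeeds. */
static int scenario_rooted(void) {
  struct heap h; heap_init(&h);
  struct obj *env = heap_alloc(&h, TT_ENV);
  heap_add_root(&h, env);
  heap_gc(&h);
  uintptr_t v = 0;
  return env_read_reg0(env, &v) == 0 && v == 42;
}

struct outcome { enum tt tt_seen; uintptr_t stack_seen; int read_rc; };

/* Scenario 2: the only reference is a C local the collector cannot see.
 * GC frees the slot, the next allocation reuses it as an array, and the
 * stale env pointer now aliases that array: tt == TT_ARRAY and the 'stack'
 * field reads back the array length 2 as a pointer value. Reading through the
 * stale pointer is well defined here because the slot is still arena memory. */
static struct outcome scenario_missing_root(void) {
  struct heap h; heap_init(&h);
  struct obj *env = heap_alloc(&h, TT_ENV);   /* never registered as a root */
  heap_gc(&h);
  struct obj *arr = heap_alloc(&h, TT_ARRAY); /* reuses env's slot */
  struct outcome o;
  o.tt_seen = env->tt;
  o.stack_seen = (uintptr_t)env->u.stack;
  uintptr_t v = 0;
  o.read_rc = env_read_reg0(env, &v);         /* refused instead of a wild copy */
  (void)arr;
  return o;
}

static int missing_root_tag(void)     { return (int)scenario_missing_root().tt_seen; }
static uintptr_t missing_root_stack(void) { return scenario_missing_root().stack_seen; }
static int missing_root_read_rc(void) { return scenario_missing_root().read_rc; }

int main(void) {
  struct outcome o = scenario_missing_root();
  printf("rooted env readable: %d\n", scenario_rooted());
  printf("stale env: tt=%d stack=%p read_rc=%d\n",
         (int)o.tt_seen, (void *)o.stack_seen, o.read_rc);
  return 0;
}
```

The type-tag check in `env_read_reg0` is a detection aid for a debug build rather than a fix: it turns a wild read into a reportable failure, but the real remedy is making the collector see the reference (marking the env from the proc or call-info that owns it), which is the kind of missing root the `GC.disable` observation in the report points at.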