From: billk@cts.com
To: ruby-core@ruby-lang.org
Subject: [ruby-core:62052] [ruby-trunk - Bug #8543] rb_iseq_load
Date: Wed, 16 Apr 2014 10:21:56 +0000 [thread overview]
Message-ID: <redmine.journal-46227.20140416102155.54cf161e9be5bd15@ruby-lang.org> (raw)
In-Reply-To: redmine.issue-8543.20130619213935@ruby-lang.org
Issue #8543 has been updated by B Kelly.
File iseq-load-test3.rb added
File iseq-load-test3-file.rb added
Hello again,
The attached files comprise a small example which appears to consistently
reproduce a segmentation fault with rb_iseq_load.
Interpreter is: ruby 2.2.0dev (2014-04-16 trunk 45597) [i386-mswin32_100]
The crash appears related to the case statement.
~~~
Call stack:
The st_table pointer at st_foreach_check is bad:
msvcr100-ruby220.dll!st_foreach_check(st_table * table=0x00000008, int (void)* func=0x0f3f3580, unsigned long arg=4512588, unsigned long never=6) Line 891 + 0x3 bytes C
msvcr100-ruby220.dll!hash_foreach_call(unsigned long arg=4512588) Line 258 + 0x17 bytes C
msvcr100-ruby220.dll!rb_ensure(unsigned long (void)* b_proc=0x0f3f3530, unsigned long data1=4512588, unsigned long (void)* e_proc=0x0f3f3480, unsigned long data2=10318080) Line 888 + 0x7 bytes C
msvcr100-ruby220.dll!rb_hash_foreach(unsigned long hash=10318080, int (void)* func=0x0f45ac20, unsigned long farg=4512696) Line 275 + 0x17 bytes C
> msvcr100-ruby220.dll!iseq_set_sequence(rb_iseq_struct * iseq=0x00d279b0, iseq_link_anchor * anchor=0x0044dd58) Line 1507 + 0x12 bytes C
msvcr100-ruby220.dll!iseq_setup(rb_iseq_struct * iseq=0x00d279b0, iseq_link_anchor * anchor=0x0044dd58) Line 1026 + 0xd bytes C
msvcr100-ruby220.dll!iseq_build_from_ary_body(rb_iseq_struct * iseq=0x00d279b0, iseq_link_anchor * anchor=0x0044dd58, unsigned long body=10318900, st_table * labels_table=0x00d27d10) Line 5855 + 0xd bytes C
msvcr100-ruby220.dll!rb_iseq_build_from_ary(rb_iseq_struct * iseq=0x00d279b0, unsigned long locals=10320520, unsigned long args=5, unsigned long exception=10320460, unsigned long body=10318900) Line 5932 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_load(unsigned long self=10542580, unsigned long data=10320540, unsigned long parent=10318300, unsigned long opt=4) Line 561 + 0x19 bytes C
msvcr100-ruby220.dll!rb_iseq_load(unsigned long data=10320540, unsigned long parent=10318300, unsigned long opt=4) Line 582 + 0x17 bytes C
msvcr100-ruby220.dll!iseq_build_load_iseq(rb_iseq_struct * iseq=0x00d27500, unsigned long op=10320540) Line 5701 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_build_from_ary_body(rb_iseq_struct * iseq=0x00d27500, iseq_link_anchor * anchor=0x0044dfd4, unsigned long body=10318680, st_table * labels_table=0x00d27860) Line 5816 + 0x13 bytes C
msvcr100-ruby220.dll!rb_iseq_build_from_ary(rb_iseq_struct * iseq=0x00d27500, unsigned long locals=10320900, unsigned long args=3, unsigned long exception=10320840, unsigned long body=10318680) Line 5932 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_load(unsigned long self=10542580, unsigned long data=10320920, unsigned long parent=10318380, unsigned long opt=4) Line 561 + 0x19 bytes C
msvcr100-ruby220.dll!rb_iseq_load(unsigned long data=10320920, unsigned long parent=10318380, unsigned long opt=4) Line 582 + 0x17 bytes C
msvcr100-ruby220.dll!iseq_build_load_iseq(rb_iseq_struct * iseq=0x00d27110, unsigned long op=10320920) Line 5701 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_build_from_ary_body(rb_iseq_struct * iseq=0x00d27110, iseq_link_anchor * anchor=0x0044e250, unsigned long body=10318560, st_table * labels_table=0x00d27470) Line 5783 + 0xd bytes C
msvcr100-ruby220.dll!rb_iseq_build_from_ary(rb_iseq_struct * iseq=0x00d27110, unsigned long locals=10321160, unsigned long args=1, unsigned long exception=10321100, unsigned long body=10318560) Line 5932 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_load(unsigned long self=10542580, unsigned long data=10321180, unsigned long parent=10318460, unsigned long opt=4) Line 561 + 0x19 bytes C
msvcr100-ruby220.dll!rb_iseq_load(unsigned long data=10321180, unsigned long parent=10318460, unsigned long opt=4) Line 582 + 0x17 bytes C
msvcr100-ruby220.dll!iseq_build_load_iseq(rb_iseq_struct * iseq=0x00d25c08, unsigned long op=10321180) Line 5701 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_build_from_ary_body(rb_iseq_struct * iseq=0x00d25c08, iseq_link_anchor * anchor=0x0044e4cc, unsigned long body=10318500, st_table * labels_table=0x00d25f68) Line 5783 + 0xd bytes C
msvcr100-ruby220.dll!rb_iseq_build_from_ary(rb_iseq_struct * iseq=0x00d25c08, unsigned long locals=10339520, unsigned long args=1, unsigned long exception=10339460, unsigned long body=10318500) Line 5932 + 0x15 bytes C
msvcr100-ruby220.dll!iseq_load(unsigned long self=10542580, unsigned long data=10339540, unsigned long parent=0, unsigned long opt=4) Line 561 + 0x19 bytes C
msvcr100-ruby220.dll!iseq_s_load(int argc=1, unsigned long * argv=0x0057005c, unsigned long self=10542580) Line 576 + 0x13 bytes C
msvcr100-ruby220.dll!call_cfunc_m1(unsigned long (void)* func=0x0f443b50, unsigned long recv=10542580, int argc=1, const unsigned long * argv=0x0057005c) Line 1330 + 0xf bytes C
msvcr100-ruby220.dll!vm_call_cfunc_with_frame(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * reg_cfp=0x005eff80, rb_call_info_struct * ci=0x00cdcfc0) Line 1502 + 0x20 bytes C
msvcr100-ruby220.dll!vm_call_cfunc(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * reg_cfp=0x005eff80, rb_call_info_struct * ci=0x00cdcfc0) Line 1592 + 0x11 bytes C
msvcr100-ruby220.dll!vm_call_method(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * cfp=0x005eff80, rb_call_info_struct * ci=0x00cdcfc0) Line 1786 + 0x11 bytes C
msvcr100-ruby220.dll!vm_call_general(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * reg_cfp=0x005eff80, rb_call_info_struct * ci=0x00cdcfc0) Line 1941 + 0x11 bytes C
msvcr100-ruby220.dll!vm_exec_core(rb_thread_struct * th=0x00c15588, unsigned long initial=0) Line 1028 + 0x1a bytes C
msvcr100-ruby220.dll!vm_exec(rb_thread_struct * th=0x00c15588) Line 1328 + 0xd bytes C
msvcr100-ruby220.dll!invoke_block_from_c(rb_thread_struct * th=0x00c15588, const rb_block_struct * block=0x005effe0, unsigned long self=10187260, int argc=1, const unsigned long * argv=0x0044f0ec, const rb_block_struct * blockptr=0x00000000, const RNode * cref=0x00000000, unsigned long defined_class=4, int splattable=1) Line 752 + 0x9 bytes C
msvcr100-ruby220.dll!vm_yield(rb_thread_struct * th=0x00c15588, int argc=1, const unsigned long * argv=0x0044f0ec) Line 784 + 0x28 bytes C
msvcr100-ruby220.dll!rb_yield_0(int argc=1, const unsigned long * argv=0x0044f0ec) Line 936 + 0x13 bytes C
msvcr100-ruby220.dll!rb_yield(unsigned long val=10340180) Line 946 + 0xb bytes C
msvcr100-ruby220.dll!rb_ary_each(unsigned long array=10342440) Line 1806 + 0x2f bytes C
msvcr100-ruby220.dll!call_cfunc_0(unsigned long (void)* func=0x0f3cd6b0, unsigned long recv=10342440, int argc=0, const unsigned long * argv=0x00570040) Line 1336 + 0x7 bytes C
msvcr100-ruby220.dll!vm_call_cfunc_with_frame(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * reg_cfp=0x005effd0, rb_call_info_struct * ci=0x00cdc5a8) Line 1502 + 0x20 bytes C
msvcr100-ruby220.dll!vm_call_cfunc(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * reg_cfp=0x005effd0, rb_call_info_struct * ci=0x00cdc5a8) Line 1592 + 0x11 bytes C
msvcr100-ruby220.dll!vm_call_method(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * cfp=0x005effd0, rb_call_info_struct * ci=0x00cdc5a8) Line 1786 + 0x11 bytes C
msvcr100-ruby220.dll!vm_call_general(rb_thread_struct * th=0x00c15588, rb_control_frame_struct * reg_cfp=0x005effd0, rb_call_info_struct * ci=0x00cdc5a8) Line 1941 + 0x11 bytes C
msvcr100-ruby220.dll!vm_exec_core(rb_thread_struct * th=0x00c15588, unsigned long initial=0) Line 999 + 0x1a bytes C
msvcr100-ruby220.dll!vm_exec(rb_thread_struct * th=0x00c15588) Line 1328 + 0xd bytes C
msvcr100-ruby220.dll!rb_iseq_eval_main(unsigned long iseqval=10505960) Line 1586 + 0x9 bytes C
msvcr100-ruby220.dll!ruby_exec_internal(void * n=0x00a04ee8) Line 254 + 0x46 bytes C
msvcr100-ruby220.dll!ruby_exec_node(void * n=0x00a04ee8) Line 316 + 0x9 bytes C
msvcr100-ruby220.dll!ruby_run_node(void * n=0x00a04ee8) Line 308 + 0x9 bytes C
ruby_t.exe!main(int argc=3, char * * argv=0x00c115b8) Line 36 + 0x16 bytes C
ruby_t.exe!__tmainCRTStartup() Line 555 + 0x17 bytes C
In the iseq_set_sequence above marked by ">", the bad hash value was
fetched from operands[j]:
case TS_CDHASH:
{
VALUE map = operands[j];
struct cdhash_set_label_struct data;
data.hash = map;
data.pos = pos;
data.len = len;
rb_hash_foreach(map, cdhash_set_label_i, (VALUE)&data);
hide_obj(map);
generated_iseq[pos + 1 + j] = map;
break;
}
And the iobj->insn_id is consistently YARVINSN_opt_case_dispatch:
iobj 0x00d27c6c {link={...} insn_id=YARVINSN_opt_case_dispatch line_no=5 ...} iseq_insn_data *
link {type=ISEQ_ELEMENT_INSN next=0x00d27c8c prev=0x00d27ba4 } iseq_link_element
insn_id YARVINSN_opt_case_dispatch ruby_vminsn_type
line_no 5 unsigned int
operand_size 2 int
sc_state 0 int
~~~
I had invoked the program with --disable-gems for simplicity, however
the crash occurs either way.
If there's any further information I could provide please let me know.
Thanks for your help!
Regards,
Bill
----------------------------------------
Bug #8543: rb_iseq_load
https://bugs.ruby-lang.org/issues/8543#change-46227
* Author: Alexey Voskov
* Status: Open
* Priority: Low
* Assignee: Koichi Sasada
* Category: YARV
* Target version: current: 2.2.0
* ruby -v: ruby 2.0.0p234 (2013-06-19 revision 41434) [x86_64-darwin11.4.2]
* Backport: 1.9.3: DONTNEED, 2.0.0: REQUIRED
----------------------------------------
I noticed an unusual behaviour of undocumented rb_iseq_load function.
Its work differs in different Ruby versions. I'm trying to protect some Ruby
source code by its conversion to YARV p-code and using the next strategy:
1) Convert code to array
data = RubyVM::InstructionSequence.compile_file('hello.rb').to_a
2) Pass a compiled source to the rb_iseq_load function and evaluate it
iseq = iseq_load.(data)
iseq.eval
Sample programs are supplied in the attachments.
"hello.rb"
---------------------------
puts "tralivali"
def funct(a,b)
a**b
end
3.times { |i|
puts "Hello, world#{funct(2,i)}!"
}
------------------------
The differences
Ruby 1.9.3 (ruby 1.9.3p194 (2012-04-20) [i386-mingw32])
Correct work. Output:
-------------------------
tralivali
Hello, world1!
Hello, world2!
Hello, world4!
--------------------
Ruby 2.0.0 (ruby 2.0.0p193 (2013-05-14) [x64-mingw32])
Incorrect work (omits the code inside code blocks). Output
-------------------------
tralivali
-------------------------
Attempts of loading bigger programs by means of rb_iseq_load in Ruby 2.0.0 usually ends with a segmentation fault.
Such behaviour also can be reproduced by means of iseq Ruby extension ("for iseq freaks")
https://github.com/wanabe/iseq
P.S. I understand that it is an undocumented feature.
---Files--------------------------------
hello.rb (102 Bytes)
rb_pack.rb (931 Bytes)
iseq-load-test3.rb (210 Bytes)
iseq-load-test3-file.rb (369 Bytes)
--
https://bugs.ruby-lang.org/
next prev parent reply other threads:[~2014-04-16 10:17 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-19 12:39 [ruby-core:55557] [ruby-trunk - misc #8543][Open] rb_iseq_load alvoskov (Alexey Voskov)
2013-06-20 7:40 ` [ruby-core:55568] [ruby-trunk - Bug #8543] rb_iseq_load nagachika (Tomoyuki Chikanaga)
2014-01-30 6:17 ` [ruby-core:60299] " shibata.hiroshi
2014-04-16 8:25 ` [ruby-core:62050] " billk
2014-04-16 10:21 ` billk [this message]
2014-06-26 23:40 ` [ruby-core:63353] " billk
2014-06-30 8:07 ` [ruby-core:63427] " naruse
2014-07-26 5:42 ` [ruby-core:64033] " ko1
2014-07-26 5:46 ` [ruby-core:64034] [ruby-trunk - Feature " nobu
2014-10-09 7:18 ` [ruby-core:65555] " billk
2014-10-09 7:44 ` [ruby-core:65556] " Eric Wong
2014-10-09 7:51 ` [ruby-core:65557] " normalperson
2014-10-09 23:44 ` [ruby-core:65574] " billk
2014-11-22 0:03 ` [ruby-core:66402] " Eric Wong
2014-11-22 1:06 ` [ruby-core:66404] " Eric Wong
2014-11-22 8:19 ` [ruby-core:66409] " Eric Wong
2014-11-23 5:56 ` [ruby-core:66423] " Eric Wong
2014-11-22 0:08 ` [ruby-core:66403] " normalperson
2014-11-22 1:08 ` [ruby-core:66405] " normalperson
2014-11-22 8:28 ` [ruby-core:66410] " normalperson
2014-11-23 5:58 ` [ruby-core:66424] " normalperson
2014-11-24 23:13 ` [ruby-core:66446] " billk
2014-11-25 2:01 ` [ruby-core:66450] " Eric Wong
2014-11-25 2:08 ` [ruby-core:66451] " normalperson
2014-11-25 3:09 ` [ruby-core:66452] " billk
2014-11-25 8:19 ` [ruby-core:66456] " ko1
2014-11-26 1:38 ` [ruby-core:66465] " Eric Wong
2014-11-26 1:48 ` [ruby-core:66467] " normalperson
2014-11-26 6:49 ` [ruby-core:66472] " ko1
2014-11-26 8:09 ` [ruby-core:66476] " Eric Wong
2014-11-26 8:18 ` [ruby-core:66478] " normalperson
2014-11-27 3:02 ` [ruby-core:66508] " Eric Wong
2014-11-27 3:08 ` [ruby-core:66510] " normalperson
2014-11-29 11:55 ` [ruby-core:66566] " s.wanabe
2014-12-01 22:35 ` [ruby-core:66633] " Eric Wong
2014-12-01 22:38 ` [ruby-core:66634] " normalperson
2014-12-19 21:15 ` [ruby-core:66987] " Eric Wong
2014-12-19 21:18 ` [ruby-core:66988] " normalperson
2015-09-09 23:27 ` [ruby-core:70708] [Ruby trunk - Feature #8543] new rb_iseq_load crash billk
2015-09-10 0:09 ` [ruby-core:70709] " billk
2015-09-10 14:12 ` [ruby-core:70711] [Ruby trunk - Bug " nagachika00
2015-09-10 16:42 ` [ruby-core:70713] " Bill Kelly
2015-09-10 16:54 ` [ruby-core:70714] " U.NAKAMURA
2015-09-10 17:14 ` [ruby-core:70715] " Bill Kelly
2015-09-11 1:35 ` [ruby-core:70722] " Nobuyoshi Nakada
2015-11-24 15:43 ` [ruby-core:71653] " nagachika00
2015-12-08 3:11 ` [ruby-core:71930] " usa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-list from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://www.ruby-lang.org/en/community/mailing-lists/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=redmine.journal-46227.20140416102155.54cf161e9be5bd15@ruby-lang.org \
--to=ruby-core@ruby-lang.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).