ruby-core@ruby-lang.org archive (unofficial mirror)
From: mame@ruby-lang.org
To: ruby-core@ruby-lang.org
Subject: [ruby-core:90311] [Ruby trunk Bug#15382] Stack overflow in int_or()
Date: Wed, 05 Dec 2018 13:04:45 +0000 (UTC)
Message-ID: <redmine.journal-75415.20181205130444.36c7377abcc39cbb@ruby-lang.org>
In-Reply-To: redmine.issue-15382.20181205120708@ruby-lang.org

Issue #15382 has been updated by mame (Yusuke Endoh).


Briefly investigated.  This is an infinite recursion.

Simplified version:

    def respond_to_missing?(s, f)
      0 + "foo"
    end
    0.respond_to?(:foo)

`0 + "foo"` calls `coerce`, which calls `respond_to_missing?` recursively.

----------------------------------------
Bug #15382: Stack overflow in int_or()
https://bugs.ruby-lang.org/issues/15382#change-75415

* Author: fumfel (Kamil Frankowicz)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-12-04 trunk 66199) [x86_64-linux]
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
After some fuzz testing I found a crashing test case.

To reproduce: miniruby ruby_so_int_or

Full ASAN report: https://gist.github.com/fumfel/0a2e01f2ab6794632d017bfd306ffac9

ASAN report:

~~~
==22120==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe9d1ddff8 (pc 0x55d12a2abd28 bp 0x7ffe9d1de010 sp 0x7ffe9d1de000 T0)
    #0 0x55d12a2abd27 in int_or XYZ/ruby/numeric.c:4494
    #1 0x55d12a714ae7 in vm_call_cfunc_with_frame XYZ/ruby/./vm_insnhelper.c:1908:11
    #2 0x55d12a714ae7 in vm_call_cfunc XYZ/ruby/./vm_insnhelper.c:1924
    #3 0x55d12a69d73b in vm_exec_core XYZ/ruby/insns.def:766:5
    #4 0x55d12a6fc0ff in rb_vm_exec XYZ/ruby/vm.c:1876:22
    #5 0x55d12a6cf136 in vm_call0_body XYZ/ruby/./vm_eval.c:127:13
    #6 0x55d12a7387c1 in rb_vm_call0 XYZ/ruby/./vm_eval.c:60:12
    #7 0x55d12a7387c1 in call_method_entry XYZ/ruby/./vm_method.c:1954
    #8 0x55d12a6d2f89 in basic_obj_respond_to_missing XYZ/ruby/./vm_method.c:1971:12
    #9 0x55d12a6d2f89 in check_funcall_missing XYZ/ruby/./vm_eval.c:374
    #10 0x55d12a6d265e in rb_check_funcall_default XYZ/ruby/./vm_eval.c:420:14
    #11 0x55d12a28d664 in do_coerce XYZ/ruby/numeric.c:424:17
    #12 0x55d12a2ac03a in rb_num_coerce_bit XYZ/ruby/numeric.c:4424:5
    #13 0x55d12a2ac03a in fix_or XYZ/ruby/numeric.c:4489
    #14 0x55d12a2ac03a in int_or XYZ/ruby/numeric.c:4496
    [-------------------- SNIP ----------------------]
    #378 0x55d12a2ac03a in int_or XYZ/ruby/numeric.c:4496
    #379 0x55d12a714ae7 in vm_call_cfunc_with_frame XYZ/ruby/./vm_insnhelper.c:1908:11
    #380 0x55d12a714ae7 in vm_call_cfunc XYZ/ruby/./vm_insnhelper.c:1924
    #381 0x55d12a69d73b in vm_exec_core XYZ/ruby/insns.def:766:5
    #382 0x55d12a6fc0ff in rb_vm_exec XYZ/ruby/vm.c:1876:22
    #383 0x55d12a6cf136 in vm_call0_body XYZ/ruby/./vm_eval.c:127:13
    #384 0x55d12a7387c1 in rb_vm_call0 XYZ/ruby/./vm_eval.c:60:12
    #385 0x55d12a7387c1 in call_method_entry XYZ/ruby/./vm_method.c:1954
    #386 0x55d12a6d2f89 in basic_obj_respond_to_missing XYZ/ruby/./vm_method.c:1971:12
    #387 0x55d12a6d2f89 in check_funcall_missing XYZ/ruby/./vm_eval.c:374
    #388 0x55d12a6d265e in rb_check_funcall_default XYZ/ruby/./vm_eval.c:420:14

SUMMARY: AddressSanitizer: stack-overflow XYZ/ruby/numeric.c:4494 in int_or
==22120==ABORTING
~~~


---Files--------------------------------
ruby_so_int_or (59 Bytes)


-- 
https://bugs.ruby-lang.org/
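Added example, not from the thread or the Ruby source: it reproduces the re-entrancy mame describes (`Integer#+` probes its operand for `coerce`, and an undefined `coerce` falls through to `respond_to_missing?`), using a depth counter in place of an actual stack overflow, and shows the guard that breaks the cycle. `CoerceProbe` and the two helper methods are constructed names.

```ruby
# Constructed probe class; the hook re-enters itself the same way the
# report's top-level respond_to_missing? did via `0 + "foo"`.
class CoerceProbe
  attr_reader :queries, :depth

  def initialize(guarded: false, limit: 20)
    @queries = []        # every method name Ruby asked this hook about
    @depth = 0           # how many times the hook was (re-)entered
    @guarded = guarded
    @limit = limit
    @busy = false        # set while our own arithmetic probe is running
  end

  # Integer#+ on a non-Numeric operand asks the operand for `coerce`
  # (do_coerce -> rb_check_funcall); with no such method defined, Ruby
  # falls back to respond_to_missing?, as the reported trace shows.
  def respond_to_missing?(name, include_private = false)
    @queries << name
    return false if @guarded && @busy   # re-entered by our own probe: stop
    @depth += 1
    raise "runaway recursion" if @depth > @limit
    @busy = true
    begin
      0 + self                          # same shape as `0 + "foo"`
    rescue TypeError
      # expected: CoerceProbe can't be coerced into Integer
    ensure
      @busy = false
    end
    name == :coercible || super
  end
end

# Unguarded: every probe re-enters the hook until the depth limit trips.
def unguarded_depth(limit = 20)
  probe = CoerceProbe.new(limit: limit)
  probe.respond_to?(:coercible)
  probe.depth
rescue RuntimeError
  probe.depth
end

# Guarded: the nested :coerce query is answered false without re-probing,
# so the outer respond_to? completes at depth 1.
def guarded_result
  probe = CoerceProbe.new(guarded: true)
  [probe.respond_to?(:coercible), probe.depth, probe.queries]
end
```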
