* [ruby-core:90309] [Ruby trunk Bug#15382] Stack overflow in int_or()
[not found] <redmine.issue-15382.20181205120708@ruby-lang.org>
@ 2018-12-05 12:07 ` fumfi.255
2018-12-05 13:04 ` [ruby-core:90311] " mame
2018-12-05 17:03 ` [ruby-core:90322] " nobu
2 siblings, 0 replies; 3+ messages in thread
From: fumfi.255 @ 2018-12-05 12:07 UTC (permalink / raw)
To: ruby-core
Issue #15382 has been reported by fumfel (Kamil Frankowicz).
----------------------------------------
Bug #15382: Stack overflow in int_or()
https://bugs.ruby-lang.org/issues/15382
* Author: fumfel (Kamil Frankowicz)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.6.0dev (2018-12-04 trunk 66199) [x86_64-linux]
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
After some fuzz testing I found a crashing test case.
To reproduce: miniruby ruby_so_int_or
Full ASAN report: https://gist.github.com/fumfel/0a2e01f2ab6794632d017bfd306ffac9
ASAN report:
~~~
==22120==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe9d1ddff8 (pc 0x55d12a2abd28 bp 0x7ffe9d1de010 sp 0x7ffe9d1de000 T0)
#0 0x55d12a2abd27 in int_or XYZ/ruby/numeric.c:4494
#1 0x55d12a714ae7 in vm_call_cfunc_with_frame XYZ/ruby/./vm_insnhelper.c:1908:11
#2 0x55d12a714ae7 in vm_call_cfunc XYZ/ruby/./vm_insnhelper.c:1924
#3 0x55d12a69d73b in vm_exec_core XYZ/ruby/insns.def:766:5
#4 0x55d12a6fc0ff in rb_vm_exec XYZ/ruby/vm.c:1876:22
#5 0x55d12a6cf136 in vm_call0_body XYZ/ruby/./vm_eval.c:127:13
#6 0x55d12a7387c1 in rb_vm_call0 XYZ/ruby/./vm_eval.c:60:12
#7 0x55d12a7387c1 in call_method_entry XYZ/ruby/./vm_method.c:1954
#8 0x55d12a6d2f89 in basic_obj_respond_to_missing XYZ/ruby/./vm_method.c:1971:12
#9 0x55d12a6d2f89 in check_funcall_missing XYZ/ruby/./vm_eval.c:374
#10 0x55d12a6d265e in rb_check_funcall_default XYZ/ruby/./vm_eval.c:420:14
#11 0x55d12a28d664 in do_coerce XYZ/ruby/numeric.c:424:17
#12 0x55d12a2ac03a in rb_num_coerce_bit XYZ/ruby/numeric.c:4424:5
#13 0x55d12a2ac03a in fix_or XYZ/ruby/numeric.c:4489
#14 0x55d12a2ac03a in int_or XYZ/ruby/numeric.c:4496
[-------------------- SNIP ----------------------]
#378 0x55d12a2ac03a in int_or XYZ/ruby/numeric.c:4496
#379 0x55d12a714ae7 in vm_call_cfunc_with_frame XYZ/ruby/./vm_insnhelper.c:1908:11
#380 0x55d12a714ae7 in vm_call_cfunc XYZ/ruby/./vm_insnhelper.c:1924
#381 0x55d12a69d73b in vm_exec_core XYZ/ruby/insns.def:766:5
#382 0x55d12a6fc0ff in rb_vm_exec XYZ/ruby/vm.c:1876:22
#383 0x55d12a6cf136 in vm_call0_body XYZ/ruby/./vm_eval.c:127:13
#384 0x55d12a7387c1 in rb_vm_call0 XYZ/ruby/./vm_eval.c:60:12
#385 0x55d12a7387c1 in call_method_entry XYZ/ruby/./vm_method.c:1954
#386 0x55d12a6d2f89 in basic_obj_respond_to_missing XYZ/ruby/./vm_method.c:1971:12
#387 0x55d12a6d2f89 in check_funcall_missing XYZ/ruby/./vm_eval.c:374
#388 0x55d12a6d265e in rb_check_funcall_default XYZ/ruby/./vm_eval.c:420:14
SUMMARY: AddressSanitizer: stack-overflow XYZ/ruby/numeric.c:4494 in int_or
==22120==ABORTING
~~~
---Files--------------------------------
ruby_so_int_or (59 Bytes)
--
https://bugs.ruby-lang.org/
* [ruby-core:90311] [Ruby trunk Bug#15382] Stack overflow in int_or()
From: mame @ 2018-12-05 13:04 UTC (permalink / raw)
To: ruby-core
Issue #15382 has been updated by mame (Yusuke Endoh).
Briefly investigated. This is an infinite recursion.
Simplified version:

~~~ruby
def respond_to_missing?(s, f)
  0 + "foo"
end
0.respond_to?(:foo)
~~~

`0 + "foo"` calls `coerce`, which calls `respond_to_missing?` recursively.
----------------------------------------
Bug #15382: Stack overflow in int_or()
https://bugs.ruby-lang.org/issues/15382#change-75415
* Author: fumfel (Kamil Frankowicz)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.6.0dev (2018-12-04 trunk 66199) [x86_64-linux]
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
--
https://bugs.ruby-lang.org/
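The cycle mame describes above, as an added example that is not part of this thread and not Ruby's own code: it installs the same kind of `respond_to_missing?` as the minimized report, but with a depth cap so the run ends in a Ruby exception instead of exhausting the C stack, records which receiver and method name each re-entry asks about, and then shows a `respond_to_missing?` that cannot enter the cycle. `RecursionCapped`, `with_respond_to_missing`, `run_capped_cycle`, `run_safe_variant` and the `max_depth` cap are names and assumptions of this demo only.

```ruby
# Added example (not from the bug report and not Ruby's own code): reproduce
# the respond_to_missing? / coerce cycle behind Bug #15382 with a depth cap,
# so it ends in a Ruby exception instead of exhausting the C stack, and show
# a respond_to_missing? that cannot enter the cycle. RecursionCapped,
# with_respond_to_missing, run_capped_cycle and run_safe_variant are names
# chosen for this demo.

class RecursionCapped < StandardError; end

# Install `impl` as Object#respond_to_missing? (what a top-level `def` in the
# minimized report does), run the block, then remove it again so the rest of
# the process is unaffected.
def with_respond_to_missing(impl)
  Object.send(:define_method, :respond_to_missing?, impl)
  yield
ensure
  Object.send(:remove_method, :respond_to_missing?)
end

# Reproduce the cycle. Returns [trace, error], where trace holds
# [receiver class, queried name] for each respond_to_missing? call and error
# is the RecursionCapped that stopped it after max_depth re-entries.
def run_capped_cycle(max_depth)
  trace = []
  impl = proc do |name, _include_private = false|
    # Once capped, stay inert so nothing re-enters while the exception unwinds.
    next false if trace.size > max_depth
    trace << [self.class, name]
    raise RecursionCapped, "respond_to_missing? re-entered #{trace.size} times" if trace.size > max_depth
    # The line from the minimized report. Integer#+ with a String argument
    # asks the String whether it responds to :coerce; String has no coerce,
    # so the VM calls this very method again on "foo" with name == :coerce.
    0 + "foo"
  end
  error = nil
  with_respond_to_missing(impl) do
    begin
      0.respond_to?(:foo) # first entry: receiver Integer, name :foo
    rescue RecursionCapped => e
      error = e
    end
  end
  [trace, error]
end

# The shape a respond_to_missing? should take: decide from the name alone and
# never call into operators or other objects, which can themselves trigger a
# method lookup that lands back here. Returns
# [0.respond_to?(:dyn_x), 0.respond_to?(:foo), exception class of `0 + "foo"`].
def run_safe_variant
  impl = proc { |name, _include_private = false| name.to_s.start_with?("dyn_") }
  with_respond_to_missing(impl) do
    failure = begin
      0 + "foo"
      nil
    rescue TypeError => e
      e.class # "String can't be coerced into Integer": the normal outcome
    end
    [0.respond_to?(:dyn_x), 0.respond_to?(:foo), failure]
  end
end

if __FILE__ == $0
  trace, error = run_capped_cycle(10)
  puts error.message
  puts "first call: #{trace.first.inspect}, then #{trace.size - 1} x #{trace[1].inspect}"
  p run_safe_variant
end
```

Running it shows the first `respond_to_missing?` call is for `Integer` and `:foo`, and every call after that is for the `String` and `:coerce`, which is the loop the ASAN trace shows between `int_or`/`fix_or`, `do_coerce`, `rb_check_funcall_default` and `basic_obj_respond_to_missing`. The same cycle exists for any `Integer` operator that falls back to coercion, not just `|`, which is why the safe variant decides purely from the method name.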
* [ruby-core:90322] [Ruby trunk Bug#15382] Stack overflow in int_or()
From: nobu @ 2018-12-05 17:03 UTC (permalink / raw)
To: ruby-core
Issue #15382 has been updated by nobu (Nobuyoshi Nakada).
Should overwriting these methods also be warned about, as with `Object#initialize`?
https://github.com/nobu/ruby/pull/new/bug/15382-warn-redef
----------------------------------------
Bug #15382: Stack overflow in int_or()
https://bugs.ruby-lang.org/issues/15382#change-75427
* Author: fumfel (Kamil Frankowicz)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.6.0dev (2018-12-04 trunk 66199) [x86_64-linux]
* Backport: 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
--
https://bugs.ruby-lang.org/