Closed
Description
The following input demonstrates a crash:

```ruby
h = {}
a = []
200.times do |n|
  a[0] = n          # mutate the array that is already in use as a hash key
  h[a] = 0          # re-insert the same array object as a key
  puts h.to_a.clone # convert the hash to an array of pairs and copy it
end
```
Note that I was only able to reproduce this issue when building mruby on a 32-bit Linux system. (I used Ubuntu 16.04 for testing.) I could not reproduce on 64-bit Linux or 64-bit macOS.
Valgrind report:

```
==21910== Memcheck, a memory error detector
==21910== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==21910== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==21910== Command: bin/mruby 360807.rb
==21910==
==21910== Invalid read of size 4
==21910==    at 0x804F43A: mrb_class (class.h:52)
==21910==    by 0x8053B81: mrb_vm_exec (vm.c:1428)
==21910==    by 0x8051E01: mrb_vm_run (vm.c:950)
==21910==    by 0x805B2ED: mrb_top_run (vm.c:3005)
==21910==    by 0x807C9EB: mrb_load_exec (parse.y:5835)
==21910==    by 0x807CA9C: mrb_load_file_cxt (parse.y:5844)
==21910==    by 0x804A40A: main (mruby.c:279)
==21910==  Address 0x5 is not stack'd, malloc'd or (recently) free'd
==21910==
==21910==
==21910== Process terminating with default action of signal 11 (SIGSEGV)
==21910==  Access not within mapped region at address 0x5
==21910==    at 0x804F43A: mrb_class (class.h:52)
==21910==    by 0x8053B81: mrb_vm_exec (vm.c:1428)
==21910==    by 0x8051E01: mrb_vm_run (vm.c:950)
==21910==    by 0x805B2ED: mrb_top_run (vm.c:3005)
==21910==    by 0x807C9EB: mrb_load_exec (parse.y:5835)
==21910==    by 0x807CA9C: mrb_load_file_cxt (parse.y:5844)
==21910==    by 0x804A40A: main (mruby.c:279)
==21910==  If you believe this happened as a result of a stack
==21910==  overflow in your program's main thread (unlikely but
==21910==  possible), you can try to increase the size of the
==21910==  main thread stack using the --main-stacksize= flag.
==21910==  The main thread stack size used in this run was 8388608.
==21910==
==21910== HEAP SUMMARY:
==21910==     in use at exit: 258,317 bytes in 5,395 blocks
==21910==   total heap usage: 5,515 allocs, 120 frees, 397,673 bytes allocated
==21910==
==21910== LEAK SUMMARY:
==21910==    definitely lost: 0 bytes in 0 blocks
==21910==    indirectly lost: 0 bytes in 0 blocks
==21910==      possibly lost: 0 bytes in 0 blocks
==21910==    still reachable: 258,317 bytes in 5,395 blocks
==21910==         suppressed: 0 bytes in 0 blocks
==21910== Rerun with --leak-check=full to see details of leaked memory
==21910==
==21910== For counts of detected and suppressed errors, rerun with: -v
==21910== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
```
This issue was reported by https://hackerone.com/flamezzz