[MacRuby] #1166: Segfaults occurs when was passed NULL pointer into rb_protect's 3rd argument.

25 Feb 2011

      #1166: Segfaults occurs when was passed NULL pointer into rb_protect's 3rd
argument.
----------------------------------+-----------------------------------------
 Reporter:  watson1978@…          |       Owner:  lsansonetti@…        
     Type:  defect                |      Status:  new                  
 Priority:  blocker               |   Milestone:                       
Component:  MacRuby               |    Keywords:                       
----------------------------------+-----------------------------------------
 Test Script:
 {{{
 #!ruby
 class Object
   def singleton_class
     class << self; self; end
   end

   def respond(sym)
     singleton_class.class_eval <<-END
       def respond_to?(sym)
         sym.to_sym == #{sym.to_sym.inspect} ? true : super
       end
     END
   end
 end

 obj = Object.new
 obj.respond(:to_s)

 obj.instance_eval{ undef :to_s }
 Kernel.send(:String, obj)
 }}}

 Result:
 {{{
 $ DYLD_LIBRARY_PATH=. gdb --args ./macruby ~/tmp/tt.rb
 GNU gdb 6.3.50-20050815 (Apple version gdb-1510) (Wed Sep 22 02:45:02 UTC
 2010)
 Copyright 2004 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you
 are
 welcome to change it and/or distribute copies of it under certain
 conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for
 details.
 This GDB was configured as "x86_64-apple-darwin"...Reading symbols for
 shared libraries ..... done

 (gdb) r
 Starting program: /Users/watson/src/macruby-trunk-svn/macruby
 /Users/watson/tmp/tt.rb
 Reading symbols for shared libraries .++++........................ done
 Reading symbols for shared libraries . done

 Program received signal EXC_BAD_ACCESS, Could not access memory.
 Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
 0x0000000100039362 in protect_rescue (obj=0, exc=8590646752) at eval.c:490
 490         *(int *)obj = 1;
 (gdb) bt 20
 #0  0x0000000100039362 in protect_rescue (obj=0, exc=8590646752) at
 eval.c:490
 #1  0x000000010015508d in rb_rescue2 (b_proc=0x10003664e <safe_inspect>,
 data1=8590336512, r_proc=0x10003934e <protect_rescue>, data2=0) at
 vm.cpp:3500
 #2  0x00000001000393db in rb_protect (proc=0x10003664e <safe_inspect>,
 data=8590336512, state=0x0) at eval.c:502
 #3  0x0000000100036735 in name_err_mesg_to_str (obj=8590336512,
 sel=0x100ec60e0) at error.c:831
 #4  0x000000010013bdb0 in __rb_vm_rcall [inlined] () at /Users/watson/src
 /macruby-trunk-svn/dispatcher.cpp:159
 #5  0x000000010013bdb0 in ruby_dispatch [inlined] () at /Users/watson/src
 /macruby-trunk-svn/dispatcher.cpp:466
 #6  0x000000010013bdb0 in rb_vm_dispatch () at dispatcher.cpp:863
 #7  0x000000010005e0f9 in rb_vm_call0 (vm=0x100e23a70, top=0,
 self=8590037920, klass=0x20003a120, sel=0x100ec60e0, block=0x0, opt=2
 '\002', argc=0, argv=0x0) at vm.h:637
 #8  0x000000010005df8a in rb_vm_call (self=8590037920, sel=0x100ec60e0,
 argc=0, argv=0x0) at vm.h:644
 #9  0x00000001000628d9 in convert_type (val=8590037920, tname=0x100906450
 "String", method=0x100906208 "to_str", raise=2) at object.c:2515
 #10 0x000000010006292b in rb_convert_type (val=8590037920, type=5,
 tname=0x100906450 "String", method=0x100906208 "to_str") at object.c:2524
 #11 0x00000001000bbf96 in rb_str_to_str (str=8590037920) at string.c:6381
 #12 0x00000001000bbf2f in rb_string_value (ptr=0x7fff5fbfa0d0) at
 string.c:6366
 #13 0x0000000100036241 in name_err_to_s (exc=8590641568, sel=0x100e21210)
 at error.c:725
 #14 0x000000010013bdb0 in __rb_vm_rcall [inlined] () at /Users/watson/src
 /macruby-trunk-svn/dispatcher.cpp:159
 #15 0x000000010013bdb0 in ruby_dispatch [inlined] () at /Users/watson/src
 /macruby-trunk-svn/dispatcher.cpp:466
 #16 0x000000010013bdb0 in rb_vm_dispatch () at dispatcher.cpp:863
 #17 0x00000001000e81d2 in rb_vm_call0 (vm=0x100e23a70, top=0,
 self=8590641568, klass=0x20003a5e0, sel=0x100e21210, block=0x0, opt=2
 '\002', argc=0, argv=0x0) at vm.h:637
 #18 0x00000001000e92a5 in rb_vm_call2 (block=0x0, self=8590641568,
 klass=8590173664, sel=0x100e21210, argc=0, argv=0x0) at vm.h:662
 #19 0x00000001000e9145 in rb_call (recv=8590641568, mid=11472, argc=0,
 argv=0x0, scope=1, pass_current_block=false) at vm_eval.c:32
 (More stack frames follow...)
 Current language:  auto; currently c
 (gdb)
 }}}

 Patch:
 {{{
 #!diff
 diff --git a/eval.c b/eval.c
 index 5d52151..b6f9069 100644
 --- a/eval.c
 +++ b/eval.c
 @@ -487,7 +487,9 @@ static VALUE protect_exc = Qnil;
  static VALUE
  protect_rescue(VALUE obj, VALUE exc)
  {
 -    *(int *)obj = 1;
 +    if ((void *)obj != NULL) {
 +       *(int *)obj = 1;
 +    }
      GC_RETAIN(exc);
      protect_exc = exc;
      return Qnil;
 }}}

-- 
Ticket URL: <http://www.macruby.org/trac/ticket/1166>
MacRuby <http://macruby.org/>