[bug:trunk] invalid memory access in 100**900

以下のように、100**900 を計算すると変なところをアクセスするようです。

% valgrind ./ruby -ve '100**900'
==30546== Memcheck, a memory error detector.
==30546== Copyright © 2002-2007, and GNU GPL'd, by Julian Seward et al.
==30546== Using LibVEX rev 1854, a library for dynamic binary
translation.
==30546== Copyright © 2004-2007, and GNU GPL'd, by OpenWorks LLP.
==30546== Using valgrind-3.3.1-Debian, a dynamic binary instrumentation
framework.
==30546== Copyright © 2000-2007, and GNU GPL'd, by Julian Seward et al.
==30546== For more details, rerun with: -v
==30546==
ruby 1.9.2dev (2009-10-17 trunk 25379) [i686-linux]
==30546== Invalid read of size 1
==30546== at 0x4024980: memcpy (mc_replace_strmem.c:402)
==30546== by 0x816D731: big_split (bignum.c:1851)
==30546== by 0x816D8D4: bigmul1_karatsuba (bignum.c:1874)
==30546== by 0x816E549: bigmul0 (bignum.c:2055)
==30546== by 0x816FC3B: bigsqr (bignum.c:2552)
==30546== by 0x816FF06: rb_big_pow (bignum.c:2604)
==30546== by 0x80894C5: int_pow (numeric.c:2451)
==30546== by 0x80896E1: fix_pow (numeric.c:2508)
==30546== by 0x81464CC: call_cfunc (vm_insnhelper.c:292)
==30546== by 0x8146346: vm_call_cfunc (vm_insnhelper.c:386)
==30546== by 0x8145885: vm_call_method (vm_insnhelper.c:511)
==30546== by 0x8141559: vm_exec_core (insns.def:994)
==30546== Address 0x442a1e3 is 3 bytes after a block of size 376 alloc'd
==30546== at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==30546== by 0x80635EF: vm_xrealloc (gc.c:699)
==30546== by 0x8063734: ruby_xrealloc (gc.c:761)
==30546== by 0x8063783: ruby_xrealloc2 (gc.c:771)
==30546== by 0x8168E7A: rb_big_realloc (bignum.c:120)
==30546== by 0x8168E9B: rb_big_resize (bignum.c:129)
==30546== by 0x8169428: bigtrunc (bignum.c:207)
==30546== by 0x816FC43: bigsqr (bignum.c:2552)
==30546== by 0x816FF06: rb_big_pow (bignum.c:2604)
==30546== by 0x80894C5: int_pow (numeric.c:2451)
==30546== by 0x80896E1: fix_pow (numeric.c:2508)
==30546== by 0x81464CC: call_cfunc (vm_insnhelper.c:292)
==30546==
==30546== Invalid read of size 1
==30546== at 0x4024987: memcpy (mc_replace_strmem.c:402)
==30546== by 0x816D731: big_split (bignum.c:1851)
==30546== by 0x816D8D4: bigmul1_karatsuba (bignum.c:1874)
==30546== by 0x816E549: bigmul0 (bignum.c:2055)
==30546== by 0x816FC3B: bigsqr (bignum.c:2552)
==30546== by 0x816FF06: rb_big_pow (bignum.c:2604)
==30546== by 0x80894C5: int_pow (numeric.c:2451)
==30546== by 0x80896E1: fix_pow (numeric.c:2508)
==30546== by 0x81464CC: call_cfunc (vm_insnhelper.c:292)
==30546== by 0x8146346: vm_call_cfunc (vm_insnhelper.c:386)
==30546== by 0x8145885: vm_call_method (vm_insnhelper.c:511)
==30546== by 0x8141559: vm_exec_core (insns.def:994)
==30546== Address 0x442a1e2 is 2 bytes after a block of size 376 alloc'd
==30546== at 0x4023E8C: realloc (vg_replace_malloc.c:429)
==30546== by 0x80635EF: vm_xrealloc (gc.c:699)
==30546== by 0x8063734: ruby_xrealloc (gc.c:761)
==30546== by 0x8063783: ruby_xrealloc2 (gc.c:771)
==30546== by 0x8168E7A: rb_big_realloc (bignum.c:120)
==30546== by 0x8168E9B: rb_big_resize (bignum.c:129)
==30546== by 0x8169428: bigtrunc (bignum.c:207)
==30546== by 0x816FC43: bigsqr (bignum.c:2552)
==30546== by 0x816FF06: rb_big_pow (bignum.c:2604)
==30546== by 0x80894C5: int_pow (numeric.c:2451)
==30546== by 0x80896E1: fix_pow (numeric.c:2508)
==30546== by 0x81464CC: call_cfunc (vm_insnhelper.c:292)
==30546==
==30546== Invalid read of size 1
==30546== at 0x4024990: memcpy (mc_replace_strmem.c:402)
==30546== by 0x816D731: big_split (bignum.c:1851)
==30546== by 0x816D8D4: bigmul1_karatsuba (bignum.c:1874)
==30546== by 0x816E549: bigmul0 (bignum.c:2055)
==30546== by 0x816FC3B: bigsqr (bignum.c:2552)
==30546== by 0x816FF06: rb_big_pow (bignum.c:2604)
==30546== by 0x80894C5: int_pow (numeric.c:2451)
==30546== by 0x80896E1: fix_pow (numeric.c:2508)
==30546== by 0x81464CC: call_cfunc (vm_insnhelper.c:292)
==30546== by 0x8146346: vm_call_cfunc (vm_insnhelper.c:386)
==30546== by 0x8145885: vm_call_method (vm_insnhelper.c:511)
==30546== by 0x8141559: vm_exe: int_pow (numeric.c:2451)
==30546== by 0x80896E1: fix_pow (numeric.c:2508)
==30546== by 0x81464CC: call_cfunc (vm_insnhelper.c:292)
==30546==
==30546== ERROR SUMMARY: 4 errors from 4 contexts (suppressed: 29 from 1)
==30546== malloc/free: in use at exit: 607,758 bytes in 14,322 blocks.
==30546== malloc/free: 15,588 allocs, 1,266 frees, 1,628,891 bytes allocated.
==30546== For counts of detected errors, rerun with: -v
==30546== searching for pointers to 14,322 not-freed blocks.
==30546== checked 447,132 bytes.
==30546==
==30546== LEAK SUMMARY:
==30546== definitely lost: 464,272 bytes in 9,660 blocks.
==30546== possibly lost: 0 bytes in 0 blocks.
==30546== still reachable: 143,486 bytes in 4,662 blocks.
==30546== suppressed: 0 bytes in 0 blocks.
==30546== Rerun with --leak-check=full to see details of leaked memory.

遠藤です。

2009年10月17日9:01 Tanaka A. [email protected]:

以下のように、100**900 を計算すると変なところをアクセスするようです。

すみません、off-by-one エラーしてました。

Index: bignum.c

— bignum.c (revision 25382)
+++ bignum.c (working copy)
@@ -1848,13 +1848,13 @@

 while (--hn && !vds[hn + ln]);
 h = bignew(hn += 2, 1);
  • MEMCPY(BDIGITS(h), vds + ln, BDIGIT, hn);
  • BDIGITS(h)[hn - 1] = 0;
  • MEMCPY(BDIGITS(h), vds + ln, BDIGIT, hn - 1);

  • BDIGITS(h)[hn - 1] = 0; /* margin for carry */

    while (–ln && !vds[ln]);
    l = bignew(ln += 2, 1);

  • MEMCPY(BDIGITS(l), vds, BDIGIT, ln);
  • BDIGITS(l)[ln - 1] = 0;
  • MEMCPY(BDIGITS(l), vds, BDIGIT, ln - 1);

  • BDIGITS(l)[ln - 1] = 0; /* margin for carry */

    *pl = l;
    *ph = h;
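Review bot: The patch carries no regression test, even though the report gives an exact reproducer: `100**900` reaches big_split via bigsqr → bigmul0 → bigmul1_karatsuba, and only operands large enough to take the Karatsuba path exercise the corrected `MEMCPY(..., hn - 1)` and `MEMCPY(..., ln - 1)` lengths, so an ordinary small-multiplication test would not have caught the original over-read. A one-line assertion in the bignum tests such as `assert_equal(10**1800, 100**900)` would pin the fix. The link between the copy length and the `hn += 2` two lines above is also not obvious: after the `while (--hn && !vds[hn + ln]);` scan hn appears to be the highest non-zero digit index (or 0), so hn + 2 digits are allocated and hn + 1 of them are copied, the last one being the zeroed margin; a comment such as `/* hn is top index + 2: copy top index + 1 digits, last digit is the carry margin */` beside the MEMCPY would spare the next reader that arithmetic. big_split's signature and the rest of its body lie outside the hunk.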

チケット #2227 が更新されました。 (by Yui NARUSE)

ステータス OpenからAssignedに変更
担当者 Yusuke E.にセット
ruby -v ruby 1.9.2dev (2009-10-18 trunk 25392) [x86_64-freebsd7.2]にセット

r25383で修正済みですよね？

http://redmine.ruby-lang.org/issues/show/2227

チケット #2227 が更新されました。 (by Yusuke E.)

ステータス AssignedからClosedに変更

r25383で修正済みですよね？

その通りです。

http://redmine.ruby-lang.org/issues/show/2227