Invalid read/write by ~big_zero


#1

With the following, valgrind reports an Invalid read of size 4 and an Invalid write of size 4:

% valgrind ./ruby -ve '
big_neg = 0x40000000.coerce(-1)[0]
big_zero = 0x40000000.coerce(0)[0]
p big_zero % big_neg
p ~big_zero'
==8288== Memcheck, a memory error detector.
==8288== Copyright (C) 2002-2006, and GNU GPL'd, by Julian Seward et al.
==8288== Using LibVEX rev 1658, a library for dynamic binary translation.
==8288== Copyright (C) 2004-2006, and GNU GPL'd, by OpenWorks LLP.
==8288== Using valgrind-3.2.1-Debian, a dynamic binary instrumentation framework.
==8288== Copyright (C) 2000-2006, and GNU GPL'd, by Julian Seward et al.
==8288== For more details, rerun with: -v
==8288==
--8288-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--8288-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--8288-- DWARF2 CFI reader: unhandled CFI instruction 0:50
--8288-- DWARF2 CFI reader: unhandled CFI instruction 0:50
ruby 1.9.0 (2007-07-14 patchlevel 0) [i686-linux]
0
==8288== Invalid read of size 4
==8288== at 0x80E5A98: get2comp (bignum.c:76)
==8288== by 0x80E77BE: rb_big_neg (bignum.c:1043)
==8288== by 0x80D9858: vm_call_method (insnhelper.ci:351)
==8288== by 0x80D4F7D: vm_eval (insns.def:1171)
==8288== by 0x80D86E3: vm_eval_body (vm.c:1165)
==8288== by 0x80D8A1A: rb_iseq_eval (vm.c:1374)
==8288== by 0x80590C8: ruby_exec_node (eval.c:226)
==8288== by 0x805D63C: ruby_run_node (eval.c:251)
==8288== by 0x8056C95: main (main.c:46)
==8288== Address 0x42FB4A0 is 0 bytes inside a block of size 1 alloc'd
==8288== at 0x401D38B: malloc (vg_replace_malloc.c:149)
==8288== by 0x8062B79: ruby_xmalloc (gc.c:250)
==8288== by 0x80E5B8C: bignew_1 (bignum.c:49)
==8288== by 0x80E6772: rb_big_clone (bignum.c:59)
==8288== by 0x80E7782: rb_big_neg (bignum.c:1032)
==8288== by 0x80D9858: vm_call_method (insnhelper.ci:351)
==8288== by 0x80D4F7D: vm_eval (insns.def:1171)
==8288== by 0x80D86E3: vm_eval_body (vm.c:1165)
==8288== by 0x80D8A1A: rb_iseq_eval (vm.c:1374)
==8288== by 0x80590C8: ruby_exec_node (eval.c:226)
==8288== by 0x805D63C: ruby_run_node (eval.c:251)
==8288== by 0x8056C95: main (main.c:46)
==8288==
==8288== Invalid write of size 4
==8288== at 0x80E5AA2: get2comp (bignum.c:77)
==8288== by 0x80E77BE: rb_big_neg (bignum.c:1043)
==8288== by 0x80D9858: vm_call_method (insnhelper.ci:351)
==8288== by 0x80D4F7D: vm_eval (insns.def:1171)
==8288== by 0x80D86E3: vm_eval_body (vm.c:1165)
==8288== by 0x80D8A1A: rb_iseq_eval (vm.c:1374)
==8288== by 0x80590C8: ruby_exec_node (eval.c:226)
==8288== by 0x805D63C: ruby_run_node (eval.c:251)
==8288== by 0x8056C95: main (main.c:46)
==8288== Address 0x42FB4A0 is 0 bytes inside a block of size 1 alloc'd
==8288== at 0x401D38B: malloc (vg_replace_malloc.c:149)
==8288== by 0x8062B79: ruby_xmalloc (gc.c:250)
==8288== by 0x80E5B8C: bignew_1 (bignum.c:49)
==8288== by 0x80E6772: rb_big_clone (bignum.c:59)
==8288== by 0x80E7782: rb_big_neg (bignum.c:1032)
==8288== by 0x80D9858: vm_call_method (insnhelper.ci:351)
==8288== by 0x80D4F7D: vm_eval (insns.def:1171)
==8288== by 0x80D86E3: vm_eval_body (vm.c:1165)
==8288== by 0x80D8A1A: rb_iseq_eval (vm.c:1374)
==8288== by 0x80590C8: ruby_exec_node (eval.c:226)
==8288== by 0x805D63C: ruby_run_node (eval.c:251)
==8288== by 0x8056C95: main (main.c:46)
==8288==
==8288== Conditional jump or move depends on uninitialised value(s)
==8288== at 0x80E5AB9: get2comp (bignum.c:80)
==8288== by 0x80E77BE: rb_big_neg (bignum.c:1043)
==8288== by 0x80D9858: vm_call_method (insnhelper.ci:351)
==8288== by 0x80D4F7D: vm_eval (insns.def:1171)
==8288== by 0x80D86E3: vm_eval_body (vm.c:1165)
==8288== by 0x80D8A1A: rb_iseq_eval (vm.c:1374)
==8288== by 0x80590C8: ruby_exec_node (eval.c:226)
==8288== by 0x805D63C: ruby_run_node (eval.c:251)
==8288== by 0x8056C95: main (main.c:46)
0
==8288==
==8288== ERROR SUMMARY: 3 errors from 3 contexts (suppressed: 19 from 1)
==8288== malloc/free: in use at exit: 881,852 bytes in 7,038 blocks.
==8288== malloc/free: 7,139 allocs, 101 frees, 898,767 bytes allocated.
==8288== For counts of detected errors, rerun with: -v
==8288== searching for pointers to 7,038 not-freed blocks.
==8288== checked 650,504 bytes.
==8288==
==8288== LEAK SUMMARY:
==8288== definitely lost: 0 bytes in 0 blocks.
==8288== possibly lost: 68 bytes in 1 blocks.
==8288== still reachable: 881,784 bytes in 7,037 blocks.
==8288== suppressed: 0 bytes in 0 blocks.
==8288== Reachable blocks (those to which a pointer was found) are not shown.
==8288== To see them, rerun with: --show-reachable=yes
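Added example, not code from the report or from Ruby's bignum.c: a simplified C model of the two's-complement loop that valgrind flagged in get2comp, with accesses outside the limb array counted instead of performed so it stays safe to run. It assumes 4-byte limbs and that big_zero is a Bignum with zero limbs (the "block of size 1" above is consistent with that); `twos_complement`, `limb_get`, `limb_set` and `negate_zero_limb_bignum` are names of this model, not Ruby's.

```c
#include <stdint.h>
#include <stdio.h>

typedef uint32_t BDIGIT;      /* one bignum limb: the 4-byte unit in the valgrind report */
typedef uint64_t BDIGIT_DBL;

/* Counts limb accesses outside [0, len). Ruby performs them (that is the
 * invalid read/write valgrind saw); this model records them instead. */
static int oob_accesses;

static BDIGIT limb_get(const BDIGIT *ds, long len, long i)
{
    if (i < 0 || i >= len) { oob_accesses++; return 0; }
    return ds[i];
}

static void limb_set(BDIGIT *ds, long len, long i, BDIGIT v)
{
    if (i < 0 || i >= len) { oob_accesses++; return; }
    ds[i] = v;
}

/* In-place two's complement of a little-endian limb array, shaped like the
 * bignum.c loop: one's complement, then add one with carry. Returns the carry
 * out of the top limb (non-zero means the number must grow by one limb). */
static BDIGIT_DBL twos_complement(BDIGIT *ds, long len, int guarded)
{
    long i = len;
    BDIGIT_DBL num = 1;

    if (guarded && len == 0) return 0;  /* the missing check: no limbs, nothing to flip */
    while (i--) limb_set(ds, len, i, ~limb_get(ds, len, i));
    i = 0;
    do {                                 /* body runs once even when len == 0 */
        num += limb_get(ds, len, i);
        limb_set(ds, len, i, (BDIGIT)num);
        num >>= 32;
        i++;
    } while (i < len);
    return num;
}

/* Models ~big_zero: a Bignum whose length is 0 limbs. Returns the number of
 * out-of-bounds accesses (unguarded: 2, one read then one write; guarded: 0). */
static int negate_zero_limb_bignum(int guarded)
{
    BDIGIT none[1] = {0};                /* backing store exists, but len says 0 */
    oob_accesses = 0;
    twos_complement(none, 0, guarded);
    return oob_accesses;
}

int main(void)
{
    printf("unguarded: %d OOB, guarded: %d OOB\n",
           negate_zero_limb_bignum(0), negate_zero_limb_bignum(1));
    return 0;
}
```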