Uninitialized _tag.retval value is used

気づいたのですが、_tag.retval を初期化しないで使うことがあるようです。

以下のように TH_PUSH_TAG(th); の直後で、まだ _tag が初期化されておらず、どんな値でもおかしくない状態で、123456 という値を代入します。

そして、vm_make_jump_tag_but_local_jump で retval を使うときに 123456 という値になるかどうかを調べるようにします。

Index: vm.c

— vm.c (revision 16271)
+++ vm.c (working copy)
@@ -912,7 +912,11 @@ vm_make_jump_tag_but_local_jump(int stat
VALUE result = Qnil;

 if (val == Qundef)
  • {
    val = GET_THREAD()->tag->retval;

  •    if(val == 123456)
    
  •        fprintf(stderr, "retval is 123456\n");
    
  • }
    switch (state) {
    case 0:
    break;
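Review bot: The `Qundef` fallback at `val = GET_THREAD()->tag->retval;` is the read that consumes the never-initialized field, and the added `if(val == 123456)` / `fprintf` only observes it; nothing in either hunk makes that fallback safe. The permanent fix belongs at the push site in the second hunk (@@ -1142), where the debug store should become `_tag.retval = Qnil;` immediately after `TH_PUSH_TAG(th);`, or better live inside the `TH_PUSH_TAG` macro so every push site is covered (the macro is outside this page, so I cannot confirm it does not already do so). Once the field always holds a valid VALUE, the diagnostic block and its bare-integer comparison against a `VALUE` should be removed rather than merged. Both `vm_make_jump_tag_but_local_jump` and `vm_eval_body` continue outside their hunks.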
    @@ -1142,6 +1146,7 @@ vm_eval_body(rb_thread_t *th)
    VALUE initial = 0;

    TH_PUSH_TAG(th);

  • _tag.retval = 123456;
    if ((state = EXEC_TAG()) == 0) {
    vm_loop_start:
    result = vm_eval(th, initial);

そして、以下の s1.rb, s2.rb, s3.rb を用意します。

% cat s1.rb
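# Reproduction driver (s1.rb).
#
# m loads s2.rb from inside a proc and forces a GC in its ensure clause;
# per the accompanying report this sequence reaches the uninitialized
# _tag.retval read in the VM. The curly quotes around the file name in
# the archived mail are a rendering artifact and would not parse, so
# plain double quotes are used here.
def m
  proc {
    load "s2.rb"
  }.call
ensure
  GC.start
end
m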

% cat s2.rb
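# Second stage of the reproduction (s2.rb): pull in s3.rb, which assigns X,
# then invoke the proc it defines. The archived mail shows curly quotes
# around the file name, which Ruby would reject; plain quotes restore the
# intended require.
require 's3.rb'
X.call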

% cat s3.rb
# Third stage of the reproduction (s3.rb): X is a proc whose body calls a
# lambda that immediately executes `return`. A lambda's return leaves only
# the lambda, so X.call evaluates to nil.
X = proc { lambda { return }.call }

そして、上記の変更を行った ruby で s1.rb を実行すると、retval が 123456 になることが検出され、その後で SEGV します。

% ./ruby s1.rb
retval is 123456
s1.rb:6: [BUG] Segmentation fault
ruby 1.9.0 (2008-05-02 revision 16271) [i686-linux]

– control frame ----------
c:0006 p:---- s:0015 b:0015 l:000014 d:000014 CFUNC :start
c:0005 p:0013 s:0012 b:0012 l:0008bc d:000011 BLOCK s1.rb:6
c:0004 p:0027 s:0010 b:0009 l:0008bc d:0008bc METHOD s1.rb:6
c:0003 p:0012 s:0006 b:0006 l:000005 d:000005 TOP s1.rb:8
c:0002 p:---- s:0004 b:0004 l:000003 d:000003 FINISH
:private_class_method
c:0001 p:0000 s:0002 b:0002 l:000001 d:000001 TOP :17

DBG> : "s1.rb:6:in `ensure in m'"
DBG> : "s1.rb:6:in `m'"
DBG> : "s1.rb:8:in `'"
– backtrace of native function call (Use addr2line) –
0x8100595
0x8126ade
0x8126b3b
0x80cd770
0xb7fea440
0x8064f01
0x80f5d9d
0x8064aab
0x80f5c91
0x80d2200
0x80f6080
0x8064aab
0x8065425
0x8065d60
0x8065d7b
0x80fed93
0x80fa715
0x80fdf84
0x80fe2bd
0x805afbf
0x805e67e
0x8058ab5
0xb7e4bea8
0x80589b1

zsh: abort (core dumped) ./ruby s1.rb
% gdb ruby core.3723
GNU gdb 6.4.90-debian
Copyright © 2006 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public
License, and you are
welcome to change it and/or distribute copies of it under
certain conditions.
Type “show copying” to see the conditions.
There is absolutely no warranty for GDB. Type “show
warranty” for details.
This GDB was configured as “i486-linux-gnu”…Using host
libthread_db library “/lib/tls/i686/cmov/libthread_db.so.1”.

warning: Can’t read pathname for load map: Input/output
error.
Reading symbols from
/lib/tls/i686/cmov/libpthread.so.0…done.
Loaded symbols for /lib/tls/i686/cmov/libpthread.so.0
Reading symbols from /lib/tls/i686/cmov/librt.so.1…done.
Loaded symbols for /lib/tls/i686/cmov/librt.so.1
Reading symbols from /lib/tls/i686/cmov/libdl.so.2…done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from
/lib/tls/i686/cmov/libcrypt.so.1…done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /lib/tls/i686/cmov/libm.so.6…done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /lib/tls/i686/cmov/libc.so.6…done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2…Reading symbols
from /usr/lib/debug/lib/ld-2.3.6.so…done.
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from
/tmp/b/lib/ruby/1.9.0/i686-linux/enc/encdb.so…done.
Loaded symbols for
/tmp/b/lib/ruby/1.9.0/i686-linux/enc/encdb.so
Reading symbols from
/tmp/b/lib/ruby/1.9.0/i686-linux/enc/trans/transdb.so…done.
Loaded symbols for
/tmp/b/lib/ruby/1.9.0/i686-linux/enc/trans/transdb.so
Reading symbols from /lib/libgcc_s.so.1…done.
Loaded symbols for /lib/libgcc_s.so.1
Core was generated by `./ruby s1.rb’.
Program terminated with signal 6, Aborted.
#0 0xb7fea410 in ?? ()
(gdb) bt
#0 0xb7fea410 in ?? ()
#1 0xbfffdb9c in ?? ()
#2 0x00000006 in ?? ()
#3 0x00000e8b in ?? ()
#4 0xb7e5f811 in raise () from /lib/tls/i686/cmov/libc.so.6
#5 0xb7e60fb9 in abort () from /lib/tls/i686/cmov/libc.so.6
#6 0x08126b40 in rb_bug (fmt=0x815404d “Segmentation
fault”) at error.c:226
#7 0x080cd770 in sigsegv (sig=11) at signal.c:551
#8 0xb7fea440 in ?? ()
#9 0x0000000b in ?? ()
#10 0xbfffdd2c in ?? ()
#11 0xbfffddac in ?? ()
#12 0x0000000b in ?? ()
#13 0x00000000 in ?? ()
(gdb)