From: Naohisa Goto
Date: 2011-07-15T18:41:07+09:00
Subject: [ruby-dev:44112] [Ruby 1.9 - Bug #4456] Problem when a large width is given to the %F specifier in Time#strftime

Issue #4456 has been updated by Naohisa Goto.

File strftime.patch added

At revision 32548 of ruby_1_9_3, SEGV still occurs on sparc Solaris10 (32-bit, Solaris Studio 12). I am attaching a patch and would like it to be applied.

Running it under the debugger looks like this.

$ dbx ../../sparc32-cc12-debug-svn193/bin/ruby
(===snip===)
(dbx) run -e 'Time.now.strftime("%1000000000F")'
Running: ruby -e Time.now.strftime("%1000000000F")
(process id 6581)
Reading libc_psr.so.1
Reading encdb.so
Reading transdb.so
t@1 (l@1) signal SEGV (no mapping at the fault address) in _memcpy at 0x7fb907f4
0x7fb907f4: _memcpy+0x0034: stb %o3, [%o0]
Current function is rb_strftime_with_timespec
  704   STRFTIME("%Y-%m-%d");
(dbx) where
current thread: t@1
  [1] _memcpy(0x13b5abdda, 0xffbff3e4, 0x3, 0x32, 0x3b9ac9f6, 0xffbff344), at 0x7fb907f4
=>[2] rb_strftime_with_timespec(s = 0xffbff3e4 "2011-07-15", maxsize = 100U, format = 0x467fab "F", vtm = 0x486998, timev = 4U, ts = 0xffbff344, gmt = 0), line 704 in "strftime.c"
  [3] rb_strftime_timespec(s = 0xffbff3e4 "2011-07-15", maxsize = 100U, format = 0x467fa0 "%1000000000F", vtm = 0x486998, ts = 0xffbff344, gmt = 0), line 793 in "strftime.c"
  [4] rb_strftime_alloc(buf = 0xffbff3e0, format = 0x467fa0 "%1000000000F", vtm = 0x486998, timew = 2621443089986389401ULL, gmt = 0), line 4311 in "time.c"
  [5] time_strftime(time = 4707408U, format = 4707720U), line 4564 in "time.c"
  [6] call_cfunc(func = 0x1790c0 = &`ruby`time.c`time_strftime(VALUE time, VALUE format), recv = 4707408U, len = 1, argc = 1, argv = 0x2bd9f4), line 323 in "vm_insnhelper.c"
(===snip===)
  [15] main(argc = 3, argv = 0xffbffa5c), line 38 in "main.c"
(dbx) print s, endp, precision, s + precision
s = 0xffbff3e4 "2011-07-15"
endp = 0xffbff448 ""
precision = 1000000000
s+precision = 0x3b5abde4 ""

The cause appears to be that, in the macro on line 213 of strftime.c

#define NEEDS(n) do if (s + (n) >= endp - 1) goto err; while (0)

the computation of s + (n) causes an integer overflow, so execution does not reach goto err.

I confirmed that the SEGV no longer occurs when the order of operations is changed so that it does not overflow, as in the attached patch.

----------------------------------------
Bug #4456: Problem when a large width is given to the %F specifier in Time#strftime
http://redmine.ruby-lang.org/issues/4456

Author: tadayoshi funaba
Status: Closed
Priority: Normal
Assignee:
Category:
Target version:
ruby -v: ruby 1.9.3dev (2011-03-02) [i686-linux]

=begin
 $ ruby -e "Time.now.strftime('%100000F')"
 -e:1: [BUG] Segmentation fault
 ruby 1.9.3dev (2011-03-02) [i686-linux]

 -- Control frame information -----------------------------------------------
 c:0004 p:---- s:0010 b:0010 l:000009 d:000009 CFUNC :(null)
 c:0003 p:0023 s:0006 b:0006 l:000d2c d:00034c EVAL -e:1
 c:0002 p:---- s:0004 b:0004 l:000003 d:000003 FINISH
 c:0001 p:0000 s:0002 b:0002 l:000d2c d:000d2c TOP

 -- Ruby level backtrace information ----------------------------------------
 -e:1:in `'

 Segmentation fault
=end

--
http://redmine.ruby-lang.org
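
Added example (not part of the original message and not the attached strftime.patch, whose contents are not shown here): the NEEDS(n) bounds check evaluated with the s, endp and precision values from the dbx session, next to one possible reordering that compares n against the remaining room. The function names are hypothetical, and uint32_t stands in for 32-bit addresses, since overflowing a real pointer is undefined behaviour in C.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address s + n would reach on a 32-bit target (wraps modulo 2^32). */
static uint32_t wrapped_target(uint32_t s, uint32_t n)
{
    return (uint32_t)(s + n);
}

/* Shape of the check on line 213: s + (n) >= endp - 1.
   Returns 1 when the request is rejected (goto err), 0 when it passes. */
static int needs_original_rejects(uint32_t s, uint32_t endp, uint32_t n)
{
    return wrapped_target(s, n) >= endp - 1;
}

/* Assumed reordering: subtract first, so nothing can wrap.
   endp - 1 - s is the room left in the buffer (s <= endp - 1). */
static int needs_reordered_rejects(uint32_t s, uint32_t endp, uint32_t n)
{
    if (s >= endp - 1)
        return 1;
    return n >= endp - 1 - s;
}

/* The same reordering on real pointers into a 100-byte buffer
   (maxsize = 100U in the backtrace); no pointer leaves the object. */
static int buffer_check_rejects(size_t n)
{
    char buf[100];
    const char *s = buf, *endp = buf + sizeof buf;
    return n >= (size_t)(endp - 1 - s);
}

int main(void)
{
    /* Values printed by dbx in the message above. */
    uint32_t s = UINT32_C(0xffbff3e4), endp = UINT32_C(0xffbff448);
    uint32_t n = UINT32_C(1000000000);

    printf("s + n wraps to 0x%08x\n", (unsigned)wrapped_target(s, n));
    printf("original rejects:  %d\n", needs_original_rejects(s, endp, n));
    printf("reordered rejects: %d\n", needs_reordered_rejects(s, endp, n));
    printf("pointer form rejects: %d\n", buffer_check_rejects(n));
    return 0;
}
```
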