From: "peterzhu2118 (Peter Zhu) via ruby-core"
Date: 2023-01-06T19:26:06+00:00
Subject: [ruby-core:111705] [Ruby master Bug#19320] Crash during compaction while traversing the stack

Issue #19320 has been reported by peterzhu2118 (Peter Zhu).

----------------------------------------
Bug #19320: Crash during compaction while traversing the stack
https://bugs.ruby-lang.org/issues/19320

* Author: peterzhu2118 (Peter Zhu)
* Status: Open
* Priority: Normal
* Backport: 2.7: UNKNOWN, 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Fix PR: https://github.com/ruby/ruby/pull/7081

Applying the following patch to test/erb/test_erb.rb and running that file will cause Ruby to crash on my machine (macOS 13.1 on M1 Pro):

```diff
--- a/test/erb/test_erb.rb
+++ b/test/erb/test_erb.rb
@@ -7,6 +7,12 @@ class TestERB < Test::Unit::TestCase
   class MyError < RuntimeError ; end
+  def setup
+    GC.auto_compact = true
+    GC.stress = true
+    GC.verify_compaction_references(expand_heap: true, toward: :empty)
+  end
+
```

It crashes with the following log:

```
/Users/peter/src/ruby/lib/erb/compiler.rb:276: [BUG] Segmentation fault at 0x00000001083a8690
...
-- C level backtrace information -------------------------------------------
...
/Users/peter/src/ruby/build/ruby(rb_vm_each_stack_value+0xa8) [0x104cc3a44] ../vm.c:2737
/Users/peter/src/ruby/build/ruby(rb_vm_each_stack_value+0xa8) [0x104cc3a44] ../vm.c:2737
/Users/peter/src/ruby/build/ruby(check_stack_for_moved+0x2c) [0x104b272a4] ../gc.c:5512
/Users/peter/src/ruby/build/ruby(gc_compact_finish) ../gc.c:5534
/Users/peter/src/ruby/build/ruby(gc_sweep_compact) ../gc.c:8653
/Users/peter/src/ruby/build/ruby(gc_sweep) ../gc.c:6196
/Users/peter/src/ruby/build/ruby(has_sweeping_pages+0x0) [0x104b19c54] ../gc.c:9568
/Users/peter/src/ruby/build/ruby(gc_rest) ../gc.c:9570
```

This crash happens because it's reading the VALUE at sp. But since sp points to the top of the stack, it's reading the VALUE above the top of the stack, which is causing this segfault.

I can repro this crash in Ruby 3.2.0, but looking at the code I think it can happen in Ruby 3.1 and 3.0 as well.

-- 
https://bugs.ruby-lang.org/

______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
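Review bot: the `setup` hunk switches on `GC.auto_compact = true` and `GC.stress = true` but adds no matching `teardown`, so both settings stay in effect for every test that runs afterwards in the same process and will slow the rest of the file down and change what it is testing. For a throwaway reproducer that is fine; if this is meant to stay in test/erb/test_erb.rb, save the previous values in `setup` and restore them in a `teardown` (`GC.stress = @old_stress`, `GC.auto_compact = @old_compact`), or move the three GC calls into a dedicated test method so the rest of the suite is unaffected.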
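The report describes an off-by-one in the stack walk: the walker treats `sp` as the top slot when it is really one past the last live slot, so the compaction check reads a dead slot that may hold a stale, pointer-shaped value. The following C program is an added illustration, not the report's code and not Ruby's `rb_vm_each_stack_value` or `check_stack_for_moved`; every name in it (`toy_vm`, `walk_stack_inclusive`, `walk_stack_exclusive`, `check_moved`) is made up for the model, the heap and stack contents are constructed, and the "moved" flag stands in for the state a compacted object is left in. Where the real VM would dereference the stale value and fault, the model counts it as a wild read so it can run to completion and show the difference between the `<=` and `<` bounds.

```c
/* Added example, not code from the bug report or from Ruby itself: a toy model
 * of a VM value stack walked after compaction, showing why an inclusive bound
 * on sp reads one slot past the live stack. All names are illustrative. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uintptr_t VALUE;

#define STACK_CAPACITY 8
#define HEAP_OBJECTS 3

/* A heap slot; `moved` stands in for the state a compacted object is left in,
 * which the post-compaction stack check is looking for. */
typedef struct { int moved; } heap_obj;

typedef struct {
    heap_obj heap[HEAP_OBJECTS];
    VALUE stack[STACK_CAPACITY];
    VALUE *sp;  /* like the VM's sp: one past the last live slot, not the top slot */
} toy_vm;

typedef struct {
    int visited;     /* non-immediate slots handed to the callback */
    int moved_refs;  /* slots that point at a moved object */
    int wild_reads;  /* slots that were not valid heap pointers at all */
} walk_stats;

/* Immediates (Ruby's "special consts") are skipped by the scan. Modelled here
 * as 0 or any value with the fixnum tag bit set. */
static int is_special_const(VALUE v) { return v == 0 || (v & 1u) != 0; }

/* True if v points at one of the toy heap's objects. */
static int is_heap_pointer(const toy_vm *vm, VALUE v)
{
    VALUE lo = (VALUE)&vm->heap[0];
    VALUE hi = (VALUE)&vm->heap[HEAP_OBJECTS];
    return v >= lo && v < hi && (v - lo) % sizeof(heap_obj) == 0;
}

/* Stand-in for the per-value callback. A real walker dereferences v without
 * checking; here a bad pointer is counted rather than dereferenced. */
static void check_moved(const toy_vm *vm, VALUE v, walk_stats *st)
{
    st->visited++;
    if (!is_heap_pointer(vm, v)) { st->wild_reads++; return; }
    if (((const heap_obj *)v)->moved) st->moved_refs++;
}

/* Inclusive bound: also visits the slot at sp, which is above the live stack. */
static walk_stats walk_stack_inclusive(const toy_vm *vm)
{
    walk_stats st = {0, 0, 0};
    for (const VALUE *p = vm->stack; p <= vm->sp; p++)
        if (!is_special_const(*p)) check_moved(vm, *p, &st);
    return st;
}

/* Exclusive bound: visits only [stack, sp). */
static walk_stats walk_stack_exclusive(const toy_vm *vm)
{
    walk_stats st = {0, 0, 0};
    for (const VALUE *p = vm->stack; p < vm->sp; p++)
        if (!is_special_const(*p)) check_moved(vm, *p, &st);
    return st;
}

/* Constructed state: three heap objects, two of them moved; a stack holding a
 * fixnum and references to all three objects; and stale pointer-shaped garbage
 * in the first dead slot, as an earlier, deeper frame could leave behind. */
static void toy_vm_init(toy_vm *vm)
{
    vm->heap[0].moved = 1;
    vm->heap[1].moved = 0;
    vm->heap[2].moved = 1;
    vm->stack[0] = ((VALUE)7 << 1) | 1;   /* fixnum 7: immediate, skipped */
    vm->stack[1] = (VALUE)&vm->heap[0];
    vm->stack[2] = (VALUE)&vm->heap[1];
    vm->stack[3] = (VALUE)&vm->heap[2];
    vm->sp = &vm->stack[4];
    vm->stack[4] = (VALUE)0x7f00dea0u;    /* constructed stale value, low bit clear */
    for (int i = 5; i < STACK_CAPACITY; i++) vm->stack[i] = 0;
}

static walk_stats run_inclusive(void) { toy_vm vm; toy_vm_init(&vm); return walk_stack_inclusive(&vm); }
static walk_stats run_exclusive(void) { toy_vm vm; toy_vm_init(&vm); return walk_stack_exclusive(&vm); }

int main(void)
{
    walk_stats a = run_inclusive(), b = run_exclusive();
    printf("p <= sp: visited=%d moved=%d wild=%d\n", a.visited, a.moved_refs, a.wild_reads);
    printf("p <  sp: visited=%d moved=%d wild=%d\n", b.visited, b.moved_refs, b.wild_reads);
    return 0;
}
```

Both walks find the same two moved references; only the inclusive walk also hands the dead slot to the callback, and in a real VM that dereference is the segfault in the backtrace. The stale value only fails the `is_special_const` filter because its low bit is clear, which is exactly the kind of leftover a dead slot can contain.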