[ruby-core:112938] [Ruby master Bug#19469] Crash when resizing generic iv list
From:
"naruse (Yui NARUSE) via ruby-core" <ruby-core@...>
Date:
2023-03-18 05:53:47 UTC
List:
ruby-core #112938
Issue #19469 has been updated by naruse (Yui NARUSE).
Backport changed from 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: REQUIRED to 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
ruby_3_2 f3abe5ba645839fb2a686aee18d3466b59256af0 merged revision(s) 0700d0fd1c77b4fddf803dea3c10be654df600ff,62c2082f1f726cb90d8c332fbedbecf41d5d82ec.
----------------------------------------
Bug #19469: Crash when resizing generic iv list
https://bugs.ruby-lang.org/issues/19469#change-102462
* Author: peterzhu2118 (Peter Zhu)
* Status: Closed
* Priority: Normal
* Backport: 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
----------------------------------------
GitHub PR: https://github.com/ruby/ruby/pull/7407
The following script can sometimes trigger a crash:
```ruby
GC.stress = true
class Array
def foo(bool)
if bool
@a = 1
@b = 2
@c = 1
else
@c = 1
end
end
end
obj = []
obj.foo(true)
obj2 = []
obj2.foo(false)
obj3 = []
obj3.foo(true)
```
This is because vm_setivar_default calls rb_ensure_generic_iv_list_size to resize the iv list. However, the call to gen_ivtbl_resize reallocs the iv list, and then inserts into the generic iv table. If the st_insert triggers a GC then the old iv list will be read during marking, causing a use-after-free bug.
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/