From: "ioquatix (Samuel Williams) via ruby-core"
Date: 2025-03-27T05:21:44+00:00
Subject: [ruby-core:121447] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return

Issue #21198 has been updated by ioquatix (Samuel Williams).

A solution to this would be to invalidate the proc afterwards. I don't know if this is possible but I can take a look.

----------------------------------------
Bug #21198: Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
https://bugs.ruby-lang.org/issues/21198#change-112447

* Author: peterzhu2118 (Peter Zhu)
* Status: Open
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED
----------------------------------------
The Fiber::Scheduler#blocking_operation_wait method is passed a proc through the `rb_fiber_scheduler_blocking_operation_wait` function. This function stack allocates the arguments used for the proc ([source](https://github.com/ruby/ruby/blob/2183899fd184ab1cfee80d57c0dd6f4dcd370375/scheduler.c#L755-L762)). If this proc is captured anywhere, then calling it again will illegally read from and write to stack space.

The following script demonstrates this issue using the [test/fiber/scheduler.rb](https://github.com/ruby/ruby/blob/master/test/fiber/scheduler.rb) scheduler:

```ruby
require_relative "test/fiber/scheduler"

class MyScheduler < Scheduler
  def blocking_operation_wait(work)
    super

    $work = work
  end
end

scheduler = MyScheduler.new
Fiber.set_scheduler(scheduler)

require "tempfile"

Fiber.schedule do
  file = Tempfile.new
  file.write("hello world!")
  $work.call
end

scheduler.run
```

Crashes with:

```
test.rb:19: [BUG] Bus Error at 0xce0f57696add0045
ruby 3.4.2 (2025-02-15 revision d2930f8e7a) +PRISM [arm64-darwin24]

-- Crash Report log information --------------------------------------------
   See Crash Report log file in one of the following locations:
     * ~/Library/Logs/DiagnosticReports
     * /Library/Logs/DiagnosticReports
   for more details.
Don't forget to include the above Crash Report log file in bug reports.

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0010 e:000009 IFUNC
c:0002 p:0017 s:0007 e:000006 BLOCK  test.rb:19 [FINISH]
c:0001 p:---- s:0003 e:000002 DUMMY  [FINISH]

-- Ruby level backtrace information ----------------------------------------
test.rb:19:in 'block in <main>'

-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
Note that the Fiber scheduler is enabled

-- Machine register context ------------------------------------------------
  x0: 0x000000010063a5f0  x1: 0x000000014b80ce00  x2: 0x0000000000000000  x3: 0x000000014b60f060
  x4: 0x0000000000000000  x5: 0x0000000000000000  x6: 0x0000000000000004  x7: 0x0000000000000000
 x18: 0x0000000000000000 x19: 0x000000014b6a4840 x20: 0xce0f57696add0045 x21: 0x000000010063a5f0
 x22: 0x000000014b60f060 x23: 0x0000000000000000 x24: 0x000000014b60f998 x25: 0x0000000000014273
 x26: 0x000000014b60f060 x27: 0x000000014b60f060 x28: 0x000000014b80ce00  lr: 0x0000000100d881d8
  fp: 0x000000011bb039f0  sp: 0x000000011bb03980

-- C level backtrace information -------------------------------------------
SEGV received in BUS handler
[1]    52599 abort      ruby test.rb
```

--
https://bugs.ruby-lang.org/
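
The "invalidate the proc afterwards" idea from the update above, modelled in plain C as an added example; this is not code from Ruby's `scheduler.c` and not the project's fix. All names (`op_handle`, `blocking_wait`, `op_call`, `late_call`, `demo_handle`) are hypothetical, and the handle is assumed to outlive the call the way a heap-allocated proc does.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for the proc passed to the scheduler hook. */
struct op_handle {
    int (*fn)(void *);  /* the blocking operation */
    void *args;         /* points into the caller's stack frame */
};
struct write_args { const char *buf; size_t len; };

static struct op_handle demo_handle;  /* outlives the call, as a heap proc does */
static struct op_handle *captured;    /* plays the role of $work */

static int do_write(void *p) {
    struct write_args *a = p;
    return (int)a->len;  /* pretend the whole buffer was written */
}

/* Run the operation, or return -1 if the handle has been invalidated. */
int op_call(struct op_handle *h) {
    if (h->args == NULL) return -1;
    return h->fn(h->args);
}

/* Hook that runs the work and keeps a reference, like MyScheduler. */
static int hook(struct op_handle *h) {
    captured = h;
    return op_call(h);
}

/* Models the wait function: args exist only while this frame is live. */
int blocking_wait(struct op_handle *h, const char *buf, size_t len) {
    struct write_args args = { buf, len };
    h->fn = do_write;
    h->args = &args;
    int r = hook(h);
    h->args = NULL;  /* invalidate before the frame is popped */
    return r;
}

/* A call made after the wait returned; -2 means nothing was captured. */
int late_call(void) { return captured ? op_call(captured) : -2; }

int main(void) {
    printf("first=%d\n", blocking_wait(&demo_handle, "hello world!", 12));
    printf("late=%d\n", late_call());
    return 0;
}
```

Without the `h->args = NULL` line, `late_call()` would dereference a pointer into a frame that no longer exists, which is the stack-use-after-return the report describes.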