ruby-core

Issue #10871 has been updated by Koichi Sasada.


Deterministic example (avoiding non-deterministic).

```ruby
class C
end
class D
end

$fibs = []
$xs = []

[C, D].each{|klass|
  klass.class_eval{
    $fibs << Fiber.new{
      class << self
        class X
          $xs << self
          CONST = $i
          def self.i
            CONST
          end

          def i
            CONST
          end
        end
      end
    }
  }
}

2.times{|i|
  $i = i
  $fibs[i].resume
}

$xs.each{|x|
  p [x::CONST, x.i, x.new.i]
}
```

To solve this issue, I will duplicate iseq (CREF holder) for sclass. I need to check other cases.



----------------------------------------
Bug #10871: Sclass thread unsafe due to CREF sharing
https://bugs.ruby-lang.org/issues/10871#change-51608

* Author: Evan Phoenix
* Status: Open
* Priority: High
* Assignee: 
* ruby -v: 2.2.0p0, trunk
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
When entering an sclass, the context is tracked via the same cref mechanism used for class and module, specifically on the iseq->cref_stack. The bug is that the cref_stack is the wrong place to put the new cref because the scope is specific only to that sclass body. Mutating and using the iseq->cref_stack causes any code that reads the cref via this cref_stack to incorrectly pick up the sclass instance instead of the proper scope!

This is major thread safety bug because it means that all uses of `class << obj` are thread-unsafe and can cause random code to fail.

Here is a simple reproduction of the bug: https://gist.github.com/evanphx/6eef92f2c40662a4171b

I attempted to fix the bug by treating an sclass body the same as an eval, which already has special handling for cref's but I don't understand the code enough to make that change quickly.

I believe this is a major bug and hope that ruby-core can address it soon.

Thank you!



-- 
https://bugs.ruby-lang.org/