From: nobu@...
Date: 2016-11-30T00:31:14+00:00
Subject: [ruby-core:78426] [Ruby trunk Bug#12988] Calling `inspect` sometimes causes a segv

Issue #12988 has been updated by Nobuyoshi Nakada.

You could close this issue by including `[Bug #12988]` in the commit message.

----------------------------------------
Bug #12988: Calling `inspect` sometimes causes a segv
https://bugs.ruby-lang.org/issues/12988#change-61798

* Author: Aaron Patterson
* Status: Closed
* Priority: Normal
* Assignee: Aaron Patterson
* ruby -v: ruby 2.4.0dev (2016-10-05 tclass-heaps 56351) [x86_64-darwin16]
* Backport: 2.1: REQUIRED, 2.2: REQUIRED, 2.3: REQUIRED
----------------------------------------
`rb_obj_inspect` calls `rb_ivar_count` to find the number of instance variables on an object. `rb_ivar_count` uses `tbl->num_entries` on the instance variable index table to determine how far into the instance variable array it should read. Since the instance variable index table is shared, it may increase in size, but the instance variable array will not. For example:

~~~ruby
class A
  def initialize
    @a = nil
    @b = nil
    @c = nil
    @d = nil
    @e = nil
  end
end

x = A.new
y = x.clone

100.times { |z| x.instance_variable_set(:"@foo#{z}", nil) }

puts y.inspect
~~~

`x` and `y` share an IV index table. Calling `instance_variable_set` on `x` will increase the size of the IV index table. When `y.inspect` is called, the table size is larger than the `ROBJECT_IVPTR` array for that instance. This means that sometimes calling `inspect` can segv as it may read memory it shouldn't. I've attached a patch that fixes this by using the length of the array rather than the size of the IV index table.

---Files--------------------------------
0001-Stop-reading-past-the-end-of-ivptr-array.patch (1.33 KB)

--
https://bugs.ruby-lang.org/
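As an added illustration (not part of the report, the attached patch, or MRI's C source), here is a Ruby model of the two structures the report describes: a per-class index table shared by all instances that grows with every new ivar name, and a per-object ivptr array that a clone copies at its then-current length. The names `IvIndexTable`, `ModelObject`, `UNDEF` and `reproduce_report_scenario` are invented for the model; where MRI's count loop would read past the C array, the model raises instead, and the fixed count bounds the walk by the object's own array length as the patch description states.

```ruby
# Illustrative model of MRI's shared ivar index table and per-object ivptr array
# (names invented here; this is not MRI's C code).
UNDEF = Object.new.freeze  # stands in for Qundef: slot allocated, never assigned

class IvIndexTable
  def initialize; @entries = {}; end
  def index_for(name); @entries[name] ||= @entries.size; end  # grows per new name
  def num_entries; @entries.size; end
end

class ModelObject
  attr_reader :ivptr
  def initialize(tbl, ivptr = [])
    @tbl = tbl      # shared with every instance of the same class
    @ivptr = ivptr  # private to this object
  end

  def ivar_set(name, value)
    idx = @tbl.index_for(name)
    @ivptr << UNDEF while @ivptr.size <= idx  # grow only this object's array
    @ivptr[idx] = value
  end

  # clone shares the index table but copies the array at its current length.
  def clone_shallow; ModelObject.new(@tbl, @ivptr.dup); end

  # Buggy rb_ivar_count: walks tbl->num_entries slots. In C this reads past the
  # end of ivptr once the shared table has grown; the model raises instead.
  def ivar_count_buggy
    (0...@tbl.num_entries).count do |i|
      raise IndexError, "slot #{i} beyond ivptr length #{@ivptr.size}" if i >= @ivptr.size
      @ivptr[i] != UNDEF
    end
  end

  # Fixed: never walk further than this object's own array.
  def ivar_count_fixed
    (0...[@tbl.num_entries, @ivptr.size].min).count { |i| @ivptr[i] != UNDEF }
  end
end

# Replays the report's scenario: five ivars, clone, then 100 more ivars on the original.
def reproduce_report_scenario
  tbl = IvIndexTable.new
  x = ModelObject.new(tbl)
  %i[@a @b @c @d @e].each { |n| x.ivar_set(n, nil) }
  y = x.clone_shallow
  100.times { |z| x.ivar_set(:"@foo#{z}", nil) }
  buggy = begin; y.ivar_count_buggy; rescue IndexError => e; e.message; end
  { table_entries: tbl.num_entries, clone_len: y.ivptr.size,
    fixed: y.ivar_count_fixed, buggy: buggy }
end
```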