[ruby-core:98484] [Ruby master Bug#16907] Probable use-after-free in VM assertion
From: merch-redmine@...
Date: 2020-05-23 02:10:57 UTC
List: ruby-core #98484
Issue #16907 has been reported by jeremyevans0 (Jeremy Evans).
----------------------------------------
Bug #16907: Probable use-after-free in VM assertion
https://bugs.ruby-lang.org/issues/16907
* Author: jeremyevans0 (Jeremy Evans)
* Status: Open
* Priority: Normal
* Assignee: ko1 (Koichi Sasada)
* ruby -v: ruby 2.8.0dev (2020-05-22) [x86_64-openbsd6.7]
* Backport: 2.5: DONTNEED, 2.6: DONTNEED, 2.7: DONTNEED
----------------------------------------
The following Ruby program fails with VM assertions enabled on OpenBSD (code taken from `test_caller_to_enum` in `test/ruby/test_backtrace.rb`):
```ruby
def foo
  return to_enum(__method__) unless block_given?
  raise
  yield 1
end
enum = foo
enum.next
```
This is due to the following assertion in `rb_current_vm` in `vm_core.h`:
```c
VM_ASSERT(ruby_current_vm_ptr == NULL ||
          ruby_current_execution_context_ptr == NULL ||
          rb_ec_thread_ptr(GET_EC()) == NULL ||
          rb_ec_vm_ptr(GET_EC()) == ruby_current_vm_ptr);
```
Adding some debugging code, `rb_ec_vm_ptr(GET_EC())` is `0xdfdfdfdfdfdfdfdf`. This is the memory pattern that OpenBSD free(3) writes to memory in order to detect use-after-free. So it is quite likely that this is operating on freed memory.
My guess as to what is happening here is that the enumerator fiber stack is freed, but this VM assertion is still accessing the memory. However, that's just a guess, and not a particularly educated one. I am not sure how to fix it.
--
https://bugs.ruby-lang.org/
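The diagnostic in the report rests on one property of OpenBSD's allocator: free(3) junk-fills released chunks with 0xdf, so a dangling pointer reads back as 0xdfdfdfdfdfdfdfdf rather than a plausible address. The following C program is an added illustration of that detection technique; it is not code from Ruby or from this thread. It models the fiber stack as a static arena holding a hypothetical execution-context struct (`struct ec_like`, with a `vm` field standing in for `rb_ec_vm_ptr`), releases it by junk-filling the way OpenBSD does, and shows a checked accessor that recognises the junk pattern instead of dereferencing it. Everything here (`arena_alloc_ec`, `arena_release`, `ec_vm_looks_freed`, `ec_vm_checked`) is made up for the example; using a static arena rather than malloc/free keeps the post-release read well defined so the check can be exercised on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte OpenBSD's free(3) writes over released chunks ("junking"). A pointer
 * loaded from such memory reads as 0xdfdf...df instead of a real address. */
#define FREE_JUNK_BYTE 0xdf

/* Hypothetical stand-ins for Ruby's VM and execution-context structs. */
struct vm_like { int id; };
struct ec_like { struct vm_like *vm; int fiber_id; };

/* A static arena plays the role of a fiber stack with the ec at its base, so
 * "freeing" it (junk-filling) can be observed without undefined behaviour.
 * The union keeps the struct view and the byte view of the same storage. */
static union {
    struct ec_like ec;
    unsigned char bytes[sizeof(struct ec_like) + 64];
} fiber_stack;

static struct vm_like the_vm = { 1 };

/* Place a live ec at the base of the arena, pointing at the VM. */
struct ec_like *arena_alloc_ec(void)
{
    struct ec_like *ec = &fiber_stack.ec;
    ec->vm = &the_vm;
    ec->fiber_id = 42;
    return ec;
}

/* Mimic OpenBSD free(3) junking: overwrite the whole stack with the junk byte.
 * Callers that kept an ec pointer now hold exactly the dangling case. */
void arena_release(void)
{
    memset(fiber_stack.bytes, FREE_JUNK_BYTE, sizeof fiber_stack.bytes);
}

/* Pointer-sized value made entirely of the junk byte: 0xdfdfdfdfdfdfdfdf on
 * a 64-bit target, built with memset so it is right for any pointer width. */
static uintptr_t junk_pattern(void)
{
    uintptr_t pat;
    memset(&pat, FREE_JUNK_BYTE, sizeof pat);
    return pat;
}

/* True when the ec's vm field holds the junk pattern, i.e. the memory behind
 * ec was released. The value is copied out with memcpy so that no junk
 * pointer is ever dereferenced. */
int ec_vm_looks_freed(const struct ec_like *ec)
{
    uintptr_t raw;
    memcpy(&raw, &ec->vm, sizeof raw);
    return raw == junk_pattern();
}

/* Defensive accessor: hand back the VM pointer only if it does not look
 * freed; otherwise report and return NULL rather than following junk. */
struct vm_like *ec_vm_checked(const struct ec_like *ec)
{
    if (ec_vm_looks_freed(ec)) {
        fprintf(stderr, "ec %p: vm field is free(3) junk, likely use-after-free\n",
                (const void *)ec);
        return NULL;
    }
    return ec->vm;
}

int main(void)
{
    struct ec_like *ec = arena_alloc_ec();
    printf("alive: looks_freed=%d vm_id=%d\n",
           ec_vm_looks_freed(ec), ec_vm_checked(ec)->id);
    arena_release();               /* stack goes away, ec pointer is kept */
    printf("after release: looks_freed=%d\n", ec_vm_looks_freed(ec));
    return 0;
}
```

The same pattern check is what an assertion like the one in `rb_current_vm` could apply before comparing `rb_ec_vm_ptr(GET_EC())` with `ruby_current_vm_ptr`: a junk-valued field is a stronger signal than a mismatch, because it names the cause (released memory) rather than just the symptom. On systems whose allocator does not junk on free, enabling it (OpenBSD's malloc `J` option, or an address sanitizer elsewhere) is what makes this class of bug visible at the assertion instead of later.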