Project

General

Profile

Actions

Bug #12927

closed

SIGSEGV during GC marking of sym procs

Added by eritiro (Emiliano Ritiro) about 8 years ago. Updated about 8 years ago.

Status:
Closed
Assignee:
-
Target version:
-
[ruby-core:78100]

Description

After we migrated from Ruby 2.2.4 to Ruby 2.3.1 we started seeing a Segmentation Fault. This happens when the GC calls proc_mark() during the marking phase.
The proc tries to mark the block.ep[1] which contains an invalid VALUE.

I attached a script to reproduce the issue and the output of that script. (You have to run it a couple of times, it sigsevs 20% of the time)

Follow are the conclusion of my analysis:
The attached script duplicates a sym proc in memory (&:to_h)
sym procs in Ruby 2.3 uses a cfunc_proc_t which puts its environment data at the end of the rb_proc_t struct.
block->ep points to that environment.

When you copy a proc (with dup_proc()), the new proc will have a block->ep pointing to the original cfunc_proc_t
The sym_proc_cache prevents the corruption in most of the cases, but if we have a cache collision that replaces the original proc, and there are no other references to the original proc, the GC will collect the original proc, including its 64 bits of cfunc_proc_t, making them available for future use.
The duplicated proc will still be pointing to the original env, which now is freed data that GC can assign to whatever it wants.
If after that, this particular position of memory is filled with a VALUE that points outside of our memory, ruby aborts with a core dump.


Files

segfault.rb (1.76 KB) segfault.rb Script that reproduce the issue eritiro (Emiliano Ritiro), 11/12/2016 09:54 PM
output.txt (22 KB) output.txt eritiro (Emiliano Ritiro), 11/12/2016 09:57 PM

Related issues 1 (0 open1 closed)

Related to Ruby master - Feature #12628: change block/env structsClosedko1 (Koichi Sasada)Actions
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0