Ruby » Ruby master

After debugging the above issue I found a use-after-free bug in

static void
autoload_c_free(void *ptr)
{
    struct autoload_const *ac = ptr;
    ccan_list_del(&ac->cnode); // <- can mess up other unrelated objects if parent linked list head is already freed.
    xfree(ac);
}

This only becomes an issue because we fixed:

static void
autoload_i_free(void *ptr)
{
    struct autoload_data_i *p = ptr;

    /* we may leak some memory at VM shutdown time, no big deal */
    if (ccan_list_empty(&p->constants)) {
	xfree(p);
    }
}

In the above code, p->constants was (almost) never empty so the underlying data was never freed.

PR: https://github.com/ruby/ruby/pull/5898

Okay, so I suspected some issue with autoload_delete and finally found how to reproduce it.

static void
autoload_delete(VALUE mod, ID id)
{
    RB_VM_LOCK_ENTER();

    st_data_t val, load = 0, n = id;

    if (st_lookup(RCLASS_IV_TBL(mod), (st_data_t)autoload, &val)) {
        struct st_table *tbl = check_autoload_table((VALUE)val);
        struct autoload_data *ele;
        struct autoload_const *ac;

        st_delete(tbl, &n, &load);

        /* Qfalse can indicate already deleted */
        if (load != Qfalse) {
            ele = get_autoload_data((VALUE)load, &ac);
            VM_ASSERT(ele);
            /*
             * we must delete here to avoid "already initialized" warnings
             * with parallel autoload.  Using list_del_init here so list_del
             * works in autoload_c_free
             */
            ccan_list_del_init(&ac->cnode);

            if (tbl->num_entries == 0) {
                n = autoload;
                st_delete(RCLASS_IV_TBL(mod), &n, &val);
            }
        }
    }

    RB_VM_LOCK_LEAVE();

    rb_thread_schedule(); // add this to create odd behaviour (eventually).
}

Test case:

module MyModule; end

file = "autoload_does_not_exist.rb"

190.times do
	puts "."
	start = false

	threads = Array.new(10) do
		Thread.new do
			Thread.pass until start
			begin
				MyModule.autoload :FileDoesNotExist, file
				Thread.pass
				MyModule::FileDoesNotExist
			rescue LoadError => e
				e
			ensure
				Thread.pass
			end
		end
	end

	start = true
	threads.each { |t|
		raise "Failed" unless t.value.is_a?(LoadError)
	}
end

Failure example:

.
#<Thread:0x00007fafd3665c08 ../test.rb:35 run> terminated with exception (report_on_exception is true):
../test.rb:40:in `block (3 levels) in <main>': uninitialized constant MyModule::FileDoesNotExist (NameError)
../test.rb:40:in `block (3 levels) in <main>': uninitialized constant MyModule::FileDoesNotExist (NameError)
make: *** [uncommon.mk:1250: runruby] Error 1

@fxn (Xavier Noria) said:

Once the trigger has been executed, it is gone, the way I see it. How is that represented internally, I don't care and should not drive the design of the interface in my view. To me, autoload is not metadata of the module you need to preserve and autoload? should say if there's an autoload not yet triggered in the class/module or ancestors or not.

Maybe, but how it actually works is a lot more nuanced.

Consider multiple threads trying to require a feature which is slow to load. Let's say it's a web sever, and the first thread is cancelled because the request is cancelled. Should this cause all subsequent attempts to use the constant to fail? If you think of it like a trigger, the first thread fires the trigger, fails to load the file, and now it's gone and can never be loaded. But if you look at it as more of a gate or doorway, on transitioning through the doorway, you may eventually get the constant, even if prior threads failed to make it all the way through.

The doorway style is safer because a transient failure won't cause the constant load to fail outright and allows subsequent threads to retry. It's also easier from an implementation point of view to NOT mutate the autoload state while it's being loaded which introduces more complexity in the locking and state management. Essentially I prefer immutable autoload state + read-only operations during load. Deleting the state is a write operation which significantly complicates the internal locking logic.

Consider multiple threads trying to require a feature which is slow to load. Let's say it's a web sever, and the first thread is cancelled because the request is cancelled. Should this cause all subsequent attempts to use the constant to fail?

Unless I misunderstood, that's exactly what would happen with explicit require calls, as the file would end up in $LOADED_FEATURES, so subsequence require calls would be a noop.

I'm not gonna pretend it's graceful, but it's somewhat consistent.

@byroot (Jean Boussier) Does this align up with what you are saying?

features = $LOADED_FEATURES.dup

path = "./sleepy.rb"

File.write(path, "sleep 5")

thread = Thread.new do
	require path
end

sleep 1

thread.kill
thread.join

pp $LOADED_FEATURES - features

Because it's empty.

@ioquatix (Samuel Williams) indeed, my bad.

"ioquatix (Samuel Williams)" noreply@ruby-lang.org wrote:

@normalperson (Eric Wong) I've attached patch files. If you have time, I'd really appreciate your feedback on this. Specifically, patch 5 - freeing this unconditionally causes the Ruby VM to hang in test-bundler-parallel and I'm not sure why. Here is a backtrace of a hung process:

Sorry, I don't have time to look at it. Maybe late June or July. Thanks.