Project

General

Profile

Actions
Copy link
Like0

Bug #19469

closed

Crash when resizing generic iv list

Added by peterzhu2118 (Peter Zhu) about 2 years ago. Updated about 2 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
Backport:
2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
[ruby-core:112634]

Description

GitHub PR: https://github.com/ruby/ruby/pull/7407

The following script can sometimes trigger a crash:

GC.stress = true

class Array
  def foo(bool)
    if bool
      @a = 1
      @b = 2
      @c = 1
    else
      @c = 1
    end
  end
end

obj = []
obj.foo(true)

obj2 = []
obj2.foo(false)

obj3 = []
obj3.foo(true)

This is because vm_setivar_default calls rb_ensure_generic_iv_list_size to resize the iv list. However, the call to gen_ivtbl_resize reallocs the iv list, and then inserts into the generic iv table. If the st_insert triggers a GC then the old iv list will be read during marking, causing a use-after-free bug.

Related issues 2 (0 open2 closed)

Related to Ruby - Bug #19477: segfault during GC if ivars set on arraysClosedtenderlovemaking (Aaron Patterson)Actions
Related to Ruby - Bug #19433: Segmentation fault in 3.2.0/3.2.1 on M1 MacClosedActions
#2

Updated by peterzhu2118 (Peter Zhu) about 2 years ago

  • Status changed from Open to Closed
#3

Updated by byroot (Jean Boussier) about 2 years ago

  • Related to Bug #19477: segfault during GC if ivars set on arrays added
#4

Updated by peterzhu2118 (Peter Zhu) about 2 years ago

  • Related to Bug #19433: Segmentation fault in 3.2.0/3.2.1 on M1 Mac added
#5 [ruby-core:112938]

Updated by naruse (Yui NARUSE) about 2 years ago

  • Backport changed from 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: REQUIRED to 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
Actions
Copy link
Like0

Also available in: Atom PDF