1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[Bug #18928] Fix crash in WeakMap

Browse Source 
In wmap_live_p, if is_pointer_to_heap returns false, then the page is
either in the tomb or has already been freed, so the object is dead. In
this case, wmap_live_p should return false.
This commit is contained in:
Peter Zhu 2022-07-19 15:51:39 -04:00
parent fa5724cca9
commit 86d061294d
Notes: git 2022-07-20 21:40:52 +09:00 
Merged: https://github.com/ruby/ruby/pull/6152
1 changed files with 11 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
gc.c
View File

@ -12706,20 +12706,21 @@ static int
wmap_live_p(rb_objspace_t *objspace, VALUE obj) wmap_live_p(rb_objspace_t *objspace, VALUE obj)
{ {
if (SPECIAL_CONST_P(obj)) return TRUE; if (SPECIAL_CONST_P(obj)) return TRUE;
if (is_pointer_to_heap(objspace, (void *)obj)) { /* If is_pointer_to_heap returns false, the page could be in the tomb heap
void *poisoned = asan_unpoison_object_temporary(obj); * or have already been freed. */
if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;
enum ruby_value_type t = BUILTIN_TYPE(obj); void *poisoned = asan_unpoison_object_temporary(obj);
int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
is_live_object(objspace, obj));
if (poisoned) { enum ruby_value_type t = BUILTIN_TYPE(obj);
asan_poison_object(obj); int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
} is_live_object(objspace, obj));
return ret; if (poisoned) {
asan_poison_object(obj);
} }
return TRUE;
return ret;
} }
static int static int