vm.c: fix mark with rewinding cfp

* vm.c (m_core_hash_merge_ptr): copy the arguments to the machine stack before rewinding the control frame pointer and leaving the arguments outside valid region of the value stack. [ruby-core:69969] [Bug #11352] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51263 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2015-07-16 05:18:40 +00:00 · 2015-07-16 05:18:40 +00:00 · aab3599dae
commit aab3599dae
parent e981a61c53
3 changed files with 31 additions and 1 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Thu Jul 16 14:18:37 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* vm.c (m_core_hash_merge_ptr): copy the arguments to the machine
+	  stack before rewinding the control frame pointer and leaving the
+	  arguments outside valid region of the value stack.
+	  [ruby-core:69969] [Bug #11352]
+
+
 Thu Jul 16 11:38:21 2015  Eric Wong  <e@80x24.org>

 	* process.c (close_unless_reserved): declare type of `fd' arg
--- a/test/ruby/test_literal.rb
+++ b/test/ruby/test_literal.rb
@ -192,7 +192,9 @@ class TestRubyLiteral < Test::Unit::TestCase
    assert_normal_exit %q{GC.disable=true; x = nil; raise if eval("[#{(1..1_000_000).to_a.join(", ")}]").size != 1_000_000}, "", timeout: 300, child_env: %[--disable-gems]
    assert_normal_exit %q{GC.disable=true; x = nil; raise if eval("{#{(1..1_000_000).map{|n| "#{n} => x"}.join(', ')}}").size != 1_000_000}, "", timeout: 300, child_env: %[--disable-gems]
    assert_normal_exit %q{GC.disable=true; x = nil; raise if eval("{#{(1..1_000_000).map{|n| "#{n} => #{n}"}.join(', ')}}").size != 1_000_000}, "", timeout: 300, child_env: %[--disable-gems]
+  end

+  def test_big_hash_literal
    bug7466 = '[ruby-dev:46658]'
    h = {
      0xFE042 => 0xE5CD,
@ -327,6 +329,19 @@ class TestRubyLiteral < Test::Unit::TestCase
    }
    k = h.keys
    assert_equal([129, 0xFE331], [k.size, k.last], bug7466)
+
+    code = [
+      "h = {",
+      (1..128).map {|i| "#{i} => 0,"},
+      (129..140).map {|i| "#{i} => [],"},
+      "}",
+    ].join
+    assert_separately([], <<-"end;")
+      GC.stress = true
+      #{code}
+      GC.stress = false
+      assert_equal(140, h.size)
+    end;
  end

  def test_range
--- a/vm.c
+++ b/vm.c
@ -2400,6 +2400,7 @@ static VALUE
 core_hash_merge_ary(VALUE hash, VALUE ary)
 {
    core_hash_merge(hash, RARRAY_LEN(ary), RARRAY_CONST_PTR(ary));
+    RB_GC_GUARD(ary);
    return hash;
 }

@ -2407,8 +2408,14 @@ static VALUE
 m_core_hash_merge_ptr(int argc, VALUE *argv, VALUE recv)
 {
    VALUE hash = argv[0];
+    VALUE *args;

-    REWIND_CFP(core_hash_merge(hash, argc-1, argv+1));
+    --argc; ++argv;
+    VM_ASSERT(argc <= 256);
+    args = ALLOCA_N(VALUE, argc);
+    MEMCPY(args, argv, VALUE, argc);
+    argv = args;
+    REWIND_CFP(core_hash_merge(hash, argc, argv));

    return hash;
 }