1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix crash when evacuating generic ivar

Browse Source 
When transitioning generic instance variable objects to too complex, we
set the shape first before performing inserting the new gen_ivtbl. The
st_insert for the new gen_ivtbl could allocate and cause a GC. If that
happens, then it will crash because the object will have a too complex
shape but not yet be backed by a st_table.

This commit changes the order so that the insert happens first before
the new shape is set.

The following script reproduces the issue:

```
o = []
o.instance_variable_set(:@a, 1)

i = 0
o = Object.new
while RubyVM::Shape.shapes_available > 0
  o.instance_variable_set(:"@i#{i}", 1)
  i += 1
end

ary = 1_000.times.map { [] }

GC.stress = true
ary.each do |o|
  o.instance_variable_set(:@a, 1)
  o.instance_variable_set(:@b, 1)
end
```
This commit is contained in:
Peter Zhu 2023-11-20 14:55:50 -05:00
parent 103bbd21f8
commit f376163194
2 changed files with 23 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
test/ruby/test_shapes.rb
View File

@ -277,6 +277,28 @@ class TestShapes < Test::Unit::TestCase
end; end;
end end
def test_gc_stress_during_evacuate_generic_ivar
assert_separately([], "#{<<~"begin;"}\n#{<<~'end;'}")
begin;
[].instance_variable_set(:@a, 1)
i = 0
o = Object.new
while RubyVM::Shape.shapes_available > 0
o.instance_variable_set(:"@i#{i}", 1)
i += 1
end
ary = 10.times.map { [] }
GC.stress = true
ary.each do |o|
o.instance_variable_set(:@a, 1)
o.instance_variable_set(:@b, 1)
end
end;
end
def test_run_out_of_shape_for_module_ivar def test_run_out_of_shape_for_module_ivar
assert_separately([], "#{<<~"begin;"}\n#{<<~'end;'}") assert_separately([], "#{<<~"begin;"}\n#{<<~'end;'}")
begin; begin;

2
variable.c
View File

@ -1399,12 +1399,12 @@ rb_obj_convert_to_too_complex(VALUE obj, st_table *table)
struct gen_ivtbl *ivtbl = xmalloc(sizeof(struct gen_ivtbl)); struct gen_ivtbl *ivtbl = xmalloc(sizeof(struct gen_ivtbl));
ivtbl->as.complex.table = table; ivtbl->as.complex.table = table;
st_insert(gen_ivs, (st_data_t)obj, (st_data_t)ivtbl);
#if SHAPE_IN_BASIC_FLAGS #if SHAPE_IN_BASIC_FLAGS
rb_shape_set_shape_id(obj, OBJ_TOO_COMPLEX_SHAPE_ID); rb_shape_set_shape_id(obj, OBJ_TOO_COMPLEX_SHAPE_ID);
#else #else
ivtbl->shape_id = OBJ_TOO_COMPLEX_SHAPE_ID; ivtbl->shape_id = OBJ_TOO_COMPLEX_SHAPE_ID;
#endif #endif
st_insert(gen_ivs, (st_data_t)obj, (st_data_t)ivtbl);
} }
RB_VM_LOCK_LEAVE(); RB_VM_LOCK_LEAVE();
} }