-
NARUSE, Yui authored
merge revision(s) 0700d0fd,62c2082f: [Backport #19469] Fix indentation in vm_setivar_default --- vm_insnhelper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) [Bug #19469] Fix crash when resizing generic iv list The following script can sometimes trigger a crash: ```ruby GC.stress = true class Array def foo(bool) if bool @a = 1 @b = 2 @c = 1 else @c = 1 end end end obj = [] obj.foo(true) obj2 = [] obj2.foo(false) obj3 = [] obj3.foo(true) ``` This is because vm_setivar_default calls rb_ensure_generic_iv_list_size to resize the iv list. However, the call to gen_ivtbl_resize reallocs the iv list, and then inserts into the generic iv table. If the st_insert triggers a GC then the old iv list will be read during marking, causing a use-after-free bug. Co-Authored-By:
Jemma Issroff <jemmaissroff@gmail.com> --- internal/variable.h | 2 +- variable.c | 23 ++++++++++++++++++----- vm_insnhelper.c | 4 ++-- 3 files changed, 21 insertions(+), 8 deletions(-)
NARUSE, Yui authoredmerge revision(s) 0700d0fd,62c2082f: [Backport #19469] Fix indentation in vm_setivar_default --- vm_insnhelper.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) [Bug #19469] Fix crash when resizing generic iv list The following script can sometimes trigger a crash: ```ruby GC.stress = true class Array def foo(bool) if bool @a = 1 @b = 2 @c = 1 else @c = 1 end end end obj = [] obj.foo(true) obj2 = [] obj2.foo(false) obj3 = [] obj3.foo(true) ``` This is because vm_setivar_default calls rb_ensure_generic_iv_list_size to resize the iv list. However, the call to gen_ivtbl_resize reallocs the iv list, and then inserts into the generic iv table. If the st_insert triggers a GC then the old iv list will be read during marking, causing a use-after-free bug. Co-Authored-By:
Loading