diff options
| author | Peter Zhu <peter@peterzhu.ca> | 2023-02-28 14:59:33 -0500 |
|---|---|---|
| committer | Peter Zhu <peter@peterzhu.ca> | 2023-03-03 16:12:03 -0500 |
| commit | 62c2082f1f726cb90d8c332fbedbecf41d5d82ec (patch) | |
| tree | f768c3103ed1ad0d0e1fa3ab00a253af08cd6e79 /internal | |
| parent | 0700d0fd1c77b4fddf803dea3c10be654df600ff (diff) | |
| download | ruby-62c2082f1f726cb90d8c332fbedbecf41d5d82ec.tar.gz | |
[Bug #19469] Fix crash when resizing generic iv list
The following script can sometimes trigger a crash:
```ruby
GC.stress = true
class Array
def foo(bool)
if bool
@a = 1
@b = 2
@c = 1
else
@c = 1
end
end
end
obj = []
obj.foo(true)
obj2 = []
obj2.foo(false)
obj3 = []
obj3.foo(true)
```
This is because vm_setivar_default calls rb_ensure_generic_iv_list_size
to resize the iv list. However, the call to gen_ivtbl_resize reallocs
the iv list, and then inserts into the generic iv table. If the
st_insert triggers a GC then the old iv list will be read during
marking, causing a use-after-free bug.
Co-Authored-By: Jemma Issroff <jemmaissroff@gmail.com>
Diffstat (limited to 'internal')
| -rw-r--r-- | internal/variable.h | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/internal/variable.h b/internal/variable.h index 88fa28e1ba..e012b1196e 100644 --- a/internal/variable.h +++ b/internal/variable.h @@ -57,7 +57,7 @@ VALUE rb_gvar_defined(ID); void rb_const_warn_if_deprecated(const rb_const_entry_t *, VALUE, ID); rb_shape_t * rb_grow_iv_list(VALUE obj); void rb_ensure_iv_list_size(VALUE obj, uint32_t len, uint32_t newsize); -struct gen_ivtbl * rb_ensure_generic_iv_list_size(VALUE obj, uint32_t newsize); +struct gen_ivtbl *rb_ensure_generic_iv_list_size(VALUE obj, rb_shape_t *shape, uint32_t newsize); attr_index_t rb_obj_ivar_set(VALUE obj, ID id, VALUE val); MJIT_SYMBOL_EXPORT_END |