ruby.git/vm.c, branch v3_3_11 The Ruby Programming Language Backport WASI setjmp handler memory leak fixes to Ruby 3.3 2025-10-11T09:27:37+00:00 刘皓 whiteaxe@tuta.io 2025-10-09T00:45:26+00:00 7e31d3c0229095b6b256ba04288869a6373938b6 






thread_cleanup: set CFP to NULL before clearing ec's stack
2025-06-29T04:08:00+00:00

Luke Gruber
luke.gruber@shopify.com

2025-06-17T20:56:26+00:00

a52a2e852a38fbf3c2b5184a4fa64951b47ae03a

We clear the CFP first so that if a sampling profiler interrupts the current thread during `rb_ec_set_vm_stack`,
`thread_profile_frames` returns early instead of trying to walk the stack that's no longer set on the ec.

The early return in `thread_profile_frames` was introduced at eab7f4623fb.

Fixes [Bug #21441]





We clear the CFP first so that if a sampling profiler interrupts the current thread during `rb_ec_set_vm_stack`,
`thread_profile_frames` returns early instead of trying to walk the stack that's no longer set on the ec.

The early return in `thread_profile_frames` was introduced at eab7f4623fb.

Fixes [Bug #21441]







merge revision(s) 08b3a45bc97c835b4677bf76dbce68fd51d81897: [Backport #21180]
2025-03-16T09:52:56+00:00

nagachika
nagachika@ruby-lang.org

2025-03-16T09:52:56+00:00

2b2ab1a67c236eb0c47e63e8adcf877b0d20a38c

	Push a real iseq in rb_vm_push_frame_fname()

	Previously, vm_make_env_each() (used during proc
	creation and for the debug inspector C API) picked up the
	non-GC-allocated iseq that rb_vm_push_frame_fname() creates,
	which led to a SEGV when the GC tried to mark the non GC object.

	Put a real iseq imemo instead. Speed should be about the same since
	the old code also did a imemo allocation and a malloc allocation.

	Real iseq allows ironing out the special-casing of dummy frames in
	rb_execution_context_mark() and rb_execution_context_update(). A check
	is added to RubyVM::ISeq#eval, though, to stop attempts to run dummy
	iseqs.

	[Bug #21180]

	Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>





	Push a real iseq in rb_vm_push_frame_fname()

	Previously, vm_make_env_each() (used during proc
	creation and for the debug inspector C API) picked up the
	non-GC-allocated iseq that rb_vm_push_frame_fname() creates,
	which led to a SEGV when the GC tried to mark the non GC object.

	Put a real iseq imemo instead. Speed should be about the same since
	the old code also did a imemo allocation and a malloc allocation.

	Real iseq allows ironing out the special-casing of dummy frames in
	rb_execution_context_mark() and rb_execution_context_update(). A check
	is added to RubyVM::ISeq#eval, though, to stop attempts to run dummy
	iseqs.

	[Bug #21180]

	Co-authored-by: Aaron Patterson <tenderlove@ruby-lang.org>







merge revision(s) f7059af50a31a4d27a04ace0beadb60616f3f971: [Backport #21046]
2025-03-08T08:23:15+00:00

nagachika
nagachika@ruby-lang.org

2025-03-08T08:23:15+00:00

8274b8193e0a047d1edfff603dd2436276f906c4

	Use no-inline version `rb_current_ec` on Arm64

	The TLS across .so issue seems related to Arm64, but not Darwin.





	Use no-inline version `rb_current_ec` on Arm64

	The TLS across .so issue seems related to Arm64, but not Darwin.







merge revision(s) 92dd9734a967c20e628c8f77c5ce700058dcd58c: [Backport #20950]
2025-01-15T01:54:19+00:00

Takashi Kokubun
takashikkbn@gmail.com

2025-01-15T01:54:19+00:00

299455be9966c0a31dabe00014a4b8fae5093a7d

	Fix use-after-free in ep in Proc#dup for ifunc procs

	[Bug #20950]

	ifunc proc has the ep allocated in the cfunc_proc_t which is the data of
	the TypedData object. If an ifunc proc is duplicated, the ep points to
	the ep of the source object. If the source object is freed, then the ep
	of the duplicated object now points to a freed memory region. If we try
	to use the ep we could crash.

	For example, the following script crashes:

	    p = { a: 1 }.to_proc
	    100.times do
	      p = p.dup
	      GC.start
	      p.call
	    rescue ArgumentError
	    end

	This commit changes ifunc proc to also duplicate the ep when it is duplicated.





	Fix use-after-free in ep in Proc#dup for ifunc procs

	[Bug #20950]

	ifunc proc has the ep allocated in the cfunc_proc_t which is the data of
	the TypedData object. If an ifunc proc is duplicated, the ep points to
	the ep of the source object. If the source object is freed, then the ep
	of the duplicated object now points to a freed memory region. If we try
	to use the ep we could crash.

	For example, the following script crashes:

	    p = { a: 1 }.to_proc
	    100.times do
	      p = p.dup
	      GC.start
	      p.call
	    rescue ArgumentError
	    end

	This commit changes ifunc proc to also duplicate the ep when it is duplicated.







Make `rb_ec_set_vm_stack` conformant to the C++11 requirement
2024-11-20T01:18:27+00:00

Nobuyoshi Nakada
nobu@ruby-lang.org

2024-11-17T10:56:02+00:00

792826d5f4b77adf571d20b8752f5d93a1848092

Https://learn.microsoft.com/en-us/cpp/build/reference/zc-inline-remove-unreferenced-comdat?view=msvc-140
> If `/Zc:inline` is specified, the compiler enforces the C++11
> requirement that all functions declared inline must have a definition
> available in the same translation unit if they're used.





Https://learn.microsoft.com/en-us/cpp/build/reference/zc-inline-remove-unreferenced-comdat?view=msvc-140
> If `/Zc:inline` is specified, the compiler enforces the C++11
> requirement that all functions declared inline must have a definition
> available in the same translation unit if they're used.







merge revision(s) 081ee3d35509110f383cb7dd8d1205def0cdd1e8,1c97abaabae6844c861705fd07f532292dcffa74: [Backport #19907] (#10315)
2024-03-21T02:23:21+00:00

NARUSE, Yui
nurse@users.noreply.github.com

2024-03-21T02:23:21+00:00

57a0afe2090b8d05673d650b1e8bf9ae67449b1f

Add memory leak test for eval kwargs

	De-dup identical callinfo objects

	Previously every call to vm_ci_new (when the CI was not packable) would
	result in a different callinfo being returned this meant that every
	kwarg callsite had its own CI.

	When calling, different CIs result in different CCs. These CIs and CCs
	both end up persisted on the T_CLASS inside cc_tbl. So in an eval loop
	this resulted in a memory leak of both types of object. This also likely
	resulted in extra memory used, and extra time searching, in non-eval
	cases.

	For simplicity in this commit I always allocate a CI object inside
	rb_vm_ci_lookup, but ideally we would lazily allocate it only when
	needed. I hope to do that as a follow up in the future.




Add memory leak test for eval kwargs

	De-dup identical callinfo objects

	Previously every call to vm_ci_new (when the CI was not packable) would
	result in a different callinfo being returned this meant that every
	kwarg callsite had its own CI.

	When calling, different CIs result in different CCs. These CIs and CCs
	both end up persisted on the T_CLASS inside cc_tbl. So in an eval loop
	this resulted in a memory leak of both types of object. This also likely
	resulted in extra memory used, and extra time searching, in non-eval
	cases.

	For simplicity in this commit I always allocate a CI object inside
	rb_vm_ci_lookup, but ideally we would lazily allocate it only when
	needed. I hope to do that as a follow up in the future.






FREE_AT_EXIT: Don't free main stack post-fork
2023-12-23T02:07:22+00:00

John Hawthorn
john@hawthorn.email

2023-12-22T20:15:22+00:00

f1b7424cbed00a27532a053949f524eaaf4be1ba

When a forked process was started in a thread, this would result in a
double-free during the child process exit.

    RUBY_FREE_AT_EXIT=1 ./miniruby -e 'Thread.new { fork { } }.join; Process.waitpid'

This is because the main thread in the forked process was not the
initial VM thread, and the new thread's stack was freed as part of
objectspace iteration.

This change also allows rb_threadptr_root_fiber_release to run without
EC being available.





When a forked process was started in a thread, this would result in a
double-free during the child process exit.

    RUBY_FREE_AT_EXIT=1 ./miniruby -e 'Thread.new { fork { } }.join; Process.waitpid'

This is because the main thread in the forked process was not the
initial VM thread, and the new thread's stack was freed as part of
objectspace iteration.

This change also allows rb_threadptr_root_fiber_release to run without
EC being available.







Free default_rand_key after freeing Ractors
2023-12-23T02:07:22+00:00

John Hawthorn
john@hawthorn.email

2023-12-22T20:15:07+00:00

339978ef3869acb2ff877451381a80ee4b548bfb

Ractor's free iterates through its TLS keys so we need to keep this
memory available until after Ractors are freed.

Minimal reproduction:

    RUBY_FREE_AT_EXIT=1 ./miniruby -e rand





Ractor's free iterates through its TLS keys so we need to keep this
memory available until after Ractors are freed.

Minimal reproduction:

    RUBY_FREE_AT_EXIT=1 ./miniruby -e rand







Correct free_on_exit env var to free_at_exit
2023-12-20T05:36:32+00:00

HParker
HParker@github.com

2023-12-20T05:12:18+00:00

7ef90b3978dad057ad6360a94d2d64e8ca5e9c38