diff options
author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-07 11:45:24 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2019-08-07 11:45:24 +0000 |
commit | f5930c87174c369eaad42523ffd0f3cb8ff15b8a (patch) | |
tree | 990b1ae441a12e0522672c1819c0ea75f311b57f /ext/-test- | |
parent | b405ad8ed489232ea6051d44695a57156eb2a5cc (diff) |
merge revision(s) 3f9562015e651735bfc2fdd14e8f6963b673e22a,c06ddfee878524168e4af07443217ed2f8d0954b,3b3b4a44e57dfe03ce3913009d69a33d6f6100be: [Backport #15792]
Get rid of indirect sharing
* string.c (str_duplicate): share the root shared string if the
original string is already sharing, so that all shared strings
refer the root shared string directly. indirect sharing can
cause a dangling pointer.
[Bug #15792]
str_duplicate: Don't share with a frozen shared string
This is a follow up for 3f9562015e651735bfc2fdd14e8f6963b673e22a.
Before this commit, it was possible to create a shared string which
shares with another shared string by passing a frozen shared string
to `str_duplicate`.
Such string looks like:
```
-------- -----------------
| root | ------ owns -----> | root's buffer |
-------- -----------------
^ ^ ^
----------- | |
| shared1 | ------ references ----- |
----------- |
^ |
----------- |
| shared2 | ------ references ---------
-----------
```
This is bad news because `rb_fstring(shared2)` can make `shared1`
independent, which severs the reference from `shared1` to `root`:
```c
/* from fstr_update_callback() */
str = str_new_frozen(rb_cString, shared2); /* can return shared1 */
if (STR_SHARED_P(str)) { /* shared1 is also a shared string */
str_make_independent(str); /* no frozen check */
}
```
If `shared1` was the only reference to `root`, then `root` can be
reclaimed by the GC, leaving `shared2` in a corrupted state:
```
----------- --------------------
| shared1 | -------- owns --------> | shared1's buffer |
----------- --------------------
^
|
----------- -------------------------
| shared2 | ------ references ----> | root's buffer (freed) |
----------- -------------------------
```
Here is a reproduction script for the situation this commit fixes.
```ruby
a = ('a' * 24).strip.freeze.strip
-a
p a
4.times { GC.start }
p a
```
- string.c (str_duplicate): always share with the root string when
the original is a shared string.
- test_rb_str_dup.rb: specifically test `rb_str_dup` to make
sure it does not try to share with a shared string.
[Bug #15792]
Closes: https://github.com/ruby/ruby/pull/2159
Update dependencies
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67731 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/-test-')
-rw-r--r-- | ext/-test-/string/depend | 11 | ||||
-rw-r--r-- | ext/-test-/string/rb_str_dup.c | 35 |
2 files changed, 46 insertions, 0 deletions
diff --git a/ext/-test-/string/depend b/ext/-test-/string/depend index 8e7ee2a55a..71e995a523 100644 --- a/ext/-test-/string/depend +++ b/ext/-test-/string/depend @@ -173,6 +173,17 @@ qsort.o: $(hdrdir)/ruby/subst.h qsort.o: $(hdrdir)/ruby/util.h qsort.o: $(top_srcdir)/include/ruby.h qsort.o: qsort.c +rb_str_dup.o: $(RUBY_EXTCONF_H) +rb_str_dup.o: $(arch_hdrdir)/ruby/config.h +rb_str_dup.o: $(hdrdir)/ruby.h +rb_str_dup.o: $(hdrdir)/ruby/backward.h +rb_str_dup.o: $(hdrdir)/ruby/defines.h +rb_str_dup.o: $(hdrdir)/ruby/intern.h +rb_str_dup.o: $(hdrdir)/ruby/missing.h +rb_str_dup.o: $(hdrdir)/ruby/ruby.h +rb_str_dup.o: $(hdrdir)/ruby/st.h +rb_str_dup.o: $(hdrdir)/ruby/subst.h +rb_str_dup.o: rb_str_dup.c set_len.o: $(RUBY_EXTCONF_H) set_len.o: $(arch_hdrdir)/ruby/config.h set_len.o: $(hdrdir)/ruby/backward.h diff --git a/ext/-test-/string/rb_str_dup.c b/ext/-test-/string/rb_str_dup.c new file mode 100644 index 0000000000..a0bd65820f --- /dev/null +++ b/ext/-test-/string/rb_str_dup.c @@ -0,0 +1,35 @@ +#include "ruby.h" + +VALUE rb_str_dup(VALUE str); + +static VALUE +bug_rb_str_dup(VALUE self, VALUE str) +{ + rb_check_type(str, T_STRING); + return rb_str_dup(str); +} + +static VALUE +bug_shared_string_p(VALUE self, VALUE str) +{ + rb_check_type(str, T_STRING); + return RB_FL_TEST(str, RUBY_ELTS_SHARED) && RB_FL_TEST(str, RSTRING_NOEMBED) ? Qtrue : Qfalse; +} + +static VALUE +bug_sharing_with_shared_p(VALUE self, VALUE str) +{ + rb_check_type(str, T_STRING); + if (bug_shared_string_p(self, str)) { + return bug_shared_string_p(self, RSTRING(str)->as.heap.aux.shared); + } + return Qfalse; +} + +void +Init_string_rb_str_dup(VALUE klass) +{ + rb_define_singleton_method(klass, "rb_str_dup", bug_rb_str_dup, 1); + rb_define_singleton_method(klass, "shared_string?", bug_shared_string_p, 1); + rb_define_singleton_method(klass, "sharing_with_shared?", bug_sharing_with_shared_p, 1); +} |