author | Peter Zhu <peter@peterzhu.ca> | 2022-07-19 15:51:39 -0400 |
---|---|---|
committer | Peter Zhu <peter@peterzhu.ca> | 2022-07-20 08:40:31 -0400 |
commit | 86d061294d3cc1656e18d0e1fd4b4f290da16944 (patch) | |
tree | 1703edb95b0fd73de6c18841c664efb21f3e997f /gc.c | |
parent | fa5724cca97a22006c64bb382c3894e608c63c9e (diff) |
[Bug #18928] Fix crash in WeakMap
In wmap_live_p, if is_pointer_to_heap returns false, then the page is
either in the tomb or has already been freed, so the object is dead. In
this case, wmap_live_p should return false.
Notes
Notes:
Merged: https://github.com/ruby/ruby/pull/6152
Diffstat (limited to 'gc.c')
-rw-r--r-- | gc.c | 21 |
1 files changed, 11 insertions, 10 deletions
@@ -12706,20 +12706,21 @@ static int
 wmap_live_p(rb_objspace_t *objspace, VALUE obj)
 {
 if (SPECIAL_CONST_P(obj)) return TRUE;
- if (is_pointer_to_heap(objspace, (void *)obj)) {
- void *poisoned = asan_unpoison_object_temporary(obj);
+ /* If is_pointer_to_heap returns false, the page could be in the tomb heap
+ * or have already been freed. */
+ if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;
 
- enum ruby_value_type t = BUILTIN_TYPE(obj);
- int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
- is_live_object(objspace, obj));
+ void *poisoned = asan_unpoison_object_temporary(obj);
 
- if (poisoned) {
- asan_poison_object(obj);
- }
+ enum ruby_value_type t = BUILTIN_TYPE(obj);
+ int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
+ is_live_object(objspace, obj));
 
- return ret;
+ if (poisoned) {
+ asan_poison_object(obj);
 }
- return TRUE;
+
+ return ret;
 }
 
 static int |
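Review bot: The new comment above the `is_pointer_to_heap` guard says where the page may be, but not what the function concludes from that, nor that the guard's position matters. `BUILTIN_TYPE(obj)` and `is_live_object()` further down read from the object, so this early return is what keeps `wmap_live_p` from touching memory on a tomb or freed page. I would extend the comment to something like `/* ... or have already been freed, so the object is dead. Keep this check ahead of BUILTIN_TYPE(obj), which reads the object. */` so a later refactor does not move the read above it. The callers of `wmap_live_p` are outside this hunk; since the not-in-heap case flips from `TRUE` to `FALSE`, it is worth confirming each one treats `FALSE` as "drop the entry" and does not go on to use `obj`.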