author | nagachika <nagachika@ruby-lang.org> | 2022-09-25 13:00:25 +0900 |
---|---|---|
committer | nagachika <nagachika@ruby-lang.org> | 2022-09-25 13:00:25 +0900 |
commit | c356c31f77b2d7c7c7f40f5b19dbb0961ea5f803 (patch) | |
tree | c6bb5c4ec48cbef96cfea3a3e58366fcc71e3631 /gc.c | |
parent | 13ee4b2c35bad0f893d5ed5a6fdca62da406f958 (diff) |
merge revision(s) 86d061294d3cc1656e18d0e1fd4b4f290da16944: [Backport #18928]
[Bug #18928] Fix crash in WeakMap
In wmap_live_p, if is_pointer_to_heap returns false, then the page is
either in the tomb or has already been freed, so the object is dead. In
this case, wmap_live_p should return false.
---
gc.c | 21 +++++++++++----------
1 file changed, 11 insertions(+), 10 deletions(-)
Diffstat (limited to 'gc.c')
-rw-r--r-- | gc.c | 21 |
1 files changed, 11 insertions, 10 deletions
@@ -12035,20 +12035,21 @@ static int
 wmap_live_p(rb_objspace_t *objspace, VALUE obj)
 {
 if (SPECIAL_CONST_P(obj)) return TRUE;
- if (is_pointer_to_heap(objspace, (void *)obj)) {
- void *poisoned = asan_unpoison_object_temporary(obj);
+ /* If is_pointer_to_heap returns false, the page could be in the tomb heap
+ * or have already been freed. */
+ if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;
 
- enum ruby_value_type t = BUILTIN_TYPE(obj);
- int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
- is_live_object(objspace, obj));
+ void *poisoned = asan_unpoison_object_temporary(obj);
 
- if (poisoned) {
- asan_poison_object(obj);
- }
+ enum ruby_value_type t = BUILTIN_TYPE(obj);
+ int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
+ is_live_object(objspace, obj));
 
- return ret;
+ if (poisoned) {
+ asan_poison_object(obj);
 }
- return TRUE;
+
+ return ret;
 }
 
 static int |
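Review bot: The comment above the new `if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;` guard gives the cause (tomb heap or freed page) but stops short of the conclusion the commit message draws, that the object is therefore dead and must not be reported live. It also does not say that the guard has to stay ahead of `asan_unpoison_object_temporary(obj)` and `BUILTIN_TYPE(obj)`, which operate on the object's memory. Since that early return is what keeps a stale `VALUE` from being treated as live, I would spell it out, e.g. `/* Must precede any access to obj: if is_pointer_to_heap is false the page is in the tomb heap or already freed, so obj is dead; report it as not live. */`. The function's `static int` return-type line sits in the hunk header rather than in the hunk itself; the rest of the body is fully visible here.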