Fix crash when allocating classes with newobj hook

We need to zero out the whole slot when running the newobj hook for a newly allocated class because the slot could be filled with garbage, which would cause a crash if a GC runs inside of the newobj hook. For example, the following script crashes: ``` require "objspace" GC.stress = true ObjectSpace.trace_object_allocations { 100.times do Class.new end } ``` [Bug #19482]
author: Peter Zhu <peter@peterzhu.ca> 2023-03-07 09:50:30 -0500
committer: Peter Zhu <peter@peterzhu.ca> 2023-03-08 08:47:18 -0500
commit: e1bd45624c85e8a80991bda20801f50967ac77a1 (patch)
tree: 5ddb643dc47a1e63f44dd331fcd0c06caaa4ca84 /gc.c
parent: bead4bce3b4544cb61b3c05c11204a377e20cdfa (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/gc.c b/gc.c
index e4b2cfe44c..31a5788297 100644
--- a/gc.c
+++ b/gc.c
@@ -2834,6 +2834,12 @@ newobj_alloc(rb_objspace_t *objspace, rb_ractor_t *cr, size_t size_pool_idx, boo
     return obj;
 }
 
+static void
+newobj_zero_slot(VALUE obj)
+{
+    memset((char *)obj + sizeof(struct RBasic), 0, rb_gc_obj_slot_size(obj) - sizeof(struct RBasic));
+}
+
 ALWAYS_INLINE(static VALUE newobj_slowpath(VALUE klass, VALUE flags, rb_objspace_t *objspace, rb_ractor_t *cr, int wb_protected, size_t size_pool_idx));
 
 static inline VALUE
@@ -2864,7 +2870,7 @@ newobj_slowpath(VALUE klass, VALUE flags, rb_objspace_t *objspace, rb_ractor_t *
 #endif
         newobj_init(klass, flags, wb_protected, objspace, obj);
 
-        gc_event_hook_prep(objspace, RUBY_INTERNAL_EVENT_NEWOBJ, obj, newobj_fill(obj, 0, 0, 0));
+        gc_event_hook_prep(objspace, RUBY_INTERNAL_EVENT_NEWOBJ, obj, newobj_zero_slot(obj));
     }
     RB_VM_LOCK_LEAVE_CR_LEV(cr, &lev);
author	Peter Zhu <peter@peterzhu.ca>	2023-03-07 09:50:30 -0500
committer	Peter Zhu <peter@peterzhu.ca>	2023-03-08 08:47:18 -0500
commit	e1bd45624c85e8a80991bda20801f50967ac77a1 (patch)
tree	5ddb643dc47a1e63f44dd331fcd0c06caaa4ca84 /gc.c
parent	bead4bce3b4544cb61b3c05c11204a377e20cdfa (diff)