`$SAFE` as a process global state. [Feature #14250]

* vm_core.h (rb_vm_t): move `rb_execution_context_t::safe_level` to
  `rb_vm_t::safe_level_` because `$SAFE` is a process (VM) global state.

* vm_core.h (rb_proc_t): remove `rb_proc_t::safe_level` because `Proc`
  objects don't need to keep `$SAFE` at the creation.
  Also make `is_from_method` and `is_lambda` as 1 bit fields.

* cont.c (cont_restore_thread): no need to keep `$SAFE` for Continuation.

* eval.c (ruby_cleanup): use `rb_set_safe_level_force()` instead of access
  `vm->safe_level_` directly.

* eval_jump.c: End procs `END{}` doesn't keep `$SAFE`.

* proc.c (proc_dup): removed and introduce `rb_proc_dup` in vm.c.

* safe.c (rb_set_safe_level): don't check `$SAFE` 1 -> 0 changes.

* safe.c (safe_setter): use `rb_set_safe_level()`.

* thread.c (rb_thread_safe_level): `Thread#safe_level` returns `$SAFE`.
  It should be obsolete.

* transcode.c (load_transcoder_entry): `rb_safe_level()` only returns
  0 or 1 so that this check is not needed.

* vm.c (vm_proc_create_from_captured): don't need to keep `$SAFE` for Proc.

* vm.c (rb_proc_create): renamed to `proc_create`.

* vm.c (rb_proc_dup): moved from proc.c.

* vm.c (vm_invoke_proc): do not need to set and restore `$SAFE`
  for `Proc#call`.

* vm_eval.c (rb_eval_cmd): rename a local variable to represent clearer
  meaning.

* lib/drb/drb.rb: restore `$SAFE`.

* lib/erb.rb: restore `$SAFE`, too.

* test/lib/leakchecker.rb: check `$SAFE == 0` at the end of tests.

* test/rubygems/test_gem.rb: do not set `$SAFE = 1`.

* bootstraptest/test_proc.rb: catch up this change.

* spec/ruby/optional/capi/string_spec.rb: ditto.

* test/bigdecimal/test_bigdecimal.rb: ditto.

* test/fiddle/test_func.rb: ditto.

* test/fiddle/test_handle.rb: ditto.

* test/net/imap/test_imap_response_parser.rb: ditto.

* test/pathname/test_pathname.rb: ditto.

* test/readline/test_readline.rb: ditto.

* test/ruby/test_file.rb: ditto.

* test/ruby/test_optimization.rb: ditto.

* test/ruby/test_proc.rb: ditto.

* test/ruby/test_require.rb: ditto.

* test/ruby/test_thread.rb: ditto.

* test/rubygems/test_gem_specification.rb: ditto.

* test/test_tempfile.rb: ditto.

* test/test_tmpdir.rb: ditto.

* test/win32ole/test_win32ole.rb: ditto.

* test/win32ole/test_win32ole_event.rb: ditto.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61510 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

18 files changed, 61 insertions, 13 deletions

diff --git a/test/bigdecimal/test_bigdecimal.rb b/test/bigdecimal/test_bigdecimal.rb
index 595783c63d..bb9ec92481 100644
--- a/test/bigdecimal/test_bigdecimal.rb
+++ b/test/bigdecimal/test_bigdecimal.rb
@@ -125,6 +125,8 @@ class TestBigDecimal < Test::Unit::TestCase
       $SAFE = 1
       BigDecimal('1'.taint)
     }.join
+  ensure
+    $SAFE = 0
   end
 
   def test_s_ver
@@ -195,6 +197,8 @@ class TestBigDecimal < Test::Unit::TestCase
       $SAFE = 1
       BigDecimal('1'.taint)
     }.join
+  ensure
+    $SAFE = 0
   end
 
   def _test_mode(type)
diff --git a/test/fiddle/test_func.rb b/test/fiddle/test_func.rb
index 8c35833a32..d170c59a75 100644
--- a/test/fiddle/test_func.rb
+++ b/test/fiddle/test_func.rb
@@ -19,6 +19,8 @@ module Fiddle
           f.call("uname -rs".dup.taint)
         end
       }.join
+    ensure
+      $SAFE = 0
     end
 
     def test_sinf
diff --git a/test/fiddle/test_handle.rb b/test/fiddle/test_handle.rb
index 77559eb4d9..c0fac39908 100644
--- a/test/fiddle/test_handle.rb
+++ b/test/fiddle/test_handle.rb
@@ -15,6 +15,8 @@ module Fiddle
           Fiddle::Handle.new(LIBC_SO.dup.taint)
         }
       end.join
+    ensure
+      $SAFE = 0
     end
 
     def test_safe_function_lookup
@@ -25,6 +27,8 @@ module Fiddle
           h["qsort".dup.taint]
         }
       end.join
+    ensure
+      $SAFE = 0
     end
 
     def test_to_i
diff --git a/test/lib/leakchecker.rb b/test/lib/leakchecker.rb
index d236b7d7f0..dbe6f5cdbb 100644
--- a/test/lib/leakchecker.rb
+++ b/test/lib/leakchecker.rb
@@ -15,10 +15,15 @@ class LeakChecker
       check_tempfile_leak(test_name),
       check_env(test_name),
       check_encodings(test_name),
+      check_safe(test_name),
     ]
     GC.start if leaks.any?
   end
 
+  def check_safe test_name
+    puts "#{test_name}: $SAFE == #{$SAFE}" unless $SAFE == 0
+  end
+
   def find_fds
     if IO.respond_to?(:console) and (m = IO.method(:console)).arity.nonzero?
       m[:close]
diff --git a/test/net/imap/test_imap_response_parser.rb b/test/net/imap/test_imap_response_parser.rb
index 12c8a27017..ed31a03f5a 100644
--- a/test/net/imap/test_imap_response_parser.rb
+++ b/test/net/imap/test_imap_response_parser.rb
@@ -29,6 +29,8 @@ class IMAPResponseParserTest < Test::Unit::TestCase
 EOF
     }.call
     assert_equal [:Haschildren], response.data.attr
+  ensure
+    $SAFE = 0
   end
 
   def test_flag_list_too_many_flags
diff --git a/test/pathname/test_pathname.rb b/test/pathname/test_pathname.rb
index ad104d06df..5000904216 100644
--- a/test/pathname/test_pathname.rb
+++ b/test/pathname/test_pathname.rb
@@ -1411,6 +1411,8 @@ class TestPathname < Test::Unit::TestCase
       $SAFE = 1
       assert_equal("foo/bar", File.join(Pathname.new("foo"), Pathname.new("bar").taint))
     }.call
+  ensure
+    $SAFE = 0
   end
 
   def test_relative_path_from_casefold
diff --git a/test/readline/test_readline.rb b/test/readline/test_readline.rb
index 68c1ff7312..ce85935e9d 100644
--- a/test/readline/test_readline.rb
+++ b/test/readline/test_readline.rb
@@ -53,6 +53,8 @@ class TestReadline < Test::Unit::TestCase
             end
           end
         }.join
+      ensure
+        $SAFE = 0
       end
     end
 
diff --git a/test/ruby/test_file.rb b/test/ruby/test_file.rb
index 2aa145a303..9f09ac6fd1 100644
--- a/test/ruby/test_file.rb
+++ b/test/ruby/test_file.rb
@@ -465,6 +465,8 @@ class TestFile < Test::Unit::TestCase
     (0..1).each do |level|
       assert_nothing_raised(SecurityError, bug5374) {in_safe[level]}
     end
+  ensure
+    $SAFE = 0
   end
 
   if /(bcc|ms|cyg)win|mingw|emx/ =~ RUBY_PLATFORM
diff --git a/test/ruby/test_optimization.rb b/test/ruby/test_optimization.rb
index 11cf1ffbfb..dc542b644e 100644
--- a/test/ruby/test_optimization.rb
+++ b/test/ruby/test_optimization.rb
@@ -677,7 +677,7 @@ class TestRubyOptimization < Test::Unit::TestCase
         $SAFE = 1
         b.call
       end
-      assert_equal 0, foo{$SAFE}
+      assert_equal 1, foo{$SAFE}
     END
   end
 
diff --git a/test/ruby/test_proc.rb b/test/ruby/test_proc.rb
index 1a1ca24228..1607baf067 100644
--- a/test/ruby/test_proc.rb
+++ b/test/ruby/test_proc.rb
@@ -160,26 +160,34 @@ class TestProc < Test::Unit::TestCase
       $SAFE += 1
       proc {$SAFE}
     }.call
-    assert_equal(safe, $SAFE)
+
+    assert_equal(safe + 1, $SAFE)
     assert_equal(safe + 1, p.call)
-    assert_equal(safe, $SAFE)
+    assert_equal(safe + 1, $SAFE)
 
+    $SAFE = 0
     c.class_eval {define_method(:safe, p)}
     assert_equal(safe, x.safe)
-    assert_equal(safe, x.method(:safe).call)
-    assert_equal(safe, x.method(:safe).to_proc.call)
 
+    $SAFE = 0
     p = proc {$SAFE += 1}
     assert_equal(safe + 1, p.call)
-    assert_equal(safe, $SAFE)
+    assert_equal(safe + 1, $SAFE)
 
+    $SAFE = 0
     c.class_eval {define_method(:inc, p)}
     assert_equal(safe + 1, proc {x.inc; $SAFE}.call)
-    assert_equal(safe, $SAFE)
+    assert_equal(safe + 1, $SAFE)
+
+    $SAFE = 0
     assert_equal(safe + 1, proc {x.method(:inc).call; $SAFE}.call)
-    assert_equal(safe, $SAFE)
+    assert_equal(safe + 1, $SAFE)
+
+    $SAFE = 0
     assert_equal(safe + 1, proc {x.method(:inc).to_proc.call; $SAFE}.call)
-    assert_equal(safe, $SAFE)
+    assert_equal(safe + 1, $SAFE)
+  ensure
+    $SAFE = 0
   end
 
   def m2
diff --git a/test/ruby/test_require.rb b/test/ruby/test_require.rb
index 28cf686a26..af8e6e30fa 100644
--- a/test/ruby/test_require.rb
+++ b/test/ruby/test_require.rb
@@ -112,6 +112,8 @@ class TestRequire < Test::Unit::TestCase
       proc do |require_path|
         $SAFE = 1
         require(require_path)
+      ensure
+        $SAFE = 0
       end
     end
 
diff --git a/test/ruby/test_thread.rb b/test/ruby/test_thread.rb
index 591292962d..cf3eefa25f 100644
--- a/test/ruby/test_thread.rb
+++ b/test/ruby/test_thread.rb
@@ -505,10 +505,10 @@ class TestThread < Test::Unit::TestCase
       sleep
     end
     Thread.pass until ok
-    assert_equal(0, Thread.current.safe_level)
-    assert_equal(1, t.safe_level)
-
+    assert_equal($SAFE, Thread.current.safe_level)
+    assert_equal($SAFE, t.safe_level)
   ensure
+    $SAFE = 0
     t.kill if t
   end
 
diff --git a/test/rubygems/test_gem.rb b/test/rubygems/test_gem.rb
index 8a11cc2ecf..315aea020f 100644
--- a/test/rubygems/test_gem.rb
+++ b/test/rubygems/test_gem.rb
@@ -7,7 +7,7 @@ require 'pathname'
 require 'tmpdir'
 
 # TODO: push this up to test_case.rb once battle tested
-$SAFE=1
+
 $LOAD_PATH.map! do |path|
   path.dup.untaint
 end
diff --git a/test/rubygems/test_gem_specification.rb b/test/rubygems/test_gem_specification.rb
index bb6acbc7de..ab3a7399af 100644
--- a/test/rubygems/test_gem_specification.rb
+++ b/test/rubygems/test_gem_specification.rb
@@ -948,6 +948,9 @@ dependencies: []
     @a2.files.clear
 
     assert_equal @a2, spec
+
+  ensure
+    $SAFE = 0
   end
 
   def test_self_load_escape_curly
diff --git a/test/test_tempfile.rb b/test/test_tempfile.rb
index 465ce42e36..63f5468638 100644
--- a/test/test_tempfile.rb
+++ b/test/test_tempfile.rb
@@ -38,6 +38,8 @@ class TestTempfile < Test::Unit::TestCase
     assert_nothing_raised(SecurityError, bug3733) {
       proc {$SAFE = 1; File.expand_path(Dir.tmpdir)}.call
     }
+  ensure
+    $SAFE = 0
   end
 
   def test_saves_in_given_directory
diff --git a/test/test_tmpdir.rb b/test/test_tmpdir.rb
index 691d52f3cb..07c7ddc736 100644
--- a/test/test_tmpdir.rb
+++ b/test/test_tmpdir.rb
@@ -20,6 +20,8 @@ class TestTmpdir < Test::Unit::TestCase
       tmpdir << "foo"
       assert_equal(tmpdir_org, Dir.tmpdir)
     }.join
+  ensure
+    $SAFE = 0
   end
 
   def test_world_writable
diff --git a/test/win32ole/test_win32ole.rb b/test/win32ole/test_win32ole.rb
index 92e97a7c6d..adc7c9c83a 100644
--- a/test/win32ole/test_win32ole.rb
+++ b/test/win32ole/test_win32ole.rb
@@ -188,6 +188,8 @@ if defined?(WIN32OLE)
         th.join
       }
       assert_match(/insecure object creation - `Scripting.Dictionary'/, exc.message)
+    ensure
+      $SAFE = 0
     end
 
     def test_s_new_exc_host_tainted
@@ -203,6 +205,8 @@ if defined?(WIN32OLE)
         th.join
       }
       assert_match(/insecure object creation - `localhost'/, exc.message)
+    ensure
+      $SAFE = 0
     end
 
     def test_s_new_DCOM
@@ -242,6 +246,8 @@ if defined?(WIN32OLE)
         th.join
       }
       assert_match(/insecure connection - `winmgmts:'/, exc.message)
+    ensure
+      $SAFE = 0
     end
 
     def test_invoke_accept_symbol_hash_key
diff --git a/test/win32ole/test_win32ole_event.rb b/test/win32ole/test_win32ole_event.rb
index 02bbeee321..eef4ec1820 100644
--- a/test/win32ole/test_win32ole_event.rb
+++ b/test/win32ole/test_win32ole_event.rb
@@ -395,6 +395,8 @@ if defined?(WIN32OLE_EVENT)
           th.join
         }
         assert_match(/insecure event creation - `ConnectionEvents'/, exc.message)
+      ensure
+        $SAFE = 0
       end
     end
   end