From f3abe5ba645839fb2a686aee18d3466b59256af0 Mon Sep 17 00:00:00 2001
From: "NARUSE, Yui" 
Date: Fri, 17 Mar 2023 13:40:04 +0900
Subject: merge revision(s) 0700d0fd1c77b4fddf803dea3c10be654df600ff,62c2082f1f726cb90d8c332fbedbecf41d5d82ec: [Backport #19469]
Fix indentation in vm_setivar_default
---
 vm_insnhelper.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
[Bug #19469] Fix crash when resizing generic iv list
The following script can sometimes trigger a crash:
```ruby
GC.stress = true
class Array
def foo(bool)
if bool
@a = 1
@b = 2
@c = 1
else
@c = 1
end
end
end
obj = []
obj.foo(true)
obj2 = []
obj2.foo(false)
obj3 = []
obj3.foo(true)
```
This is because vm_setivar_default calls rb_ensure_generic_iv_list_size to resize the iv list. However, the call to gen_ivtbl_resize reallocs the iv list, and then inserts into the generic iv table. If the st_insert triggers a GC then the old iv list will be read during marking, causing a use-after-free bug.
Co-Authored-By: Jemma Issroff
---
 internal/variable.h | 2 +-
 variable.c | 23 ++++++++++++++++++-----
 vm_insnhelper.c | 4 ++--
 3 files changed, 21 insertions(+), 8 deletions(-)
---
 internal/variable.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'internal/variable.h')
diff --git a/internal/variable.h b/internal/variable.h
index 3933279633..6dec6a6759 100644
--- a/internal/variable.h
+++ b/internal/variable.h
@@ -57,7 +57,7 @@ VALUE rb_gvar_defined(ID);
 void rb_const_warn_if_deprecated(const rb_const_entry_t *, VALUE, ID);
 rb_shape_t * rb_grow_iv_list(VALUE obj);
 void rb_ensure_iv_list_size(VALUE obj, uint32_t len, uint32_t newsize);
-struct gen_ivtbl * rb_ensure_generic_iv_list_size(VALUE obj, uint32_t newsize);
+struct gen_ivtbl *rb_ensure_generic_iv_list_size(VALUE obj, rb_shape_t *shape, uint32_t newsize);
 attr_index_t rb_obj_ivar_set(VALUE obj, ID id, VALUE val);
 MJIT_SYMBOL_EXPORT_END
-- cgit v1.2.3
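Review bot: The new prototype of rb_ensure_generic_iv_list_size gains an rb_shape_t *shape parameter but no comment says why the shape now travels with the resize, and the header is where callers in vm_insnhelper.c will look first. The commit message explains that the old sequence (realloc the list, then st_insert into the generic ivar table) let a GC triggered by the insert mark the freed list; a reader of this declaration should learn that the returned table is the one the caller must use and that the shape is applied as part of the same operation, if that is what the variable.c change (not shown on this page) does. Suggested comment above the declaration: `/* Resize obj's generic ivar list to newsize and record shape; the old list is released inside, so callers must only use the returned table ([Bug #19469]). */`. This declaration sits inside the MJIT_SYMBOL_EXPORT block that ends on the last context line, so the signature change is presumably visible to precompiled MJIT code and any prebuilt header mentioning the two-argument form would no longer match; worth confirming on the backport branch.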