ruby-changes:51153
From: k0kubun <ko1@a...>
Date: Wed, 9 May 2018 00:06:17 +0900 (JST)
Subject: [ruby-changes:51153] k0kubun:r63360 (trunk): _mjit_compile_pc_and_sp.erb: make sure no uninitialized
k0kubun	2018-05-09 00:06:11 +0900 (Wed, 09 May 2018)

  New Revision: 63360

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=63360

  Log:
    _mjit_compile_pc_and_sp.erb: make sure no uninitialized

    area on VM stack to prevent SEGV on GC. GC may mark every value in VM stack.

    Unfortunately I couldn't write a test for it... So let me explain the situation.

    SEGV example: https://gist.github.com/k0kubun/c7cea2b5761ffdff29ec79ea1a8f7f91

    ```
    $ ruby --dump=insns -e 'def oct(num, len); "%0#{len}o" % num; end'
    == disasm: #<ISeq:oct@-e:1 (1,0)-(1,41)> (catch: FALSE)
    local table (size: 2, argc: 2 [opts: 0, rest: -1, post: 0, block: -1, kw: -1@-1, kwrest: -1])
    [ 2] num@0<Arg>  [ 1] len@1<Arg>
    0000 putobject                    "%0"                             (   1)[LiCa]
    0002 getlocal_WC_0                len@1
    0004 dup
    0005 checktype                    T_STRING
    0007 branchif                     14
    0009 dup
    0010 opt_send_without_block       <callinfo!mid:to_s, argc:0, FCALL|ARGS_SIMPLE>, <callcache>
    0013 tostring
    0014 putobject                    "o"
    0016 concatstrings                3
    0018 getlocal_WC_0                num@0
    0020 opt_mod                      <callinfo!mid:%, argc:1, ARGS_SIMPLE>, <callcache>
    0023 leave                                                         [Re]
    ```

    Prior to this commit, after arguments are pushed on 0010, stacks were:

    VM stack:  [uninitialized, uninitialized, len]
    JIT stack: ["%0", len, len]

    And then, when GC is invoked on 0016, VM stack will be [uninitialized, uninitialized]
    and those uninitialized values will be marked by GC.

    With this commit, after arguments are pushed on 0010, stacks will be:

    VM stack:  [len]
    JIT stack: ["%0", len, len]

    And VM stack will be [] on 0016.

  Modified files:
    trunk/tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb
Index: tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb
===================================================================
--- tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb	(revision 63359)
+++ tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb	(revision 63360)
@@ -20,12 +20,11 @@ https://github.com/ruby/ruby/blob/trunk/tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb#L20 % # sp motion is optimized away for `handles_frame? #=> false` case. % # Thus sp should be set properly before `goto cancel`. % if insn.handles_frame? - fprintf(f, " reg_cfp->sp = (VALUE *)reg_cfp->bp + stack_size + 1 - <%= insn.pops.size %>;\n"); /* POPN(INSN_ATTR(popn)); */ -% % # JIT-only behavior (pushing JIT's local variables to VM's stack): { rb_snum_t i, push_size; push_size = -<%= insn.call_attribute('sp_inc') %> + <%= insn.rets.size %> - <%= insn.pops.size %>; + fprintf(f, " reg_cfp->sp = (VALUE *)reg_cfp->bp + %ld + 1;\n", push_size); /* POPN(INSN_ATTR(popn)); */ for (i = 0; i < push_size; i++) { /* TODO: use memcpy? */ fprintf(f, " *(reg_cfp->sp + %ld) = stack[%ld];\n", i - push_size, (rb_snum_t)b->stack_size - push_size + i); } -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
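Review bot: the `/* POPN(INSN_ATTR(popn)); */` comment carried over onto the new `reg_cfp->sp = (VALUE *)reg_cfp->bp + %ld + 1;` line no longer describes what that line does. sp is now placed exactly `push_size` slots above `bp + 1`, so the `for (i = 0; i < push_size; i++)` loop below fills every slot between `bp + 1` and `sp` and no uninitialized VALUE is left for GC to mark; the old line set sp relative to the full `stack_size` minus `pops.size`, which is what left the gap. The comment should state the new invariant (all VM stack slots below sp are initialized) instead of referring to POPN. The new computation also silently assumes `push_size >= 0`: if a `handles_frame?` instruction ever had `sp_inc` larger than `rets.size - pops.size`, the loop would copy nothing while sp would be set below `bp + 1`, which is the same class of silent stack corruption this commit fixes. A check in the generator, e.g. `if (push_size < 0) rb_bug("...")` before the `fprintf`, would turn that into a loud failure.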