ruby-changes:66981

From: Alan <ko1@a...>
Date: Fri, 30 Jul 2021 01:04:53 +0900 (JST)
Subject: [ruby-changes:66981] cbecf9c7ba (master): Fix use-after-free on -DUSE_EMBED_CI=0

https://git.ruby-lang.org/ruby.git/commit/?id=cbecf9c7ba

From cbecf9c7ba71ef0e844c72c97f85ce4fffb46aa6 Mon Sep 17 00:00:00 2001
From: Alan Wu <XrXr@u...>
Date: Thu, 29 Jul 2021 12:04:36 -0400
Subject: Fix use-after-free on -DUSE_EMBED_CI=0

On -DUSE_EMBED_CI=0, there are more GC allocations and the old code
didn't keep old_operands[0] reachable while allocating. On a Debian
based system, I get a crash requiring erb under GC stress mode. On
macOS, tool/transcode-tblgen.rb runs incorrectly if I put GC.stress=true
as the first line.
---
 compile.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/compile.c b/compile.c
index 38a96f1..6695a02 100644
--- a/compile.c
+++ b/compile.c
@@ -3443,11 +3443,11 @@ insn_set_specialized_instruction(rb_iseq_t *iseq, INSN *iobj, int insn_id) https://github.com/ruby/ruby/blob/trunk/compile.c#L3443
     iobj->operand_size = insn_len(insn_id) - 1;
 
     if (insn_id == BIN(opt_neq)) {
-	VALUE *old_operands = iobj->operands;
+        VALUE original_ci = iobj->operands[0];
         iobj->operand_size = 2;
         iobj->operands = compile_data_calloc2(iseq, iobj->operand_size, sizeof(VALUE));
         iobj->operands[0] = (VALUE)new_callinfo(iseq, idEq, 1, 0, NULL, FALSE);
-        iobj->operands[1] = old_operands[0];
+        iobj->operands[1] = original_ci;
     }
 
     return COMPILE_OK;
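Review bot: the fix relies on `original_ci` being a local `VALUE` on the C stack, which Ruby's conservative GC scans, so the old callinfo stays reachable while `new_callinfo()` allocates; nothing in the hunk says so, and a later refactor that reads the value back out of arena memory (as `old_operands[0]` did, via a pointer obtained from `compile_data_calloc2`-managed storage that the GC never marks) would silently reintroduce the use-after-free on -DUSE_EMBED_CI=0. Suggest a one-line comment above `VALUE original_ci = iobj->operands[0];`, e.g. `/* keep the old callinfo on the stack so GC sees it while new_callinfo() allocates */`, so the reason for copying the VALUE rather than the pointer is recorded at the site. Indentation is also corrected here (the removed line used a tab where the surrounding block uses spaces), which is fine but worth a mention in the commit message so reviewers do not mistake the whitespace change for part of the fix.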
-- 
cgit v1.1


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/