Bug #12988
Calling `inspect` sometimes causes a segv
Status: closed
Description
`rb_obj_inspect` calls `rb_ivar_count` to find the number of instance variables on an object. `rb_ivar_count` uses `tbl->num_entries` on the instance variable index table to determine how far into the instance variable array it should read. Since the instance variable index table is shared, it may increase in size, but the instance variable array will not.
For example:

```ruby
class A
  def initialize
    @a = nil
    @b = nil
    @c = nil
    @d = nil
    @e = nil
  end
end

x = A.new
y = x.clone   # x and y now share the same IV index table

# Grow the shared index table through x; y's ivar array keeps its old size
100.times { |z| x.instance_variable_set(:"@foo#{z}", nil) }

puts y.inspect
```
`x` and `y` share an IV index table. Calling `instance_variable_set` on `x` will increase the size of the IV index table. When `y.inspect` is called, the table size is larger than the `ROBJECT_IVPTR` array for that instance. This means that sometimes calling `inspect` can segv as it may read memory it shouldn't.
I've attached a patch that fixes this by using the length of the array rather than the size of the IV index table.
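Because the out-of-bounds read only sometimes crashes, a regression check for this report should run the reproducer in a child process and classify how the child ended rather than trusting a single in-process run. The following harness is an added example, not part of the report or its patch; `reproduce` and `check_inspect_after_shared_table_growth` are names chosen here, and the reproducer is a constructed variant of the one above.

```ruby
# Added example (not from the bug report): run the reproducer in a forked
# child so a crash inside `inspect` shows up as a terminating signal instead
# of taking down the caller.

# Constructed reproducer modelled on the report: an object and its clone
# share an ivar index table, then only the original grows that table.
def reproduce(extra_ivars)
  klass = Class.new do
    def initialize
      @a = nil; @b = nil; @c = nil; @d = nil; @e = nil
    end
  end
  x = klass.new
  y = x.clone
  extra_ivars.times { |z| x.instance_variable_set(:"@foo#{z}", nil) }
  y.inspect # clone's ivar array is shorter than the shared index table
end

# Runs reproduce() `rounds` times in a child and reports the outcome:
#   :ok                -> child finished normally
#   [:signal, signo]   -> child was killed by a signal (a crashed Ruby
#                         usually prints its bug report, then dies by SIGABRT)
#   [:exit, status]    -> child exited with a non-zero status
def check_inspect_after_shared_table_growth(extra_ivars = 100, rounds = 20)
  pid = fork do
    rounds.times { reproduce(extra_ivars) }
    exit!(0) # skip at_exit handlers; report only what the loop did
  end
  _, status = Process.wait2(pid)
  if status.signaled?
    [:signal, status.termsig]
  elsif status.exitstatus == 0
    :ok
  else
    [:exit, status.exitstatus]
  end
end

if __FILE__ == $0
  puts "inspect after shared IV table growth: " \
       "#{check_inspect_after_shared_table_growth.inspect}"
end
```

On an interpreter carrying the fix the result is `:ok`; anything else is worth investigating even if the crash is not reproducible on every run.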