Bug #19463
closed
YJIT `[BUG] Stack consistency error` under certain invalidation scenarios
Description
test.rb:19: [BUG] Stack consistency error (sp: 15, bp: 16)
With the following:
klass = Class.new do
def self.lookup(hash, key) = hash[key]
def self.foo(a, b) = []
def self.test(hash, key)
[lookup(hash, key), key, "".freeze]
# 05 opt_send_without_block :lookup
# 07 getlocal_WC_0 :hash
# 09 opt_str_freeze ""
# 12 newarray 3
# 14 leave
#
# YJIT will put instructions (07..14) into a block.
# When String#freeze is redefined from within lookup(),
# the return address to the block is still on-stack. We rely
# on invalidation patching the code at the return address
# to service this situation correctly.
end
end
# get YJIT to compile test()
hash = { 1 => [] }
31.times { klass.test(hash, 1) }
# inject invalidation into lookup()
evil_hash = Hash.new do |_, key|
class String
undef :freeze
def freeze = :ugokanai
end
key
end
p klass.test(evil_hash, 1)
The fix is fairly simple and I'll apply it shortly.
Updated by alanwu (Alan Wu) about 1 year ago
- Status changed from Open to Closed
Applied in changeset git|132934b82baad97107fe754d60f9a68a1db7ecda.
YJIT: Generate Block::entry_exit with block entry PC
Previously, when Block::entry_exit is requested from any instruction
that is not the first one in the block, we generated the exit with an
incorrect PC. We should always be using the PC for the entry of the
block for Block::entry_exit.
It was a simple typo. The bug was introduced while we were
refactoring to use the current backend. Later, we had a chance to spot
this issue while preparing to enable unused variable warnings, but
didn't spot the issue.
Fixes [Bug #19463]
Updated by nagachika (Tomoyuki Chikanaga) 10 months ago
- Backport changed from 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: REQUIRED to 2.7: DONTNEED, 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
ruby_3_2 0ba10fd8508b1a2bf7488649ee90622de9bef04a merged revision(s) 132934b82baad97107fe754d60f9a68a1db7ecda.