Bug #21441
closed
SEGV during thread cleanup if profiler calls thread_profiles_frames at wrong time
Description
During thread cleanup, if a ruby sampling profiler calls thread_profile_frames at just the wrong time, the ec's stack is cleared but the CFP still exists on the EC, so thread_profile_frames assumes it can walk the stack and crashes.
In rb_ec_clear_vm_stack, it should set cfp to NULL before clearing the stack. If during rc_ec_clear_vm_stack the process gets a signal and this thread handles it and calls thread_profile_frames, the early return check of if (!cfp) fails, it continues and crashes in this function.
Updated by luke-gru (Luke Gruber) about 1 month ago
I opened a PR here.
This may need to be backported.
Updated by Anonymous about 1 month ago
- Status changed from Open to Closed
Applied in changeset git|e3ec101cc21613550ef87b7bd8432a69c7e639de.
thread_cleanup: set CFP to NULL before clearing ec's stack
We clear the CFP first so that if a sampling profiler interrupts the current thread during rb_ec_set_vm_stack,
thread_profile_frames returns early instead of trying to walk the stack that's no longer set on the ec.
The early return in thread_profile_frames was introduced at eab7f4623fb.
Fixes [Bug #21441]
Updated by ufuk (Ufuk Kayserilioglu) about 1 month ago
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN to 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) about 1 month ago
- Backport changed from 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: REQUIRED to 3.2: UNKNOWN, 3.3: REQUIRED, 3.4: REQUIRED
Updated by nagachika (Tomoyuki Chikanaga) about 1 month ago
- Backport changed from 3.2: UNKNOWN, 3.3: REQUIRED, 3.4: REQUIRED to 3.2: UNKNOWN, 3.3: DONE, 3.4: REQUIRED
Merged https://github.com/ruby/ruby/pull/13672 into ruby_3_3 branch.
Updated by k0kubun (Takashi Kokubun) 16 days ago
- Backport changed from 3.2: UNKNOWN, 3.3: DONE, 3.4: REQUIRED to 3.2: UNKNOWN, 3.3: DONE, 3.4: DONE
ruby_3_4 edfcbacabae6317195a55f2b83fafe2d2b3f6fc8.