Actions
Bug #21970
open
Corrupted `ciobj->operands` in `compile.c: optimize_checktype`
Bug #21970:
Corrupted `ciobj->operands` in `compile.c: optimize_checktype`
Status:
Open
Assignee:
-
Target version:
-
ruby -v:
ruby 4.0.2 (2026-03-17 revision d3da9fec82) +PRISM [aarch64-linux]
Description
A rare crash I observed in production. I unfortunately don't have a reproduction, but perhaps this will ring a bell to someone.
#4 0x0000aaaac9afb1b8 [PAC] in sigsegv (sig=11, info=0xaaaaff573e30, ctx=0xaaaaff573eb0) at signal.c:948
#5 <signal handler called>
#6 0x0000aaaac9ddcb60 in get_next_insn (iobj=0xffffffff00000001) at compile.c:3078
#7 optimize_checktype (iobj=0xaaab00000640, iseq=0xffff6e41ac80) at compile.c:3291
#8 iseq_peephole_optimize (iseq=iseq@entry=0xffff6e41ac80, list=list@entry=0xaaab00000640, do_tailcallopt=do_tailcallopt@entry=0) at compile.c:3363
#9 0x0000aaaac9dde590 [PAC] in iseq_optimize (anchor=<optimized out>, iseq=<optimized out>) at compile.c:4453
#10 iseq_setup_insn (anchor=<optimized out>, iseq=<optimized out>) at compile.c:1648
#11 iseq_setup_insn (iseq=0xffff6e41ac80, anchor=0xffffdb42d078) at compile.c:1637
#12 0x0000aaaac9e22d34 [PAC] in pm_iseq_compile_node (iseq=0xffff6e41ac80, node=<optimized out>) at /ruby-4.0.2/prism_compile.c:10514
#13 0x0000aaaac9a32f08 [PAC] in pm_iseq_new_with_opt_try (d=d@entry=281474360333120) at iseq.c:1106
#14 0x0000aaaac99c81bc [PAC] in rb_protect (proc=proc@entry=0xaaaac9a32eec <pm_iseq_new_with_opt_try>, data=data@entry=281474360333120, pstate=pstate@entry=0xffffdb42d3e4)
at eval.c:1127
#15 0x0000aaaac9a39408 [PAC] in pm_iseq_new_with_opt (node=node@entry=0xffffdb42d510, name=name@entry=281472546599520, path=path@entry=281472531544280, realpath=281472531544280,
first_lineno=first_lineno@entry=215, parent=parent@entry=0x0, isolated_depth=isolated_depth@entry=0, type=type@entry=ISEQ_TYPE_METHOD, option=0xffffdb42d328,
error_state=error_state@entry=0xffffdb42d3e4) at iseq.c:1159
#16 0x0000aaaac9dcf1fc [PAC] in pm_new_child_iseq (iseq=iseq@entry=0xffff6e41b068, node=node@entry=0xffffdb42d510, name=281472546599520, parent=parent@entry=0x0,
type=type@entry=ISEQ_TYPE_METHOD, line_no=215) at /ruby-4.0.2/iseq.h:154
#17 0x0000aaaac9e0688c [PAC] in pm_compile_node (iseq=iseq@entry=0xffff6e41b068, node=0xaaab000f0ac0, ret=ret@entry=0xffffdb42dcd8, popped=popped@entry=true,
scope_node=scope_node@entry=0xffffdb42e170) at /ruby-4.0.2/prism_compile.c:9073
#18 0x0000aaaac9e0bd7c [PAC] in pm_compile_node (iseq=iseq@entry=0xffff6e41b068, node=0xaaab000eeed0, ret=ret@entry=0xffffdb42dcd8, popped=popped@entry=false,
scope_node=scope_node@entry=0xffffdb42e170) at /ruby-4.0.2/prism_compile.c:10327
#19 0x0000aaaac9e1ee4c [PAC] in pm_compile_scope_node (iseq=iseq@entry=0xffff6e41b068, scope_node=scope_node@entry=0xffffdb42e170, ret=ret@entry=0xffffdb42dcd8,
popped=popped@entry=false, node_location=<optimized out>, node_location=<optimized out>) at /ruby-4.0.2/prism_compile.c:7047
(gdb) f 7
#7 optimize_checktype (iobj=0xaaab00000640, iseq=0xffff6e41ac80) at compile.c:3291
3291 ciobj = (INSN *)get_next_insn((INSN*)OPERAND_AT(ciobj, 0));
(gdb) p (INSN*)ciobj->operands[0]
$7 = (INSN *) 0xffffffff00000001
(gdb) p *(INSN*)ciobj->operands[0]
Cannot access memory at address 0xffffffff00000001
Updated by nobu (Nobuyoshi Nakada) about 1 month ago
Is it possible to inspect the contents of *iobj and *ciobj?
Updated by byroot (Jean Boussier) about 1 month ago
Of course:
(gdb) p *iobj
$1 = {link = {type = ISEQ_ELEMENT_INSN, next = 0xaaab00000848, prev = 0xaaab00000818}, insn_id = YARVINSN_putnil, operand_size = 0, sc_state = 0, operands = 0x0, insn_info = {
line_no = 220, node_id = 449, events = 0}}
(gdb) p *ciobj
$2 = {link = {type = ISEQ_ELEMENT_ADJUST, next = 0xaaab00000680, prev = 0xaaab00000640}, insn_id = YARVINSN_jump, operand_size = 43691, sc_state = 220, operands = 0xaaab00000018,
insn_info = {line_no = 3, node_id = 65535, events = 2016}}
Updated by byroot (Jean Boussier) 5 days ago
We ran into several more instances of that bug in the last couple weeks.
apps/intercom/app/helpers/operator_workflows_helper.rb: [BUG] Segmentation fault at 0x0000aaaa00000009
ruby 4.0.2 (2026-03-17 revision d3da9fec82) +PRISM [aarch64-linux]
...
-- C level backtrace information -------------------------------------------
/usr/local/lib/libruby.so.4.0(fprintf+0x0) [0xffff8550e738] /usr/src/ruby/vm_dump.c:1105
/usr/local/lib/libruby.so.4.0(rb_vm_bugreport) /usr/src/ruby/vm_dump.c:1453
/usr/local/lib/libruby.so.4.0(rb_bug_for_fatal_signal+0xe0) [0xffff852e9e30] /usr/src/ruby/error.c:1131
/usr/local/lib/libruby.so.4.0(sigsegv+0x58) [0xffff8544d5f8] /usr/src/ruby/signal.c:948
linux-vdso.so.1(__kernel_rt_sigreturn+0x0) [0xffff85a11838]
/usr/local/lib/libruby.so.4.0(get_next_insn+0x4) [0xffff852682b4] /usr/src/ruby/compile.c:3078
/usr/local/lib/libruby.so.4.0(optimize_checktype) /usr/src/ruby/compile.c:3291
/usr/local/lib/libruby.so.4.0(iseq_peephole_optimize) /usr/src/ruby/compile.c:3363
Here it's ciobj that's wrong.
And another similar one:
bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor/parser/options.rb: [BUG] Segmentation fault at 0x0000000001000000
ruby 4.0.2 (2026-03-17 revision d3da9fec82) +PRISM [aarch64-linux]
-- Ruby level backtrace information ----------------------------------------
./bin/rspec:6:in '<main>'
<internal:/usr/local/lib/ruby/4.0.0/rubygems/core_ext/kernel_require.rb>:139:in 'require'
<internal:/usr/local/lib/ruby/4.0.0/rubygems/core_ext/kernel_require.rb>:139:in 'require'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/setup.rb:16:in '<top (required)>'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler.rb:92:in 'ui'
<internal:/usr/local/lib/ruby/4.0.0/rubygems/core_ext/kernel_require.rb>:139:in 'require'
<internal:/usr/local/lib/ruby/4.0.0/rubygems/core_ext/kernel_require.rb>:139:in 'require'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/ui/shell.rb:3:in '<top (required)>'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/ui/shell.rb:3:in 'require_relative'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendored_thor.rb:8:in '<top (required)>'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendored_thor.rb:8:in 'require_relative'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor.rb:1:in '<top (required)>'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor.rb:1:in 'require_relative'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor/base.rb:6:in '<top (required)>'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor/base.rb:6:in 'require_relative'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor/parser.rb:4:in '<top (required)>'
/bundler_cache/ruby/4.0.0/gems/bundler-4.0.8/lib/bundler/vendor/thor/lib/thor/parser.rb:4:in 'require_relative'
-- C level backtrace information -------------------------------------------
/usr/local/lib/libruby.so.4.0(fprintf+0x0) [0xffffb886e738] /usr/src/ruby/vm_dump.c:1105
/usr/local/lib/libruby.so.4.0(rb_vm_bugreport) /usr/src/ruby/vm_dump.c:1453
/usr/local/lib/libruby.so.4.0(rb_bug_for_fatal_signal+0xe0) [0xffffb8649e30] /usr/src/ruby/error.c:1131
/usr/local/lib/libruby.so.4.0(sigsegv+0x58) [0xffffb87ad5f8] /usr/src/ruby/signal.c:948
linux-vdso.so.1(__kernel_rt_sigreturn+0x0) [0xffffb8d77838]
/usr/local/lib/libruby.so.4.0(get_next_insn+0x18) [0xffffb85c82c8] /usr/src/ruby/compile.c:3080
/usr/local/lib/libruby.so.4.0(optimize_checktype) /usr/src/ruby/compile.c:3291
/usr/local/lib/libruby.so.4.0(iseq_peephole_optimize) /usr/src/ruby/compile.c:3363
/usr/local/lib/libruby.so.4.0(iseq_optimize+0x58) [0xffffb85c9a88] /usr/src/ruby/compile.c:4453
/usr/local/lib/libruby.so.4.0(iseq_setup_insn) /usr/src/ruby/compile.c:1648
/usr/local/lib/libruby.so.4.0(iseq_setup_insn) /usr/src/ruby/compile.c:1637
/usr/local/lib/libruby.so.4.0(pm_iseq_compile_node+0xc4) [0xffffb860c214] /usr/src/ruby/prism_compile.c:10514
Actions