Bug #21970: Corrupted `ciobj->operands` in `compile.c: optimize_checktype`

Added by byroot (Jean Boussier) 2 days ago. Updated 2 days ago.

Status: Open
Assignee: -
Target version: -
ruby -v: ruby 4.0.2 (2026-03-17 revision d3da9fec82) +PRISM [aarch64-linux]
[ruby-core:125150]

Description

A rare crash I observed in production. I unfortunately don't have a reproduction, but perhaps this will ring a bell for someone.

#4  0x0000aaaac9afb1b8 [PAC] in sigsegv (sig=11, info=0xaaaaff573e30, ctx=0xaaaaff573eb0) at signal.c:948
#5  <signal handler called>
#6  0x0000aaaac9ddcb60 in get_next_insn (iobj=0xffffffff00000001) at compile.c:3078
#7  optimize_checktype (iobj=0xaaab00000640, iseq=0xffff6e41ac80) at compile.c:3291
#8  iseq_peephole_optimize (iseq=iseq@entry=0xffff6e41ac80, list=list@entry=0xaaab00000640, do_tailcallopt=do_tailcallopt@entry=0) at compile.c:3363
#9  0x0000aaaac9dde590 [PAC] in iseq_optimize (anchor=<optimized out>, iseq=<optimized out>) at compile.c:4453
#10 iseq_setup_insn (anchor=<optimized out>, iseq=<optimized out>) at compile.c:1648
#11 iseq_setup_insn (iseq=0xffff6e41ac80, anchor=0xffffdb42d078) at compile.c:1637
#12 0x0000aaaac9e22d34 [PAC] in pm_iseq_compile_node (iseq=0xffff6e41ac80, node=<optimized out>) at /ruby-4.0.2/prism_compile.c:10514
#13 0x0000aaaac9a32f08 [PAC] in pm_iseq_new_with_opt_try (d=d@entry=281474360333120) at iseq.c:1106
#14 0x0000aaaac99c81bc [PAC] in rb_protect (proc=proc@entry=0xaaaac9a32eec <pm_iseq_new_with_opt_try>, data=data@entry=281474360333120, pstate=pstate@entry=0xffffdb42d3e4)
    at eval.c:1127
#15 0x0000aaaac9a39408 [PAC] in pm_iseq_new_with_opt (node=node@entry=0xffffdb42d510, name=name@entry=281472546599520, path=path@entry=281472531544280, realpath=281472531544280, 
    first_lineno=first_lineno@entry=215, parent=parent@entry=0x0, isolated_depth=isolated_depth@entry=0, type=type@entry=ISEQ_TYPE_METHOD, option=0xffffdb42d328, 
    error_state=error_state@entry=0xffffdb42d3e4) at iseq.c:1159
#16 0x0000aaaac9dcf1fc [PAC] in pm_new_child_iseq (iseq=iseq@entry=0xffff6e41b068, node=node@entry=0xffffdb42d510, name=281472546599520, parent=parent@entry=0x0, 
    type=type@entry=ISEQ_TYPE_METHOD, line_no=215) at /ruby-4.0.2/iseq.h:154
#17 0x0000aaaac9e0688c [PAC] in pm_compile_node (iseq=iseq@entry=0xffff6e41b068, node=0xaaab000f0ac0, ret=ret@entry=0xffffdb42dcd8, popped=popped@entry=true, 
    scope_node=scope_node@entry=0xffffdb42e170) at /ruby-4.0.2/prism_compile.c:9073
#18 0x0000aaaac9e0bd7c [PAC] in pm_compile_node (iseq=iseq@entry=0xffff6e41b068, node=0xaaab000eeed0, ret=ret@entry=0xffffdb42dcd8, popped=popped@entry=false, 
    scope_node=scope_node@entry=0xffffdb42e170) at /ruby-4.0.2/prism_compile.c:10327
#19 0x0000aaaac9e1ee4c [PAC] in pm_compile_scope_node (iseq=iseq@entry=0xffff6e41b068, scope_node=scope_node@entry=0xffffdb42e170, ret=ret@entry=0xffffdb42dcd8, 
    popped=popped@entry=false, node_location=<optimized out>, node_location=<optimized out>) at /ruby-4.0.2/prism_compile.c:7047
(gdb) f 7
#7  optimize_checktype (iobj=0xaaab00000640, iseq=0xffff6e41ac80) at compile.c:3291
3291	        ciobj = (INSN *)get_next_insn((INSN*)OPERAND_AT(ciobj, 0));
(gdb) p (INSN*)ciobj->operands[0]
$7 = (INSN *) 0xffffffff00000001
(gdb) p *(INSN*)ciobj->operands[0]
Cannot access memory at address 0xffffffff00000001

Updated by nobu (Nobuyoshi Nakada) 2 days ago #1 [ruby-core:125151]

Is it possible to inspect the contents of *iobj and *ciobj?

Updated by byroot (Jean Boussier) 2 days ago #2 [ruby-core:125153]

Of course:

(gdb) p *iobj 
$1 = {link = {type = ISEQ_ELEMENT_INSN, next = 0xaaab00000848, prev = 0xaaab00000818}, insn_id = YARVINSN_putnil, operand_size = 0, sc_state = 0, operands = 0x0, insn_info = {
    line_no = 220, node_id = 449, events = 0}}
(gdb) p *ciobj
$2 = {link = {type = ISEQ_ELEMENT_ADJUST, next = 0xaaab00000680, prev = 0xaaab00000640}, insn_id = YARVINSN_jump, operand_size = 43691, sc_state = 220, operands = 0xaaab00000018, 
  insn_info = {line_no = 3, node_id = 65535, events = 2016}}