Backport #6171

Segfault in rb_free_method_entry

Added by jballanc (Joshua Ballanco) over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
[ruby-core:43380]

Description

=begin
Running the following script in both Ruby 1.9.3p125 and trunk causes a segfault:

class Bug
  def initialize(target)
    define_singleton_method(:reverse, target.method(:reverse).to_proc)
  end
end

1000.times { p = Bug.new('test'); 10000.times { p.reverse } }

and the corresponding backtrace:

(gdb) bt
#0  0x00007fff9337a6c1 in tiny_free_list_remove_ptr ()
#1  0x00007fff9337e55d in szone_free_definite_size ()
#2  0x00007fff933b7789 in free ()
#3  0x000000010007373c in vm_xfree (objspace=0x10081a800, ptr=0x100460470) at gc.c:880
#4  0x0000000100073ae6 in ruby_xfree (x=0x100460470) at gc.c:944
#5  0x00000001002079f1 in rb_free_method_entry (me=0x100460470) at vm_method.c:157
#6  0x0000000100207920 in rb_sweep_method_entry (pvm=0x100401780) at vm_method.c:127
#7  0x0000000100077abd in before_gc_sweep (objspace=0x10081a800) at gc.c:2296
#8  0x00000001000781f5 in gc_lazy_sweep (objspace=0x10081a800) at gc.c:2385
#9  0x0000000100074b63 in rb_newobj () at gc.c:1324
#10 0x00000001000066c1 in ary_alloc (klass=4304249320) at array.c:301
#11 0x0000000100006869 in ary_new (klass=4304249320, capa=0) at array.c:320
#12 0x0000000100006955 in rb_ary_new2 (capa=0) at array.c:334
#13 0x0000000100006cbf in rb_ary_new4 (n=0, elts=0x7fff5fbfa2e0) at array.c:370
#14 0x00000001001f6350 in vm_yield_with_cfunc (th=0x100401b60, block=0x100499f00, self=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockargptr=0x0) at vm_insnhelper.c:763
#15 0x00000001002126b5 in invoke_block_from_c (th=0x100401b60, block=0x100499f00, self=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockptr=0x0, cref=0x0) at vm.c:609
#16 0x0000000100212844 in rb_vm_invoke_proc (th=0x100401b60, proc=0x100499f00, self=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockptr=0x0) at vm.c:652
#17 0x000000010020680a in vm_call_bmethod (th=0x100401b60, recv=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockptr=0x0, me=0x100499f80) at vm_insnhelper.c:479
#18 0x000000010020524e in vm_call_method (th=0x100401b60, cfp=0x1006ffce8, num=0, blockptr=0x0, flag=0, id=2112, me=0x100499f80, recv=4304013680) at vm_insnhelper.c:608
#19 0x00000001001fd465 in vm_exec_core (th=0x100401b60, initial=0) at insns.def:1018
#20 0x00000001002143eb in vm_exec (th=0x100401b60) at vm.c:1223
#21 0x0000000100212662 in invoke_block_from_c (th=0x100401b60, block=0x1006ffe18, self=4304315600, argc=1, argv=0x7fff5fbfbbb8, blockptr=0x0, cref=0x0) at vm.c:606
#22 0x0000000100212730 in vm_yield (th=0x100401b60, argc=1, argv=0x7fff5fbfbbb8) at vm.c:636
#23 0x000000010020daec in rb_yield_0 (argc=1, argv=0x7fff5fbfbbb8) at vm_eval.c:780
#24 0x000000010020daa8 in rb_yield (val=13317) at vm_eval.c:790
#25 0x00000001000c8a8a in int_dotimes (num=20001) at numeric.c:3410
#26 0x0000000100206c28 in call_cfunc (func=0x1000c89e0 <int_dotimes>, recv=20001, len=0, argc=0, argv=0x100600078) at vm_insnhelper.c:370
#27 0x000000010020666c in vm_call_cfunc (th=0x100401b60, reg_cfp=0x1006ffdf0, num=0, recv=20001, blockptr=0x1006ffe18, me=0x100426c00) at vm_insnhelper.c:454
#28 0x0000000100204dfe in vm_call_method (th=0x100401b60, cfp=0x1006ffdf0, num=0, blockptr=0x1006ffe18, flag=0, id=3376, me=0x100426c00, recv=20001) at vm_insnhelper.c:580
#29 0x00000001001fd465 in vm_exec_core (th=0x100401b60, initial=0) at insns.def:1018
#30 0x00000001002143eb in vm_exec (th=0x100401b60) at vm.c:1223
#31 0x0000000100212662 in invoke_block_from_c (th=0x100401b60, block=0x1006fff20, self=4304315600, argc=1, argv=0x7fff5fbfd808, blockptr=0x0, cref=0x0) at vm.c:606
#32 0x0000000100212730 in vm_yield (th=0x100401b60, argc=1, argv=0x7fff5fbfd808) at vm.c:636
#33 0x000000010020daec in rb_yield_0 (argc=1, argv=0x7fff5fbfd808) at vm_eval.c:780
#34 0x000000010020daa8 in rb_yield (val=11) at vm_eval.c:790
#35 0x00000001000c8a8a in int_dotimes (num=2001) at numeric.c:3410
#36 0x0000000100206c28 in call_cfunc (func=0x1000c89e0 <int_dotimes>, recv=2001, len=0, argc=0, argv=0x100600038) at vm_insnhelper.c:370
#37 0x000000010020666c in vm_call_cfunc (th=0x100401b60, reg_cfp=0x1006ffef8, num=0, recv=2001, blockptr=0x1006fff20, me=0x100426c00) at vm_insnhelper.c:454
#38 0x0000000100204dfe in vm_call_method (th=0x100401b60, cfp=0x1006ffef8, num=0, blockptr=0x1006fff20, flag=0, id=3376, me=0x100426c00, recv=2001) at vm_insnhelper.c:580
#39 0x00000001001fd465 in vm_exec_core (th=0x100401b60, initial=0) at insns.def:1018
#40 0x00000001002143eb in vm_exec (th=0x100401b60) at vm.c:1223
#41 0x0000000100215106 in rb_iseq_eval_main (iseqval=4304147120) at vm.c:1463
#42 0x0000000100059e4a in ruby_exec_internal (n=0x1008c12b0) at eval.c:204
#43 0x0000000100059fc4 in ruby_exec_node (n=0x1008c12b0) at eval.c:251
#44 0x0000000100059f76 in ruby_run_node (n=0x1008c12b0) at eval.c:244
#45 0x00000001000008d2 in main (argc=2, argv=0x7fff5fbff4a0) at main.c:38

Running it also occasionally results in the following error:

malloc: *** error for object 0x7fe658c8e9c0: incorrect checksum for freed object - object was probably modified after being freed.
*** set a breakpoint in malloc_error_break to debug

This is on OS X 10.7.3. I've tried compiling with gcc and clang, and get the same results (also the crash occurs at both -O3 and -O0).
=end


Files

patch.diff (409 Bytes): Patch to fix bug. jballanc (Joshua Ballanco), 03/18/2012 12:39 PM

Associated revisions

Revision 2555f3f5
Added by nobu (Nobuyoshi Nakada) over 7 years ago

  • gc.c (free_method_entry_i): method entry may be in unlinked_method_entry_list. [ruby-core:43383][Bug #6171]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35080 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 35080
Added by nobu (Nobuyoshi Nakada) over 7 years ago

  • gc.c (free_method_entry_i): method entry may be in unlinked_method_entry_list. [ruby-core:43383][Bug #6171]

Revision 1fc11119
Added by usa (Usaku NAKAMURA) almost 7 years ago

merge revision(s) 35080: [Backport #7353]

    * gc.c (free_method_entry_i): method entry may be in
      unlinked_method_entry_list.  [ruby-core:43383][Bug #6171]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@37660 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 37660
Added by usa (Usaku NAKAMURA) almost 7 years ago

merge revision(s) 35080: [Backport #7353]

* gc.c (free_method_entry_i): method entry may be in
  unlinked_method_entry_list.  [ruby-core:43383][Bug #6171]

History

Updated by jballanc (Joshua Ballanco) over 7 years ago

It seems that free_method_entry_i is missing a check for marks on method entries. The attached patch fixes the bug.
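The comment above describes the failure mode in one line: a method entry reachable from two places (a dying class's method table and the VM's unlinked_method_entry_list) is freed by both paths, and the second free corrupts the allocator, which is what the malloc checksum error in the report shows. The following C program is an added illustration of that pattern and of the kind of mark check the comment asks for; it is not Ruby's gc.c, and the struct layout, the `marked` flag, the two-entry scenario and every function name in it are assumptions of the model.

```c
/* Toy model of the double free discussed in this ticket.  NOT Ruby's gc.c:
 * the structures, the "marked" flag and the function names are assumptions
 * made for illustration.  Frees are recorded rather than performed so the
 * second free of an entry is observable instead of undefined behaviour. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NENTRIES 4

typedef struct method_entry {
    int id;
    int marked;                      /* assumed: set while the entry sits on the unlinked list */
    int freed;                       /* model bookkeeping: how many times it was "freed" */
    struct method_entry *next_unlinked;
} method_entry;

typedef struct {
    method_entry *all[NENTRIES];     /* every allocation, for real cleanup at the end */
    method_entry *m_tbl[NENTRIES];   /* a dying class's method table */
    method_entry *unlinked_head;     /* VM-wide list of unlinked-but-not-yet-swept entries */
    int free_calls;
    int double_frees;
} model_vm;

static void me_free(model_vm *vm, method_entry *me)
{
    vm->free_calls++;
    if (me->freed) vm->double_frees++;   /* same entry released twice */
    me->freed++;
}

/* Constructed scenario: four entries in the table; entries 1 and 3 were
 * unlinked (e.g. by a redefinition) but not yet swept, so the list references
 * them too.  The unlinked path is the one that must own their release. */
static void setup(model_vm *vm)
{
    memset(vm, 0, sizeof(*vm));
    for (int i = 0; i < NENTRIES; i++) {
        method_entry *me = calloc(1, sizeof(*me));
        me->id = i;
        vm->all[i] = me;
        vm->m_tbl[i] = me;
        if (i % 2 == 1) {
            me->marked = 1;
            me->next_unlinked = vm->unlinked_head;
            vm->unlinked_head = me;
        }
    }
}

/* Path 1: tearing down a dead class's method table (the role free_method_entry_i
 * plays in the ticket).  With check_mark == 0 every entry is freed
 * unconditionally, which is the buggy behaviour. */
static void free_method_table(model_vm *vm, int check_mark)
{
    for (int i = 0; i < NENTRIES; i++) {
        method_entry *me = vm->m_tbl[i];
        if (!me) continue;
        vm->m_tbl[i] = NULL;
        if (check_mark && me->marked) continue;   /* the unlinked list owns it; let the sweep free it */
        me_free(vm, me);
    }
}

/* Path 2: sweeping the unlinked list (the role rb_sweep_method_entry plays). */
static void sweep_unlinked(model_vm *vm)
{
    for (method_entry *me = vm->unlinked_head; me;) {
        method_entry *next = me->next_unlinked;
        me_free(vm, me);
        me = next;
    }
    vm->unlinked_head = NULL;
}

static void run_cycle(model_vm *vm, int check_mark)
{
    setup(vm);
    free_method_table(vm, check_mark);
    sweep_unlinked(vm);
}

static void teardown(model_vm *vm)
{
    for (int i = 0; i < NENTRIES; i++) free(vm->all[i]);
}

/* Entries released twice in one collection: 2 without the check, 0 with it. */
int model_double_frees(int check_mark)
{
    model_vm vm;
    run_cycle(&vm, check_mark);
    int d = vm.double_frees;
    teardown(&vm);
    return d;
}

/* Total release calls in one collection: 6 without the check, 4 (one per entry) with it. */
int model_free_calls(int check_mark)
{
    model_vm vm;
    run_cycle(&vm, check_mark);
    int n = vm.free_calls;
    teardown(&vm);
    return n;
}

int main(void)
{
    printf("no mark check: %d frees, %d double frees\n", model_free_calls(0), model_double_frees(0));
    printf("with check:    %d frees, %d double frees\n", model_free_calls(1), model_double_frees(1));
    return 0;
}
```

In the real VM the second release goes to free(), so the symptom is allocator corruption that surfaces later and elsewhere (here inside rb_sweep_method_entry, far from the code that did the first free); the model's counter is the only reason the fault is visible at the point it occurs.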

#2

Updated by nobu (Nobuyoshi Nakada) over 7 years ago

  • Status changed from Open to Closed
  • % Done changed from 0 to 100

This issue was solved with changeset r35080.
Joshua, thank you for reporting this issue.
Your contribution to Ruby is greatly appreciated.
May Ruby be with you.

  • gc.c (free_method_entry_i): method entry may be in unlinked_method_entry_list. [ruby-core:43383][Bug #6171]

#3

Updated by nagachika (Tomoyuki Chikanaga) over 7 years ago

  • Tracker changed from Bug to Backport
  • Project changed from Ruby master to Backport193
  • Category deleted (core)
  • Target version deleted (1.9.3)
