author | k0kubun <k0kubun@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-05-08 15:06:11 +0000 |
---|---|---|
committer | k0kubun <k0kubun@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2018-05-08 15:06:11 +0000 |
commit | bdb42689287dd62d116c17e9a3a04b76b30e8de9 (patch) | |
tree | 046e14d5d87e867732a3a39578166bda84d65c18 /tool/ruby_vm/views | |
parent | b755fe889a7f37bce869c719662747dc0891c46e (diff) |
_mjit_compile_pc_and_sp.erb: make sure no uninitialized area on VM stack to prevent SEGV on GC. GC may mark every value in VM stack.
Unfortunately I couldn't write a test for it... So let me explain the situation.
SEGV example:
https://gist.github.com/k0kubun/c7cea2b5761ffdff29ec79ea1a8f7f91
```
$ ruby --dump=insns -e 'def oct(num, len); "%0#{len}o" % num; end'
== disasm: #<ISeq:oct@-e:1 (1,0)-(1,41)> (catch: FALSE)
local table (size: 2, argc: 2 [opts: 0, rest: -1, post: 0, block: -1, kw: -1@-1, kwrest: -1])
[ 2] num@0<Arg> [ 1] len@1<Arg>
0000 putobject "%0" ( 1)[LiCa]
0002 getlocal_WC_0 len@1
0004 dup
0005 checktype T_STRING
0007 branchif 14
0009 dup
0010 opt_send_without_block <callinfo!mid:to_s, argc:0, FCALL|ARGS_SIMPLE>, <callcache>
0013 tostring
0014 putobject "o"
0016 concatstrings 3
0018 getlocal_WC_0 num@0
0020 opt_mod <callinfo!mid:%, argc:1, ARGS_SIMPLE>, <callcache>
0023 leave [Re]
```
Prior to this commit, after arguments are pushed on 0010, stacks were:
VM stack: [uninitialized, uninitialized, len]
JIT stack: ["%0", len, len]
And then, when GC is invoked on 0016, VM stack will be [uninitialized, uninitialized]
and those uninitialized values will be marked by GC.
With this commit, after arguments are pushed on 0010, stacks will be:
VM stack: [len]
JIT stack: ["%0", len, len]
And VM stack will be [] on 0016.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@63360 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
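The sp placement the commit message describes, as an added example that is not Ruby's code: a small C model in which the JIT's local `stack[]` is synced to a VM stack and a marker walks every slot up to sp, so that the old and new formulas for sp can be compared by counting unwritten slots the marker would read. Slot 0 stands for the first value slot above `reg_cfp->bp` (the generated `+ 1` is omitted), and the values for `stack_size`, `pops` and `push_size` are constructed to match the commit's insn 0010 sketch.

```c
#include <assert.h>

/* Hypothetical model (not Ruby's code) of the hand-off from MJIT's C-local
 * "stack[]" to the VM stack. UNINIT marks a VM slot nothing ever wrote; a real
 * GC walking [bp, sp) would treat such garbage as a VALUE, which is the SEGV
 * the commit describes. */
#define UNINIT    (-1)
#define MAX_SLOTS 16

/* Copy the top push_size JIT values to just below sp, mirroring the generated
 * "*(reg_cfp->sp + (i - push_size)) = stack[stack_size - push_size + i]",
 * then return how many live VM slots in [0, sp) were never written. */
static int sync_and_count_uninit(const int *jit_stack, int stack_size,
                                 int push_size, int sp)
{
    int vm[MAX_SLOTS];
    int i, n = 0;
    for (i = 0; i < MAX_SLOTS; i++) vm[i] = UNINIT;
    assert(sp >= push_size && sp <= MAX_SLOTS);
    for (i = 0; i < push_size; i++)
        vm[sp - push_size + i] = jit_stack[stack_size - push_size + i];
    for (i = 0; i < sp; i++)            /* what the marker would scan */
        if (vm[i] == UNINIT) n++;
    return n;
}

/* Before the commit: sp = bp + stack_size + 1 - pops (full JIT depth minus pops). */
static int uninit_before_commit(const int *jit_stack, int stack_size, int pops, int push_size)
{
    return sync_and_count_uninit(jit_stack, stack_size, push_size, stack_size - pops);
}

/* After the commit: sp = bp + push_size + 1 (only the values actually copied). */
static int uninit_after_commit(const int *jit_stack, int stack_size, int pops, int push_size)
{
    (void)pops;
    return sync_and_count_uninit(jit_stack, stack_size, push_size, push_size);
}

int main(void)
{
    /* Constructed stand-in for the commit's insn 0010: JIT stack ["%0", len, len],
     * with pops = 1 and push_size = 1 taken as the instruction's parameters. */
    const int jit_stack[] = { 100, 7, 7 };
    assert(uninit_before_commit(jit_stack, 3, 1, 1) == 1);   /* a slot below len is garbage */
    assert(uninit_after_commit(jit_stack, 3, 1, 1) == 0);    /* nothing unwritten under sp */
    return 0;
}
```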
Diffstat (limited to 'tool/ruby_vm/views')
-rw-r--r-- | tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb b/tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb index 084a3dd6c8..26037e1191 100644 --- a/tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb +++ b/tool/ruby_vm/views/_mjit_compile_pc_and_sp.erb @@ -20,12 +20,11 @@ % # sp motion is optimized away for `handles_frame? #=> false` case. % # Thus sp should be set properly before `goto cancel`. % if insn.handles_frame? - fprintf(f, " reg_cfp->sp = (VALUE *)reg_cfp->bp + stack_size + 1 - <%= insn.pops.size %>;\n"); /* POPN(INSN_ATTR(popn)); */ -% % # JIT-only behavior (pushing JIT's local variables to VM's stack): { rb_snum_t i, push_size; push_size = -<%= insn.call_attribute('sp_inc') %> + <%= insn.rets.size %> - <%= insn.pops.size %>; + fprintf(f, " reg_cfp->sp = (VALUE *)reg_cfp->bp + %ld + 1;\n", push_size); /* POPN(INSN_ATTR(popn)); */ for (i = 0; i < push_size; i++) { /* TODO: use memcpy? */ fprintf(f, " *(reg_cfp->sp + %ld) = stack[%ld];\n", i - push_size, (rb_snum_t)b->stack_size - push_size + i); } |
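Review bot: the `/* POPN(INSN_ATTR(popn)); */` comment carried over onto the added `reg_cfp->sp = (VALUE *)reg_cfp->bp + %ld + 1;` line no longer describes what the line does: sp is now derived from `push_size` (the number of values the loop below copies) rather than from `stack_size` minus the instruction's pops, so the comment should instead state that sp is placed so no slot between bp and sp is left unwritten, since GC marks the whole VM stack; the `% # JIT-only behavior` comment above the block should also mention that the sp adjustment now lives inside it. Separately, the new formula makes sp depend on `push_size` being non-negative: before this change a negative `push_size` only skipped the copy loop, whereas now it would place sp below bp + 1, so a one-line assertion or comment that every `handles_frame?` instruction yields `push_size >= 0` would document the invariant the line relies on.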