ruby-core

ruby-core@ml.ruby-lang.org

[ruby-core:121809] [Ruby Bug#21306] heap-use-after-free in set initialization via clearing the array while it’s being iterated
by cyruscyliu (Qiang Liu) 03 May '25

Issue #21306 has been reported by cyruscyliu (Qiang Liu).

----------------------------------------
Bug #21306: heap-use-after-free in set initialization via clearing the array while it’s being iterated
https://bugs.ruby-lang.org/issues/21306

* Author: cyruscyliu (Qiang Liu)
* Status: Open
* ruby -v: 3.5.0
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
Hi, we found a heap-use-after-free in set initialization via clearing the array while it’s being iterated. Here is the PoC.

```
$a = (1..100).to_a
s = Set.new($a) { |x| $a.clear }
```

Initializing a Set with an array that has a block modifying the array causes memory corruption. In this case, the block clears $a while Set is being initialized, which can lead to inconsistent internal state and potential crashes.

To reproduce, compile the recent Ruby with ASAN, and run the PoC.

```
$ git log | head -n3
commit 36c64b3be83f17992137d63ffd0b94f90e24424a
Author: John Hawthorn <john(a)hawthorn.email>
Date: Fri Apr 11 16:02:23 2025 -070
./ruby set_initialize.rb
`RubyGems' were not loaded.
`error_highlight' was not loaded.
`did_you_mean' was not loaded.
`syntax_suggest' was not loaded.
================================================================= ==107246==ERROR: AddressSanitizer: heap-use-after-free on address 0x51900000dc88 at pc 0x5de0c6510d40 bp 0x7ffc82400690 sp 0x7ffc82400688 READ of size 8 at 0x51900000dc88 thread T0 #0 0x5de0c6510d3f in set_i_initialize /media/test/ruby/build/../set.c:502:17 #1 0x5de0c6658bb1 in vm_call0_cfunc_with_frame /media/test/ruby/build/../vm_eval.c:164:15 #2 0x5de0c6658bb1 in vm_call0_cfunc /media/test/ruby/build/../vm_eval.c:178:12 #3 0x5de0c6658bb1 in vm_call0_body /media/test/ruby/build/../vm_eval.c:229:15 #4 0x5de0c665c443 in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #5 0x5de0c665c443 in rb_call0 /media/test/ruby/build/../vm_eval.c:554:12 #6 0x5de0c6613825 in rb_call /media/test/ruby/build/../vm_eval.c:873:12 #7 0x5de0c6613825 in rb_funcallv_kw /media/test/ruby/build/../vm_eval.c:1070:12 #8 0x5de0c63edc54 in rb_class_new_instance_pass_kw /media/test/ruby/build/../object.c:2203:5 #9 0x5de0c6646b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #10 0x5de0c662f4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #11 0x5de0c662efd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #12 0x5de0c65f7f98 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #13 0x5de0c65f7f98 in vm_exec_core /media/test/ruby/build/../insns.def:851:11 #14 0x5de0c65eda47 in rb_vm_exec /media/test/ruby/build/../vm.c #15 0x5de0c62bfce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #16 0x5de0c62bfce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #17 0x5de0c62bb3a0 in rb_main /media/test/ruby/build/../main.c:42:12 #18 0x5de0c62bb3a0 in main /media/test/ruby/build/../main.c:62:12 #19 0x77f098629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #20 0x77f098629e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #21 0x5de0c61e3d54 in _start (/media/test/ruby/build/ruby+0x148d54) (BuildId: 
58c97094e0527fad484552e230da980d80ffa516) 0x51900000dc88 is located 8 bytes inside of 1024-byte region [0x51900000dc80,0x51900000e080) freed by thread T0 here: #0 0x5de0c627e37c in realloc (/media/test/ruby/build/ruby+0x1e337c) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) #1 0x5de0c6320acb in rb_gc_impl_realloc /media/test/ruby/build/../gc/default/default.c:8330:5 #2 0x5de0c62fdfd9 in ruby_sized_xrealloc2_body /media/test/ruby/build/../gc.c:4772:12 #3 0x5de0c62fdfd9 in ruby_sized_xrealloc2 /media/test/ruby/build/../gc.c:4765:34 #4 0x5de0c62fdfd9 in ruby_xrealloc2 /media/test/ruby/build/../gc.c:4778:12 #5 0x5de0c66add64 in ary_heap_realloc /media/test/ruby/build/../array.c:370:5 #6 0x5de0c66add64 in ary_resize_capa /media/test/ruby/build/../array.c:412:24 #7 0x5de0c66b5663 in rb_ary_clear /media/test/ruby/build/../array.c:4750:13 #8 0x5de0c6646b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #9 0x5de0c662f4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #10 0x5de0c662efd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #11 0x5de0c65f51d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #12 0x5de0c65f51d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #13 0x5de0c65eda47 in rb_vm_exec /media/test/ruby/build/../vm.c #14 0x5de0c66607b6 in invoke_iseq_block_from_c /media/test/ruby/build/../vm.c:1648:12 #15 0x5de0c66607b6 in invoke_block_from_c_bh /media/test/ruby/build/../vm.c:1662:20 #16 0x5de0c661502a in vm_yield_with_cref /media/test/ruby/build/../vm.c:1699:12 #17 0x5de0c661502a in vm_yield /media/test/ruby/build/../vm.c:1707:12 #18 0x5de0c661502a in rb_yield_0 /media/test/ruby/build/../vm_eval.c:1344:12 #19 0x5de0c661502a in rb_yield /media/test/ruby/build/../vm_eval.c #20 0x5de0c6510aa4 in set_i_initialize /media/test/ruby/build/../set.c:502:17 #21 0x5de0c6658bb1 in vm_call0_cfunc_with_frame /media/test/ruby/build/../vm_eval.c:164:15 #22 0x5de0c6658bb1 in 
vm_call0_cfunc /media/test/ruby/build/../vm_eval.c:178:12 #23 0x5de0c6658bb1 in vm_call0_body /media/test/ruby/build/../vm_eval.c:229:15 #24 0x5de0c665c443 in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #25 0x5de0c665c443 in rb_call0 /media/test/ruby/build/../vm_eval.c:554:12 #26 0x5de0c6613825 in rb_call /media/test/ruby/build/../vm_eval.c:873:12 #27 0x5de0c6613825 in rb_funcallv_kw /media/test/ruby/build/../vm_eval.c:1070:12 #28 0x5de0c63edc54 in rb_class_new_instance_pass_kw /media/test/ruby/build/../object.c:2203:5 #29 0x5de0c6646b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #30 0x5de0c662f4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #31 0x5de0c662efd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #32 0x5de0c65f7f98 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #33 0x5de0c65f7f98 in vm_exec_core /media/test/ruby/build/../insns.def:851:11 #34 0x5de0c65eda47 in rb_vm_exec /media/test/ruby/build/../vm.c #35 0x5de0c62bfce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #36 0x5de0c62bfce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #37 0x5de0c62bb3a0 in rb_main /media/test/ruby/build/../main.c:42:12 #38 0x5de0c62bb3a0 in main /media/test/ruby/build/../main.c:62:12 #39 0x77f098629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 previously allocated by thread T0 here: #0 0x5de0c627e37c in realloc (/media/test/ruby/build/ruby+0x1e337c) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) #1 0x5de0c6320acb in rb_gc_impl_realloc /media/test/ruby/build/../gc/default/default.c:8330:5 #2 0x5de0c62fdfd9 in ruby_sized_xrealloc2_body /media/test/ruby/build/../gc.c:4772:12 #3 0x5de0c62fdfd9 in ruby_sized_xrealloc2 /media/test/ruby/build/../gc.c:4765:34 #4 0x5de0c62fdfd9 in ruby_xrealloc2 /media/test/ruby/build/../gc.c:4778:12 #5 0x5de0c66add64 in ary_heap_realloc /media/test/ruby/build/../array.c:370:5 #6 
0x5de0c66add64 in ary_resize_capa /media/test/ruby/build/../array.c:412:24 #7 0x5de0c66ad51b in ary_double_capa /media/test/ruby/build/../array.c:461:5 #8 0x5de0c66ad51b in ary_ensure_room_for_push /media/test/ruby/build/../array.c:620:9 #9 0x5de0c66ad0c4 in rb_ary_push /media/test/ruby/build/../array.c:1386:24 #10 0x5de0c68aceb9 in collect_all /media/test/ruby/build/../enum.c:636:5 #11 0x5de0c65e9803 in vm_yield_with_cfunc /media/test/ruby/build/../vm_insnhelper.c:5146:11 #12 0x5de0c66601f8 in invoke_block_from_c_bh /media/test/ruby/build/../vm.c:1667:16 #13 0x5de0c661502a in vm_yield_with_cref /media/test/ruby/build/../vm.c:1699:12 #14 0x5de0c661502a in vm_yield /media/test/ruby/build/../vm.c:1707:12 #15 0x5de0c661502a in rb_yield_0 /media/test/ruby/build/../vm_eval.c:1344:12 #16 0x5de0c661502a in rb_yield /media/test/ruby/build/../vm_eval.c #17 0x5de0c6444d87 in range_each_fixnum_loop /media/test/ruby/build/../range.c:1059:9 #18 0x5de0c6444d87 in range_each /media/test/ruby/build/../range.c:1096:16 #19 0x5de0c6658bb1 in vm_call0_cfunc_with_frame /media/test/ruby/build/../vm_eval.c:164:15 #20 0x5de0c6658bb1 in vm_call0_cfunc /media/test/ruby/build/../vm_eval.c:178:12 #21 0x5de0c6658bb1 in vm_call0_body /media/test/ruby/build/../vm_eval.c:229:15 #22 0x5de0c665c443 in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #23 0x5de0c665c443 in rb_call0 /media/test/ruby/build/../vm_eval.c:554:12 #24 0x5de0c6616955 in rb_call /media/test/ruby/build/../vm_eval.c:873:12 #25 0x5de0c6616955 in iterate_method /media/test/ruby/build/../vm_eval.c:1528:12 #26 0x5de0c6616f55 in rb_iterate0 /media/test/ruby/build/../vm_eval.c:1470:18 #27 0x5de0c66167c9 in rb_iterate_internal /media/test/ruby/build/../vm_eval.c:1502:12 #28 0x5de0c66167c9 in rb_block_call_kw /media/test/ruby/build/../vm_eval.c:1551:12 #29 0x5de0c68a7b7b in enum_to_a /media/test/ruby/build/../enum.c:735:5 #30 0x5de0c6658bb1 in vm_call0_cfunc_with_frame /media/test/ruby/build/../vm_eval.c:164:15 #31 0x5de0c6658bb1 
in vm_call0_cfunc /media/test/ruby/build/../vm_eval.c:178:12 #32 0x5de0c6658bb1 in vm_call0_body /media/test/ruby/build/../vm_eval.c:229:15 #33 0x5de0c6611076 in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #34 0x5de0c6611076 in rb_vm_call0 /media/test/ruby/build/../vm_eval.c:61:12 #35 0x5de0c6611076 in rb_vm_call_kw /media/test/ruby/build/../vm_eval.c:326:12 #36 0x5de0c6611076 in vm_call_super /media/test/ruby/build/../vm_eval.c:350:12 #37 0x5de0c6611076 in rb_call_super_kw /media/test/ruby/build/../vm_eval.c:358:12 #38 0x5de0c6646b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #39 0x5de0c662f4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #40 0x5de0c662efd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #41 0x5de0c65f51d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #42 0x5de0c65f51d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #43 0x5de0c65eda47 in rb_vm_exec /media/test/ruby/build/../vm.c #44 0x5de0c62bfce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #45 0x5de0c62bfce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #46 0x5de0c62bb3a0 in rb_main /media/test/ruby/build/../main.c:42:12 #47 0x5de0c62bb3a0 in main /media/test/ruby/build/../main.c:62:12 #48 0x77f098629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SUMMARY: AddressSanitizer: heap-use-after-free /media/test/ruby/build/../set.c:502:17 in set_i_initialize Shadow bytes around the buggy address: 0x51900000da00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51900000da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51900000db00: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa 0x51900000db80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51900000dc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x51900000dc80: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000dd00: fd fd fd fd fd fd fd fd fd fd fd fd fd 
fd fd fd 0x51900000dd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000de00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000de80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000df00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==107246==ABORTING ../triaged/set_initialize.rb:3: [BUG] ASAN error ruby 3.5.0dev (2025-05-02T21:28:25Z master 36c64b3be8) +PRISM [x86_64-linux] -- Control frame information ----------------------------------------------- c:0004 p:---- s:0015 e:000014 CFUNC :initialize c:0003 p:---- s:0012 e:000011 CFUNC :new c:0002 p:0013 s:0007 E:000c48 EVAL ../triaged/set_initialize.rb:3 [FINISH] c:0001 p:0000 s:0003 E:000540 DUMMY [FINISH] -- Ruby level backtrace information ---------------------------------------- ../triaged/set_initialize.rb:3:in '<main>' ../triaged/set_initialize.rb:3:in 'new' ../triaged/set_initialize.rb:3:in 'initialize' -- Threading information --------------------------------------------------- Total ractor count: 1 Ruby thread count for this ractor: 1 -- C level backtrace information ------------------------------------------- ./ruby(___interceptor_backtrace) [0x5de0c6228006] /media/test/ruby/build/ruby(rb_print_backtrace+0x14) [0x5de0c6976337] /media/test/ruby/build/../vm_dump.c:839 /media/test/ruby/build/ruby(rb_vm_bugreport) /media/test/ruby/build/../vm_dump.c:1171 /media/test/ruby/build/ruby(rb_bug_without_die_internal+0x23c) [0x5de0c68ca76c] /media/test/ruby/build/../error.c:1097 
/media/test/ruby/build/ruby(rb_bug_without_die+0x127) [0x5de0c68ca487] /media/test/ruby/build/../error.c:1106 ./ruby(0x5de0c62a1bc6) [0x5de0c62a1bc6] ./ruby(0x5de0c6282c9f) [0x5de0c6282c9f] ./ruby(0x5de0c6285ce5) [0x5de0c6285ce5] ./ruby(__asan_report_load8) [0x5de0c6286988] /media/test/ruby/build/ruby(set_i_initialize+0x4c0) [0x5de0c6510d40] /media/test/ruby/build/../set.c:502 /media/test/ruby/build/ruby(vm_call0_cfunc_with_frame+0x280) [0x5de0c6658bb2] ../vm_eval.c:164 /media/test/ruby/build/ruby(vm_call0_cfunc) ../vm_eval.c:178 /media/test/ruby/build/ruby(vm_call0_body) ../vm_eval.c:229 /media/test/ruby/build/ruby(vm_call0_cc+0x141) [0x5de0c665c444] ../vm_eval.c:101 /media/test/ruby/build/ruby(rb_call0) ../vm_eval.c:554 /media/test/ruby/build/ruby(rb_funcallv_kw+0x86) [0x5de0c6613826] ../vm_eval.c:873 /media/test/ruby/build/ruby(rb_class_new_instance_pass_kw+0x35) [0x5de0c63edc55] /media/test/ruby/build/../object.c:2203 /media/test/ruby/build/ruby(vm_cfp_consistent_p+0x0) [0x5de0c6646b3c] ../vm_insnhelper.c:3797 /media/test/ruby/build/ruby(vm_call_cfunc_with_frame_) ../vm_insnhelper.c:3799 /media/test/ruby/build/ruby(vm_call_method_each_type+0x264) [0x5de0c662f4e4] ../vm_insnhelper.c:4775 ./ruby(vm_call_method+0x2d4) [0x5de0c662efd4] /media/test/ruby/build/ruby(vm_sendish+0x10e) [0x5de0c65f7f99] ../vm_insnhelper.c:5972 /media/test/ruby/build/ruby(vm_exec_core) ../insns.def:851 ./ruby(vm_exec_loop+0x0) [0x5de0c65eda48] /media/test/ruby/build/ruby(rb_vm_exec) /media/test/ruby/build/../vm.c:2621 /media/test/ruby/build/ruby(rb_ec_exec_node+0x53) [0x5de0c62bfce1] /media/test/ruby/build/../eval.c:281 /media/test/ruby/build/ruby(ruby_run_node) /media/test/ruby/build/../eval.c:319 /media/test/ruby/build/ruby(rb_main+0x29) [0x5de0c62bb3a1] /media/test/ruby/build/../main.c:42 /media/test/ruby/build/ruby(main) /media/test/ruby/build/../main.c:62 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x77f098629d90] ../sysdeps/nptl/libc_start_call_main.h:58 
/lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x77f098629e40] ../csu/libc-start.c:392
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:379
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0
./ruby(_start) [0x5de0c61e3d55]

-- Other runtime information -----------------------------------------------

* Loaded script: ../triaged/set_initialize.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 fiber.so
    3 rational.so
    4 complex.so
    5 ruby2_keywords.rb
    6 set.rb
```

--
https://bugs.ruby-lang.org/
[ruby-core:121808] [Ruby Bug#21305] heap-use-after-free of set#merge via mutating hash method
by cyruscyliu (Qiang Liu) 03 May '25

Issue #21305 has been reported by cyruscyliu (Qiang Liu).

----------------------------------------
Bug #21305: heap-use-after-free of set#merge via mutating hash method
https://bugs.ruby-lang.org/issues/21305

* Author: cyruscyliu (Qiang Liu)
* Status: Open
* ruby -v: 3.5.0
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
Hi, we found a heap-use-after-free of set#merge via mutating hash method. Here is the PoC.

```
class C
  def hash
    $a.clear
    return 0
  end
end

$a = (1..100).to_a
$a.insert(0, C.new)
$b = Set.new([])
$b.merge($a)
```

Calling Set#merge on a set with an object whose hash method mutates the array causes memory corruption. In this case, C#hash clears $a while Set#merge is iterating over it, breaking internal state and potentially leading to a crash.

To reproduce, compile the recent Ruby with ASAN, and run the PoC.

```
$ git log | head -n3
commit 36c64b3be83f17992137d63ffd0b94f90e24424a
Author: John Hawthorn <john(a)hawthorn.email>
Date: Fri Apr 11 16:02:23 2025 -070
`RubyGems' were not loaded.
`error_highlight' was not loaded.
`did_you_mean' was not loaded.
`syntax_suggest' was not loaded.
================================================================= ==106456==ERROR: AddressSanitizer: heap-use-after-free on address 0x51900000dc88 at pc 0x5c83c02ed8b8 bp 0x7fff8201f1b0 sp 0x7fff8201f1a8 READ of size 8 at 0x51900000dc88 thread T0 #0 0x5c83c02ed8b7 in set_merge_enum_into /media/test/ruby/build/../set.c:1126:13 #1 0x5c83c02eb51f in set_i_merge /media/test/ruby/build/../set.c:1156:9 #2 0x5c83c041eb3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #3 0x5c83c04074e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #4 0x5c83c0406fd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #5 0x5c83c03cd1d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #6 0x5c83c03cd1d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #7 0x5c83c03c5a47 in rb_vm_exec /media/test/ruby/build/../vm.c #8 0x5c83c0097ce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #9 0x5c83c0097ce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #10 0x5c83c00933a0 in rb_main /media/test/ruby/build/../main.c:42:12 #11 0x5c83c00933a0 in main /media/test/ruby/build/../main.c:62:12 #12 0x72c910229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #13 0x72c910229e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #14 0x5c83bffbbd54 in _start (/media/test/ruby/build/ruby+0x148d54) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) 0x51900000dc88 is located 8 bytes inside of 1024-byte region [0x51900000dc80,0x51900000e080) freed by thread T0 here: #0 0x5c83c005637c in realloc (/media/test/ruby/build/ruby+0x1e337c) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) #1 0x5c83c00f8acb in rb_gc_impl_realloc /media/test/ruby/build/../gc/default/default.c:8330:5 #2 0x5c83c00d5fd9 in ruby_sized_xrealloc2_body /media/test/ruby/build/../gc.c:4772:12 #3 0x5c83c00d5fd9 in ruby_sized_xrealloc2 /media/test/ruby/build/../gc.c:4765:34 #4 0x5c83c00d5fd9 in ruby_xrealloc2 
/media/test/ruby/build/../gc.c:4778:12 #5 0x5c83c0485d64 in ary_heap_realloc /media/test/ruby/build/../array.c:370:5 #6 0x5c83c0485d64 in ary_resize_capa /media/test/ruby/build/../array.c:412:24 #7 0x5c83c048d663 in rb_ary_clear /media/test/ruby/build/../array.c:4750:13 #8 0x5c83c041eb3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #9 0x5c83c04074e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #10 0x5c83c0406fd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #11 0x5c83c03cd1d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #12 0x5c83c03cd1d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #13 0x5c83c03c5a47 in rb_vm_exec /media/test/ruby/build/../vm.c #14 0x5c83c04308ed in vm_call0_body /media/test/ruby/build/../vm_eval.c:225:20 #15 0x5c83c03eb3bb in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #16 0x5c83c03eb3bb in rb_funcallv_scope /media/test/ruby/build/../vm_eval.c:1047:16 #17 0x5c83c03f3471 in vm_catch_protect /media/test/ruby/build/../vm_eval.c:2612:15 #18 0x5c83c03548b5 in exec_recursive /media/test/ruby/build/../thread.c:5300:22 #19 0x5c83c0100fd3 in obj_any_hash /media/test/ruby/build/../hash.c:238:16 #20 0x5c83c0100cf2 in any_hash /media/test/ruby/build/../hash.c:207:16 #21 0x5c83c02e3c42 in set_do_hash /media/test/ruby/build/../st.c:2349:33 #22 0x5c83c02e3c42 in rb_set_insert /media/test/ruby/build/../st.c:2892:18 #23 0x5c83c02ed75b in set_table_insert_wb /media/test/ruby/build/../set.c:378:15 #24 0x5c83c02ed75b in set_merge_enum_into /media/test/ruby/build/../set.c:1126:13 #25 0x5c83c02eb51f in set_i_merge /media/test/ruby/build/../set.c:1156:9 #26 0x5c83c041eb3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #27 0x5c83c04074e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #28 0x5c83c0406fd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #29 0x5c83c03cd1d8 in 
vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #30 0x5c83c03cd1d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #31 0x5c83c03c5a47 in rb_vm_exec /media/test/ruby/build/../vm.c #32 0x5c83c0097ce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #33 0x5c83c0097ce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #34 0x5c83c00933a0 in rb_main /media/test/ruby/build/../main.c:42:12 #35 0x5c83c00933a0 in main /media/test/ruby/build/../main.c:62:12 #36 0x72c910229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 previously allocated by thread T0 here: #0 0x5c83c005637c in realloc (/media/test/ruby/build/ruby+0x1e337c) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) #1 0x5c83c00f8acb in rb_gc_impl_realloc /media/test/ruby/build/../gc/default/default.c:8330:5 #2 0x5c83c00d5fd9 in ruby_sized_xrealloc2_body /media/test/ruby/build/../gc.c:4772:12 #3 0x5c83c00d5fd9 in ruby_sized_xrealloc2 /media/test/ruby/build/../gc.c:4765:34 #4 0x5c83c00d5fd9 in ruby_xrealloc2 /media/test/ruby/build/../gc.c:4778:12 #5 0x5c83c0485d64 in ary_heap_realloc /media/test/ruby/build/../array.c:370:5 #6 0x5c83c0485d64 in ary_resize_capa /media/test/ruby/build/../array.c:412:24 #7 0x5c83c048551b in ary_double_capa /media/test/ruby/build/../array.c:461:5 #8 0x5c83c048551b in ary_ensure_room_for_push /media/test/ruby/build/../array.c:620:9 #9 0x5c83c04850c4 in rb_ary_push /media/test/ruby/build/../array.c:1386:24 #10 0x5c83c0684eb9 in collect_all /media/test/ruby/build/../enum.c:636:5 #11 0x5c83c03c1803 in vm_yield_with_cfunc /media/test/ruby/build/../vm_insnhelper.c:5146:11 #12 0x5c83c04381f8 in invoke_block_from_c_bh /media/test/ruby/build/../vm.c:1667:16 #13 0x5c83c03ed02a in vm_yield_with_cref /media/test/ruby/build/../vm.c:1699:12 #14 0x5c83c03ed02a in vm_yield /media/test/ruby/build/../vm.c:1707:12 #15 0x5c83c03ed02a in rb_yield_0 /media/test/ruby/build/../vm_eval.c:1344:12 #16 0x5c83c03ed02a in rb_yield 
/media/test/ruby/build/../vm_eval.c #17 0x5c83c021cd87 in range_each_fixnum_loop /media/test/ruby/build/../range.c:1059:9 #18 0x5c83c021cd87 in range_each /media/test/ruby/build/../range.c:1096:16 #19 0x5c83c0430bb1 in vm_call0_cfunc_with_frame /media/test/ruby/build/../vm_eval.c:164:15 #20 0x5c83c0430bb1 in vm_call0_cfunc /media/test/ruby/build/../vm_eval.c:178:12 #21 0x5c83c0430bb1 in vm_call0_body /media/test/ruby/build/../vm_eval.c:229:15 #22 0x5c83c0434443 in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #23 0x5c83c0434443 in rb_call0 /media/test/ruby/build/../vm_eval.c:554:12 #24 0x5c83c03ee955 in rb_call /media/test/ruby/build/../vm_eval.c:873:12 #25 0x5c83c03ee955 in iterate_method /media/test/ruby/build/../vm_eval.c:1528:12 #26 0x5c83c03eef55 in rb_iterate0 /media/test/ruby/build/../vm_eval.c:1470:18 #27 0x5c83c03ee7c9 in rb_iterate_internal /media/test/ruby/build/../vm_eval.c:1502:12 #28 0x5c83c03ee7c9 in rb_block_call_kw /media/test/ruby/build/../vm_eval.c:1551:12 #29 0x5c83c067fb7b in enum_to_a /media/test/ruby/build/../enum.c:735:5 #30 0x5c83c0430bb1 in vm_call0_cfunc_with_frame /media/test/ruby/build/../vm_eval.c:164:15 #31 0x5c83c0430bb1 in vm_call0_cfunc /media/test/ruby/build/../vm_eval.c:178:12 #32 0x5c83c0430bb1 in vm_call0_body /media/test/ruby/build/../vm_eval.c:229:15 #33 0x5c83c03e9076 in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #34 0x5c83c03e9076 in rb_vm_call0 /media/test/ruby/build/../vm_eval.c:61:12 #35 0x5c83c03e9076 in rb_vm_call_kw /media/test/ruby/build/../vm_eval.c:326:12 #36 0x5c83c03e9076 in vm_call_super /media/test/ruby/build/../vm_eval.c:350:12 #37 0x5c83c03e9076 in rb_call_super_kw /media/test/ruby/build/../vm_eval.c:358:12 #38 0x5c83c041eb3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #39 0x5c83c04074e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #40 0x5c83c0406fd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #41 
0x5c83c03cd1d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #42 0x5c83c03cd1d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #43 0x5c83c03c5a47 in rb_vm_exec /media/test/ruby/build/../vm.c #44 0x5c83c0097ce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #45 0x5c83c0097ce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #46 0x5c83c00933a0 in rb_main /media/test/ruby/build/../main.c:42:12 #47 0x5c83c00933a0 in main /media/test/ruby/build/../main.c:62:12 #48 0x72c910229d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SUMMARY: AddressSanitizer: heap-use-after-free /media/test/ruby/build/../set.c:1126:13 in set_merge_enum_into Shadow bytes around the buggy address: 0x51900000da00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51900000da80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x51900000db00: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa 0x51900000db80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51900000dc00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x51900000dc80: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000dd00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000dd80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000de00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000de80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x51900000df00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==106456==ABORTING ../triaged/set_merge.rb:11: [BUG] 
ASAN error ruby 3.5.0dev (2025-05-02T21:28:25Z master 36c64b3be8) +PRISM [x86_64-linux] -- Control frame information ----------------------------------------------- c:0003 p:---- s:0011 e:000010 CFUNC :merge c:0002 p:0060 s:0006 e:000005 EVAL ../triaged/set_merge.rb:11 [FINISH] c:0001 p:0000 s:0003 E:000540 DUMMY [FINISH] -- Ruby level backtrace information ---------------------------------------- ../triaged/set_merge.rb:11:in '<main>' ../triaged/set_merge.rb:11:in 'merge' -- Threading information --------------------------------------------------- Total ractor count: 1 Ruby thread count for this ractor: 1 -- C level backtrace information ------------------------------------------- ./ruby(___interceptor_backtrace) [0x5c83c0000006] /media/test/ruby/build/ruby(rb_print_backtrace+0x14) [0x5c83c074e337] /media/test/ruby/build/../vm_dump.c:839 /media/test/ruby/build/ruby(rb_vm_bugreport) /media/test/ruby/build/../vm_dump.c:1171 /media/test/ruby/build/ruby(rb_bug_without_die_internal+0x23c) [0x5c83c06a276c] /media/test/ruby/build/../error.c:1097 /media/test/ruby/build/ruby(rb_bug_without_die+0x127) [0x5c83c06a2487] /media/test/ruby/build/../error.c:1106 ./ruby(0x5c83c0079bc6) [0x5c83c0079bc6] ./ruby(0x5c83c005ac9f) [0x5c83c005ac9f] ./ruby(0x5c83c005dce5) [0x5c83c005dce5] ./ruby(__asan_report_load8) [0x5c83c005e988] /media/test/ruby/build/ruby(set_merge_enum_into+0x428) [0x5c83c02ed8b8] /media/test/ruby/build/../set.c:1126 /media/test/ruby/build/ruby(set_i_merge+0xa0) [0x5c83c02eb520] /media/test/ruby/build/../set.c:1156 /media/test/ruby/build/ruby(vm_cfp_consistent_p+0x0) [0x5c83c041eb3c] ../vm_insnhelper.c:3797 /media/test/ruby/build/ruby(vm_call_cfunc_with_frame_) ../vm_insnhelper.c:3799 /media/test/ruby/build/ruby(vm_call_method_each_type+0x264) [0x5c83c04074e4] ../vm_insnhelper.c:4775 ./ruby(vm_call_method+0x2d4) [0x5c83c0406fd4] /media/test/ruby/build/ruby(vm_sendish+0x1c8) [0x5c83c03cd1d9] ../vm_insnhelper.c:5972 /media/test/ruby/build/ruby(vm_exec_core) 
../insns.def:899
./ruby(vm_exec_loop+0x0) [0x5c83c03c5a48]
/media/test/ruby/build/ruby(rb_vm_exec) /media/test/ruby/build/../vm.c:2621
/media/test/ruby/build/ruby(rb_ec_exec_node+0x53) [0x5c83c0097ce1] /media/test/ruby/build/../eval.c:281
/media/test/ruby/build/ruby(ruby_run_node) /media/test/ruby/build/../eval.c:319
/media/test/ruby/build/ruby(rb_main+0x29) [0x5c83c00933a1] /media/test/ruby/build/../main.c:42
/media/test/ruby/build/ruby(main) /media/test/ruby/build/../main.c:62
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x72c910229d90] ../sysdeps/nptl/libc_start_call_main.h:58
/lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x72c910229e40] ../csu/libc-start.c:392
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:379
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0
./ruby(_start) [0x5c83bffbbd55]

-- Other runtime information -----------------------------------------------

* Loaded script: ../triaged/set_merge.rb

* Loaded features:

    0 enumerator.so
    1 thread.rb
    2 fiber.so
    3 rational.so
    4 complex.so
    5 ruby2_keywords.rb
    6 set.rb
```

--
https://bugs.ruby-lang.org/
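Reports #21306 and #21305 above share one pattern: native code walks an array's heap buffer while calling back into user code (a block, or an element's `hash` method) that resizes the array, so the loop keeps reading storage that `realloc` has released. The following is an added example, not code from the reports or from Ruby's source: a simplified C model of that pattern next to two hardened loops, covering both a shrinking and a growing resize. `vec_t`, `TRIGGER` and all function names are hypothetical.

```c
/* Added example: a simplified model of the bug class, NOT Ruby's set.c or
 * array.c. vec_t and every function name below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TRIGGER (-1L)  /* constructed sentinel: the element whose callback mutates */

typedef struct { long *ptr; size_t len, capa; } vec_t;
typedef void (*elem_cb)(vec_t *v, long elem);

/* Resize the backing buffer; like any realloc, this may move or free it. */
static void vec_resize_capa(vec_t *v, size_t capa) {
    long *p = realloc(v->ptr, (capa ? capa : 1) * sizeof *p);
    if (!p) abort();
    v->ptr = p;
    v->capa = capa ? capa : 1;
}

static void vec_push(vec_t *v, long x) {
    if (v->len == v->capa) vec_resize_capa(v, v->capa ? v->capa * 2 : 4);
    v->ptr[v->len++] = x;
}

static void vec_clear(vec_t *v) {
    v->len = 0;
    vec_resize_capa(v, 1);  /* shrinking releases the old buffer */
}

/* VULNERABLE: pointer and length are read once, then user code runs.
 * If cb() resizes v, p dangles and n is stale. */
size_t visit_cached(vec_t *v, elem_cb cb) {
    long *p = v->ptr;
    size_t n = v->len, visited = 0;
    for (size_t i = 0; i < n; i++) {
        cb(v, p[i]);  /* use-after-free from i == 1 on, once cb resized v */
        visited++;
    }
    return visited;
}

/* Hardened (a): re-read length and base pointer on every iteration. */
size_t visit_checked(vec_t *v, elem_cb cb) {
    size_t visited = 0;
    for (size_t i = 0; i < v->len; i++) {
        long e = v->ptr[i];  /* copy the element out before user code runs */
        cb(v, e);
        visited++;
    }
    return visited;
}

/* Hardened (b): iterate a private snapshot that user code cannot resize. */
size_t visit_snapshot(vec_t *v, elem_cb cb) {
    size_t n = v->len, visited = 0;
    long *copy = malloc((n ? n : 1) * sizeof *copy);
    if (!copy) abort();
    if (n) memcpy(copy, v->ptr, n * sizeof *copy);
    for (size_t i = 0; i < n; i++) {
        cb(v, copy[i]);
        visited++;
    }
    free(copy);
    return visited;
}

/* User callbacks: one shrinks the array, one grows it, both mid-iteration. */
void cb_clear(vec_t *v, long e) { if (e == TRIGGER) vec_clear(v); }
void cb_grow(vec_t *v, long e) {
    if (e == TRIGGER) for (long i = 1; i <= 1000; i++) vec_push(v, i);
}

/* Build [TRIGGER, 1..n], run one visitor, return how many elements it saw. */
size_t run_case(size_t (*visit)(vec_t *, elem_cb), elem_cb cb, long n) {
    vec_t v = {0};
    vec_push(&v, TRIGGER);
    for (long i = 1; i <= n; i++) vec_push(&v, i);
    size_t visited = visit(&v, cb);
    free(v.ptr);
    return visited;
}

int main(void) {
    printf("checked,  clear: %zu\n", run_case(visit_checked, cb_clear, 100));
    printf("checked,  grow:  %zu\n", run_case(visit_checked, cb_grow, 10));
    printf("snapshot, clear: %zu\n", run_case(visit_snapshot, cb_clear, 100));
    printf("snapshot, grow:  %zu\n", run_case(visit_snapshot, cb_grow, 10));
#ifdef DEMO_UNSAFE  /* with -fsanitize=address this reports heap-use-after-free */
    run_case(visit_cached, cb_clear, 100);
#endif
    return 0;
}
```

Variant (a) follows the array as it changes, stopping early after a clear and visiting appended elements, while variant (b) visits exactly the elements present when iteration started. In a garbage-collected runtime a snapshot must also keep its elements reachable for the duration of the loop.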
[ruby-core:121807] [Ruby Bug#21304] heap-use-after-free of Array#hash via mutating hash method
by cyruscyliu (Qiang Liu) 03 May '25

Issue #21304 has been reported by cyruscyliu (Qiang Liu).

----------------------------------------
Bug #21304: heap-use-after-free of Array#hash via mutating hash method
https://bugs.ruby-lang.org/issues/21304

* Author: cyruscyliu (Qiang Liu)
* Status: Open
* ruby -v: 3.5.0
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
Hi, we found a heap-use-after-free of Array#hash via mutating hash method. Here is the PoC.

```
class C
  def hash()
    puts $a
    $a.push(*1..100000)
    return 0
  end
end

c = C.new
$a = [c]
$a.push(*1..10)
$a.hash
puts "!"
puts $a
```

Calling Array#hash on an array containing an object whose hash method mutates the array causes memory corruption. In this example, C#hash appends a large number of elements to $a while Array#hash is iterating over it, leading to inconsistent internal state and potentially a crash.

To reproduce, compile the recent Ruby with ASAN, and run the PoC.

```
$ git log | head -n3
commit 36c64b3be83f17992137d63ffd0b94f90e24424a
Author: John Hawthorn <john(a)hawthorn.email>
Date: Fri Apr 11 16:02:23 2025 -070
$ ./ruby ../triaged/array_hash.rb
`RubyGems' were not loaded.
`error_highlight' was not loaded.
`did_you_mean' was not loaded.
`syntax_suggest' was not loaded.
#<C:0x000071c87a142f30> 1 2 3 4 5 6 7 8 9 10 ================================================================= ==105169==ERROR: AddressSanitizer: heap-use-after-free on address 0x511000009c88 at pc 0x601bf620302b bp 0x7ffd48775e70 sp 0x7ffd48775e68 READ of size 8 at 0x511000009c88 thread T0 #0 0x601bf620302a in rb_ary_hash_values /media/test/ruby/build/../array.c:5334:21 #1 0x601bf6193b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #2 0x601bf617c4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #3 0x601bf617bfd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #4 0x601bf61421d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #5 0x601bf61421d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #6 0x601bf613aa47 in rb_vm_exec /media/test/ruby/build/../vm.c #7 0x601bf5e0cce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #8 0x601bf5e0cce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #9 0x601bf5e083a0 in rb_main /media/test/ruby/build/../main.c:42:12 #10 0x601bf5e083a0 in main /media/test/ruby/build/../main.c:62:12 #11 0x71c87a629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #12 0x71c87a629e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #13 0x601bf5d30d54 in _start (/media/test/ruby/build/ruby+0x148d54) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) 0x511000009c88 is located 8 bytes inside of 216-byte region [0x511000009c80,0x511000009d58) freed by thread T0 here: #0 0x601bf5dcb37c in realloc (/media/test/ruby/build/ruby+0x1e337c) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) #1 0x601bf5e6dacb in rb_gc_impl_realloc /media/test/ruby/build/../gc/default/default.c:8330:5 #2 0x601bf5e4afd9 in ruby_sized_xrealloc2_body /media/test/ruby/build/../gc.c:4772:12 #3 0x601bf5e4afd9 in ruby_sized_xrealloc2 /media/test/ruby/build/../gc.c:4765:34 #4 0x601bf5e4afd9 in ruby_xrealloc2 
/media/test/ruby/build/../gc.c:4778:12 #5 0x601bf61fad64 in ary_heap_realloc /media/test/ruby/build/../array.c:370:5 #6 0x601bf61fad64 in ary_resize_capa /media/test/ruby/build/../array.c:412:24 #7 0x601bf61fa51b in ary_double_capa /media/test/ruby/build/../array.c:461:5 #8 0x601bf61fa51b in ary_ensure_room_for_push /media/test/ruby/build/../array.c:620:9 #9 0x601bf6208ba7 in rb_ary_cat /media/test/ruby/build/../array.c:1399:24 #10 0x601bf6208ba7 in rb_ary_push_m /media/test/ruby/build/../array.c:1426:12 #11 0x601bf6193b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #12 0x601bf61421d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #13 0x601bf61421d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #14 0x601bf613aa47 in rb_vm_exec /media/test/ruby/build/../vm.c #15 0x601bf61a58ed in vm_call0_body /media/test/ruby/build/../vm_eval.c:225:20 #16 0x601bf61603bb in vm_call0_cc /media/test/ruby/build/../vm_eval.c:101:12 #17 0x601bf61603bb in rb_funcallv_scope /media/test/ruby/build/../vm_eval.c:1047:16 #18 0x601bf6168471 in vm_catch_protect /media/test/ruby/build/../vm_eval.c:2612:15 #19 0x601bf60c98b5 in exec_recursive /media/test/ruby/build/../thread.c:5300:22 #20 0x601bf5e75fd3 in obj_any_hash /media/test/ruby/build/../hash.c:238:16 #21 0x601bf5e75cf2 in any_hash /media/test/ruby/build/../hash.c:207:16 #22 0x601bf5e7621f in rb_hash /media/test/ruby/build/../hash.c:269:21 #23 0x601bf6202fda in rb_ary_hash_values /media/test/ruby/build/../array.c:5334:13 #24 0x601bf6193b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #25 0x601bf617c4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #26 0x601bf617bfd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #27 0x601bf61421d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #28 0x601bf61421d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #29 0x601bf613aa47 in 
rb_vm_exec /media/test/ruby/build/../vm.c #30 0x601bf5e0cce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #31 0x601bf5e0cce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #32 0x601bf5e083a0 in rb_main /media/test/ruby/build/../main.c:42:12 #33 0x601bf5e083a0 in main /media/test/ruby/build/../main.c:62:12 #34 0x71c87a629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 previously allocated by thread T0 here: #0 0x601bf5dcaf8f in malloc (/media/test/ruby/build/ruby+0x1e2f8f) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) #1 0x601bf5e6cde5 in rb_gc_impl_malloc /media/test/ruby/build/../gc/default/default.c:8240:5 #2 0x601bf5e4ac51 in ruby_xmalloc2_body /media/test/ruby/build/../gc.c:4713:12 #3 0x601bf5e4ac51 in ruby_xmalloc2 /media/test/ruby/build/../gc.c:4707:34 #4 0x601bf61fae7f in ary_heap_alloc_buffer /media/test/ruby/build/../array.c:351:12 #5 0x601bf61fae7f in ary_resize_capa /media/test/ruby/build/../array.c:404:26 #6 0x601bf61fa51b in ary_double_capa /media/test/ruby/build/../array.c:461:5 #7 0x601bf61fa51b in ary_ensure_room_for_push /media/test/ruby/build/../array.c:620:9 #8 0x601bf6208ba7 in rb_ary_cat /media/test/ruby/build/../array.c:1399:24 #9 0x601bf6208ba7 in rb_ary_push_m /media/test/ruby/build/../array.c:1426:12 #10 0x601bf6193b3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #11 0x601bf617c4e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #12 0x601bf617bfd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #13 0x601bf61421d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #14 0x601bf61421d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #15 0x601bf613aa47 in rb_vm_exec /media/test/ruby/build/../vm.c #16 0x601bf5e0cce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #17 0x601bf5e0cce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #18 0x601bf5e083a0 in rb_main 
/media/test/ruby/build/../main.c:42:12 #19 0x601bf5e083a0 in main /media/test/ruby/build/../main.c:62:12 #20 0x71c87a629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 SUMMARY: AddressSanitizer: heap-use-after-free /media/test/ruby/build/../array.c:5334:21 in rb_ary_hash_values Shadow bytes around the buggy address: 0x511000009a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x511000009a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x511000009b00: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x511000009b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x511000009c00: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa =>0x511000009c80: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x511000009d00: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa 0x511000009d80: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00 0x511000009e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x511000009e80: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 0x511000009f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==105169==ABORTING ../triaged/array_hash.rb:12: [BUG] ASAN error ruby 3.5.0dev (2025-05-02T21:28:25Z master 36c64b3be8) +PRISM [x86_64-linux] -- Control frame information ----------------------------------------------- c:0003 p:---- s:0011 e:000010 CFUNC :hash c:0002 p:0044 s:0007 E:000e48 EVAL ../triaged/array_hash.rb:12 [FINISH] c:0001 p:0000 s:0003 E:000540 DUMMY [FINISH] -- Ruby level backtrace information ---------------------------------------- 
../triaged/array_hash.rb:12:in '<main>' ../triaged/array_hash.rb:12:in 'hash' -- Threading information --------------------------------------------------- Total ractor count: 1 Ruby thread count for this ractor: 1 -- C level backtrace information ------------------------------------------- ./ruby(___interceptor_backtrace) [0x601bf5d75006] /media/test/ruby/build/ruby(rb_print_backtrace+0x14) [0x601bf64c3337] /media/test/ruby/build/../vm_dump.c:839 /media/test/ruby/build/ruby(rb_vm_bugreport) /media/test/ruby/build/../vm_dump.c:1171 /media/test/ruby/build/ruby(rb_bug_without_die_internal+0x23c) [0x601bf641776c] /media/test/ruby/build/../error.c:1097 /media/test/ruby/build/ruby(rb_bug_without_die+0x127) [0x601bf6417487] /media/test/ruby/build/../error.c:1106 ./ruby(0x601bf5deebc6) [0x601bf5deebc6] ./ruby(0x601bf5dcfc9f) [0x601bf5dcfc9f] ./ruby(0x601bf5dd2ce5) [0x601bf5dd2ce5] ./ruby(__asan_report_load8) [0x601bf5dd3988] /media/test/ruby/build/ruby(rb_ary_hash_values+0xcb) [0x601bf620302b] /media/test/ruby/build/../array.c:5334 /media/test/ruby/build/ruby(vm_cfp_consistent_p+0x0) [0x601bf6193b3c] ../vm_insnhelper.c:3797 /media/test/ruby/build/ruby(vm_call_cfunc_with_frame_) ../vm_insnhelper.c:3799 /media/test/ruby/build/ruby(vm_call_method_each_type+0x264) [0x601bf617c4e4] ../vm_insnhelper.c:4775 ./ruby(vm_call_method+0x2d4) [0x601bf617bfd4] /media/test/ruby/build/ruby(vm_sendish+0x1c8) [0x601bf61421d9] ../vm_insnhelper.c:5972 /media/test/ruby/build/ruby(vm_exec_core) ../insns.def:899 ./ruby(vm_exec_loop+0x0) [0x601bf613aa48] /media/test/ruby/build/ruby(rb_vm_exec) /media/test/ruby/build/../vm.c:2621 /media/test/ruby/build/ruby(rb_ec_exec_node+0x53) [0x601bf5e0cce1] /media/test/ruby/build/../eval.c:281 /media/test/ruby/build/ruby(ruby_run_node) /media/test/ruby/build/../eval.c:319 /media/test/ruby/build/ruby(rb_main+0x29) [0x601bf5e083a1] /media/test/ruby/build/../main.c:42 /media/test/ruby/build/ruby(main) /media/test/ruby/build/../main.c:62 
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x71c87a629d90] ../sysdeps/nptl/libc_start_call_main.h:58 /lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x71c87a629e40] ../csu/libc-start.c:392 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:379 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0 ./ruby(_start) [0x601bf5d30d55] -- Other runtime information ----------------------------------------------- * Loaded script: ../triaged/array_hash.rb * Loaded features: 0 enumerator.so 1 thread.rb 2 fiber.so 3 rational.so 4 complex.so 5 ruby2_keywords.rb 6 set.rb ``` -- https://bugs.ruby-lang.org/
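The failure shape reported in Bug #21304 above (a per-element callback reallocates the buffer that a C loop is still walking), modelled in plain C as an added example. This is not CRuby's code or its fix: `vec`, `hash_cached`, `hash_reloading` and the callbacks are constructed names, and the mitigation shown, re-reading pointer and length after every callback, is an assumption about one common way to harden such a loop.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for an interpreter array: heap buffer plus length. */
typedef struct vec { long *ptr; size_t len, cap; } vec;

/* Per-element callback; like a user-defined #hash it may mutate `owner`. */
typedef uint64_t (*elem_cb)(vec *owner, long elem);

#define SENTINEL (-1L) /* marks the element whose callback mutates the array */

static int vec_push(vec *v, long x)
{
    if (v->len == v->cap) {
        size_t ncap = v->cap ? v->cap * 2 : 4;
        long *p = realloc(v->ptr, ncap * sizeof *p); /* may free the old buffer */
        if (!p) return -1;
        v->ptr = p;
        v->cap = ncap;
    }
    v->ptr[v->len++] = x;
    return 0;
}

static void vec_clear(vec *v)
{
    free(v->ptr);
    v->ptr = NULL;
    v->len = v->cap = 0;
}

/* Unsafe shape, kept for contrast and never called here: the buffer pointer
 * and length are captured once, before any callback has run. */
uint64_t hash_cached(vec *v, elem_cb cb)
{
    const long *p = v->ptr;
    size_t n = v->len;
    uint64_t acc = n;
    for (size_t i = 0; i < n; i++)
        acc = acc * 31 + cb(v, p[i]); /* p dangles once cb() reallocates */
    return acc;
}

/* Hardened shape: copy the element out before the callback, then re-read
 * v->len and v->ptr on every iteration so a grown, moved or emptied buffer
 * is never accessed through stale state. */
uint64_t hash_reloading(vec *v, elem_cb cb, size_t *visited)
{
    uint64_t acc = v->len;
    size_t i;
    for (i = 0; i < v->len; i++) {
        long e = v->ptr[i];
        acc = acc * 31 + cb(v, e);
    }
    *visited = i;
    return acc;
}

/* Callback that appends 1000 elements, forcing a reallocation. */
static uint64_t cb_grow(vec *owner, long e)
{
    if (e == SENTINEL)
        for (long k = 1; k <= 1000; k++)
            vec_push(owner, k);
    return (uint64_t)e;
}

/* Callback that empties the array and frees its buffer. */
static uint64_t cb_clear(vec *owner, long e)
{
    if (e == SENTINEL)
        vec_clear(owner);
    return (uint64_t)e;
}

/* Build [SENTINEL, 1..n], hash it with the hardened loop, report how many
 * elements the loop visited. */
static size_t run(size_t n, elem_cb cb)
{
    vec v = {0};
    size_t visited = 0;
    vec_push(&v, SENTINEL);
    for (long k = 1; k <= (long)n; k++)
        vec_push(&v, k);
    hash_reloading(&v, cb, &visited);
    vec_clear(&v);
    return visited;
}

size_t demo_grow(void)  { return run(10, cb_grow); }  /* 11 elements, then +1000 */
size_t demo_clear(void) { return run(99, cb_clear); } /* cleared by element 0 */

int main(void)
{
    printf("grow:  visited %zu elements\n", demo_grow());
    printf("clear: visited %zu elements\n", demo_clear());
    return 0;
}
```

Building this with `-fsanitize=address` keeps the hardened path clean in both scenarios; the loop simply follows whatever length the array has after each callback.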
[ruby-core:121806] [Ruby Bug#21303] heap-buffer-overflow of Array#difference via mutating hash method
by cyruscyliu (Qiang Liu) 03 May '25

Issue #21303 has been reported by cyruscyliu (Qiang Liu).

----------------------------------------
Bug #21303: heap-buffer-overflow of Array#difference via mutating hash method
https://bugs.ruby-lang.org/issues/21303

* Author: cyruscyliu (Qiang Liu)
* Status: Open
* ruby -v: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-gnu]
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
Hi, we found a heap-buffer-overflow of Array#difference via mutating hash method. Here is the PoC.

```
class C
  def hash
    $a.clear
    return 0
  end

  def eql?(other)
    return true
  end
end

$b = (1..20).to_a
$a = (1..10000).to_a
$a.push(C.new)
$a.difference($b, $b)
```

Specifically, calling Array#difference on an array with an object whose hash method mutates the array causes memory corruption. Here, C#hash clears $a while difference is iterating over it, breaking internal invariants and leading to a crash or invalid memory access.

To reproduce, compile the recent Ruby with ASAN, and run the PoC.

```
$ ruby -v
ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux-gnu]
$ ruby array_difference.rb
`RubyGems' were not loaded.
`error_highlight' was not loaded.
`did_you_mean' was not loaded.
`syntax_suggest' was not loaded.
================================================================= ==88761==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x51100001d500 at pc 0x598237a7f324 bp 0x7ffc9d9f0150 sp 0x7ffc9d9f0148 READ of size 8 at 0x51100001d500 thread T0 #0 0x598237a7f323 in RARRAY_AREF /media/test/ruby/build/../internal/array.h:147:11 #1 0x598237a7f323 in rb_ary_difference_multi /media/test/ruby/build/../array.c:5616:52 #2 0x598237a0ab3b in vm_call_cfunc_with_frame_ /media/test/ruby/build/../vm_insnhelper.c:3797:11 #3 0x5982379f34e3 in vm_call_method_each_type /media/test/ruby/build/../vm_insnhelper.c:4775:16 #4 0x5982379f2fd3 in vm_call_method /media/test/ruby/build/../vm_insnhelper.c #5 0x5982379b91d8 in vm_sendish /media/test/ruby/build/../vm_insnhelper.c:5972:15 #6 0x5982379b91d8 in vm_exec_core /media/test/ruby/build/../insns.def:899:11 #7 0x5982379b1a47 in rb_vm_exec /media/test/ruby/build/../vm.c #8 0x598237683ce0 in rb_ec_exec_node /media/test/ruby/build/../eval.c:281:9 #9 0x598237683ce0 in ruby_run_node /media/test/ruby/build/../eval.c:319:30 #10 0x59823767f3a0 in rb_main /media/test/ruby/build/../main.c:42:12 #11 0x59823767f3a0 in main /media/test/ruby/build/../main.c:62:12 #12 0x7f619c429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16 #13 0x7f619c429e3f in __libc_start_main csu/../csu/libc-start.c:392:3 #14 0x5982375a7d54 in _start (/media/test/ruby/build/ruby+0x148d54) (BuildId: 58c97094e0527fad484552e230da980d80ffa516) Address 0x51100001d500 is a wild pointer inside of access range of size 0x000000000008. 
SUMMARY: AddressSanitizer: heap-buffer-overflow /media/test/ruby/build/../internal/array.h:147:11 in RARRAY_AREF Shadow bytes around the buggy address: 0x51100001d280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d380: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x51100001d500:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x51100001d780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==88761==ABORTING ../triaged/array_difference.rb:16: [BUG] ASAN error ruby 3.5.0dev (2025-05-02T21:28:25Z master 36c64b3be8) +PRISM [x86_64-linux] -- Control frame information ----------------------------------------------- c:0003 p:---- s:0012 e:000011 CFUNC :difference c:0002 p:0048 s:0006 e:000005 EVAL ../triaged/array_difference.rb:16 [FINISH] c:0001 p:0000 s:0003 E:000540 DUMMY [FINISH] -- Ruby level backtrace information ---------------------------------------- ../triaged/array_difference.rb:16:in '<main>' ../triaged/array_difference.rb:16:in 'difference' -- Threading information --------------------------------------------------- Total 
ractor count: 1 Ruby thread count for this ractor: 1 -- C level backtrace information ------------------------------------------- ./ruby(___interceptor_backtrace) [0x5982375ec006] /media/test/ruby/build/ruby(rb_print_backtrace+0x14) [0x598237d3a337] /media/test/ruby/build/../vm_dump.c:839 /media/test/ruby/build/ruby(rb_vm_bugreport) /media/test/ruby/build/../vm_dump.c:1171 /media/test/ruby/build/ruby(rb_bug_without_die_internal+0x23c) [0x598237c8e76c] /media/test/ruby/build/../error.c:1097 /media/test/ruby/build/ruby(rb_bug_without_die+0x127) [0x598237c8e487] /media/test/ruby/build/../error.c:1106 ./ruby(0x598237665bc6) [0x598237665bc6] ./ruby(0x598237646c9f) [0x598237646c9f] ./ruby(0x598237649ce5) [0x598237649ce5] ./ruby(__asan_report_load8) [0x59823764a988] /media/test/ruby/build/ruby(rb_ary_difference_multi+0xb64) [0x598237a7f324] ../internal/array.h:147 /media/test/ruby/build/ruby(vm_cfp_consistent_p+0x0) [0x598237a0ab3c] ../vm_insnhelper.c:3797 /media/test/ruby/build/ruby(vm_call_cfunc_with_frame_) ../vm_insnhelper.c:3799 /media/test/ruby/build/ruby(vm_call_method_each_type+0x264) [0x5982379f34e4] ../vm_insnhelper.c:4775 ./ruby(vm_call_method+0x2d4) [0x5982379f2fd4] /media/test/ruby/build/ruby(vm_sendish+0x1c8) [0x5982379b91d9] ../vm_insnhelper.c:5972 /media/test/ruby/build/ruby(vm_exec_core) ../insns.def:899 ./ruby(vm_exec_loop+0x0) [0x5982379b1a48] /media/test/ruby/build/ruby(rb_vm_exec) /media/test/ruby/build/../vm.c:2621 /media/test/ruby/build/ruby(rb_ec_exec_node+0x53) [0x598237683ce1] /media/test/ruby/build/../eval.c:281 /media/test/ruby/build/ruby(ruby_run_node) /media/test/ruby/build/../eval.c:319 /media/test/ruby/build/ruby(rb_main+0x29) [0x59823767f3a1] /media/test/ruby/build/../main.c:42 /media/test/ruby/build/ruby(main) /media/test/ruby/build/../main.c:62 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x7f619c429d90] ../sysdeps/nptl/libc_start_call_main.h:58 /lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x7f619c429e40] 
../csu/libc-start.c:392 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:379 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0 ./ruby(_start) [0x5982375a7d55] -- Other runtime information ----------------------------------------------- * Loaded script: ../triaged/array_difference.rb * Loaded features: 0 enumerator.so 1 thread.rb 2 fiber.so 3 rational.so 4 complex.so 5 ruby2_keywords.rb 6 set.rb ``` -- https://bugs.ruby-lang.org/
[ruby-core:121798] [Ruby Feature#21300] Suggestion: Method for Array truncation
by sigsys (Math Ieu) 02 May '25

Issue #21300 has been reported by sigsys (Math Ieu).

----------------------------------------
Feature #21300: Suggestion: Method for Array truncation
https://bugs.ruby-lang.org/issues/21300

* Author: sigsys (Math Ieu)
* Status: Open
----------------------------------------
`#pop(n)` and `#slice!(...)` can be used for truncation, but they both allocate a new array for the deleted elements (unless you do it one at a time with `#pop()`...), which is not always needed.

I propose adding a `#size=` method for truncating without allocating a new array:

```
a = [10, 20, 30]
a.size = 2
a # [10, 20]
```

Growing the array could be allowed as well...

```
a = [10, 20]
a.size = 4
a # [10, 20, nil, nil]
```

--
https://bugs.ruby-lang.org/
[ruby-core:121792] [Ruby Misc#21299] Proposal: Remove Continuation Feature from Ruby Core
by ianks (Ian Ker-Seymer) 01 May '25

Issue #21299 has been reported by ianks (Ian Ker-Seymer).

----------------------------------------
Misc #21299: Proposal: Remove Continuation Feature from Ruby Core
https://bugs.ruby-lang.org/issues/21299

* Author: ianks (Ian Ker-Seymer)
* Status: Open
* Assignee: ioquatix (Samuel Williams)
----------------------------------------
Continuations have been obsolete since Ruby 2.2 but still add complexity to the core codebase. I propose removing all continuation support from Ruby Core.

### Reasons

#### Simplifies fiber code

- Current fiber code in `cont.c` is complicated by shared logic with continuations
- Removing continuations will simplify stack management, context switching, and reduce edge cases
- Ultimately leading to: cleaner code, easier maintenance, possible performance improvements

#### Low compatibility risk

- Major libraries (e.g., [Metasploit](https://github.com/rapid7/metasploit-framework/pull/2413)) stopped using continuation years ago
- Projects needing this functionality have found workarounds (e.g., hyperion_http simulates `callcc`)
- [TruffleRuby does not support continuations](https://github.com/oracle/truffleruby/blob/ac88a0fe68bf957f7…, yet maintains high compatibility

### Proposed steps

1. Remove the continuation gem from default gems.
2. Delete all continuation-specific code in `cont.c`.
3. Add a stub gem that raises an exception if continuations are used.
4. Optionally document alternative approaches for users who still need this feature.

--
https://bugs.ruby-lang.org/
[ruby-core:121778] [Ruby Bug#21296] The builds of `RUBY_DEBUG` and `VM_CHECK_MODE` are broken
by hsbt (Hiroshi SHIBATA) 01 May '25

Issue #21296 has been reported by hsbt (Hiroshi SHIBATA).

----------------------------------------
Bug #21296: The builds of `RUBY_DEBUG` and `VM_CHECK_MODE` are broken
https://bugs.ruby-lang.org/issues/21296

* Author: hsbt (Hiroshi SHIBATA)
* Status: Open
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
`RUBY_DEBUG` and `VM_CHECK_MODE` have been broken since 4-5 days ago.

* https://github.com/ruby/ruby/actions/runs/14731314851/job/41346072323?pr=13…
* https://github.com/ruby/ruby/actions/runs/14731314851/job/41346071897?pr=13…

```
/github/workspace/src/vm_core.h:1990: Assertion Failed: rb_current_execution_context:ec == rb_current_ec_noinline()
ruby 3.5.0dev (2025-04-29T12:32:24Z pull/13200/merge 22fe2a6945) +PRISM [x86_64-linux]
```

I'm not sure what the root cause of that is. But omnibus compilations 8 and 9 have been broken since merging https://github.com/ruby/ruby/pull/13080.

You can track the results at https://github.com/ruby/ruby/actions/workflows/compilers.yml

--
https://bugs.ruby-lang.org/
[ruby-core:121769] [Ruby Bug#21293] C23/GCC 15 build breakage with rb_define_method() and friends
by alanwu (Alan Wu) 01 May '25

Issue #21293 has been reported by alanwu (Alan Wu). ---------------------------------------- Bug #21293: C23/GCC 15 build breakage with rb_define_method() and friends https://bugs.ruby-lang.org/issues/21293 * Author: alanwu (Alan Wu) * Status: Open * Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN ---------------------------------------- GCC 15 defaults to `-std=gnu23`, which breaks rb_define_method() in some corner cases: ```diff diff --git a/object.c b/object.c index 5a379e9..958f421 100644 --- a/object.c +++ b/object.c 
@@ -4613,7 +4613,8 @@ InitVM_Object(void) rb_cFalseClass = rb_define_class("FalseClass", rb_cObject); rb_cFalseClass_to_s = rb_fstring_enc_lit("false", rb_usascii_encoding()); rb_vm_register_global_object(rb_cFalseClass_to_s); - rb_define_method(rb_cFalseClass, "to_s", rb_false_to_s, 0); + int zero = 0; + rb_define_method(rb_cFalseClass, "to_s", rb_false_to_s, zero); rb_define_alias(rb_cFalseClass, "inspect", "to_s"); rb_define_method(rb_cFalseClass, "&", false_and, 1); rb_define_method(rb_cFalseClass, "|", false_or, 1); ``` Applying the above is fine prior to C23, but on GCC 15 it triggers a build error: ```text compiling object.c In file included from ./include/ruby/ruby.h:27, from constant.h:13, from object.c:22: object.c: In function 'InitVM_Object': ./include/ruby/internal/anyargs.h:288:135: error: passing argument 3 of 'rb_define_method_m3' from incompatible pointer type [-Wincompatible-pointer-types] 288 | #define rb_define_method(klass, mid, func, arity) RBIMPL_ANYARGS_DISPATCH_rb_define_method((arity), (func))((klass), (mid), (func), (arity)) | ^~~~~~ | | | VALUE (*)(VALUE) {aka long unsigned int (*)(long unsigned int)} object.c:4617:5: note: in expansion of macro 'rb_define_method' 4617 | rb_define_method(rb_cFalseClass, "to_s", rb_false_to_s, kek); | ^~~~~~~~~~~~~~~~ ./include/ruby/internal/anyargs.h:277:21: note: expected 'VALUE (*)(void)' {aka 'long unsigned int (*)(void)'} but argument is of type 'VALUE (*)(VALUE)' {aka 'long unsigned int (*)(long unsigned int)'} 277 | RBIMPL_ANYARGS_DECL(rb_define_method, VALUE, const char *) | ^~~~~~~~~~~~~~~~ ./include/ruby/internal/anyargs.h:252:41: note: in definition of macro 'RBIMPL_ANYARGS_DECL' 252 | RBIMPL_ANYARGS_ATTRSET(sym) static void sym ## _m3(__VA_ARGS__, VALUE(*)(ANYARGS), int); \ | ^~~ object.c:1605:1: note: 'rb_false_to_s' declared here 1605 | rb_false_to_s(VALUE obj) | ^~~~~~~~~~~~~ At top level: cc1: note: unrecognized command-line option '-Wno-self-assign' may have been intended to silence 
earlier diagnostics
cc1: note: unrecognized command-line option '-Wno-parentheses-equality' may have been intended to silence earlier diagnostics
cc1: note: unrecognized command-line option '-Wno-constant-logical-operand' may have been intended to silence earlier diagnostics
make: *** [Makefile:464: object.o] Error 1
```

This also happens for C methods that take a large number of arguments.

This is because in C23 `void foo();` no longer means "foo takes an unspecified number of arguments", and there is no way to implement a working `ANYARGS` AFAIK.

Not something people would run into in practice, I hope.

(related: #21286 but this one is not Windows specific)

--
https://bugs.ruby-lang.org/
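Review bot: in the `InitVM_Object` hunk, the added `int zero = 0;` turns the arity argument of `rb_define_method` into a non-constant expression, and the quoted build log shows the macro then resolving to `rb_define_method_m3`, whose third parameter is `VALUE (*)(ANYARGS)` and which the compiler reports as `VALUE (*)(void)` under GCC 15. If a runtime arity is genuinely needed at a call site like this, an explicit cast of the function pointer (for example with `RUBY_METHOD_FUNC(rb_false_to_s)`) would state the intent; otherwise keep the literal `0`. The hunk also names the variable `zero` while the log's expansion at object.c:4617 shows `kek`, so the log comes from a slightly different edit than the one posted and one of the two should be updated to match.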
[ruby-core:121775] [Ruby Bug#21295] ruby/ruby-dev-builder - macos-13 debug build failures, stops GHA master build updates
by MSP-Greg (Greg L) 30 Apr '25

Issue #21295 has been reported by MSP-Greg (Greg L).

----------------------------------------
Bug #21295: ruby/ruby-dev-builder - macos-13 debug build failures, stops GHA master build updates
https://bugs.ruby-lang.org/issues/21295

* Author: MSP-Greg (Greg L)
* Status: Open
* ruby -v: master
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
@Eregon

[ruby/ruby-dev-builder](https://github.com/ruby/ruby-dev-builder) has issues turned off, which I can understand. It is the repo that creates the Ubuntu & macOS MRI master/head builds used in GHA (GitHub Actions).

Recently, there have been test-all failures in the 'macos-13 debug' job. Also, the tests take longer to run than macos-14. I believe macos-13 is x64, macos-14 is arm64. It would certainly be nice to fix the problem. In at least a few workflow runs, it is the only job failure.

A more significant issue is that any failure in the workflow's jobs stops a new release from being created. The 'macos-13 debug' jobs have failed on the last two days runs (it .

Recently `Set` was updated, I believe it's been a few days, but I don't recall any API changes. I believe no tests were changed/added, but marshalling set was covered in test suites. Hence, that was overlooked, and a subsequent PR/commit fixed it. But, the first commit was done where a new release was created. Since the 2nd commit was done, all the 'macos-13 debug' jobs have been failing. Hence, it's not available in GHA.

So, there are two issues:

1. 'macos-13 debug' is failing test-all
2. ruby/ruby-dev-builder cannot update any master build if one or more of the master builds fail.

--
https://bugs.ruby-lang.org/
[ruby-core:121727] [Ruby Feature#21284] Request: add `Array#pad` method
by MatzFan (Brian Cohen) 30 Apr '25

Issue #21284 has been reported by MatzFan (Brian Cohen).

----------------------------------------
Feature #21284: Request: add `Array#pad` method
https://bugs.ruby-lang.org/issues/21284

* Author: MatzFan (Brian Cohen)
* Status: Open
----------------------------------------
A method to pad an array of arbitrary length with objects up to a specified array size does not currently exist. `Array#fill` does not do this and I therefore propose the following method:

``` ruby
class Array
  def pad(pad_to_length, object = nil)
    fill(object, size, pad_to_length - size)
  end
end
```

I have provided an [answer](https://stackoverflow.com/a/79591610/4114896) to a Stack Overflow question asking how this can be done in Ruby. I've also explained in a comment on the answer which suggests using `Array#fill` why this does not meet the exact need.

--
https://bugs.ruby-lang.org/