
Issue #20402 has been reported by kjtsanaktsidis (KJ Tsanaktsidis).

----------------------------------------
Bug #20402: Double-free in TestIseqLoad#test_stressful_roundtrip
https://bugs.ruby-lang.org/issues/20402

* Author: kjtsanaktsidis (KJ Tsanaktsidis)
* Status: Open
* Assignee: kjtsanaktsidis (KJ Tsanaktsidis)
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
With ASAN enabled, the TestIseqLoad#test_stressful_roundtrip fails with the following output:

```
2/9] TestIseqLoad#test_stressful_roundtrip = 7.26 s
  1) Failure:
TestIseqLoad#test_stressful_roundtrip [/home/kj/ruby/test/-ext-/iseq_load/test_iseq_load.rb:20]:
pid 172821 killed by SIGSEGV (signal 11) (core dumped)
| -:10: [BUG] Segmentation fault at 0x0000000000000018
| ruby 3.4.0dev (2024-03-28T23:13:25Z master 02d40b6c17) [x86_64-linux]
|
| -- Control frame information -----------------------------------------------
| c:0005 p:---- s:0023 e:000022 CFUNC  :iseq_load
| c:0004 p:0037 s:0018 e:000017 METHOD -:10
| c:0003 p:0005 s:0010 e:000009 METHOD -:16
| c:0002 p:0054 s:0006 e:000005 EVAL   -:26 [FINISH]
| c:0001 p:0000 s:0003 E:000540 DUMMY  [FINISH]
|
| -- Ruby level backtrace information ----------------------------------------
| -:26:in '<main>'
| -:16:in 'test_bug8543'
| -:10:in 'assert_iseq_roundtrip'
| -:10:in 'iseq_load'
|
| -- Threading information ---------------------------------------------------
| Total ractor count: 1
| Ruby thread count for this ractor: 1
|
| -- Machine register context ------------------------------------------------
|  RIP: 0x0000556b3dc84a08 RBP: 0x00007ffeff1f6d40 RSP: 0x00007ffeff1f6c10
|  RAX: 0x0000000000000003 RBX: 0x0000000000000000 RCX: 0x00000fe916945e7a
|  RDX: 0x0000000000000001 RDI: 0x0000000000000018 RSI: 0x0000000000000000
|   R8: 0x00000000003ba300  R9: 0x0000000000000000 R10: 0x00000a4a000000b7
|  R11: 0x0000000000000000 R12: 0x000051b000016c80 R13: 0x00007f48b4a2f3b0
|  R14: 0x00007f48d283bb80 R15: 0x00000fe91a507760 EFL: 0x0000000000010246
|
| -- C level backtrace information -------------------------------------------
| /home/kj/ruby/build/ruby(___interceptor_backtrace+0x39) [0x556b3d8cf379] /home/kj/llvm-project/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:4358
| /home/kj/ruby/build/ruby(rb_print_backtrace+0x14) [0x556b3ddef67c] /home/kj/ruby/build/../vm_dump.c:820
| /home/kj/ruby/build/ruby(rb_vm_bugreport) /home/kj/ruby/build/../vm_dump.c:1151
| /home/kj/ruby/build/ruby(rb_bug_for_fatal_signal+0x2db) [0x556b3e0190fb] /home/kj/ruby/build/../error.c:1087
| /home/kj/ruby/build/ruby(sigsegv+0x184) [0x556b3dc78ca4] /home/kj/ruby/build/../signal.c:926
| /lib64/libc.so.6(__restore_rt+0x0) [0x7f48d46429a0] /usr/src/debug/glibc-2.38-16.fc39.x86_64/signal/sigaction.c:34
| /home/kj/ruby/build/ruby(rb_st_free_table+0x18) [0x556b3dc84a08] /home/kj/ruby/build/../st.c:661
| /home/kj/ruby/build/ruby(finalize_deferred_heap_pages+0x224) [0x556b3d9dd0b4] /home/kj/ruby/build/../gc.c:4128
| /home/kj/ruby/build/ruby(gc_finalize_deferred+0x97) [0x556b3d9d7127] /home/kj/ruby/build/../gc.c:4195
| /home/kj/ruby/build/ruby(rb_postponed_job_flush+0x501) [0x556b3ddfde81] /home/kj/ruby/build/../vm_trace.c:1849
| /home/kj/ruby/build/ruby(rb_threadptr_execute_interrupts+0x35d) [0x556b3dce9ddd] /home/kj/ruby/build/../thread.c:2464
| /home/kj/ruby/build/ruby(rb_vm_pop_frame+0x18d) [0x556b3dd5b0dd] ../vm_core.h:2103
| /home/kj/ruby/build/ruby(vm_call_cfunc_with_frame_+0x392) [0x556b3ddc6d72] ../vm_insnhelper.c:3529
| /home/kj/ruby/build/ruby(vm_call_method_each_type+0x2a6) [0x556b3ddae576] ../vm_insnhelper.c:4470
| /home/kj/ruby/build/ruby(vm_call_method+0x2a2) [0x556b3ddadb22]
| /home/kj/ruby/build/ruby(vm_sendish+0xec7) [0x556b3dd63687]
| /home/kj/ruby/build/ruby(vm_exec_core+0x68fc) [0x556b3dd6cf4c] ../insns.def:891
| /home/kj/ruby/build/ruby(rb_vm_exec+0x350) [0x556b3dd64520] /home/kj/ruby/build/../vm.c:2552
| /home/kj/ruby/build/ruby(rb_ec_exec_node+0x264) [0x556b3d9b5844] /home/kj/ruby/build/../eval.c:282
| /home/kj/ruby/build/ruby(ruby_run_node+0x6e) [0x556b3d9b552e] /home/kj/ruby/build/../eval.c:320
| /home/kj/ruby/build/ruby(rb_main+0x29) [0x556b3d9b0981] /home/kj/ruby/build/../main.c:40
| /home/kj/ruby/build/ruby(main) /home/kj/ruby/build/../main.c:59
| /lib64/libc.so.6(__libc_start_call_main+0x7a) [0x7f48d462c14a] ../sysdeps/nptl/libc_start_call_main.h:58
| /lib64/libc.so.6(__libc_start_main_alias_2+0x8b) [0x7f48d462c20b] ../csu/libc-start.c:360
| [0x556b3d87ee05]
```

Reversing execution with `rr` reveals that `DATA_PTR(labels_wrapper) = 0` in `iseq_build_from_ary_body` (https://github.com/ruby/ruby/blob/cdb8d208c919bbc72b3b07d24c118d3a4af95d11/c...) is being executed after `labels_wrapper` is collected. We need to protect `labels_wrapper` with an RB_GC_GUARD.

-- 
https://bugs.ruby-lang.org/