Issue #20050 has been updated by mame (Yusuke Endoh).
I'm not sure if this is really the same problem, but I was able to segfault with the
following code.
```ruby
srand(0)
class Foo
def to_a
[]
end
def hash
$h.delete($h.keys.sample) if rand < 0.1
to_a.hash
end
end
GC.stress = true
100.times do
$h = {}
(0..10).each {|i| $h[Foo.new] ||= {} }
end
```
```
t.rb:17: [BUG] Segmentation fault at 0x0000000000000034
ruby 3.3.0dev (2023-12-14T08:39:42Z master e51f9e9f75) [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0007 p:---- s:0029 e:000028 CFUNC :hash
c:0006 p:0021 s:0026 e:000021 BLOCK ../t.rb:17 [FINISH]
c:0005 p:---- s:0018 e:000017 CFUNC :each
c:0004 p:0009 s:0014 e:000013 BLOCK ../t.rb:17
c:0003 p:0025 s:0011 e:000010 METHOD <internal:numeric>:237
c:0002 p:0025 s:0006 e:000005 EVAL ../t.rb:15 [FINISH]
c:0001 p:0000 s:0003 E:001dd0 DUMMY [FINISH]
-- Ruby level backtrace information ----------------------------------------
../t.rb:15:in `<main>'
<internal:numeric>:237:in `times'
../t.rb:17:in `block in <main>'
../t.rb:17:in `each'
../t.rb:17:in `block (2 levels) in <main>'
../t.rb:17:in `hash'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- Machine register context ------------------------------------------------
RIP: 0x0000564aa444d3ab RBP: 0x00007f48494e4b00 RSP: 0x00007fffa788b410
RAX: 0x0000000000000000 RBX: 0x0000564aa6749e40 RCX: 0x0000564aa444d370
RDX: 0x0000000000000000 RDI: 0x0000000000000024 RSI: 0x0000000000000000
R8: 0x0000000000000ac1 R9: 0x00007f48494e4b00 R10: 0x0000000000000000
R11: 0x0000000000000024 R12: 0x0000564aa6709580 R13: 0x0000564aa6709580
R14: 0x00007f48495feec0 R15: 0x0000000000000000 EFL: 0x0000000000010293
-- C level backtrace information -------------------------------------------
/home/mame/work/ruby/miniruby(rb_print_backtrace+0x14) [0x564aa4585a94]
/home/mame/work/ruby/vm_dump.c:820
/home/mame/work/ruby/miniruby(rb_vm_bugreport) /home/mame/work/ruby/vm_dump.c:1151
/home/mame/work/ruby/miniruby(rb_bug_for_fatal_signal+0x14c) [0x564aa43bd4dc]
/home/mame/work/ruby/error.c:1065
/home/mame/work/ruby/miniruby(sigsegv+0x53) [0x564aa44e6633]
/home/mame/work/ruby/signal.c:920
/lib/x86_64-linux-gnu/libc.so.6(0x7f4849a42910) [0x7f4849a42910]
./miniruby(rb_float_noflonum_value+0x0) [0x564aa444d3ab]
/home/mame/work/ruby/miniruby(rb_float_flonum_value) ./internal/numeric.h:240
/home/mame/work/ruby/miniruby(rb_float_value_inline) ./internal/numeric.h:238
/home/mame/work/ruby/miniruby(flo_hash) /home/mame/work/ruby/numeric.c:1652
/home/mame/work/ruby/miniruby(vm_call0_cfunc_with_frame+0xca) [0x564aa457e356]
./vm_eval.c:173
/home/mame/work/ruby/miniruby(vm_call0_cfunc) ./vm_eval.c:187
/home/mame/work/ruby/miniruby(vm_call0_body) ./vm_eval.c:233
/home/mame/work/ruby/miniruby(rb_funcallv+0x212) [0x564aa4564902] ./vm_eval.c:110
/home/mame/work/ruby/miniruby(vm_catch_protect+0xfe) [0x564aa456a91e] ./vm_eval.c:2369
/home/mame/work/ruby/miniruby(exec_recursive+0x216) [0x564aa4529e76]
/home/mame/work/ruby/thread.c:5179
/home/mame/work/ruby/miniruby(obj_any_hash+0x56) [0x564aa43f2486]
/home/mame/work/ruby/hash.c:218
/home/mame/work/ruby/miniruby(any_hash+0x4c) [0x564aa43f239c]
/home/mame/work/ruby/hash.c:203
/home/mame/work/ruby/miniruby(do_hash+0x6) [0x564aa44ee2d8] /home/mame/work/ruby/st.c:320
/home/mame/work/ruby/miniruby(rb_st_add_direct) /home/mame/work/ruby/st.c:1183
/home/mame/work/ruby/miniruby(ar_try_convert_table+0xbf) [0x564aa43f35df]
/home/mame/work/ruby/hash.c:714
/home/mame/work/ruby/miniruby(RHASH_ST_TABLE+0x0) [0x564aa43f456e]
/home/mame/work/ruby/hash.c:1641
/home/mame/work/ruby/miniruby(rb_hash_stlike_update) /home/mame/work/ruby/hash.c:1648
/home/mame/work/ruby/miniruby(tbl_update) /home/mame/work/ruby/hash.c:1689
./miniruby(rb_hash_aset+0xa7) [0x564aa43f44f7]
/home/mame/work/ruby/miniruby(vm_exec_core+0x5708) [0x564aa4560098]
./vm_insnhelper.c:6328
/home/mame/work/ruby/miniruby(vm_exec_loop+0x0) [0x564aa45598ad]
/home/mame/work/ruby/vm.c:2486
/home/mame/work/ruby/miniruby(rb_vm_exec) /home/mame/work/ruby/vm.c:2489
./miniruby(invoke_block_from_c_bh+0x469) [0x564aa4580439]
/home/mame/work/ruby/miniruby(vm_yield_with_cref+0x46) [0x564aa45686f5]
/home/mame/work/ruby/vm.c:1634
/home/mame/work/ruby/miniruby(vm_yield) /home/mame/work/ruby/vm.c:1642
/home/mame/work/ruby/miniruby(rb_yield_0) ./vm_eval.c:1366
/home/mame/work/ruby/miniruby(rb_yield) ./vm_eval.c:1382
/home/mame/work/ruby/miniruby(range_each_fixnum_loop+0x32) [0x564aa44a1df8]
/home/mame/work/ruby/range.c:911
/home/mame/work/ruby/miniruby(range_each) /home/mame/work/ruby/range.c:948
/home/mame/work/ruby/miniruby(vm_call_cfunc_with_frame_+0xf4) [0x564aa4578574]
./vm_insnhelper.c:3490
/home/mame/work/ruby/miniruby(vm_sendish+0xd6) [0x564aa455cd2b] ./vm_insnhelper.c:5581
/home/mame/work/ruby/miniruby(vm_exec_core) /home/mame/work/ruby/insns.def:814
/home/mame/work/ruby/miniruby(vm_exec_loop+0x0) [0x564aa45598ad]
/home/mame/work/ruby/vm.c:2486
/home/mame/work/ruby/miniruby(rb_vm_exec) /home/mame/work/ruby/vm.c:2489
/home/mame/work/ruby/miniruby(rb_ec_exec_node+0x2b) [0x564aa43c985b]
/home/mame/work/ruby/eval.c:287
/home/mame/work/ruby/miniruby(ruby_run_node) /home/mame/work/ruby/eval.c:328
/home/mame/work/ruby/miniruby(rb_main+0x1c) [0x564aa4318605] ./main.c:39
/home/mame/work/ruby/miniruby(main) ./main.c:58
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_call_main+0x80) [0x7f4849a280d0]
../sysdeps/nptl/libc_start_call_main.h:58
/lib/x86_64-linux-gnu/libc.so.6(call_init+0x0) [0x7f4849a28189] ../csu/libc-start.c:360
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main_impl) ../csu/libc-start.c:347
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main) (null):0
[0x564aa43184c5]
```
@martinemde Question to confirm if this is the same problem as yours: Does bundler access
the hash in question ([Bundler::Checksum::Store's
@store](https://github.com/rubygems/rubygems/commit/34d6c6c72f6099c83860d81b9810d0b1441d802d#diff-63b5dabde4934e1fdd1bf24aea2b5bcfa5c4c3bbcf28112bc10e46cb4a73c30aL167))
from multiple threads in parallel?
The problem I found occurs when a Hash is updated from another thread while
`ar_try_convert_table` is converting the internal representation of the hash. Since the
key implements `#hash` method in Ruby, I think a context switch is possible during the
conversion of `ar_try_convert_table`.
----------------------------------------
Bug #20050: Segfault on Ruby 3.2.2 (and 3.1) on x86_64 Darwin 20 (rb_id_table_lookup for
#hash)
https://bugs.ruby-lang.org/issues/20050#change-105675
* Author: martinemde (Martin Emde)
* Status: Open
* Priority: Normal
* ruby -v: ruby 3.2.2 (2023-03-30 revision e51014f9c0) [x86_64-darwin20]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN
----------------------------------------
Hi,
In the rubygems & bundler repositories we've now had two segfaults in the same
exact code within days of merging a change to that code, both on ruby 3.2.2 on darwin20.
1.
https://github.com/rubygems/rubygems/actions/runs/7110489973/job/1935706778…
2.
https://github.com/rubygems/rubygems/actions/runs/7131889001/job/1942130416…
The specific error seems to happen when calculating the hash of the array in
Gem::NameTuple#hash. The array contents that is being `.hash`ed both times should be
exactly: `["has_metadata", "1.0", "ruby"]`. If I'm
reading this correctly, this indicates that the crash is related either to creating this
hash or storing this hash in the hash table (I'm not quite sure which is triggering
the crash).
An excerpt of the C backtrace shows the same backtrace for both crashes:
```
-- C level backtrace information -------------------------------------------
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_vm_bugreport+0x7c4)
[0x10cb0f994]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_bug_for_fatal_signal+0x1d0)
[0x10c9158c0]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(sigsegv+0x5b)
[0x10ca609ab]
/usr/lib/system/libsystem_platform.dylib(_sigtramp+0x1d) [0x7ff810c14dfd]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_id_table_lookup+0x16)
[0x10caa2a56]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(callable_method_entry_or_negative+0x5e)
[0x10cae9c8e]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_check_funcall_basic_kw+0x129)
[0x10caf0039]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(obj_any_hash+0x3c)
[0x10c94bd2c]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(any_hash+0x52)
[0x10c94bc12]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_st_add_direct+0x1d)
[0x10ca69b7d]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(ar_try_convert_table+0x85)
[0x10c94d015]
/Users/runner/hostedtoolcache/Ruby/3.2.2/x64/lib/libruby.3.2.dylib(rb_hash_aset+0x18f)
[0x10c94e26f]
```
I'm not sure how to follow this instruction in this case on GitHub actions:
"Don't forget to include the Crash Report log file under DiagnosticReports
directory in bug reports."
I have not been able to reproduce this locally with the same version of ruby (but I'm
on darwin22 instead of 20). I will follow up if we continue to see this same crash.
--
https://bugs.ruby-lang.org/