From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Tue, 16 Jun 2015 09:23:50 +0000
From: ko1@atdot.net
To: ruby-core@ruby-lang.org
Mime-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Redmine-MailingListIntegration-Message-Ids: 44128
X-Redmine-Project: ruby-trunk
X-Redmine-Issue-Id: 10871
X-Redmine-Issue-Author: evanphx
X-Redmine-Issue-Assignee: ko1
X-Redmine-Sender: ko1
X-Mailer: Redmine
X-Redmine-Host: bugs.ruby-lang.org
X-Redmine-Site: Ruby Issue Tracking System
X-Auto-Response-Suppress: All
Auto-Submitted: auto-generated
X-ML-Name: ruby-core
X-Mail-Count: 69603
Subject: [ruby-core:69603] [Ruby trunk - Bug #10871] Sclass thread unsafe due to CREF sharing
X-BeenThere: ruby-core@ruby-lang.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Ruby developers
List-Id: Ruby developers
Errors-To: ruby-core-bounces@ruby-lang.org
Sender: "ruby-core"

Issue #10871 has been updated by Koichi Sasada.

This is an ad-hoc fix only for this issue, not a complete fix. I wrote an explanation about it in the ChangeLog entry.

```diff
Index: insns.def =================================================================== --- insns.def (revision 50914) +++ insns.def (working copy) @@ -914,6 +914,7 @@ (VALUE val) { VALUE klass; + VALUE class_iseq_val = class_iseq->self; rb_vm_defineclass_type_t type = VM_DEFINECLASS_TYPE(flags); switch (type) {
@@ -963,7 +964,17 @@ case VM_DEFINECLASS_TYPE_SINGLETON_CLASS: /* val is dummy. classdef returns class scope value */ /* super is dummy */ - klass = rb_singleton_class(cbase); + { + klass = rb_singleton_class(cbase); + + /* Copy iseq to duplicate cref_stack place. * This is ad-hoc solution for [Bug #10871]. * and this does not solve more complicated source code with singleton class. * If you need to solve everything, use Ruby 2.3 and later. */ + class_iseq_val = rb_iseq_clone(class_iseq->self, cbase); + GetISeqPtr(class_iseq_val, class_iseq); + } break; case VM_DEFINECLASS_TYPE_MODULE: /* val is dummy. classdef returns class scope value */
@@ -998,6 +1009,9 @@ klass, 0, VM_ENVVAL_BLOCK_PTR(GET_BLOCK_PTR()), class_iseq->iseq_encoded, GET_SP(), class_iseq->local_size, 0, class_iseq->stack_max); + + RB_GC_GUARD(class_iseq_val); + RESTORE_REGS(); NEXT_INSN(); }
```

ChangeLog

```
Tue Jun 16 18:17:31 2015  Koichi Sasada

	* insns.def (defineclass): introduce an ad-hoc patch to avoid an issue
	  reported on [Bug #10871]. This patch does not fix completely.
	  For example, method definition in a block (like 1.times{def ...; end})
	  still causes same issue. To solve all, we need a huge patch and it
	  seems difficult for stable branch. Use Ruby 2.3 and later to solve
	  this issue completely. (See [Bug #10943])
```

----------------------------------------
Bug #10871: Sclass thread unsafe due to CREF sharing
https://bugs.ruby-lang.org/issues/10871#change-52947

* Author: Evan Phoenix
* Status: Open
* Priority: High
* Assignee: Koichi Sasada
* ruby -v: 2.2.0p0, trunk
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN, 2.2: UNKNOWN
----------------------------------------
When entering an sclass, the context is tracked via the same cref mechanism used for class and module, specifically on the iseq->cref_stack. The bug is that the cref_stack is the wrong place to put the new cref because the scope is specific only to that sclass body.

Mutating and using the iseq->cref_stack causes any code that reads the cref via this cref_stack to incorrectly pick up the sclass instance instead of the proper scope!

This is a major thread-safety bug because it means that all uses of `class << obj` are thread-unsafe and can cause random code to fail.

Here is a simple reproduction of the bug: https://gist.github.com/evanphx/6eef92f2c40662a4171b

I attempted to fix the bug by treating an sclass body the same as an eval, which already has special handling for crefs, but I don't understand the code enough to make that change quickly.

I believe this is a major bug and hope that ruby-core can address it soon. Thank you!

-- 
https://bugs.ruby-lang.org/
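Review bot: in the first hunk (@@ -914,6 +914,7 @@), `class_iseq_val` is initialised to `class_iseq->self` and nothing in this hunk says why a second handle on the iseq is needed; since it is only reassigned in the singleton-class branch and then handed to `RB_GC_GUARD`, a one-line comment at the declaration such as `/* iseq VALUE kept alive until the frame is pushed; may be replaced by a clone below */` would let a reader of this hunk alone understand that the non-singleton `VM_DEFINECLASS_TYPE` cases keep their original iseq.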
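Review bot: in the second hunk (@@ -963,7 +964,17 @@), the singleton-class branch allocates a fresh iseq with `rb_iseq_clone(class_iseq->self, cbase)` on every execution of `class << obj`, so code that opens a singleton class inside a hot loop now pays one allocation per evaluation; that cost, and the cases the clone does not cover (the ChangeLog names `1.times{def ...; end}` as still affected), should be stated in the code comment rather than only in the ChangeLog. The comment should also say that `GetISeqPtr(class_iseq_val, class_iseq)` rebinds `class_iseq` for the rest of the instruction, so a later reader does not assume `class_iseq` is still the operand passed in.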
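Review bot: in the third hunk (@@ -998,6 +1009,9 @@), `RB_GC_GUARD(class_iseq_val)` is placed after `vm_push_frame`, which is the right spot to stop the compiler from dropping the cloned VALUE before the new frame references `class_iseq`; a short comment saying so (and that on the non-singleton paths the guard merely covers the original `class_iseq->self`, which is harmless) would keep the next maintainer from moving it above the push. Since the guard's effect ends when the instruction returns, the review should also confirm that the cloned iseq remains reachable from the pushed frame afterwards, because nothing in this hunk shows that.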
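The report says every use of `class << obj` is thread-unsafe because the sclass body's cref lives on the shared iseq->cref_stack, so two threads executing the same body for different objects can see each other's singleton class when `def` runs. The probe below is an added example, not the gist linked in the report and not code from the patch: it runs one sclass body concurrently for distinct objects and counts objects that end up without their singleton method, which is the "random code to fail" (a later NoMethodError) the report describes. The method names `attach_identity` and `count_misplaced_definitions` are this example's own; on an interpreter without the bug the count is 0.

```ruby
# Added example, not part of Bug #10871 or its patch: a probe for the
# `class << obj` CREF-sharing race the report describes. The same sclass
# body is executed concurrently for distinct objects; on an affected
# interpreter the body's shared cref_stack can point at another thread's
# singleton class when `def identify` runs, so one object silently never
# receives its method. On an unaffected interpreter the probe returns 0.

def attach_identity(obj, label)
  obj.instance_variable_set(:@label, label)
  class << obj
    # `def` consults the CREF to decide which class receives the method;
    # that lookup is what a shared cref_stack corrupts under concurrency.
    def identify
      "object-#{@label}"
    end
  end
  obj
end

# Runs `rounds` rounds, each with two threads opening the singleton class
# of their own object, and counts objects that finished without the
# expected singleton method or with one answering for the wrong object.
def count_misplaced_definitions(rounds: 500)
  misplaced = 0
  rounds.times do |round|
    targets = [Object.new, Object.new]
    threads = targets.each_with_index.map do |target, idx|
      Thread.new { attach_identity(target, "#{round}-#{idx}") }
    end
    threads.each(&:join)
    targets.each_with_index do |target, idx|
      ok = target.singleton_methods.include?(:identify) &&
           target.identify == "object-#{round}-#{idx}"
      misplaced += 1 unless ok
    end
  end
  misplaced
end

if __FILE__ == $PROGRAM_NAME
  n = count_misplaced_definitions
  puts(n.zero? ? "no misplaced singleton definitions" : "#{n} misplaced definitions")
end
```

Run it with `ruby probe.rb` on the interpreter under test. Because MRI switches threads on a timer, the race window in the tiny sclass body is narrow, which is why the probe loops many rounds; a non-zero count on a 2.2-series build is the symptom the patch above tries to remove for this specific shape of code.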