From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: AS4713 221.184.0.0/13 X-Spam-Status: No, score=-2.9 required=3.0 tests=AWL,BAYES_00, DKIM_ADSP_CUSTOM_MED,FORGED_GMAIL_RCVD,FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS shortcircuit=no autolearn=no autolearn_force=no version=3.4.2 Received: from neon.ruby-lang.org (neon.ruby-lang.org [221.186.184.75]) by dcvr.yhbt.net (Postfix) with ESMTP id 694631F731 for ; Wed, 31 Jul 2019 09:37:36 +0000 (UTC) Received: from neon.ruby-lang.org (localhost [IPv6:::1]) by neon.ruby-lang.org (Postfix) with ESMTP id BD518120A3E; Wed, 31 Jul 2019 18:37:29 +0900 (JST) Received: from o1678916x28.outbound-mail.sendgrid.net (o1678916x28.outbound-mail.sendgrid.net [167.89.16.28]) by neon.ruby-lang.org (Postfix) with ESMTPS id 88F3D120A38 for ; Wed, 31 Jul 2019 18:37:27 +0900 (JST) Received: by filter0105p3iad2.sendgrid.net with SMTP id filter0105p3iad2-29080-5D416159-25 2019-07-31 09:37:29.84426768 +0000 UTC m=+398937.297144781 Received: from herokuapp.com (unknown [54.152.150.139]) by ismtpd0002p1iad2.sendgrid.net (SG) with ESMTP id LTh97TBQRGemJqtjc5TkbQ for ; Wed, 31 Jul 2019 09:37:29.774 +0000 (UTC) Date: Wed, 31 Jul 2019 09:37:29 +0000 (UTC) From: eregontp@gmail.com Message-ID: References: Mime-Version: 1.0 X-Redmine-MailingListIntegration-Message-Ids: 69576 X-Redmine-Project: ruby-trunk X-Redmine-Issue-Id: 15778 X-Redmine-Issue-Author: gsamokovarov X-Redmine-Issue-Assignee: ko1 X-Redmine-Sender: Eregon X-Mailer: Redmine X-Redmine-Host: bugs.ruby-lang.org X-Redmine-Site: Ruby Issue Tracking System X-Auto-Response-Suppress: All Auto-Submitted: auto-generated X-SG-EID: =?us-ascii?Q?KippOI8ZHtTweq7XfQzW93937kJ4QNWwSBuHnaMEcr3FXRYscdGPBRUPskVx19?= =?us-ascii?Q?enBlCaVy1mE09OQL5rih9RAnU=2FU74ehTw9f9dTE?= =?us-ascii?Q?7eDC9AE3+6+lZPCTp2Qza772JOjlu=2FKugXfPz8V?= =?us-ascii?Q?Z8LlNpzGylpSAS5ooLjGeUNcz360W+s+InZpxl+?= =?us-ascii?Q?M0ESPKKLuSItqfELLKAE9dbN=2F6Ejr6T2YqQ=3D=3D?= To: ruby-core@ruby-lang.org X-ML-Name: ruby-core X-Mail-Count: 94069 Subject: [ruby-core:94069] [Ruby master Feature#15778] Expose an API to pry-open the stack frames in Ruby X-BeenThere: ruby-core@ruby-lang.org X-Mailman-Version: 2.1.15 Precedence: list Reply-To: Ruby developers List-Id: Ruby developers List-Unsubscribe: , List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: ruby-core-bounces@ruby-lang.org Sender: "ruby-core" Issue #15778 has been updated by Eregon (Benoit Daloze). ko1 (Koichi Sasada) wrote: > I heard that one advantage that current `debug_inspector` gem has is we can declare the usage of this API in Gemfile. It means that we can avoid some kind of vulnerable feature in production explicitly. I see. Although the `rb_debug_inspector_open()` C API is still there (and could be called, e.g., via Fiddle I imagine). `Proc#binding` in Ruby also gives access to local variables potentially far from the current method. Similarly, `TracePoint#binding` already allows to read values from all over the program. That's why I think it's necessary to assume that the attacker cannot call arbitrary methods. So I think having the `caller_locations(debug: true)` API is safe enough. If the attacker can call `caller_locations` and pass it the extra :debug argument, then I think anyway all is already lost, they might as well #eval, #system, #exit, etc. I'd like to introduce this new keyword argument for `caller_locations`, it's one of the main features missing, and hiding it in the C API is not much of a safety, but it makes it inconvenient to use, inefficient (see above) and not portable (e.g., cannot be implemented on JRuby as a C API). ---------------------------------------- Feature #15778: Expose an API to pry-open the stack frames in Ruby https://bugs.ruby-lang.org/issues/15778#change-80299 * Author: gsamokovarov (Genadi Samokovarov) * Status: Open * Priority: Normal * Assignee: ko1 (Koichi Sasada) * Target version: ---------------------------------------- Hello, I'm the maintainer of the web-console (https://github.com/rails/web-console/) gem, where one of our features is to jump between the frames in which an error occurred. To accomplish this, I currently use the Debug Inspector CRuby API. I think we should expose this functionality in Rubyland, so tools like web-console don't need to resort to C code for this. This also makes it quite harder for me to support different implementations like JRuby or TruffleRuby as everyone is having a different way to create Ruby Binding objects that represent the frames. Here the API ideas: Add `Thread::Backtrace::Location#binding` method that can create a binding for a specific caller of the current frame. We can reuse the existing `Kernel.caller_locations` method to generate the array of `Thread::Backtrace::Location` objects. We can optionally have the `Kernel.caller_locations(debug: true)` argument if we cannot generate the bindings lazily on the VM that can instruct the VM to do the slower operation. - `Thread::Backtrace::Location#binding` returns `Binding|nil`. Nil result may mean that the current location is a C frame or a JITted/optimized frame and we cannot debug it. We can also expose the DebugInspector API directly, as done in the https://github.com/banister/debug_inspector gem, but for tools like web-console, we'd need to map the bindings with the backtrace, as we cannot generate Bindings for every frame (C frames) and this needs to be done in application code, so I think the `Thread::Backtrace::Location#binding` is the better API for Ruby-land. Such API can help us eventually write most of our debuggers in Ruby as right now we don't have a way to do Post-Mortem debugging without native code or even start our debuggers without monkey-patching `Binding`. I have presented this idea in a RubyKaigi's 2019 talk called "Writing Debuggers in Plain Ruby", you can check-out the slides for more context: http://kaigi-debuggers-in-ruby.herokuapp.com. -- https://bugs.ruby-lang.org/