forked from ruby/ruby
[pull] master from ruby:master #257
Merged
We should assert that i is within bounds to prevent buffer overflows.
We should access the last element first before we shrink the length of the array.
For parameters without names, accessing the name in array index 1 would be an out-of-bounds read.
The following script causes an out-of-bounds read on the $LOADED_FEATURES
array when it is modified by another thread:
    require "tempfile"

    PATH = Tempfile.create(["test", ".rb"]).path

    2.times.map do
      Thread.new do
        20.times do
          require PATH
          $LOADED_FEATURES.delete_if { |p| p == PATH }
        end
      end
    end.each(&:join)
Crashes with:
internal/array.h:143: Assertion Failed: RARRAY_AREF:i < RARRAY_LEN(ary)
ruby 3.5.0dev (2025-09-10T18:47:06Z array-aref-assert-.. 765a3fd01c) +PRISM [arm64-darwin24]
-- Crash Report log information --------------------------------------------
See Crash Report log file in one of the following locations:
* ~/Library/Logs/DiagnosticReports
* /Library/Logs/DiagnosticReports
for more details.
Don't forget to include the above Crash Report log file in bug reports.
-- Control frame information -----------------------------------------------
c:0005 p:---- s:0019 e:000018 CFUNC :require
c:0004 p:0005 s:0014 e:000013 BLOCK test.rb:19
c:0003 p:0024 s:0011 e:000010 METHOD <internal:numeric>:257
c:0002 p:0005 s:0006 e:000005 BLOCK test.rb:18 [FINISH]
c:0001 p:---- s:0003 e:000002 DUMMY [FINISH]
-- Ruby level backtrace information ----------------------------------------
test.rb:18:in 'block (2 levels) in <main>'
<internal:numeric>:257:in 'times'
test.rb:19:in 'block (3 levels) in <main>'
test.rb:19:in 'require'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 2
-- C level backtrace information -------------------------------------------
miniruby(rb_vm_bugreport+0xb88) [0x100f3f1d4] vm_dump.c:1175
miniruby(rb_vm_bugreport) (null):0
miniruby(rb_assert_failure_detail+0xd4) [0x10108d920] error.c:1215
miniruby(rb_assert_failure_detail+0x0) [0x10108d84c] error.c:1191
miniruby(rb_assert_failure) (null):0
miniruby(rb_ary_pop.cold.9+0x0) [0x101087198] internal/array.h:143
miniruby(RARRAY_AREF) (null):0
miniruby(rb_ary_pop.cold.7) array.c:1443
miniruby(rb_feature_p+0x720) [0x100dbe28c] internal/array.h:143
miniruby(search_required+0x2cc) [0x100dbcb78] load.c:1203
miniruby(require_internal+0x144) [0x100dbd108] load.c:1434
miniruby(rb_require_string_internal+0x78) [0x100dbc6bc] load.c:1581
miniruby(rb_require_string+0x20) [0x100dbc56c] load.c:1567
miniruby(rb_f_require) load.c:1160
miniruby(vm_call_cfunc_with_frame_+0xe8) [0x100f2e998] vm_insnhelper.c:3873
miniruby(vm_sendish+0x718) [0x100f08b20]
miniruby(vm_exec_core+0x6044) [0x100f10a94]
miniruby(rb_vm_exec+0x170) [0x100f08e3c] vm.c:2639
miniruby(vm_invoke_proc+0x200) [0x100f1f564] vm.c:1669
miniruby(thread_do_start_proc+0x2f4) [0x100ed8420] thread.c:605
miniruby(thread_start_func_2+0x37c) [0x100ed7714] thread.c:622
miniruby(call_thread_start_func_2+0x18) [0x100eda144] thread_pthread.c:2234
miniruby(nt_start) thread_pthread.c:2279
/usr/lib/system/libsystem_pthread.dylib(_pthread_start+0x88) [0x19c0e7c0c]
rb_location_ary_to_backtrace was not checking the length of the array before
reading the first element. It can be reproduced by the following script:
    begin
      raise
    rescue
      $@ = []
    end
With assertions enabled, it crashes with:
internal/array.h:143: Assertion Failed: RARRAY_AREF:i < RARRAY_LEN(ary)
ruby 3.5.0dev (2025-09-10T19:01:16Z array-aref-assert-.. c431de0) +PRISM [arm64-darwin24]
-- Crash Report log information --------------------------------------------
See Crash Report log file in one of the following locations:
* ~/Library/Logs/DiagnosticReports
* /Library/Logs/DiagnosticReports
for more details.
Don't forget to include the above Crash Report log file in bug reports.
-- Control frame information -----------------------------------------------
c:0004 p:---- s:0015 e:000014 CFUNC :set_backtrace
c:0003 p:0013 s:0012 e:000009 RESCUE test.rb:4
c:0002 p:0004 s:0006 e:000005 EVAL test.rb:1 [FINISH]
c:0001 p:0000 s:0003 E:001bb0 DUMMY [FINISH]
-- Ruby level backtrace information ----------------------------------------
test.rb:1:in '<main>'
test.rb:4:in 'rescue in <main>'
test.rb:4:in 'set_backtrace'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- C level backtrace information -------------------------------------------
miniruby(rb_vm_bugreport+0xb88) [0x1002adb88] vm_dump.c:1175
miniruby(rb_vm_bugreport) (null):0
miniruby(rb_assert_failure_detail+0xd4) [0x1003fbf90] error.c:1215
miniruby(rb_assert_failure_detail+0x0) [0x1003fbebc] error.c:1191
miniruby(rb_assert_failure) (null):0
miniruby(RARRAY_AREF+0x20) [0x1003f82c8] internal/array.h:143
miniruby(rb_keyword_error_new.cold.2) class.c:2867
miniruby(rb_keyword_error_new.cold.4) (null):0
miniruby(rb_location_ary_to_backtrace+0x244) [0x1002a8a60] internal/array.h:143
miniruby(RB_TEST+0x0) [0x1000ba648] error.c:2111
miniruby(exc_set_backtrace) error.c:2112
miniruby(vm_call0_body+0x7d0) [0x1002a414c] vm_eval.c:164
miniruby(rb_vm_call0+0x100) [0x100286ee4] vm_eval.c:101
miniruby(set_backtrace+0xfc) [0x1000c88a4] eval_error.c:75
miniruby(rb_gvar_set_entry+0x10) [0x100269230] variable.c:990
miniruby(rb_gvar_set) variable.c:1021
miniruby(vm_exec_core+0x1258) [0x10027a744] insns.def:319
miniruby(rb_vm_exec+0x324) [0x100277a8c] vm.c:2666
miniruby(rb_ec_exec_node+0x74) [0x1000c4a38] eval.c:282
miniruby(ruby_run_node+0x64) [0x1000c4968] eval.c:320
miniruby(rb_main+0x1c) [0x100000980] main.c:42
miniruby(main) main.c:62
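An added illustration of the bounds problems described in the commit messages above, written as constructed C that is not code from ruby/ruby or from this pull request: a checked accessor, the two pop orderings, a length-guarded first-element read, and a scan whose cached length goes stale. `vec_t`, `vec_aref`, `scan` and the other names are hypothetical, and re-checking the live length is one possible guard, not necessarily the fix these commits apply.

```c
#include <stdio.h>

/* Constructed miniature array; not Ruby's RArray. */
typedef struct { long len; int slots[8]; } vec_t;

static int violations; /* failed bounds checks are counted, not aborted on */

/* Checked read: the analogue of asserting i < len before indexing. */
static int vec_aref(const vec_t *v, long i) {
    if (i < 0 || i >= v->len) { violations++; return -1; }
    return v->slots[i];
}

/* Shrinks first, then reads index len: that slot is already out of bounds. */
static int pop_shrink_first(vec_t *v) { v->len--; return vec_aref(v, v->len); }

/* Reads the last element while it is still in bounds, then shrinks. */
static int pop_read_first(vec_t *v) {
    int last = vec_aref(v, v->len - 1);
    v->len--;
    return last;
}

/* First-element read guarded by a length check (the empty-array case). */
static int first_or(const vec_t *v, int fallback) {
    return v->len > 0 ? vec_aref(v, 0) : fallback;
}

/* Scan using a length cached before a hook that may shrink the array. */
static long scan(vec_t *v, void (*hook)(vec_t *), int recheck) {
    long n = v->len, seen = 0;
    for (long i = 0; i < n; i++) {
        if (hook) hook(v);                 /* stands in for the other thread */
        if (recheck && i >= v->len) break; /* re-validate against live length */
        vec_aref(v, i);
        seen++;
    }
    return seen;
}

static void shrink_to_one(vec_t *v) { v->len = 1; }

int main(void) {
    vec_t a = {3, {10, 20, 30}}, b = a, c = a, d = a, e = {0, {0}};
    printf("pops: %d %d, empty first: %d\n", pop_shrink_first(&a), pop_read_first(&b), first_or(&e, -7));
    printf("reads: %ld stale, %ld rechecked\n", scan(&c, shrink_to_one, 0), scan(&d, shrink_to_one, 1));
    printf("violations: %d\n", violations);
    return 0;
}
```

The counter replaces the abort a real assertion would raise, so each unchecked pattern can be observed without ending the process.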
See Commits and Changes for more details.
Created by
pull[bot] (v2.0.0-alpha.3)