node.c (rb_ast_new): imemo_ast is WB-unprotected

mame · mame · commit 2c7d3b3a722c · 2021-04-26T22:46:51.000+09:00
Previously imemo_ast was handled as WB-protected which caused a segfault
of the following code:

    # shareable_constant_value: literal
    M0 = {}
    M1 = {}
    ...
    M100000 = {}

My analysis is here: `shareable_constant_value: literal` creates many
Hash instances during parsing, and add them to node_buffer of imemo_ast.
However, the contents are missed because imemo_ast is incorrectly
WB-protected.

This changeset makes imemo_ast as WB-unprotected.
diff --git a/gc.c b/gc.c
@@ -2435,6 +2435,13 @@ rb_imemo_new(enum imemo_type type, VALUE v1, VALUE v2, VALUE v3, VALUE v0)
     return newobj_of(v0, flags, v1, v2, v3, TRUE);
 }
 
+rb_ast_t *
+rb_imemo_ast_new(VALUE node_buffer)
+{
+    VALUE flags = T_IMEMO | (imemo_ast << FL_USHIFT);
+    return (rb_ast_t *)newobj_of(node_buffer, flags, 0, 0, 0, FALSE);
+}
+
 static VALUE
 rb_imemo_tmpbuf_new(VALUE v1, VALUE v2, VALUE v3, VALUE v0)
 {
diff --git a/internal/imemo.h b/internal/imemo.h
@@ -130,6 +130,7 @@ struct MEMO {
 
 typedef struct rb_imemo_tmpbuf_struct rb_imemo_tmpbuf_t;
 VALUE rb_imemo_new(enum imemo_type type, VALUE v1, VALUE v2, VALUE v3, VALUE v0);
+struct rb_ast_struct *rb_imemo_ast_new(VALUE node_buffer);
 rb_imemo_tmpbuf_t *rb_imemo_tmpbuf_parser_heap(void *buf, rb_imemo_tmpbuf_t *old_heap, size_t cnt);
 struct vm_ifunc *rb_vm_ifunc_new(rb_block_call_func_t func, const void *data, int min_argc, int max_argc);
 void rb_strterm_mark(VALUE obj);
diff --git a/node.c b/node.c
@@ -1299,7 +1299,7 @@ rb_ast_t *
 rb_ast_new(void)
 {
     node_buffer_t *nb = rb_node_buffer_new();
-    rb_ast_t *ast = (rb_ast_t *)rb_imemo_new(imemo_ast, 0, 0, 0, (VALUE)nb);
+    rb_ast_t *ast = rb_imemo_ast_new((VALUE)nb);
     return ast;
 }
 
diff --git a/test/ruby/test_gc.rb b/test/ruby/test_gc.rb
@@ -494,4 +494,11 @@ def test_object_ids_never_repeat
     b = 1000.times.map { Object.new.object_id }
     assert_empty(a & b)
   end
+
+  def test_ast_node_buffer
+    # https://github.com/ruby/ruby/pull/4416
+    Module.new.class_eval do
+      eval((["# shareable_constant_value: literal"] + (0..100000).map {|i| "M#{ i } = {}" }).join("\n"))
+    end
+  end
 end

Original file line number	Diff line number	Diff line change
`@@ -2435,6 +2435,13 @@ rb_imemo_new(enum imemo_type type, VALUE v1, VALUE v2, VALUE v3, VALUE v0)`
`2435`	`2435`	`return newobj_of(v0, flags, v1, v2, v3, TRUE);`
`2436`	`2436`	`}`
`2437`	`2437`
	`2438`	`+rb_ast_t *`
	`2439`	`+rb_imemo_ast_new(VALUE node_buffer)`
	`2440`	`+{`
	`2441`	`+ VALUE flags = T_IMEMO \| (imemo_ast << FL_USHIFT);`
	`2442`	`+ return (rb_ast_t *)newobj_of(node_buffer, flags, 0, 0, 0, FALSE);`
	`2443`	`+}`
	`2444`	`+`
`2438`	`2445`	`static VALUE`
`2439`	`2446`	`rb_imemo_tmpbuf_new(VALUE v1, VALUE v2, VALUE v3, VALUE v0)`
`2440`	`2447`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1299,7 +1299,7 @@ rb_ast_t *`
`1299`	`1299`	`rb_ast_new(void)`
`1300`	`1300`	`{`
`1301`	`1301`	`node_buffer_t *nb = rb_node_buffer_new();`
`1302`		`- rb_ast_t ast = (rb_ast_t )rb_imemo_new(imemo_ast, 0, 0, 0, (VALUE)nb);`
	`1302`	`+ rb_ast_t *ast = rb_imemo_ast_new((VALUE)nb);`
`1303`	`1303`	`return ast;`
`1304`	`1304`	`}`
`1305`	`1305`