| Age | Commit message (Collapse) | Author |
|---|
|
|
|
|
|
d4ee409ae912dec6eb719a5727da4566f817d9d8 should remove this line.
|
|
See https://github.com/mruby/mruby/pull/3142#issuecomment-201138873
|
|
|
|
mrb_vm_define_class() may realloc() mrb->c->stack because it calls
mrb_funcall() for inherited hook. If mrb->c->stack is realloc()-ed, regs
refers orphan address.
|
|
Think about the following Ruby script:
segv.rb:
begin
lambda do
lambda do
"x" * 1000 # NoMemoryError
end.call
end.call
rescue
raise
end
If memory can't allocate after `"x" * 1000`, mruby crashes.
Because L_RAISE: block in mrb_vm_exec() calls mrb_env_unshare() via
cipop() and mrb_env_unshare() uses allocated memory without NULL check:
L_RAISE: block:
L_RAISE:
// ...
while (ci[0].ridx == ci[-1].ridx) {
cipop(mrb);
// ...
}
cipop():
static void
cipop(mrb_state *mrb)
{
struct mrb_context *c = mrb->c;
if (c->ci->env) {
mrb_env_unshare(mrb, c->ci->env);
}
c->ci--;
}
mrb_env_unshare():
MRB_API void
mrb_env_unshare(mrb_state *mrb, struct REnv *e)
{
size_t len = (size_t)MRB_ENV_STACK_LEN(e);
// p is NULL in this case
mrb_value *p = (mrb_value *)mrb_malloc(mrb, sizeof(mrb_value)*len);
MRB_ENV_UNSHARE_STACK(e);
if (len > 0) {
stack_copy(p, e->stack, len); // p is NULL but used. It causes SEGV.
}
e->stack = p;
mrb_write_barrier(mrb, (struct RBasic *)e);
}
To solve the SEGV, this change always raises NoMemoryError even when
realloc() is failed after the first NoMemoryError in
mrb_realloc(). mrb_unv_unshare() doesn't need to check NULL with this
change.
But it causes infinite loop in the following while:
L_RAISE:
// ...
while (ci[0].ridx == ci[-1].ridx) {
cipop(mrb);
// ...
}
Because cipop() never pops ci.
This change includes cipop() change. The change pops ci even when
mrb_unv_unshare() is failed by NoMemoryError.
This case can be reproduced by the following program:
#include <stdlib.h>
#include <mruby.h>
#include <mruby/compile.h>
static void *
allocf(mrb_state *mrb, void *ptr, size_t size, void *ud)
{
static mrb_bool always_fail = FALSE;
if (size == 1001) {
always_fail = TRUE;
}
if (always_fail) {
return NULL;
}
if (size == 0) {
free(ptr);
return NULL;
} else {
return realloc(ptr, size);
}
}
int
main(int argc, char **argv)
{
mrb_state *mrb;
mrbc_context *c;
FILE *file;
mrb = mrb_open_allocf(allocf, NULL);
c = mrbc_context_new(mrb);
file = fopen(argv[1], "r");
mrb_load_file_cxt(mrb, file, c);
fclose(file);
mrbc_context_free(mrb, c);
mrb_close(mrb);
return EXIT_SUCCESS;
}
Try the following command lines:
% cc -I include -L build/host/lib -O0 -g3 -o no-memory no-memory.c -lmruby -lm
% ./no-memory segv.rb
|
|
|
|
|
|
|
|
mrb_funcall(); close #3056
|
|
|
|
GitHub: fix #2902, #2917
The current implementation traverses stack to retrieve backtrace. But
stack will be changed when some operations are occurred. It means that
backtrace may be broken after some operations.
This change (1) saves the minimum information to retrieve backtrace when
exception is raised and (2) restores backtrace from the minimum
information when backtrace is needed. It reduces overhead for creating
backtrace Ruby objects.
The space for the minimum information is reused by multiple
exceptions. So memory allocation isn't occurred for each exception.
|
|
|
|
changes:
* rename DISABLE_STDIO -> MRB_DISABLE_STDIO
* rename ENABLE_DEBUG -> MRB_ENABLE_DEBUG_HOOK
* no more opposite macro definitions (e.g. ENABLE_STDIO, DISABLE_DEBUG).
* rewrite above macro references throughout the code.
* update documents
|
|
|
|
#3000
|
|
|
|
|
|
|
|
|
|
|
|
Note: arguments of mrb_no_method_error() has changed. You need to replace
3rd and 4th argument (say n, argv) to mrb_ary_new_from_values(mrb, n, argv).
|
|
|
|
|
|
Related to #2760.
|
|
It isn't needed as it's very similar to mrb_define_method_raw() and also
there's only one place where mrb_proc_ptr() actually has to be called.
Inspired by @furunkel's method cache patch (#2764).
|
|
|
|
|
|
|
|
mrb_f_send needs stack_extend like OP_SEND
Signed-off-by: Go Saito <[email protected]>
|
|
3df32161797aa9c6e9df259e8d8571b454cb2333 says so but there is no warning
with GCC 4.9 on my Debian GNU/Linux environment.
|
|
delete prototypes of undefined functions
|
|
|
|
|
|
The following program reproduces this problem:
#include <mruby.h>
static mrb_value
recursive(mrb_state *mrb, mrb_value self)
{
mrb_int n;
mrb_get_args(mrb, "i", &n);
if (n == 0) {
mrb_raise(mrb, E_RUNTIME_ERROR, "XXX");
} else {
mrb_funcall(mrb, self, "recursive", 1, mrb_fixnum_value(n - 1));
}
return self;
}
int
main(void)
{
mrb_state *mrb;
mrb = mrb_open();
mrb_define_method(mrb, mrb->kernel_module, "recursive", recursive,
MRB_ARGS_REQ(1));
mrb_funcall(mrb, mrb_top_self(mrb), "recursive", 1, mrb_fixnum_value(30));
mrb_close(mrb);
}
Recursive method call isn't required. It's just for expanding call info
stack.
If mrb_realloc() is called in cipush(), cibase address is changed. So,
we shouldn't compare ci before mrb_realloc() and cibase after
mrb_realloc(). It accesses unknown address and causes crash.
|
|
In src/vm.c: mrb_funcall_with_block
stack_extend may realloc mrb->c->stbase, if argv points on mruby's stack,
then it points invalid address after stack_extend.
e.g. src/class.c: mrb_instance_new
This code:
```ruby
class A
def initialize(a0,a1,a2,a3,a4)
a0.is_a? Array
end
end
def f(a0,a1,a2,a3,a4)
A.new(a0,a1,a2,a3,a4)
f(a0,a1,a2,a3,a4)
end
f(0,1,2,3,4)
```
is expected to get exception
```
stack level too deep. (limit=(0x40000 - 128)) (SystemStackError)
```
but get segfault.
Signed-off-by: Go Saito <[email protected]>
|
|
How to reproduce:
class A
def x
yield
ensure
y
end
def y
end
end
# Work
A.new.x do
end
# Not work
# trace:
# [2] /tmp/a.rb:5:in A.x
# [0] /tmp/a.rb:15
# /tmp/a.rb:5: undefined method 'y' for main (NoMethodError)
A.new.x do
break
end
# trace:
# [2] /tmp/a.rb:5:in A.call
# [0] /tmp/a.rb:19
# /tmp/a.rb:5: undefined method 'y' for main (NoMethodError)
lambda do
A.new.x do
return
end
end.call
`self` in ensure is broken when yield and break/return are used.
|
|
|
|
still works
|
|
arguments. This fix makes the following code workable:
Expected:
class MRBTime < Time; def self.new; super(2012, 4, 21); end; end
MRBTime.new # => Sat Apr 21 00:00:00 2012
Actual:
class MRBTime < Time; def self.new; super(2012, 4, 21); end; end
MRBTime.new # => can't convert nil into Integer (TypeError)
|
|
|
|
Mostly by renaming the shadowing variable.
If a shadowing variable was deleted,
the shadowed one can be used instead.
|
|
|
|
|
|
It's defined in mruby/version.h which gets included in mruby.h, so it's
safe to use.
|
|
Class method defined in singleton class should be evaluated in class
context not singleton class context.
fix #2515
|
|
|
|
|
|
|
