ruby-core@ruby-lang.org archive (unofficial mirror)
* [ruby-core:121443] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
@ 2025-03-26 18:07 peterzhu2118 (Peter Zhu) via ruby-core
  2025-03-27  5:21 ` [ruby-core:121447] " ioquatix (Samuel Williams) via ruby-core
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: peterzhu2118 (Peter Zhu) via ruby-core @ 2025-03-26 18:07 UTC (permalink / raw)
  To: ruby-core; +Cc: peterzhu2118 (Peter Zhu)

Issue #21198 has been reported by peterzhu2118 (Peter Zhu).

----------------------------------------
Bug #21198: Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
https://bugs.ruby-lang.org/issues/21198

* Author: peterzhu2118 (Peter Zhu)
* Status: Open
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED
----------------------------------------
The Fiber::Scheduler#blocking_operation_wait method is passed a proc through the `rb_fiber_scheduler_blocking_operation_wait` function. This function stack-allocates the arguments used for the proc ([source](https://github.com/ruby/ruby/blob/2183899fd184ab1cfee80d57c0dd6f4dcd370375/scheduler.c#L755-L762)). If this proc is captured anywhere, then calling it again will illegally read from and write to stack space.

The following script demonstrates this issue using the [test/fiber/scheduler.rb](https://github.com/ruby/ruby/blob/master/test/fiber/scheduler.rb) scheduler:

```ruby
require_relative "test/fiber/scheduler"

class MyScheduler < Scheduler
  def blocking_operation_wait(work)
    super

    $work = work
  end
end

scheduler = MyScheduler.new
Fiber.set_scheduler(scheduler)

require "tempfile"

Fiber.schedule do
  file = Tempfile.new
  file.write("hello world!")
  $work.call
end

scheduler.run
```

Crashes with:

```
test.rb:19: [BUG] Bus Error at 0xce0f57696add0045
ruby 3.4.2 (2025-02-15 revision d2930f8e7a) +PRISM [arm64-darwin24]

-- Crash Report log information --------------------------------------------
   See Crash Report log file in one of the following locations:             
     * ~/Library/Logs/DiagnosticReports                                     
     * /Library/Logs/DiagnosticReports                                      
   for more details.                                                        
Don't forget to include the above Crash Report log file in bug reports.     

-- Control frame information -----------------------------------------------
c:0003 p:---- s:0010 e:000009 IFUNC 
c:0002 p:0017 s:0007 e:000006 BLOCK  test.rb:19 [FINISH]
c:0001 p:---- s:0003 e:000002 DUMMY  [FINISH]

-- Ruby level backtrace information ----------------------------------------
test.rb:19:in 'block in <main>'

-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
Note that the Fiber scheduler is enabled

-- Machine register context ------------------------------------------------
  x0: 0x000000010063a5f0  x1: 0x000000014b80ce00  x2: 0x0000000000000000
  x3: 0x000000014b60f060  x4: 0x0000000000000000  x5: 0x0000000000000000
  x6: 0x0000000000000004  x7: 0x0000000000000000 x18: 0x0000000000000000
 x19: 0x000000014b6a4840 x20: 0xce0f57696add0045 x21: 0x000000010063a5f0
 x22: 0x000000014b60f060 x23: 0x0000000000000000 x24: 0x000000014b60f998
 x25: 0x0000000000014273 x26: 0x000000014b60f060 x27: 0x000000014b60f060
 x28: 0x000000014b80ce00  lr: 0x0000000100d881d8  fp: 0x000000011bb039f0
  sp: 0x000000011bb03980

-- C level backtrace information -------------------------------------------
SEGV received in BUS handler
[1]    52599 abort      ruby test.rb
```



-- 
https://bugs.ruby-lang.org/
 ______________________________________________
 ruby-core mailing list -- ruby-core@ml.ruby-lang.org
 To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
 ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/


* [ruby-core:121447] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
  2025-03-26 18:07 [ruby-core:121443] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return peterzhu2118 (Peter Zhu) via ruby-core
@ 2025-03-27  5:21 ` ioquatix (Samuel Williams) via ruby-core
  2025-06-06  9:36 ` [ruby-core:122483] " ioquatix (Samuel Williams) via ruby-core
  2025-06-06  9:37 ` [ruby-core:122484] " ioquatix (Samuel Williams) via ruby-core
  2 siblings, 0 replies; 4+ messages in thread
From: ioquatix (Samuel Williams) via ruby-core @ 2025-03-27  5:21 UTC (permalink / raw)
  To: ruby-core; +Cc: ioquatix (Samuel Williams)

Issue #21198 has been updated by ioquatix (Samuel Williams).


A solution to this would be to invalidate the proc afterwards. I don't know if this is possible but I can take a look.

----------------------------------------
Bug #21198: Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
https://bugs.ruby-lang.org/issues/21198#change-112447

* Author: peterzhu2118 (Peter Zhu)
* Status: Open
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED
----------------------------------------




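As an added example of the "invalidate the proc afterwards" idea proposed above (this is not code from ruby/ruby, from the fix PR, or from either poster): a Ruby model in which the runtime hands the scheduler a one-shot handle instead of a raw proc and invalidates that handle when the creating frame returns. A scheduler that retains the handle, as the report's `$work = work` does, then gets an exception on the late call instead of a read of a dead stack frame. `OneShotOperation`, `StaleOperationError`, `SimulatedRuntime` and the scheduler classes are hypothetical names, the work block is constructed for the example, and nothing here claims to be what PR 13437 actually changed.

```ruby
# Added example: a one-shot handle modelling "invalidate the proc afterwards".
# All class names are hypothetical; none of this is ruby/ruby code.

# Raised when a handle is called after it can no longer be safely executed.
class StaleOperationError < RuntimeError; end

# Stands in for the proc built by rb_fiber_scheduler_blocking_operation_wait.
# In the real runtime the proc's arguments live on the C stack of the frame
# that created it; here the block is heap-managed, so nothing can dangle, but
# the same lifetime rule is enforced: one call, and none after the owning
# frame has returned.
class OneShotOperation
  attr_reader :result

  def initialize(&work)
    @work = work
    @executed = false
    @invalid = false
    @result = nil
  end

  def call
    raise StaleOperationError, "owning frame already returned" if @invalid
    raise StaleOperationError, "operation already executed" if @executed
    @executed = true
    @result = @work.call
  end

  def executed?
    @executed
  end

  # Called by the owner on the way out; drops the work reference so a retained
  # handle can neither run it nor keep it alive.
  def invalidate!
    @invalid = true
    @work = nil
  end
end

# Stand-in for rb_fiber_scheduler_blocking_operation_wait (hypothetical).
module SimulatedRuntime
  def self.blocking_operation_wait(scheduler, &work)
    op = OneShotOperation.new(&work)
    begin
      scheduler.blocking_operation_wait(op)
    ensure
      op.invalidate! # whatever the scheduler kept a reference to is now inert
    end
    raise "scheduler did not execute the blocking operation" unless op.executed?
    op.result
  end
end

# Well-behaved scheduler: runs the work exactly once, synchronously.
class SafeScheduler
  def blocking_operation_wait(work)
    work.call
  end
end

# The pattern from the bug report: retains the handle and calls it later.
class CapturingScheduler
  attr_reader :captured

  def blocking_operation_wait(work)
    work.call
    @captured = work
  end
end

# Another misuse the guard catches: running the same operation twice.
class DoubleCallScheduler
  def blocking_operation_wait(work)
    work.call
    work.call
  end
end

def demo
  work = -> { "hello world!".bytesize } # constructed sample work: 12 bytes
  safe = SimulatedRuntime.blocking_operation_wait(SafeScheduler.new, &work)

  capturing = CapturingScheduler.new
  via_capturing = SimulatedRuntime.blocking_operation_wait(capturing, &work)
  late = begin
    capturing.captured.call # what `$work.call` did in the report's script
    :no_error
  rescue StaleOperationError => e
    e.message
  end

  double = begin
    SimulatedRuntime.blocking_operation_wait(DoubleCallScheduler.new, &work)
  rescue StaleOperationError => e
    e.message
  end

  { safe: safe, capturing: via_capturing, late_call: late, double_call: double }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The `ensure` is the important part: the handle is invalidated no matter how the scheduler returns, so even a scheduler that raises after stashing the handle cannot leave a live reference to the owner's frame behind.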

* [ruby-core:122483] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
  2025-03-26 18:07 [ruby-core:121443] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return peterzhu2118 (Peter Zhu) via ruby-core
  2025-03-27  5:21 ` [ruby-core:121447] " ioquatix (Samuel Williams) via ruby-core
@ 2025-06-06  9:36 ` ioquatix (Samuel Williams) via ruby-core
  2025-06-06  9:37 ` [ruby-core:122484] " ioquatix (Samuel Williams) via ruby-core
  2 siblings, 0 replies; 4+ messages in thread
From: ioquatix (Samuel Williams) via ruby-core @ 2025-06-06  9:36 UTC (permalink / raw)
  To: ruby-core; +Cc: ioquatix (Samuel Williams)

Issue #21198 has been updated by ioquatix (Samuel Williams).

Status changed from Open to Closed
Assignee set to ioquatix (Samuel Williams)

Fixed in <https://github.com/ruby/ruby/pull/13437>.

----------------------------------------
Bug #21198: Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
https://bugs.ruby-lang.org/issues/21198#change-113672

* Author: peterzhu2118 (Peter Zhu)
* Status: Closed
* Assignee: ioquatix (Samuel Williams)
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED
----------------------------------------





* [ruby-core:122484] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
  2025-03-26 18:07 [ruby-core:121443] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return peterzhu2118 (Peter Zhu) via ruby-core
  2025-03-27  5:21 ` [ruby-core:121447] " ioquatix (Samuel Williams) via ruby-core
  2025-06-06  9:36 ` [ruby-core:122483] " ioquatix (Samuel Williams) via ruby-core
@ 2025-06-06  9:37 ` ioquatix (Samuel Williams) via ruby-core
  2 siblings, 0 replies; 4+ messages in thread
From: ioquatix (Samuel Williams) via ruby-core @ 2025-06-06  9:37 UTC (permalink / raw)
  To: ruby-core; +Cc: ioquatix (Samuel Williams)

Issue #21198 has been updated by ioquatix (Samuel Williams).

Backport changed from 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED to 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: DONTNEED

It's going to be tricky to backport this, and it's not a major issue since there are bigger problems with 3.4's implementation of `blocking_operation_wait` which make it unstable. Therefore, let's not try to backport this.

----------------------------------------
Bug #21198: Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
https://bugs.ruby-lang.org/issues/21198#change-113673

* Author: peterzhu2118 (Peter Zhu)
* Status: Closed
* Assignee: ioquatix (Samuel Williams)
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: DONTNEED
----------------------------------------




