From: "ioquatix (Samuel Williams) via ruby-core" <ruby-core@ml.ruby-lang.org>
To: ruby-core@ml.ruby-lang.org
Cc: "ioquatix (Samuel Williams)" <noreply@ruby-lang.org>
Subject: [ruby-core:122483] [Ruby Bug#21198] Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
Date: Fri, 06 Jun 2025 09:36:34 +0000 (UTC)
Message-ID: <redmine.journal-113672.20250606093634.42491@ruby-lang.org>
In-Reply-To: <redmine.issue-21198.20250326180737.42491@ruby-lang.org>
Issue #21198 has been updated by ioquatix (Samuel Williams).
Status changed from Open to Closed
Assignee set to ioquatix (Samuel Williams)
Fixed in <https://github.com/ruby/ruby/pull/13437>.
----------------------------------------
Bug #21198: Fiber::Scheduler#blocking_operation_wait crash due to stack-use-after-return
https://bugs.ruby-lang.org/issues/21198#change-113672
* Author: peterzhu2118 (Peter Zhu)
* Status: Closed
* Assignee: ioquatix (Samuel Williams)
* Backport: 3.1: DONTNEED, 3.2: DONTNEED, 3.3: DONTNEED, 3.4: REQUIRED
----------------------------------------
The Fiber::Scheduler#blocking_operation_wait method is passed a proc through the `rb_fiber_scheduler_blocking_operation_wait` function. This function stack-allocates the arguments used for the proc ([source](https://github.com/ruby/ruby/blob/2183899fd184ab1cfee80d57c0dd6f4dcd370375/scheduler.c#L755-L762)). If this proc is captured anywhere, then calling it again will illegally read from and write to stack space.
The following script demonstrates this issue using the [test/fiber/scheduler.rb](https://github.com/ruby/ruby/blob/master/test/fiber/scheduler.rb) scheduler:
```ruby
# Reproducer: run from a ruby source checkout so test/fiber/scheduler.rb resolves.
require_relative "test/fiber/scheduler"
require "tempfile"

class MyScheduler < Scheduler
  def blocking_operation_wait(work)
    super
    # Keep a reference to the proc after the C frame that built its
    # argument block has returned.
    $work = work
  end
end

scheduler = MyScheduler.new
Fiber.set_scheduler(scheduler)

Fiber.schedule do
  file = Tempfile.new
  file.write("hello world!")   # triggers blocking_operation_wait
  $work.call                   # second call reads the dead stack frame: crash
end

scheduler.run
```
Crashes with:
```
test.rb:19: [BUG] Bus Error at 0xce0f57696add0045
ruby 3.4.2 (2025-02-15 revision d2930f8e7a) +PRISM [arm64-darwin24]
-- Crash Report log information --------------------------------------------
See Crash Report log file in one of the following locations:
* ~/Library/Logs/DiagnosticReports
* /Library/Logs/DiagnosticReports
for more details.
Don't forget to include the above Crash Report log file in bug reports.
-- Control frame information -----------------------------------------------
c:0003 p:---- s:0010 e:000009 IFUNC
c:0002 p:0017 s:0007 e:000006 BLOCK test.rb:19 [FINISH]
c:0001 p:---- s:0003 e:000002 DUMMY [FINISH]
-- Ruby level backtrace information ----------------------------------------
test.rb:19:in 'block in <main>'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
Note that the Fiber scheduler is enabled
-- Machine register context ------------------------------------------------
x0: 0x000000010063a5f0 x1: 0x000000014b80ce00 x2: 0x0000000000000000
x3: 0x000000014b60f060 x4: 0x0000000000000000 x5: 0x0000000000000000
x6: 0x0000000000000004 x7: 0x0000000000000000 x18: 0x0000000000000000
x19: 0x000000014b6a4840 x20: 0xce0f57696add0045 x21: 0x000000010063a5f0
x22: 0x000000014b60f060 x23: 0x0000000000000000 x24: 0x000000014b60f998
x25: 0x0000000000014273 x26: 0x000000014b60f060 x27: 0x000000014b60f060
x28: 0x000000014b80ce00 lr: 0x0000000100d881d8 fp: 0x000000011bb039f0
sp: 0x000000011bb03980
-- C level backtrace information -------------------------------------------
SEGV received in BUS handler
[1] 52599 abort ruby test.rb
```
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
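The failure mode in the report, as an added illustration in C that is not code from ruby/scheduler.c or from the linked PR: a callback whose argument block lives in the frame of the function that created it is kept by the scheduler and invoked after that frame is gone. The struct layout (`blocking_args_t`, `closure_t`), the `square` work function and the bump-allocated "stack" are all assumptions made for the example; the simulated stack scribbles popped frames so the use-after-return is observable deterministically instead of being undefined behaviour. The heap-owned variant shows one shape that removes the hazard; the page does not say what the actual fix changed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated C stack: frames are bump-allocated and scribbled when popped,
 * so reading a dead frame returns a recognisable pattern rather than UB. */
#define SCRIBBLE 0xAB
static _Alignas(16) unsigned char sim_stack[512];
static size_t sim_sp;                         /* bytes currently in use */

static size_t frame_size(size_t n) { return (n + 15) & ~(size_t)15; }

static void *frame_push(size_t n) {
    unsigned char *p = sim_stack + sim_sp;
    sim_sp += frame_size(n);
    return p;
}

static void frame_pop(size_t n) {
    sim_sp -= frame_size(n);
    memset(sim_stack + sim_sp, SCRIBBLE, frame_size(n));
}

/* Assumed shape of one blocking operation's arguments. */
typedef struct {
    int (*work)(int);
    int argument;
    int result;
} blocking_args_t;

/* Minimal closure standing in for the proc handed to the scheduler. */
typedef struct {
    int (*fn)(void *data);
    void *data;
    int owns_data;        /* 1 if data is heap memory the closure must free */
} closure_t;

static int run_blocking(void *data) {
    blocking_args_t *args = data;
    args->result = args->work(args->argument);
    return args->result;
}

static int square(int x) { return x * x; }

/* Buggy shape: args sit in the creating frame, the scheduler stashes the
 * closure (like `$work = work` in the report), and the pointer dangles once
 * this function "returns". */
static int blocking_wait_on_stack(closure_t *captured, int argument) {
    blocking_args_t *args = frame_push(sizeof *args);
    args->work = square;
    args->argument = argument;
    args->result = 0;

    closure_t work = { run_blocking, args, 0 };
    int result = work.fn(work.data);   /* the normal in-frame call: fine */
    *captured = work;                  /* scheduler keeps a reference */

    frame_pop(sizeof *args);           /* frame gone; args now garbage */
    return result;
}

/* Fixed shape: the args block is heap-allocated and owned by the closure,
 * so it outlives the creating frame and may be called again. */
static int blocking_wait_on_heap(closure_t *captured, int argument) {
    blocking_args_t *args = malloc(sizeof *args);
    if (args == NULL) return -1;
    args->work = square;
    args->argument = argument;
    args->result = 0;

    closure_t work = { run_blocking, args, 1 };
    int result = work.fn(work.data);
    *captured = work;
    return result;                     /* nothing to pop: args still valid */
}

static void closure_release(closure_t *c) {
    if (c->owns_data) free(c->data);
    c->data = NULL;
    c->fn = NULL;
}

/* Compare the stored work pointer only; the scribbled one is never called. */
static int captured_args_intact(const closure_t *c) {
    const blocking_args_t *args = c->data;
    return args->work == square;
}

/* Returns 1 when the stack-captured closure's args were clobbered. */
int demo_stack_capture_clobbered(void) {
    closure_t captured;
    int first = blocking_wait_on_stack(&captured, 7);
    return first == 49 && !captured_args_intact(&captured);
}

/* Returns the result of invoking the heap-captured closure a second time. */
int demo_heap_capture_second_call(void) {
    closure_t captured;
    int first = blocking_wait_on_heap(&captured, 7);
    int second = captured.fn(captured.data);   /* safe: args still alive */
    closure_release(&captured);
    return first == 49 ? second : -1;
}

int main(void) {
    printf("stack-captured args clobbered: %d\n", demo_stack_capture_clobbered());
    printf("heap-captured second call: %d\n", demo_heap_capture_second_call());
    return 0;
}
```

On a real stack the clobbered `work` pointer is whatever the next call wrote there, which is why the report's second `$work.call` ends in a bus error at a nonsense address rather than a clean failure; AddressSanitizer with `detect_stack_use_after_return=1` is the practical way to catch this class in the real code base.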
Thread overview: 4+ messages
2025-03-26 18:07 [ruby-core:121443] " peterzhu2118 (Peter Zhu) via ruby-core
2025-03-27 5:21 ` [ruby-core:121447] " ioquatix (Samuel Williams) via ruby-core
2025-06-06 9:36 ` ioquatix (Samuel Williams) via ruby-core [this message]
2025-06-06 9:37 ` [ruby-core:122484] " ioquatix (Samuel Williams) via ruby-core