* [ruby-core:122555] [Ruby Bug#21444] Crash in GC after accessing `object_id` (`obj_free` called for broken object)
From: Earlopain (Earlopain _) via ruby-core @ 2025-06-18 12:53 UTC (permalink / raw)
To: ruby-core; +Cc: Earlopain (Earlopain _)
Issue #21444 has been reported by Earlopain (Earlopain _).
----------------------------------------
Bug #21444: Crash in GC after accessing `object_id` (`obj_free` called for broken object)
https://bugs.ruby-lang.org/issues/21444
* Author: Earlopain (Earlopain _)
* Status: Open
* ruby -v: ruby 3.5.0dev (2025-06-18T07:13:12Z master 332f83d1ab) +PRISM [x86_64-linux]
* Backport: 3.2: UNKNOWN, 3.3: UNKNOWN, 3.4: UNKNOWN
----------------------------------------
```rb
require 'bundler/inline'

gemfile do
  source 'https://rubygems.org'
  gem 'rubocop'
end

require 'objspace'
require 'tmpdir'

3.times { GC.start }
GC.disable

Dir.mktmpdir do |dir|
  Dir.chdir(dir) do
    File.open('Gemfile', 'w') {}
    cli = RuboCop::CLI.new
    cli.run([])
  end
end

ObjectSpace.each_object do |obj|
  obj.object_id
end

GC.enable
3.times { GC.start }
```
This is the smallest I could make it. I try to reduce and it magically starts passing. You may have to run it a few times for it to segfault but it's very reliable for me, just a handful of runs succeed.
The code is adapted to what the `memory_profiler` gem does to print its stats.
```
<internal:gc>:36: [BUG] obj_free() called for broken object
ruby 3.5.0dev (2025-06-18T07:13:12Z master 332f83d1ab) +PRISM [x86_64-linux]
-- Control frame information -----------------------------------------------
c:0005 p:0010 s:0026 e:000021 METHOD <internal:gc>:36
c:0004 p:0004 s:0014 e:000013 BLOCK test.rb:27
c:0003 p:0024 s:0011 e:000010 METHOD <internal:numeric>:257
c:0002 p:0056 s:0006 e:000005 EVAL test.rb:27 [FINISH]
c:0001 p:0000 s:0003 E:000a90 DUMMY [FINISH]
-- Ruby level backtrace information ----------------------------------------
test.rb:27:in '<main>'
<internal:numeric>:257:in 'times'
test.rb:27:in 'block in <main>'
<internal:gc>:36:in 'start'
-- Threading information ---------------------------------------------------
Total ractor count: 1
Ruby thread count for this ractor: 1
-- C level backtrace information -------------------------------------------
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_print_backtrace+0x5) [0x7a80ec1772c6] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/vm_dump.c:843
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_vm_bugreport) /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/vm_dump.c:1175
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_bug_without_die_internal+0x71) [0x7a80ebe51a03] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/error.c:1097
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_bug) /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/error.c:1115
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_gc_obj_free+0xe) [0x7a80ebe52581] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/gc.c:1265
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_sweep_plane+0xad) [0x7a80ebf65c2a] gc/default/default.c:3476
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_sweep_page) gc/default/default.c:3561
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_sweep_step) gc/default/default.c:3842
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_sweep_rest+0xb) [0x7a80ebf6833b] gc/default/default.c:3910
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_sweep) gc/default/default.c:4080
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_start+0xbc4) [0x7a80ebf6ab84] gc/default/default.c:6426
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_multi_ractor_p+0x0) [0x7a80ebf6e219] gc/default/default.c:6307
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_vm_lock_leave) ./vm_sync.h:101
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_gc_vm_unlock) /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/gc.c:144
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(garbage_collect) gc/default/default.c:6309
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_gc_impl_start) gc/default/default.c:6759
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(gc_start_internal) /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/gc.c:3479
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(vm_exec_core+0x4f6) [0x7a80ec1580e6] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/vm_insnhelper.c:7412
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(vm_exec_loop+0x72) [0x7a80ec15e9fa] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/vm.c:2652
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_vm_exec) /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/vm.c:2631
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(rb_ec_exec_node+0x99) [0x7a80ebf3e999] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/eval.c:281
/home/user/.rbenv/versions/ruby-dev/lib/libruby.so.3.5(ruby_run_node+0x83) [0x7a80ebf44f43] /tmp/ruby-build.20250618094201.28027.3MG6OR/ruby-master/eval.c:319
/home/user/.rbenv/versions/ruby-dev/bin/ruby(rb_main+0x21) [0x61c4abdb1100] ./main.c:42
/home/user/.rbenv/versions/ruby-dev/bin/ruby(main) ./main.c:62
/usr/lib/libc.so.6(0x7a80ebb3f6b5) [0x7a80ebb3f6b5]
/usr/lib/libc.so.6(__libc_start_main+0x89) [0x7a80ebb3f769]
[0x61c4abdb1145]
```
---Files--------------------------------
crash.log (32.7 KB)
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/lists/ruby-core.ml.ruby-lang.org/
* [ruby-core:122573] [Ruby Bug#21444] Crash in GC after accessing `object_id` (`obj_free` called for broken object)
From: Earlopain (Earlopain _) via ruby-core @ 2025-06-21 10:19 UTC (permalink / raw)
To: ruby-core; +Cc: Earlopain (Earlopain _)
Issue #21444 has been updated by Earlopain (Earlopain _).
Probably the same as https://bugs.ruby-lang.org/issues/21445, during reduction I started hitting `push_mark_stack() called for broken object` instead.
----------------------------------------
Bug #21444: Crash in GC after accessing `object_id` (`obj_free` called for broken object)
https://bugs.ruby-lang.org/issues/21444#change-113803
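Added example (not part of the original thread and not Ruby's own tooling): because the reproducer fails only on some runs and the follow-up reports a different `[BUG]` message appearing during reduction, this harness runs a command repeatedly and tallies the outcomes by `[BUG]` signature. The names `classify_run` and `crash_signatures` are assumptions made for this illustration.

```ruby
require 'open3'
require 'rbconfig'

# Matches the interpreter's fatal-error line, for example
#   <internal:gc>:36: [BUG] obj_free() called for broken object
BUG_LINE = /\[BUG\] (.+)$/

# Classify one finished run (hypothetical helper).
# Returns :ok, the text after "[BUG]", or a short description of
# the signal or exit status when no [BUG] line was printed.
def classify_run(stderr, status)
  if (m = stderr.match(BUG_LINE))
    m[1].strip
  elsif status.signaled?
    "killed by signal #{status.termsig}"
  elsif status.success?
    :ok
  else
    "exit #{status.exitstatus}"
  end
end

# Run `cmd` (an argv array, so no shell is involved) `runs` times
# and count how often each outcome occurs (hypothetical helper).
def crash_signatures(cmd, runs:)
  tally = Hash.new(0)
  runs.times do
    _stdout, stderr, status = Open3.capture3(*cmd)
    tally[classify_run(stderr, status)] += 1
  end
  tally
end

# Usage, assuming the reproducer was saved as test.rb:
#   crash_signatures([RbConfig.ruby, 'test.rb'], runs: 20)
```

Comparing the tallies before and after each reduction step shows whether the script still fails at a similar rate and whether it still fails with the same message.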