mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

[Bug #18928] Fix crash in WeakMap

In wmap_live_p, if is_pointer_to_heap returns false, then the page is
either in the tomb or has already been freed, so the object is dead. In
this case, wmap_live_p should return false.
Peter Zhu 2022-07-19 15:51:39 -04:00
parent fa5724cca9
commit 86d061294d
Notes: git 2022-07-20 21:40:52 +09:00

21
gc.c

@ -12706,20 +12706,21 @@ static int
wmap_live_p(rb_objspace_t *objspace, VALUE obj)
{
if (SPECIAL_CONST_P(obj)) return TRUE;
if (is_pointer_to_heap(objspace, (void *)obj)) {
void *poisoned = asan_unpoison_object_temporary(obj);
/* If is_pointer_to_heap returns false, the page could be in the tomb heap
* or have already been freed. */
if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;
enum ruby_value_type t = BUILTIN_TYPE(obj);
int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
is_live_object(objspace, obj));
void *poisoned = asan_unpoison_object_temporary(obj);
if (poisoned) {
asan_poison_object(obj);
}
enum ruby_value_type t = BUILTIN_TYPE(obj);
int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
is_live_object(objspace, obj));
return ret;
if (poisoned) {
asan_poison_object(obj);
}
return TRUE;
return ret;
}
static int
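Review bot: The comment added above `if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;` in wmap_live_p states the condition but not the consequence, which is what a later maintainer needs to know before reordering or relaxing the guard. I would end it with the conclusion the commit message already gives, e.g. `* or have already been freed, so the object is dead and must not be read below. */`, because `BUILTIN_TYPE(obj)` after the guard reads the object's header and the old fall-through `return TRUE` reported such a stale reference as live. The guard tests the address only; whether a freed page's address can be handed to a new page before the WeakMap entry is cleared is not visible in this hunk and is worth confirming. No regression test for the Bug #18928 crash appears on this page.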