Simple script segfaults 1.8.6-p230

When I run the following 10-line ruby script on 1.8.6-p230
as shipped (built on 32-bit x86 Debian Etch, with configure
arguments at defaults), it pretty reliably segfaults. My
patch to get rails working (by reverting changeset 17222
on the ruby_1_8_6 branch) eliminates this problem as well,
so this may be the simplest demonstration of the problem
that’s been killing Rails apps on this Ruby release.

The script:

obj = Object.new

class << obj
  def meth(x, y)
  end
end

10000.times do
  obj = obj.clone
end

On Jun 25, 2008, at 21:28 PM, Robert Thau wrote:

> When I run the following 10-line ruby script on 1.8.6-p230
> as shipped (built on 32-bit x86 Debian Etch, with configure
> arguments at defaults), it pretty reliably segfaults. My
> patch to get rails working (by reverting changeset 17222
> on the ruby_1_8_6 branch) eliminates this problem as well,
> so this may be the simplest demonstration of the problem
> that’s been killing Rails apps on this Ruby release.

It seems that this has been fixed but not backported:

$ ruby18 -v -
ruby 1.8.7 (2008-06-25 revision 17572) [i686-darwin9.3.0]
obj = Object.new

class << obj
  def meth(x, y)
  end
end

10000.times do
  obj = obj.clone
end
$ echo $?
0

p232 crashes for me:

$ ./miniruby -v -
ruby 1.8.6 (2008-06-24 patchlevel 232) [i686-darwin9.3.0]

[code]
miniruby(83566) malloc: *** error for object 0x120a90: double free
*** set a breakpoint in malloc_error_break to debug
[…]
miniruby(83566) malloc: *** error for object 0x120a90: double free
*** set a breakpoint in malloc_error_break to debug
-:9: [BUG] Segmentation fault
ruby 1.8.6 (2008-06-24) [i686-darwin9.3.0]

Abort trap
$

Backtrace points to:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0xc000000f
st_free_table (table=0x120c90) at st.c:211
211 next = ptr->next;
(gdb) bt
#0 st_free_table (table=0x120c90) at st.c:211
#1 0x000363ae in garbage_collect () at gc.c:1177
#2 0x00036695 in rb_newobj () at gc.c:384
#3 0x0005718c in rb_node_newnode (type=NODE_METHOD, a0=1182448, a1=1182448, a2=1182448) at parse.y:4520
#4 0x0000c01a in clone_method (mid=3221225475, body=0x20006c, data=0xbfffe248) at class.c:70
#5 0x00085b81 in st_foreach (table=0x176c40, func=0xbfe0 <clone_method>, arg=3221217864) at st.c:487
#6 0x0000cc63 in rb_singleton_class_clone (obj=<value temporarily unavailable, due to optimizations>) at class.c:160
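
Added example, not part of the thread: a small harness that feeds the script above to one or more interpreter builds on stdin (the same `ruby -v -` invocation used in the reply) and reports whether each exits cleanly or dies on a signal or `[BUG]`. The names `check_interpreter` and `check_all` are made up for this example, and the harness itself is assumed to run under a modern Ruby (2.3 or later) while the builds under test are passed as paths.

```ruby
require 'open3'
require 'rbconfig'

# Reproduction script from the thread above, unchanged apart from indentation.
REPRO = <<~RUBY
  obj = Object.new

  class << obj
    def meth(x, y)
    end
  end

  10000.times do
    obj = obj.clone
  end
RUBY

# Feed REPRO to `interpreter` on stdin (as `ruby -v -` does in the thread)
# and classify how the child process ended.
def check_interpreter(interpreter)
  out, err, status = Open3.capture3(interpreter, '-v', '-', stdin_data: REPRO)
  banner = (out + err).lines.grep(/\Aruby \d/).first.to_s.strip
  verdict =
    if status.signaled?
      # SIGSEGV/SIGABRT/SIGBUS: the interpreter itself died, as on p230/p232.
      "crashed (signal #{status.termsig})"
    elsif err.include?('[BUG]') || err.include?('double free')
      'crashed (interpreter reported memory corruption)'
    elsif status.success?
      'ok'
    else
      "failed (exit #{status.exitstatus})"
    end
  { interpreter: interpreter, banner: banner, verdict: verdict }
rescue Errno::ENOENT
  { interpreter: interpreter, banner: '', verdict: 'not found' }
end

# Default to the running interpreter; pass paths to other builds as arguments.
def check_all(interpreters)
  interpreters = [RbConfig.ruby] if interpreters.empty?
  interpreters.map { |path| check_interpreter(path) }
end

if $PROGRAM_NAME == __FILE__
  check_all(ARGV).each do |r|
    puts format('%-40s %-28s %s', r[:interpreter], r[:verdict], r[:banner])
  end
end
```

Because the crash is described as happening "pretty reliably" rather than always, a clean run on a suspect build is worth repeating a few times before trusting it.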