You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
> x=FFI::MemoryPointer.new(:int,20_000_000){|mm| nil}.write_array_of_int([12]*2_000_00)Traceback(mostrecentcalllast):
2: from(irb):11:in`evaluate' 1: from org/jruby/ext/ffi/AbstractMemory.java:1555:in `write_array_of_int32'RuntimeError (attempting to access freed memory)> x.read_intTraceback (most recent call last): 2: from (irb):12:in `evaluate'1: fromorg/jruby/ext/ffi/AbstractMemory.java:1555:in `write_array_of_int32'
RuntimeError(attemptingtoaccessfreedmemory)
>
MRI (affected)
> x=FFI::MemoryPointer.new(:int,20_000_000){|mm| nil}.write_array_of_int([12]*2_000_00)
> x.read_int(irb):20: [BUG]Segmentationfaultat0x00007f25833b4010ruby3.0.0p0(2020-12-25revision95aff21468)[x86_64-linux]
-- Controlframeinformation -----------------------------------------------
c:0022p:---- s:0109e:000108CFUNC:read_int32# snip many lines of the crash...
Using FFI 1.15.5
Caveat: I know this is possible with a manual LibC.free(ptr) where FFI isn't aware of the status of the pointer, but I didn't expect this SEGV with MemoryPointer autorelease blocks. I was pleased that JRuby blocks this by default.
I have long been frustrated that MemoryPointer.new { 5 } returns not 5, but self, like MemoryPointer.new, and unlike the common Ruby-ism of returning the block argument return value. I'd love to see that changed, which would mostly take mostly take care of this use-after-free, though that may be a separate, API-breaking issue in and of itself. As long as the block returns something that doesn't allow write access, like the JRuby implementation, that should solve this issue.
The text was updated successfully, but these errors were encountered:
byteit101
changed the title
Usse-after-free allowed with autorelease block
Use-after-free allowed with autorelease block
Oct 16, 2022
JRuby (safe):
MRI (affected)
Using FFI 1.15.5
Caveat: I know this is possible with a manual
LibC.free(ptr)
where FFI isn't aware of the status of the pointer, but I didn't expect this SEGV with MemoryPointer autorelease blocks. I was pleased that JRuby blocks this by default.I have long been frustrated that
MemoryPointer.new { 5 }
returns not5
, butself
, likeMemoryPointer.new
, and unlike the common Ruby-ism of returning the block argument return value. I'd love to see that changed, which would mostly take mostly take care of this use-after-free, though that may be a separate, API-breaking issue in and of itself. As long as the block returns something that doesn't allow write access, like the JRuby implementation, that should solve this issue.The text was updated successfully, but these errors were encountered: