Issue #18117 has been reported by vinistock (Vinicius Stock).

----------------------------------------
Bug #18117: Segmentation fault when yielding values from Ractors during GC sweeping
https://bugs.ruby-lang.org/issues/18117

* Author: vinistock (Vinicius Stock)
* Status: Open
* Priority: Normal
* ruby -v: ruby 3.1.0dev (2021-08-16T08:00:19Z master a8714b83c4) [x86_64-linux]
* Backport: 2.6: UNKNOWN, 2.7: UNKNOWN, 3.0: UNKNOWN
----------------------------------------
[Link for GitHub PR containing the fix]()

Ractors may invoke `rb_objspace_reachable_objects_from` when yielding values back to the main Ractor. If this occurs during a sweeping pass of the GC, then it might lead to a segmentation fault.

The following script creates a worker pool. For each worker, we create some dummy objects to make GC trigger eventually and then we yield back `Time.now`. Within a few iterations, the scenario occurs and a segmentation fault is thrown.

**Reproduction script**

```ruby
workers = (0...8).map do
  Ractor.new do
    loop do
      10_000.times.map { Object.new }
      Ractor.yield Time.now
    end
  end
end
  
1_000.times { idle_worker, tmp_reporter = Ractor.select(*workers) }
```

**Backtrace**
```
<internal:ractor>:267: warning: Ractor is experimental, and the behavior may change in future versions of Ruby! Also there are many implementation issues.
<internal:ractor>:627: [BUG] rb_objspace_reachable_objects_from() is not supported while during_gc == true
ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-darwin20]

-- Crash Report log information --------------------------------------------
   See Crash Report log file under the one of following:
     * ~/Library/Logs/DiagnosticReports
     * /Library/Logs/DiagnosticReports
   for more details.
Don't forget to include the above Crash Report log file in bug reports.

-- Control frame information -----------------------------------------------
c:0005 p:0003 s:0020 e:000019 METHOD <internal:ractor>:627
c:0004 p:0032 s:0013 e:000012 BLOCK  example.rb:5 [FINISH]
c:0003 p:---- s:0010 e:000009 CFUNC  :loop
c:0002 p:0005 s:0006 e:000005 BLOCK  example.rb:3 [FINISH]
c:0001 p:---- s:0003 e:000002 (none) [FINISH]

-- Ruby level backtrace information ----------------------------------------
example.rb:3:in `block (2 levels) in <main>'
example.rb:3:in `loop'
example.rb:5:in `block (3 levels) in <main>'
<internal:ractor>:627:in `yield'

-- C level backtrace information -------------------------------------------
/opt/rubies/3.0.2/bin/ruby(rb_vm_bugreport+0x6cf) [0x10e1f60bf]
/opt/rubies/3.0.2/bin/ruby(rb_bug_without_die+0x184) [0x10e010914]
/opt/rubies/3.0.2/bin/ruby(rb_bug+0x6f) [0x10e202ec9]
/opt/rubies/3.0.2/bin/ruby(rb_objspace_reachable_objects_from.cold.1+0x12) [0x10e203522]
/opt/rubies/3.0.2/bin/ruby(rb_objspace_reachable_objects_from+0xce) [0x10e032a2e]
/opt/rubies/3.0.2/bin/ruby(obj_traverse_replace_i+0x3c9) [0x10e0ff369]
/opt/rubies/3.0.2/bin/ruby(ractor_basket_setup+0x1b9) [0x10e0febf9]
/opt/rubies/3.0.2/bin/ruby(ractor_select+0x1c6) [0x10e1005f6]
/opt/rubies/3.0.2/bin/ruby(builtin_inline_class_627+0x3e) [0x10e0fd01e]
/opt/rubies/3.0.2/bin/ruby(vm_exec_core+0x8d4c) [0x10e1cdbec]
/opt/rubies/3.0.2/bin/ruby(rb_vm_exec+0xcab) [0x10e1def1b]
/opt/rubies/3.0.2/bin/ruby(invoke_block_from_c_bh+0x70c) [0x10e1efcdc]
/opt/rubies/3.0.2/bin/ruby(loop_i+0x4c) [0x10e1f069c]
/opt/rubies/3.0.2/bin/ruby(rb_vrescue2+0x181) [0x10e01c981]
/opt/rubies/3.0.2/bin/ruby(rb_rescue2+0x7b) [0x10e01c7db]
/opt/rubies/3.0.2/bin/ruby(vm_call_cfunc_with_frame+0x14f) [0x10e1ebbef]
/opt/rubies/3.0.2/bin/ruby(vm_sendish+0x516) [0x10e1e3806]
/opt/rubies/3.0.2/bin/ruby(vm_exec_core+0x399d) [0x10e1c883d]
/opt/rubies/3.0.2/bin/ruby(rb_vm_exec+0xcab) [0x10e1def1b]
/opt/rubies/3.0.2/bin/ruby(vm_invoke_proc+0x809) [0x10e1dd339]
/opt/rubies/3.0.2/bin/ruby(thread_do_start_proc+0x1e3) [0x10e1980f3]
/opt/rubies/3.0.2/bin/ruby(thread_start_func_2+0x490) [0x10e197a70]
/opt/rubies/3.0.2/bin/ruby(thread_start_func_1+0x10d) [0x10e19741d]
/usr/lib/system/libsystem_pthread.dylib(_pthread_start+0xe0) [0x7fff2049b8fc]
```

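Added example, not part of the original report or of Ruby's own code: a small parser for the crash report format shown above. It extracts the `[BUG]` message and the C-level call chain so that this particular abort can be recognised in collected crash logs. The names `parse_crash_report` and `ractor_gc_signature?` and the shortened sample are assumptions of this example.

```ruby
# Added example: triage parser for the "[BUG]" crash report format shown above.
# SAMPLE is a constructed excerpt that reuses lines from the report.
SAMPLE = <<~'LOG'
  <internal:ractor>:627: [BUG] rb_objspace_reachable_objects_from() is not supported while during_gc == true

  -- Ruby level backtrace information ----------------------------------------
  <internal:ractor>:627:in `yield'

  -- C level backtrace information -------------------------------------------
  /opt/rubies/3.0.2/bin/ruby(rb_vm_bugreport+0x6cf) [0x10e1f60bf]
  /opt/rubies/3.0.2/bin/ruby(rb_bug+0x6f) [0x10e202ec9]
  /opt/rubies/3.0.2/bin/ruby(rb_objspace_reachable_objects_from.cold.1+0x12) [0x10e203522]
  /opt/rubies/3.0.2/bin/ruby(rb_objspace_reachable_objects_from+0xce) [0x10e032a2e]
  /opt/rubies/3.0.2/bin/ruby(obj_traverse_replace_i+0x3c9) [0x10e0ff369]
  /opt/rubies/3.0.2/bin/ruby(ractor_basket_setup+0x1b9) [0x10e0febf9]
  /opt/rubies/3.0.2/bin/ruby(ractor_select+0x1c6) [0x10e1005f6]
LOG

BUG_RE    = /^(?<where>.+?): \[BUG\] (?<message>.+)$/
SECTION   = /^-- (?<name>.+?) -+$/
FRAME_RE  = /^\S+\((?<symbol>[^+)]+)\+0x\h+\) \[0x\h+\]$/
REPORTING = %w[rb_vm_bugreport rb_bug_without_die rb_bug].freeze

# Returns the [BUG] location and message plus the C call chain, innermost first.
def parse_crash_report(text)
  bug = BUG_RE.match(text)
  section = nil
  symbols = []
  text.each_line(chomp: true) do |line|
    if (m = SECTION.match(line))
      section = m[:name]
    elsif section == "C level backtrace information" && (f = FRAME_RE.match(line))
      # "name.cold.N" is a compiler-split cold part of "name"; fold it back.
      symbols << f[:symbol].sub(/\.cold\.\d+\z/, "")
    end
  end
  # Skip the crash-reporting frames and collapse adjacent duplicates.
  chain = symbols.drop_while { |s| REPORTING.include?(s) }
                 .chunk_while { |a, b| a == b }.map(&:first)
  { where: bug && bug[:where], message: bug && bug[:message], frames: chain }
end

# True when the abort came from the reachability walk with a Ractor transfer below it.
def ractor_gc_signature?(report)
  report[:message].to_s.include?("during_gc == true") &&
    report[:frames].first == "rb_objspace_reachable_objects_from" &&
    report[:frames].any? { |s| s.start_with?("ractor_") }
end
```

Calling `ractor_gc_signature?(parse_crash_report(File.read(path)))` on a saved report separates this abort from unrelated `[BUG]` crashes.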