Issue #6171 has been updated by Joshua Ballanco.

File patch.diff added

It seems that free_method_entry_i is missing a check for marks on method entries. The attached patch fixes the bug.
----------------------------------------
Bug #6171: Segfault in rb_free_method_entry
https://bugs.ruby-lang.org/issues/6171#change-24687

Author: Joshua Ballanco
Status: Open
Priority: High
Assignee: 
Category: core
Target version: 1.9.3
ruby -v: ruby 2.0.0dev (2012-03-17 trunk 35075) [x86_64-darwin11.3.0]


=begin
Running the following script in both Ruby 1.9.3p125 and trunk causes a segfault:

    class Bug
      def initialize(target)
        define_singleton_method(:reverse, target.method(:reverse).to_proc)
      end
    end
    
    1000.times { p = Bug.new('test'); 10000.times { p.reverse } }

and the corresponding backtrace:

    (gdb) bt
    #0  0x00007fff9337a6c1 in tiny_free_list_remove_ptr ()
    #1  0x00007fff9337e55d in szone_free_definite_size ()
    #2  0x00007fff933b7789 in free ()
    #3  0x000000010007373c in vm_xfree (objspace=0x10081a800, ptr=0x100460470) at gc.c:880
    #4  0x0000000100073ae6 in ruby_xfree (x=0x100460470) at gc.c:944
    #5  0x00000001002079f1 in rb_free_method_entry (me=0x100460470) at vm_method.c:157
    #6  0x0000000100207920 in rb_sweep_method_entry (pvm=0x100401780) at vm_method.c:127
    #7  0x0000000100077abd in before_gc_sweep (objspace=0x10081a800) at gc.c:2296
    #8  0x00000001000781f5 in gc_lazy_sweep (objspace=0x10081a800) at gc.c:2385
    #9  0x0000000100074b63 in rb_newobj () at gc.c:1324
    #10 0x00000001000066c1 in ary_alloc (klass=4304249320) at array.c:301
    #11 0x0000000100006869 in ary_new (klass=4304249320, capa=0) at array.c:320
    #12 0x0000000100006955 in rb_ary_new2 (capa=0) at array.c:334
    #13 0x0000000100006cbf in rb_ary_new4 (n=0, elts=0x7fff5fbfa2e0) at array.c:370
    #14 0x00000001001f6350 in vm_yield_with_cfunc (th=0x100401b60, block=0x100499f00, self=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockargptr=0x0) at vm_insnhelper.c:763
    #15 0x00000001002126b5 in invoke_block_from_c (th=0x100401b60, block=0x100499f00, self=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockptr=0x0, cref=0x0) at vm.c:609
    #16 0x0000000100212844 in rb_vm_invoke_proc (th=0x100401b60, proc=0x100499f00, self=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockptr=0x0) at vm.c:652
    #17 0x000000010020680a in vm_call_bmethod (th=0x100401b60, recv=4304013680, argc=0, argv=0x7fff5fbfa2e0, blockptr=0x0, me=0x100499f80) at vm_insnhelper.c:479
    #18 0x000000010020524e in vm_call_method (th=0x100401b60, cfp=0x1006ffce8, num=0, blockptr=0x0, flag=0, id=2112, me=0x100499f80, recv=4304013680) at vm_insnhelper.c:608
    #19 0x00000001001fd465 in vm_exec_core (th=0x100401b60, initial=0) at insns.def:1018
    #20 0x00000001002143eb in vm_exec (th=0x100401b60) at vm.c:1223
    #21 0x0000000100212662 in invoke_block_from_c (th=0x100401b60, block=0x1006ffe18, self=4304315600, argc=1, argv=0x7fff5fbfbbb8, blockptr=0x0, cref=0x0) at vm.c:606
    #22 0x0000000100212730 in vm_yield (th=0x100401b60, argc=1, argv=0x7fff5fbfbbb8) at vm.c:636
    #23 0x000000010020daec in rb_yield_0 (argc=1, argv=0x7fff5fbfbbb8) at vm_eval.c:780
    #24 0x000000010020daa8 in rb_yield (val=13317) at vm_eval.c:790
    #25 0x00000001000c8a8a in int_dotimes (num=20001) at numeric.c:3410
    #26 0x0000000100206c28 in call_cfunc (func=0x1000c89e0 <int_dotimes>, recv=20001, len=0, argc=0, argv=0x100600078) at vm_insnhelper.c:370
    #27 0x000000010020666c in vm_call_cfunc (th=0x100401b60, reg_cfp=0x1006ffdf0, num=0, recv=20001, blockptr=0x1006ffe18, me=0x100426c00) at vm_insnhelper.c:454
    #28 0x0000000100204dfe in vm_call_method (th=0x100401b60, cfp=0x1006ffdf0, num=0, blockptr=0x1006ffe18, flag=0, id=3376, me=0x100426c00, recv=20001) at vm_insnhelper.c:580
    #29 0x00000001001fd465 in vm_exec_core (th=0x100401b60, initial=0) at insns.def:1018
    #30 0x00000001002143eb in vm_exec (th=0x100401b60) at vm.c:1223
    #31 0x0000000100212662 in invoke_block_from_c (th=0x100401b60, block=0x1006fff20, self=4304315600, argc=1, argv=0x7fff5fbfd808, blockptr=0x0, cref=0x0) at vm.c:606
    #32 0x0000000100212730 in vm_yield (th=0x100401b60, argc=1, argv=0x7fff5fbfd808) at vm.c:636
    #33 0x000000010020daec in rb_yield_0 (argc=1, argv=0x7fff5fbfd808) at vm_eval.c:780
    #34 0x000000010020daa8 in rb_yield (val=11) at vm_eval.c:790
    #35 0x00000001000c8a8a in int_dotimes (num=2001) at numeric.c:3410
    #36 0x0000000100206c28 in call_cfunc (func=0x1000c89e0 <int_dotimes>, recv=2001, len=0, argc=0, argv=0x100600038) at vm_insnhelper.c:370
    #37 0x000000010020666c in vm_call_cfunc (th=0x100401b60, reg_cfp=0x1006ffef8, num=0, recv=2001, blockptr=0x1006fff20, me=0x100426c00) at vm_insnhelper.c:454
    #38 0x0000000100204dfe in vm_call_method (th=0x100401b60, cfp=0x1006ffef8, num=0, blockptr=0x1006fff20, flag=0, id=3376, me=0x100426c00, recv=2001) at vm_insnhelper.c:580
    #39 0x00000001001fd465 in vm_exec_core (th=0x100401b60, initial=0) at insns.def:1018
    #40 0x00000001002143eb in vm_exec (th=0x100401b60) at vm.c:1223
    #41 0x0000000100215106 in rb_iseq_eval_main (iseqval=4304147120) at vm.c:1463
    #42 0x0000000100059e4a in ruby_exec_internal (n=0x1008c12b0) at eval.c:204
    #43 0x0000000100059fc4 in ruby_exec_node (n=0x1008c12b0) at eval.c:251
    #44 0x0000000100059f76 in ruby_run_node (n=0x1008c12b0) at eval.c:244
    #45 0x00000001000008d2 in main (argc=2, argv=0x7fff5fbff4a0) at main.c:38
    
Running it also occasionally results in the following error:

    malloc: *** error for object 0x7fe658c8e9c0: incorrect checksum for freed object - object was probably modified after being freed.
    *** set a breakpoint in malloc_error_break to debug

This is on OS X 10.7.3. I've tried compiling with gcc and clang, and get the same results (also the crash occurs at both -O3 and -O0).
=end


-- 
http://bugs.ruby-lang.org/