class.c: Make cvc_tbl a managed object

[Bug #21952]

Solves the double-free or use after-free concern with boxes.
Now entries can safely be used for copy-on-write.

Also is likely necessary to make it save to read cvar from
secondary ractors, as allowed since: ab32c0e

Author: byroot

class.c

@@ -84,14 +84,6 @@ static void rb_class_remove_from_super_subclasses(VALUE klass);
 static void rb_class_remove_from_module_subclasses(VALUE klass);
 static void rb_class_classext_free_subclasses(rb_classext_t *ext);
 
-static enum rb_id_table_iterator_result
-cvar_table_free_i(VALUE value, void *ctx)
-{
-    struct rb_cvar_class_tbl_entry *entry = (struct rb_cvar_class_tbl_entry *)value;
-    SIZED_FREE(entry);
-    return ID_TABLE_CONTINUE;
-}
-
 rb_classext_t *
 rb_class_unlink_classext(VALUE klass, const rb_box_t *box)
 {
@@ -114,11 +106,6 @@ rb_class_classext_free(VALUE klass, rb_classext_t *ext, bool is_prime)
         rb_free_const_table(tbl);
     }
 
-    if ((tbl = RCLASSEXT_CVC_TBL(ext)) != NULL) {
-        rb_id_table_foreach_values(tbl, cvar_table_free_i, NULL);
-        rb_id_table_free(tbl);
-    }
-
     if (is_prime) {
         rb_class_remove_from_super_subclasses(klass);
         rb_class_classext_free_subclasses(ext);
@@ -254,33 +241,6 @@ duplicate_classext_m_tbl(struct rb_id_table *orig, VALUE klass, bool init_missin
     return tbl;
 }
 
-static enum rb_id_table_iterator_result
-duplicate_classext_cvc_tbl_i(ID key, VALUE value, void *data)
-{
-    struct rb_id_table *tbl = (struct rb_id_table *)data;
-    struct rb_cvar_class_tbl_entry *cvc_entry = (struct rb_cvar_class_tbl_entry *)value;
-    struct rb_cvar_class_tbl_entry *copy = ALLOC(struct rb_cvar_class_tbl_entry);
-    MEMCPY(copy, cvc_entry, struct rb_cvar_class_tbl_entry, 1);
-    rb_id_table_insert(tbl, key, (VALUE)copy);
-    return ID_TABLE_CONTINUE;
-}
-
-static struct rb_id_table *
-duplicate_classext_cvc_tbl(struct rb_id_table *orig, bool init_missing)
-{
-    struct rb_id_table *tbl;
-
-    if (!orig) {
-        if (init_missing)
-            return rb_id_table_create(0);
-        else
-            return NULL;
-    }
-    tbl = rb_id_table_create(rb_id_table_size(orig));
-    rb_id_table_foreach(orig, duplicate_classext_cvc_tbl_i, tbl);
-    return tbl;
-}
-
 static rb_const_entry_t *
 duplicate_classext_const_entry(rb_const_entry_t *src, VALUE klass)
 {
@@ -414,7 +374,14 @@ rb_class_duplicate_classext(rb_classext_t *orig, VALUE klass, const rb_box_t *bo
      * RCLASSEXT_CC_TBL(copy) = NULL
      */
 
-    RCLASSEXT_CVC_TBL(ext) = duplicate_classext_cvc_tbl(RCLASSEXT_CVC_TBL(orig), dup_iclass);
+    VALUE cvc_table = RCLASSEXT_CVC_TBL(orig);
+    if (cvc_table) {
+        cvc_table = rb_marked_id_table_dup(cvc_table);
+    }
+    else if (dup_iclass) {
+        cvc_table = rb_marked_id_table_new(2);
+    }
+    RB_OBJ_WRITE(klass, &RCLASSEXT_CVC_TBL(ext), cvc_table);
 
     // Subclasses/back-pointers are only in the prime classext.
 
@@ -981,9 +948,15 @@ class_init_copy_check(VALUE clone, VALUE orig)
 
 struct cvc_table_copy_ctx {
     VALUE clone;
-    struct rb_id_table * new_table;
+    VALUE new_table;
 };
 
+static struct rb_cvar_class_tbl_entry *
+cvc_table_entry_alloc(void)
+{
+    return (struct rb_cvar_class_tbl_entry *)SHAREABLE_IMEMO_NEW(struct rb_cvar_class_tbl_entry, imemo_cvar_entry, 0);
+}
+
 static enum rb_id_table_iterator_result
 cvc_table_copy(ID id, VALUE val, void *data)
 {
@@ -993,13 +966,11 @@ cvc_table_copy(ID id, VALUE val, void *data)
 
     struct rb_cvar_class_tbl_entry *ent;
 
-    ent = ALLOC(struct rb_cvar_class_tbl_entry);
-    ent->class_value = ctx->clone;
-    ent->cref = orig_entry->cref;
+    ent = cvc_table_entry_alloc();
+    RB_OBJ_WRITE((VALUE)ent, &ent->class_value, ctx->clone);
+    RB_OBJ_WRITE(ctx->clone, &ent->cref, orig_entry->cref);
     ent->global_cvar_state = orig_entry->global_cvar_state;
-    rb_id_table_insert(ctx->new_table, id, (VALUE)ent);
-
-    RB_OBJ_WRITTEN(ctx->clone, Qundef, ent->cref);
+    rb_marked_id_table_insert(ctx->new_table, id, (VALUE)ent);
 
     return ID_TABLE_CONTINUE;
 }
@@ -1012,13 +983,13 @@ copy_tables(VALUE clone, VALUE orig)
         RCLASS_WRITE_CONST_TBL(clone, 0, false);
     }
     if (RCLASS_CVC_TBL(orig)) {
-        struct rb_id_table *rb_cvc_tbl = RCLASS_CVC_TBL(orig);
-        struct rb_id_table *rb_cvc_tbl_dup = rb_id_table_create(rb_id_table_size(rb_cvc_tbl));
+        VALUE rb_cvc_tbl = RCLASS_CVC_TBL(orig);
+        VALUE rb_cvc_tbl_dup = rb_marked_id_table_new(rb_marked_id_table_size(rb_cvc_tbl));
 
         struct cvc_table_copy_ctx ctx;
         ctx.clone = clone;
         ctx.new_table = rb_cvc_tbl_dup;
-        rb_id_table_foreach(rb_cvc_tbl, cvc_table_copy, &ctx);
+        rb_marked_id_table_foreach(rb_cvc_tbl, cvc_table_copy, &ctx);
         RCLASS_WRITE_CVC_TBL(clone, rb_cvc_tbl_dup);
     }
     rb_id_table_free(RCLASS_M_TBL(clone));

debug_counter.h

@@ -305,6 +305,7 @@ RB_DEBUG_COUNTER(obj_imemo_ment)
 RB_DEBUG_COUNTER(obj_imemo_iseq)
 RB_DEBUG_COUNTER(obj_imemo_env)
 RB_DEBUG_COUNTER(obj_imemo_tmpbuf)
+RB_DEBUG_COUNTER(obj_imemo_cvar_entry)
 RB_DEBUG_COUNTER(obj_imemo_cref)
 RB_DEBUG_COUNTER(obj_imemo_svar)
 RB_DEBUG_COUNTER(obj_imemo_throw_data)

ext/objspace/objspace.c

@@ -451,6 +451,7 @@ count_imemo_objects(int argc, VALUE *argv, VALUE self)
         INIT_IMEMO_TYPE_ID(imemo_ment);
         INIT_IMEMO_TYPE_ID(imemo_iseq);
         INIT_IMEMO_TYPE_ID(imemo_tmpbuf);
+        INIT_IMEMO_TYPE_ID(imemo_cvar_entry);
         INIT_IMEMO_TYPE_ID(imemo_callinfo);
         INIT_IMEMO_TYPE_ID(imemo_callcache);
         INIT_IMEMO_TYPE_ID(imemo_constcache);

gc.c

@@ -1302,6 +1302,7 @@ rb_gc_imemo_needs_cleanup_p(VALUE obj)
       case imemo_svar:
       case imemo_callcache:
       case imemo_throw_data:
+      case imemo_cvar_entry:
         return false;
 
       case imemo_env:
@@ -2522,9 +2523,6 @@ classext_memsize(rb_classext_t *ext, bool prime, VALUE box_value, void *arg)
     if (RCLASSEXT_M_TBL(ext)) {
         s += rb_id_table_memsize(RCLASSEXT_M_TBL(ext));
     }
-    if (RCLASSEXT_CVC_TBL(ext)) {
-        s += rb_id_table_memsize(RCLASSEXT_CVC_TBL(ext));
-    }
     if (RCLASSEXT_CONST_TBL(ext)) {
         s += rb_id_table_memsize(RCLASSEXT_CONST_TBL(ext));
     }
@@ -3046,26 +3044,6 @@ mark_const_tbl(rb_objspace_t *objspace, struct rb_id_table *tbl)
     rb_id_table_foreach_values(tbl, mark_const_entry_i, objspace);
 }
 
-static enum rb_id_table_iterator_result
-mark_cvc_tbl_i(VALUE cvc_entry, void *objspace)
-{
-    struct rb_cvar_class_tbl_entry *entry;
-
-    entry = (struct rb_cvar_class_tbl_entry *)cvc_entry;
-
-    RUBY_ASSERT(entry->cref == 0 || (BUILTIN_TYPE((VALUE)entry->cref) == T_IMEMO && IMEMO_TYPE_P(entry->cref, imemo_cref)));
-    gc_mark_internal((VALUE)entry->cref);
-
-    return ID_TABLE_CONTINUE;
-}
-
-static void
-mark_cvc_tbl(rb_objspace_t *objspace, struct rb_id_table *tbl)
-{
-    if (!tbl) return;
-    rb_id_table_foreach_values(tbl, mark_cvc_tbl_i, objspace);
-}
-
 #if STACK_GROW_DIRECTION < 0
 #define GET_STACK_BOUNDS(start, end, appendix) ((start) = STACK_END, (end) = STACK_START)
 #elif STACK_GROW_DIRECTION > 0
@@ -3310,14 +3288,14 @@ gc_mark_classext_module(rb_classext_t *ext, bool prime, VALUE box_value, void *a
     if (!rb_gc_checking_shareable()) {
         // unshareable
         gc_mark_internal(RCLASSEXT_FIELDS_OBJ(ext));
+        gc_mark_internal(RCLASSEXT_CVC_TBL(ext));
     }
 
     if (!RCLASSEXT_SHARED_CONST_TBL(ext) && RCLASSEXT_CONST_TBL(ext)) {
         mark_const_tbl(objspace, RCLASSEXT_CONST_TBL(ext));
     }
     mark_m_tbl(objspace, RCLASSEXT_CALLABLE_M_TBL(ext));
     gc_mark_internal(RCLASSEXT_CC_TBL(ext));
-    mark_cvc_tbl(objspace, RCLASSEXT_CVC_TBL(ext));
     gc_mark_internal(RCLASSEXT_CLASSPATH(ext));
 }
 
@@ -3961,29 +3939,6 @@ update_m_tbl(void *objspace, struct rb_id_table *tbl)
     }
 }
 
-static enum rb_id_table_iterator_result
-update_cvc_tbl_i(VALUE cvc_entry, void *objspace)
-{
-    struct rb_cvar_class_tbl_entry *entry;
-
-    entry = (struct rb_cvar_class_tbl_entry *)cvc_entry;
-
-    if (entry->cref) {
-        TYPED_UPDATE_IF_MOVED(objspace, rb_cref_t *, entry->cref);
-    }
-
-    entry->class_value = gc_location_internal(objspace, entry->class_value);
-
-    return ID_TABLE_CONTINUE;
-}
-
-static void
-update_cvc_tbl(void *objspace, struct rb_id_table *tbl)
-{
-    if (!tbl) return;
-    rb_id_table_foreach_values(tbl, update_cvc_tbl_i, objspace);
-}
-
 static enum rb_id_table_iterator_result
 update_const_tbl_i(VALUE value, void *objspace)
 {
@@ -4058,7 +4013,7 @@ update_classext(rb_classext_t *ext, bool is_prime, VALUE box_value, void *arg)
         update_const_tbl(objspace, RCLASSEXT_CONST_TBL(ext));
     }
     UPDATE_IF_MOVED(objspace, RCLASSEXT_CC_TBL(ext));
-    update_cvc_tbl(objspace, RCLASSEXT_CVC_TBL(ext));
+    UPDATE_IF_MOVED(objspace, RCLASSEXT_CVC_TBL(ext));
     update_superclasses(objspace, ext);
     update_subclasses(objspace, ext);
 
@@ -4077,6 +4032,7 @@ update_iclass_classext(rb_classext_t *ext, bool is_prime, VALUE box_value, void
     update_m_tbl(objspace, RCLASSEXT_M_TBL(ext));
     update_m_tbl(objspace, RCLASSEXT_CALLABLE_M_TBL(ext));
     UPDATE_IF_MOVED(objspace, RCLASSEXT_CC_TBL(ext));
+    UPDATE_IF_MOVED(objspace, RCLASSEXT_CVC_TBL(ext));
     update_subclasses(objspace, ext);
 
     update_classext_values(objspace, ext, true);

id_table.c

@@ -431,3 +431,82 @@ rb_managed_id_table_delete(VALUE table, ID id)
 {
     return rb_id_table_delete(managed_id_table_ptr(table), id);
 }
+
+static enum rb_id_table_iterator_result
+marked_id_table_mark_i(VALUE val, void *data)
+{
+    rb_gc_mark_movable(val);
+    return ID_TABLE_CONTINUE;
+}
+
+static void
+marked_id_table_mark(void *ptr)
+{
+    struct rb_id_table *tbl = (struct rb_id_table *)ptr;
+    rb_id_table_foreach_values(tbl, marked_id_table_mark_i, NULL);
+}
+
+static enum rb_id_table_iterator_result
+marked_id_table_compact_check_i(VALUE value, void *data)
+{
+    if (rb_gc_location(value) != value) {
+        return ID_TABLE_REPLACE;
+    }
+    return ID_TABLE_CONTINUE;
+}
+
+static enum rb_id_table_iterator_result
+marked_id_table_compact_replace_i(VALUE *value, void *data, int existing)
+{
+    *value = rb_gc_location(*value);
+    return ID_TABLE_CONTINUE;
+}
+
+static void
+marked_id_table_compact(void *ptr)
+{
+    struct rb_id_table *tbl = (struct rb_id_table *)ptr;
+    rb_id_table_foreach_values_with_replace(tbl, marked_id_table_compact_check_i, marked_id_table_compact_replace_i, NULL);
+}
+
+const rb_data_type_t rb_marked_id_table_type = {
+    .wrap_struct_name = "VM/marked_id_table",
+    .function = {
+        .dmark = marked_id_table_mark,
+        .dfree = managed_id_table_free,
+        .dsize = managed_id_table_memsize,
+        .dcompact = marked_id_table_compact,
+    },
+    .parent = &rb_managed_id_table_type,
+    .flags = RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED | RUBY_TYPED_EMBEDDABLE,
+};
+
+VALUE
+rb_marked_id_table_new(size_t capa)
+{
+    return rb_managed_id_table_create(&rb_marked_id_table_type, capa);
+}
+
+int
+rb_marked_id_table_insert(VALUE table, ID id, VALUE val)
+{
+    int result = rb_managed_id_table_insert(table, id, val);
+    RB_OBJ_WRITTEN(table, Qundef, val);
+    return result;
+}
+
+static enum rb_id_table_iterator_result
+marked_id_table_dup_i(VALUE val, void *data)
+{
+    VALUE new_table = (VALUE)data;
+    RB_OBJ_WRITTEN(new_table, Qundef, val);
+    return ID_TABLE_CONTINUE;
+}
+
+VALUE
+rb_marked_id_table_dup(VALUE old_table)
+{
+    VALUE new_table = rb_managed_id_table_dup(old_table);
+    rb_managed_id_table_foreach_values(new_table, marked_id_table_dup_i, (void *)new_table);
+    return new_table;
+}

id_table.h

@@ -54,6 +54,16 @@ int rb_managed_id_table_delete(VALUE table, ID id);
 
 extern const rb_data_type_t rb_managed_id_table_type;
 
+VALUE rb_marked_id_table_new(size_t capa);
+int rb_marked_id_table_insert(VALUE table, ID id, VALUE val);
+VALUE rb_marked_id_table_dup(VALUE table);
+
+// alisases
+#define rb_marked_id_table_size             rb_managed_id_table_size
+#define rb_marked_id_table_lookup           rb_managed_id_table_lookup
+#define rb_marked_id_table_foreach          rb_managed_id_table_foreach
+#define rb_marked_id_table_foreach_values   rb_managed_id_table_foreach_values
+
 RUBY_SYMBOL_EXPORT_BEGIN
 size_t rb_id_table_size(const struct rb_id_table *tbl);
 RUBY_SYMBOL_EXPORT_END

imemo.c

@@ -29,6 +29,7 @@ rb_imemo_name(enum imemo_type type)
         IMEMO_NAME(svar);
         IMEMO_NAME(throw_data);
         IMEMO_NAME(tmpbuf);
+        IMEMO_NAME(cvar_entry);
         IMEMO_NAME(fields);
 #undef IMEMO_NAME
     }
@@ -262,6 +263,8 @@ rb_imemo_memsize(VALUE obj)
       case imemo_tmpbuf:
         size += ((rb_imemo_tmpbuf_t *)obj)->size;
 
+        break;
+      case imemo_cvar_entry:
         break;
       case imemo_fields:
         if (FL_TEST_RAW(obj, OBJ_FIELD_HEAP)) {
@@ -510,6 +513,12 @@ rb_imemo_mark_and_move(VALUE obj, bool reference_updating)
 
         break;
       }
+      case imemo_cvar_entry: {
+          struct rb_cvar_class_tbl_entry *ent = (struct rb_cvar_class_tbl_entry *)obj;
+          rb_gc_mark_and_move(&ent->class_value);
+          rb_gc_mark_and_move((VALUE *)&ent->cref);
+          break;
+      }
       case imemo_fields: {
         rb_gc_mark_and_move((VALUE *)&RBASIC(obj)->klass);
 
@@ -641,6 +650,10 @@ rb_imemo_free(VALUE obj)
         ruby_xfree_sized(((rb_imemo_tmpbuf_t *)obj)->ptr, ((rb_imemo_tmpbuf_t *)obj)->size);
         RB_DEBUG_COUNTER_INC(obj_imemo_tmpbuf);
 
+        break;
+      case imemo_cvar_entry:
+        RB_DEBUG_COUNTER_INC(obj_imemo_cvar_entry);
+
         break;
       case imemo_fields:
         imemo_fields_free(IMEMO_OBJ_FIELDS(obj));