diff options
author | Alan Wu <XrXr@users.noreply.github.com> | 2023-12-11 17:41:27 -0500 |
---|---|---|
committer | Alan Wu <XrXr@users.noreply.github.com> | 2023-12-11 19:21:08 -0500 |
commit | 9cb0ad863c0781062388fe1bb2a5d279dc29e734 (patch) | |
tree | 9b192192170a50e85f502c438d5fb8c17d5a68c3 /yjit/src | |
parent | 47553094740ee17f2490fcb29893cac653c0b5dd (diff) | |
download | ruby-9cb0ad863c0781062388fe1bb2a5d279dc29e734.tar.gz |
YJIT: Fix missing arity check for splat calls to methods with optionals
Previously, for splat callsites that land in methods with optional
parameters, we didn't reject the case where the caller supplies too many
arguments. Accepting those calls previously caused YJIT to construct
corrupted control frames, which leads to crashes if the callee uses
certain stack walking methods such as Kernel#raise and String#gsub (for
setting up the frame-local `$~`).
Example crash in a debug build:
Assertion Failed: ../vm_core.h:1375:VM_ENV_FLAGS:FIXNUM_P(flags)
Diffstat (limited to 'yjit/src')
-rw-r--r-- | yjit/src/codegen.rs | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/yjit/src/codegen.rs b/yjit/src/codegen.rs index a3bbb95cd8..a50bed3bc3 100644 --- a/yjit/src/codegen.rs +++ b/yjit/src/codegen.rs @@ -6116,9 +6116,14 @@ fn gen_send_iseq( unsafe { rb_yjit_array_len(array) as u32} }; - if opt_num == 0 && required_num != array_length as i32 + argc - 1 && !iseq_has_rest { - gen_counter_incr(asm, Counter::send_iseq_splat_arity_error); - return None; + // Arity check accounting for size of the splat. When callee has rest parameters, we insert + // runtime guards later in copy_splat_args_for_rest_callee() + if !iseq_has_rest { + let supplying = argc - 1 + array_length as i32; + if (required_num..=required_num + opt_num).contains(&supplying) == false { + gen_counter_incr(asm, Counter::send_iseq_splat_arity_error); + return None; + } } if iseq_has_rest && opt_num > 0 { |