From 32dcb81d5851035de6b47ccfd760ee5b78f58d93 Mon Sep 17 00:00:00 2001
From: ko1 <ko1@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 22 Aug 2014 11:16:56 +0000
Subject: * string.c (rb_fstring, fstr_update_callback): simply delete garbage 
  key first.   Garbage keys can be swept by lazy sweeping invoked by creating
 new   fstring.  So that simply do:   (1) delete garbage key and return
 `fstr_update_callback' immediately   (2) try again `fstr_update_callback()'
 to create a new fstr.   This bug can be cause memory corruption, reported by 
  http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20140821T220302Z.fail.html.gz

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47252 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog | 13 +++++++++++++
 string.c  | 15 ++++++++++-----
 2 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 4495b2fdf6..b904d8c1b3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,16 @@
+Fri Aug 22 20:07:43 2014  Koichi Sasada  <ko1@atdot.net>
+
+	* string.c (rb_fstring, fstr_update_callback): simply delete garbage
+	  key first.
+
+	  Garbage keys can be swept by lazy sweeping invoked by creating new
+	  fstring.  So that simply do:
+	  (1) delete garbage key and return `fstr_update_callback' immediately
+	  (2) try again `fstr_update_callback()' to create a new fstr.
+
+	  This bug can be cause memory corruption, reported by
+	  http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20140821T220302Z.fail.html.gz
+
 Fri Aug 22 19:30:39 2014  SHIBATA Hiroshi  <shibata.hiroshi@gmail.com>
 
 	* test/ruby/test_complex.rb: removed commented-out code.
diff --git a/string.c b/string.c
index 25305a4a4d..1fcd3ccc85 100644
--- a/string.c
+++ b/string.c
@@ -194,8 +194,8 @@ fstr_update_callback(st_data_t *key, st_data_t *value, st_data_t arg, int existi
 	 * at next time */
 
 	if (rb_objspace_garbage_object_p(str)) {
-	    str = *fstr;
-	    goto create_new_fstr;
+	    *fstr = Qundef;
+	    return ST_DELETE;
 	}
 
 	*fstr = str;
@@ -203,7 +203,6 @@ fstr_update_callback(st_data_t *key, st_data_t *value, st_data_t arg, int existi
     }
     else {
 	if (STR_SHARED_P(str)) { /* str should not be shared */
-	  create_new_fstr:
 	    str = rb_enc_str_new(RSTRING_PTR(str), RSTRING_LEN(str), STR_ENC_GET(str));
 	    OBJ_FREEZE(str);
 	}
@@ -220,6 +219,8 @@ fstr_update_callback(st_data_t *key, st_data_t *value, st_data_t arg, int existi
 VALUE
 rb_fstring(VALUE str)
 {
+    VALUE ret;
+
     Check_Type(str, T_STRING);
 
     if (!frozen_strings)
@@ -228,8 +229,12 @@ rb_fstring(VALUE str)
     if (FL_TEST(str, RSTRING_FSTR))
 	return str;
 
-    st_update(frozen_strings, (st_data_t)str, fstr_update_callback, (st_data_t)&str);
-    return str;
+    do {
+	ret = str;
+	st_update(frozen_strings, (st_data_t)str, fstr_update_callback, (st_data_t)&ret);
+    } while (ret != Qundef);
+
+    return ret;
 }
 
 static VALUE
-- 
cgit v1.2.3