From 1e6eed0cf5a45a787e01630b10d1f3f87e7a01d3 Mon Sep 17 00:00:00 2001
From: usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 29 Jan 2014 04:33:59 +0000
Subject: [PATCH] merge revision(s) 43685,43690,43705: [Backport #9110]

	* eval_jump.c (rb_exec_end_proc): fix double free or corruption error
	  when reentering by callcc. [ruby-core:58329] [Bug #9110]

	* test/ruby/test_beginendblock.rb: test for above.

	* eval_jump.c (rb_exec_end_proc): unlink and free procs data before
	  calling for each procs.  [Bug #9110]


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_3@44740 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                       | 12 ++++++++++++
 eval_jump.c                     | 12 +++++++++---
 test/ruby/test_beginendblock.rb | 11 +++++++++++
 version.h                       |  2 +-
 4 files changed, 33 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 107897d43c..cdef1e1d9e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+Wed Jan 29 13:32:53 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
+
+	* eval_jump.c (rb_exec_end_proc): unlink and free procs data before
+	  calling for each procs.  [Bug #9110]
+
+Wed Jan 29 13:32:53 2014  Masaki Matsushita  <glass.saga@gmail.com>
+
+	* eval_jump.c (rb_exec_end_proc): fix double free or corruption error
+	  when reentering by callcc. [ruby-core:58329] [Bug #9110]
+
+	* test/ruby/test_beginendblock.rb: test for above.
+
 Wed Jan 29 13:25:32 2014  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* lib/resolv.rb (Resolv::Hosts#lazy_initialize): should not
diff --git a/eval_jump.c b/eval_jump.c
index f3a1f78a3f..4f39374a20 100644
--- a/eval_jump.c
+++ b/eval_jump.c
@@ -96,7 +96,8 @@ rb_mark_end_proc(void)
 void
 rb_exec_end_proc(void)
 {
-    struct end_proc_data *volatile link;
+    struct end_proc_data volatile endproc;
+    struct end_proc_data volatile *link;
     int status;
     volatile int safe = rb_safe_level();
     rb_thread_t *th = GET_THREAD();
@@ -105,6 +106,9 @@ rb_exec_end_proc(void)
     while (ephemeral_end_procs) {
 	link = ephemeral_end_procs;
 	ephemeral_end_procs = link->next;
+	endproc = *link;
+	xfree((void *)link);
+	link = &endproc;
 
 	PUSH_TAG();
 	if ((status = EXEC_TAG()) == 0) {
@@ -116,12 +120,14 @@ rb_exec_end_proc(void)
 	    error_handle(status);
 	    if (!NIL_P(th->errinfo)) errinfo = th->errinfo;
 	}
-	xfree(link);
     }
 
     while (end_procs) {
 	link = end_procs;
 	end_procs = link->next;
+	endproc = *link;
+	xfree((void *)link);
+	link = &endproc;
 
 	PUSH_TAG();
 	if ((status = EXEC_TAG()) == 0) {
@@ -133,8 +139,8 @@ rb_exec_end_proc(void)
 	    error_handle(status);
 	    if (!NIL_P(th->errinfo)) errinfo = th->errinfo;
 	}
-	xfree(link);
     }
+
     rb_set_safe_level_force(safe);
     th->errinfo = errinfo;
 }
diff --git a/test/ruby/test_beginendblock.rb b/test/ruby/test_beginendblock.rb
index b590835a2d..121d116c35 100644
--- a/test/ruby/test_beginendblock.rb
+++ b/test/ruby/test_beginendblock.rb
@@ -158,4 +158,15 @@ EOW
       assert_equal(["", "", 42], [out, err, status.exitstatus], "#{bug5218}: #{ex}")
     end
   end
+
+  def test_callcc_at_exit
+    bug9110 = '[ruby-core:58329][Bug #9110]'
+    script = <<EOS
+require "continuation"
+c = nil
+at_exit { c.call }
+at_exit { callcc {|_c| c = _c } }
+EOS
+    assert_normal_exit(script, bug9110)
+  end
 end
diff --git a/version.h b/version.h
index f27b956016..fedc33531b 100644
--- a/version.h
+++ b/version.h
@@ -1,5 +1,5 @@
 #define RUBY_VERSION "1.9.3"
-#define RUBY_PATCHLEVEL 494
+#define RUBY_PATCHLEVEL 495
 
 #define RUBY_RELEASE_DATE "2014-01-29"
 #define RUBY_RELEASE_YEAR 2014