From 2cc7a56ec7830fd5efaf2bc449637fd831743714 Mon Sep 17 00:00:00 2001 From: Alan Wu Date: Wed, 24 Jan 2024 18:06:58 -0500 Subject: [PATCH] YJIT: Avoid leaks by skipping objects with a singleton class For receiver with a singleton class, there are multiple vectors YJIT can end up retaining the object. There is a path in jit_guard_known_klass() that bakes the receiver into the code, and the object could also be kept alive indirectly through a path starting at the CME object baked into the code. To avoid these leaks, avoid compiling calls on objects with a singleton class. See: https://github.com/Shopify/ruby/issues/552 [Bug #20209] --- yjit/bindgen/src/main.rs | 1 + yjit/src/codegen.rs | 17 +++++++++++++++++ yjit/src/cruby_bindings.inc.rs | 1 + yjit/src/stats.rs | 2 ++ 4 files changed, 21 insertions(+) diff --git a/yjit/bindgen/src/main.rs b/yjit/bindgen/src/main.rs index 742885de3b..45874f28a1 100644 --- a/yjit/bindgen/src/main.rs +++ b/yjit/bindgen/src/main.rs @@ -447,6 +447,7 @@ fn main() { .allowlist_function("rb_obj_is_proc") .allowlist_function("rb_vm_base_ptr") .allowlist_function("rb_ec_stack_check") + .allowlist_function("rb_vm_top_self") // We define VALUE manually, don't import it .blocklist_type("VALUE") diff --git a/yjit/src/codegen.rs b/yjit/src/codegen.rs index 576a988879..33298eed5c 100644 --- a/yjit/src/codegen.rs +++ b/yjit/src/codegen.rs @@ -7258,6 +7258,17 @@ fn gen_send_general( assert_eq!(RUBY_T_CLASS, comptime_recv_klass.builtin_type(), "objects visible to ruby code should have a T_CLASS in their klass field"); + // Don't compile calls through singleton classes to avoid retaining the receiver. + // Make an exception for class methods since classes tend to be retained anyways. + // Also compile calls on top_self to help tests. + if VALUE(0) != unsafe { FL_TEST(comptime_recv_klass, VALUE(RUBY_FL_SINGLETON as usize)) } + && comptime_recv != unsafe { rb_vm_top_self() } + && !unsafe { RB_TYPE_P(comptime_recv, RUBY_T_CLASS) } + && !unsafe { RB_TYPE_P(comptime_recv, RUBY_T_MODULE) } { + gen_counter_incr(asm, Counter::send_singleton_class); + return None; + } + // Points to the receiver operand on the stack let recv = asm.stack_opnd(recv_idx); let recv_opnd: YARVOpnd = recv.into(); @@ -8038,6 +8049,12 @@ fn gen_invokesuper_specialized( return None; } + // Don't compile `super` on objects with singleton class to avoid retaining the receiver. + if VALUE(0) != unsafe { FL_TEST(comptime_recv.class_of(), VALUE(RUBY_FL_SINGLETON as usize)) } { + gen_counter_incr(asm, Counter::invokesuper_singleton_class); + return None; + } + // Do method lookup let cme = unsafe { rb_callable_method_entry(comptime_superclass, mid) }; if cme.is_null() { diff --git a/yjit/src/cruby_bindings.inc.rs b/yjit/src/cruby_bindings.inc.rs index 7b0f567897..944fbcd55e 100644 --- a/yjit/src/cruby_bindings.inc.rs +++ b/yjit/src/cruby_bindings.inc.rs @@ -975,6 +975,7 @@ extern "C" { n: ::std::os::raw::c_long, elts: *const VALUE, ) -> VALUE; + pub fn rb_vm_top_self() -> VALUE; pub static mut rb_vm_insns_count: u64; pub fn rb_method_entry_at(obj: VALUE, id: ID) -> *const rb_method_entry_t; pub fn rb_callable_method_entry(klass: VALUE, id: ID) -> *const rb_callable_method_entry_t; diff --git a/yjit/src/stats.rs b/yjit/src/stats.rs index 98e33f2375..b6add639c1 100644 --- a/yjit/src/stats.rs +++ b/yjit/src/stats.rs @@ -319,6 +319,7 @@ make_counters! { // Method calls that fallback to dynamic dispatch send_keywords, send_kw_splat, + send_singleton_class, send_args_splat_super, send_iseq_zsuper, send_block_arg, @@ -405,6 +406,7 @@ make_counters! { invokesuper_no_me, invokesuper_not_iseq_or_cfunc, invokesuper_refinement, + invokesuper_singleton_class, invokeblock_megamorphic, invokeblock_none,