Merge pull request #37 from ruby/katei/fix-wrong-gc

kateinoigakukun · web-flow · commit 81f24cc333c6 · 2022-08-17T16:21:53.000+09:00
Protect JS-wrapped Ruby objects to avoid use after free from JS side
diff --git a/ext/js/js-core.c b/ext/js/js-core.c
@@ -16,6 +16,9 @@ extern VALUE rb_cString;
 extern VALUE rb_cTrueClass;
 extern VALUE rb_cFalseClass;
 
+// from js/js-core.c
+void rb_abi_lend_object(VALUE obj);
+
 static VALUE rb_mJS;
 static VALUE rb_cJS_Object;
 
@@ -312,6 +315,7 @@ static VALUE _rb_js_import_from_js(VALUE obj) {
  *  Returns +obj+ wrapped by JS class RbValue.
  */
 static VALUE _rb_js_obj_wrap(VALUE obj, VALUE wrapping) {
+  rb_abi_lend_object(wrapping);
   return jsvalue_s_new(rb_js_abi_host_rb_object_to_js_rb_value((uint32_t)wrapping));
 }
 
diff --git a/ext/witapi/witapi-core.c b/ext/witapi/witapi-core.c
@@ -90,7 +90,7 @@ static VALUE rb_abi_lend_object_internal(VALUE obj) {
   }
   return Qundef;
 }
-static void rb_abi_lend_object(VALUE obj) {
+void rb_abi_lend_object(VALUE obj) {
   RB_WASM_DEBUG_LOG("rb_abi_lend_object: obj = %p\n", (void *)obj);
   int state;
   RB_WASM_LIB_RT(rb_protect(rb_abi_lend_object_internal, obj, &state));
diff --git a/packages/npm-packages/ruby-wasm-wasi/test/js_from_rb.test.ts b/packages/npm-packages/ruby-wasm-wasi/test/js_from_rb.test.ts
@@ -1,3 +1,4 @@
+import { RbValue } from "../dist/index.umd";
 import { initRubyVM } from "./init";
 
 describe("Manipulation of JS from Ruby", () => {
@@ -208,6 +209,27 @@ describe("Manipulation of JS from Ruby", () => {
     expect(o1.toString()).toEqual(o1Clone.toString());
   });
 
+  test("Wrapped Ruby object should live until wrapper will be released", async () => {
+    const vm = await initRubyVM();
+    const run = vm.eval(`
+      require "js"
+      proc do |imports|
+        imports.call(:mark_js_object_live, JS::Object.wrap(Object.new))
+      end
+    `);
+    const livingObjects = new Set<RbValue>();
+    run.call("call", vm.wrap({
+      mark_js_object_live: (object: RbValue) => {
+        livingObjects.add(object);
+      }
+    }));
+    vm.eval("GC.start");
+    for (const object of livingObjects) {
+      // Ensure that all objects are still alive
+      object.call("itself")
+    }
+  })
+
   test("Guard null", async () => {
     const vm = await initRubyVM();
     const result = vm.eval(`

Original file line number	Diff line number	Diff line change
`@@ -90,7 +90,7 @@ static VALUE rb_abi_lend_object_internal(VALUE obj) {`
`90`	`90`	`}`
`91`	`91`	`return Qundef;`
`92`	`92`	`}`
`93`		`-static void rb_abi_lend_object(VALUE obj) {`
	`93`	`+void rb_abi_lend_object(VALUE obj) {`
`94`	`94`	`RB_WASM_DEBUG_LOG("rb_abi_lend_object: obj = %p\n", (void *)obj);`
`95`	`95`	`int state;`
`96`	`96`	`RB_WASM_LIB_RT(rb_protect(rb_abi_lend_object_internal, obj, &state));`