YJIT: Fix missing arity check for splat calls to methods with optionals

Previously, for splat callsites that land in methods with optional parameters, we didn't reject the case where the caller supplies too many arguments. Accepting those calls previously caused YJIT to construct corrupted control frames, which leads to crashes if the callee uses certain stack walking methods such as Kernel#raise and String#gsub (for setting up the frame-local `$~`). Example crash in a debug build: Assertion Failed: ../vm_core.h:1375:VM_ENV_FLAGS:FIXNUM_P(flags) ruby 3.3.0dev (2023-12-06T20:38:22Z master a57186b) +YJIT dev [x86_64-linux] -- Control frame information ----------------------------------------------- c:0005 p:---- s:0021 e:000020 CFUNC :raise Assertion Failed: ../vm_core.h:1375:VM_ENV_FLAGS:FIXNUM_P(flags) ruby 3.3.0dev (2023-12-06T20:38:22Z master a57186b) +YJIT dev [x86_64-linux] Crashed while printing bug report
XrXr · Dec 11, 2023 · 9541ede · 9541ede
1 parent 70650ed
commit 9541ede
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/bootstraptest/test_yjit.rb b/bootstraptest/test_yjit.rb
@@ -1,3 +1,29 @@
+# regression test for arity check with splat
+assert_equal '[:ae, :ae]', %q{
+  def req_one(a_, b_ = 1) = raise
+
+  def test(args)
+    req_one *args
+  rescue ArgumentError
+    :ae
+  end
+
+  [test(Array.new 5), test([])]
+}
+
+# regression test for arity check with splat and send
+assert_equal '[:ae, :ae]', %q{
+  def two_reqs(a, b_, _ = 1) = a.gsub(a, a)
+
+  def test(name, args)
+    send(name, *args)
+  rescue ArgumentError
+    :ae
+  end
+
+  [test(:two_reqs, ["g", nil, nil, nil]), test(:two_reqs, ["g"])]
+}
+
 # regression test for GC marking stubs in invalidated code
 assert_normal_exit %q{
   garbage = Array.new(10_000) { [] } # create garbage to cause iseq movement

diff --git a/yjit/src/codegen.rs b/yjit/src/codegen.rs
@@ -6116,9 +6116,14 @@ fn gen_send_iseq(
             unsafe { rb_yjit_array_len(array) as u32}
         };
 
-        if opt_num == 0 && required_num != array_length as i32 + argc - 1 && !iseq_has_rest {
-            gen_counter_incr(asm, Counter::send_iseq_splat_arity_error);
-            return None;
+        // Arity check accounting for size of the splat. When callee has rest parameters, we insert
+        // runtime guards later in copy_splat_args_for_rest_callee()
+        if !iseq_has_rest {
+            let supplying = argc - 1 + array_length as i32;
+            if (required_num..=required_num + opt_num).contains(&supplying) == false {
+                gen_counter_incr(asm, Counter::send_iseq_splat_arity_error);
+                return None;
+            }
         }
 
         if iseq_has_rest && opt_num > 0 {