From: Eric Wong <normalperson@...>
Date: 2014-09-08T08:37:50+00:00
Subject: [ruby-core:64847] Re: [ruby-trunk - Bug #10206] garbage symbols crash symbol GC

ko1@atdot.net wrote:
> At first, Symbol is VALUE and it should be marked.
> 
> So that the following code should not be allowed.
> 
> ```
> id = SYM2ID(garbage_sym);
> ```
> 
> In this case, afeter sweeping, garbage_sym becomes freed VALUE.
> 
> What happen on it?

Looking at this more, we may run dsymbol_check too late in
dsymbol_pindown.  I think we must run dsymbol_check immediately after
looking up dynamic syms from global_symbol.str_id, and not later.

I think this may be a fix (still testing):

--- a/symbol.c
+++ b/symbol.c
@@ -458,7 +458,10 @@ dsymbol_pindown(VALUE sym)
 
     if (UNLIKELY(SYMBOL_PINNED_P(sym) == 0)) {
 	VALUE fstr = RSYMBOL(sym)->fstr;
-	sym = dsymbol_check(sym);
+
+	if (UNLIKELY(rb_objspace_garbage_object_p(sym))) {
+	    rb_bug("attempted to pindown garbage sym");
+	}
 	FL_SET(sym, SYMBOL_PINNED);
 
 	/* make it permanent object */
@@ -525,6 +528,9 @@ rb_intern_cstr_without_pindown(const char *name, long len, rb_encoding *enc)
     OBJ_FREEZE(str);
 
     if (st_lookup(global_symbols.str_id, str, &id)) {
+	if (ID_DYNAMIC_SYM_P((ID)id)) {
+	    return (ID)dsymbol_check((VALUE)id);
+	}
 	return (ID)id;
     }