Project

General

Profile

Actions
Copy link

Bug #19601

closed

YJIT `try to mark T_NONE object` stemming from object shape transition on `self`

Added by alanwu (Alan Wu) about 1 year ago. Updated 10 months ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 3.2.2 (2023-03-30 revision e51014f9c0) +YJIT [arm64-darwin22]
Backport:
3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE
[ruby-core:113260]

Description

We've identified a false collection bug with YJIT.
Symptoms can range from [BUG] try to mark T_NONE object to SEGVs.
Due to the bug requiring specific transient heap state to reproduce,
it may be hard to identify by looking at the crash-site stack trace.

ruby --yjit-call-threshold=1 reproducer:

class RegressionTest
  def initialize
    @a = @b = @fourth_ivar_does_shape_transition = nil
  end

  def extender
    @first_extended_ivar = [:ok]
  end
end

GC.stress = true

test = RegressionTest.new

# Used to crash due to GC run in rb_ensure_iv_list_size()
# not marking the newly allocated [:ok].
test.extender

GC.start

Fix: https://github.com/ruby/ruby/pull/7718

Actions
Copy link
 #1

Updated by alanwu (Alan Wu) about 1 year ago

  • Description updated (diff)
Actions
Copy link
 #2

Updated by alanwu (Alan Wu) about 1 year ago

  • Description updated (diff)
Actions
Copy link
 #3

Updated by byroot (Jean Boussier) about 1 year ago

  • Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED to 3.0: DONTNEED, 3.1: DONTNEED, 3.2: REQUIRED
Actions
Copy link
 #4 [ruby-core:114215]

Updated by nagachika (Tomoyuki Chikanaga) 10 months ago

  • Backport changed from 3.0: DONTNEED, 3.1: DONTNEED, 3.2: REQUIRED to 3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE

ruby_3_2 5fbd72764e020c6b165604e9cdcc932a1c5d2a93 merged revision(s) 31e67a476f2262e01a0829e8ab5e6d8a97e0724e,0b95cbcbde8875effdbcbb676cb0a7f751a1d4c1.

Actions
Copy link

Also available in: Atom PDF

Like0
Like0Like0Like0Like0