Bug #19601: YJIT `try to mark T_NONE object` stemming from object shape transition on `self` - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #19601

closed

YJIT `try to mark T_NONE object` stemming from object shape transition on `self`

Added by alanwu (Alan Wu) about 1 year ago. Updated 10 months ago.

Status:

Closed

Assignee:

Target version:

ruby -v:

ruby 3.2.2 (2023-03-30 revision e51014f9c0) +YJIT [arm64-darwin22]

Backport:

3.0: DONTNEED, 3.1: DONTNEED, 3.2: DONE

[ruby-core:113260]

Description

We've identified a false collection bug with YJIT.
Symptoms can range from [BUG] try to mark T_NONE object to SEGVs.
Due to the bug requiring specific transient heap state to reproduce,
it may be hard to identify by looking at the crash-site stack trace.

ruby --yjit-call-threshold=1 reproducer:

class RegressionTest
  def initialize
    @a = @b = @fourth_ivar_does_shape_transition = nil
  end

  def extender
    @first_extended_ivar = [:ok]
  end
end

GC.stress = true

test = RegressionTest.new

# Used to crash due to GC run in rb_ensure_iv_list_size()
# not marking the newly allocated [:ok].
test.extender

GC.start

Fix: https://github.com/ruby/ruby/pull/7718

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #19601

YJIT `try to mark T_NONE object` stemming from object shape transition on `self`

Updated by alanwu (Alan Wu) about 1 year ago

Updated by alanwu (Alan Wu) about 1 year ago

Updated by byroot (Jean Boussier) about 1 year ago

Updated by nagachika (Tomoyuki Chikanaga) 10 months ago