Bug #21565

YJIT has panicked in rails

Added by eiskrenkov (Egor Iskrenkov) 3 days ago. Updated 1 day ago.

Status: Assigned
Assignee:
Target version: -
ruby -v: ruby 3.4.5 (2025-07-16 revision 20cda200d3) +PRISM [arm64-darwin24]
[ruby-core:123189]

Description

I've gotten a "YJIT has panicked" crash in a Rails app locally on my M1 Pro MacBook Pro 2 times in the last 2 weeks.

Started GET "/api/admin/environments/13/edit" for ::1 at 2025-09-08 18:32:17 +0200
Processing by Api::Admin::EnvironmentsController#edit as JSON
  Parameters: {"id" => "13", "environment" => {}}
ruby: YJIT has panicked. More info to follow...

thread '<unnamed>' panicked at ./yjit/src/codegen.rs:5031:9:
assertion failed: !val_type.is_imm()
stack backtrace:
   0: _rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: yjit::codegen::jit_guard_known_klass
   4: yjit::codegen::gen_equality_specialized
   5: yjit::codegen::gen_opt_eq
   6: yjit::codegen::gen_single_block
   7: yjit::core::gen_block_series
   8: yjit::core::branch_stub_hit_body
   9: yjit::stats::with_compile_time
  10: yjit::cruby::with_vm_lock
  11: yjit::core::branch_stub_hit
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
/Users/eiskrenkov/.local/share/mise/installs/ruby/3.4.5/lib/ruby/gems/3.4.0/gems/actionpack-8.0.2.1/lib/action_dispatch/request/session.rb:118: [BUG] YJIT: panicked at ./yjit/src/codegen.rs:5031:9:
assertion failed: !val_type.is_imm()
ruby 3.4.5 (2025-07-16 revision 20cda200d3) +YJIT +PRISM [arm64-darwin24]

It happens randomly; I couldn't find reproduction steps, sadly.


Files

ruby-2025-09-08-183231.ips (45.3 KB), eiskrenkov (Egor Iskrenkov), 09/08/2025 05:00 PM
ruby-2025-09-09-184849.ips (71.7 KB), eiskrenkov (Egor Iskrenkov), 09/10/2025 12:32 PM

Updated by k0kubun (Takashi Kokubun) 3 days ago

  • Assignee set to jit

Updated by k0kubun (Takashi Kokubun) 3 days ago

  • Status changed from Open to Assigned

Updated by k0kubun (Takashi Kokubun) 3 days ago

We've modified the assertion failure message https://github.com/ruby/ruby/pull/14480 to debug this further. I'll release Ruby 3.4.6 early next week with that patch, so it'd be nice to see an updated error report once you encounter that with the new Ruby version.

Updated by eiskrenkov (Egor Iskrenkov) 1 day ago

k0kubun (Takashi Kokubun) wrote in #note-3:

We've modified the assertion failure message https://github.com/ruby/ruby/pull/14480 to debug this further. I'll release Ruby 3.4.6 early next week with that patch, so it'd be nice to see an updated error report once you encounter that with the new Ruby version.

Hello, Takashi! Thank you so much for that commit. I built Ruby from the repo, taking the v3.4.5 tag as a base, adding your commit on top and removing the fn gen_opt_new function from codegen.rs. I started my Rails app again and got a more verbose error report this time, thanks to your work!

Started GET "/api/admin/app_data" for ::1 at 2025-09-09 18:47:05 +0200
Processing by Api::Admin::AppDataController#show as JSON
  Parameters: {"app_datum" => {}}
ruby: YJIT has panicked. More info to follow...

thread '<unnamed>' panicked at ../yjit/src/codegen.rs:5086:9:
StackOpnd(1) should be a heap object, but was ImmSymbol for VALUE(4928731040)
stack backtrace:
   0: rust_begin_unwind
             at /rustc/4eb161250e340c8f48f66e2b929ef4a5bed7c181/library/std/src/panicking.rs:692:5
   1: core::panicking::panic_fmt
             at /rustc/4eb161250e340c8f48f66e2b929ef4a5bed7c181/library/core/src/panicking.rs:75:14
   2: yjit::codegen::jit_guard_known_klass
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/codegen.rs:5086:9
   3: yjit::codegen::gen_equality_specialized
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/codegen.rs:3695:9
   4: yjit::codegen::gen_opt_eq
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/codegen.rs:3758:29
   5: yjit::codegen::gen_single_block
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/codegen.rs:1387:22
   6: yjit::core::gen_block_series_body
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/core.rs:3088:23
   7: yjit::core::gen_block_series
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/core.rs:3066:18
   8: yjit::core::branch_stub_hit_body
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/core.rs:3604:17
   9: yjit::core::branch_stub_hit::{{closure}}::{{closure}}
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/core.rs:3493:36
  10: yjit::stats::with_compile_time
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/stats.rs:1084:15
  11: yjit::core::branch_stub_hit::{{closure}}
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/core.rs:3493:13
  12: std::panicking::try::do_call
             at /Users/eiskrenkov/.rustup/toolchains/1.85.1-aarch64-apple-darwin/lib/rustlib/src/rust/library/std/src/panicking.rs:584:40
  13: std::panicking::try
             at /Users/eiskrenkov/.rustup/toolchains/1.85.1-aarch64-apple-darwin/lib/rustlib/src/rust/library/std/src/panicking.rs:547:19
  14: std::panic::catch_unwind
             at /Users/eiskrenkov/.rustup/toolchains/1.85.1-aarch64-apple-darwin/lib/rustlib/src/rust/library/std/src/panic.rs:358:14
  15: yjit::cruby::with_vm_lock
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/cruby.rs:688:21
  16: yjit::core::branch_stub_hit
             at /Users/eiskrenkov/dev/ruby/build/../yjit/src/core.rs:3492:9
note: Some details are omitted, run with `RUST_BACKTRACE=full` for a verbose backtrace.
/Users/eiskrenkov/.rubies/ruby-master/lib/ruby/gems/3.4.0/gems/actionpack-8.0.2.1/lib/action_dispatch/request/session.rb:118: [BUG] YJIT: panicked at ../yjit/src/codegen.rs:5086:9:
StackOpnd(1) should be a heap object, but was ImmSymbol for VALUE(4928731040)
ruby 3.4.5 (2025-09-09 revision cd7c672545) +YJIT +PRISM [arm64-darwin24]

Please, let me know if I can provide any more information necessary for debugging or I can be of any more help. Thank you so much!

Updated by alanwu (Alan Wu) 1 day ago · Edited

Thanks for trying the patch and for helping us debug! Unfortunately, we still need more information to understand the crash. The following are steps to gather more information, if you're so inclined to help us further.

Apply the following on top of 3.4.5:

diff --git a/yjit/src/codegen.rs b/yjit/src/codegen.rs
index a74480a204..a5a3598c04 100644
--- a/yjit/src/codegen.rs
+++ b/yjit/src/codegen.rs
@@ -1296,7 +1296,6 @@ pub fn gen_single_block(
     let mut asm = Assembler::new(jit.num_locals());
     asm.ctx = ctx;
 
-    #[cfg(feature = "disasm")]
     if get_option_ref!(dump_disasm).is_some() {
         let blockid_idx = blockid.idx;
         let chain_depth = if asm.ctx.get_chain_depth() > 0 { format!("(chain_depth: {})", asm.ctx.get_chain_depth()) } else { "".to_string() };
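Review bot: With the #[cfg(feature = "disasm")] attribute dropped from the "if get_option_ref!(dump_disasm).is_some()" block in gen_single_block, the whole block body is compiled in builds without the disasm feature, and this hunk shows only its first two lines. Check that nothing further down in that block calls an item that is still behind the same cfg gate, or a default build will fail to compile. As this is a diagnostic patch, a short comment at the "if" saying the gate was removed on purpose would keep it from being carried forward by accident.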
@@ -9048,7 +9047,6 @@ fn gen_send_general(
     let recv_opnd: YARVOpnd = recv.into();
 
     // Log the name of the method we're calling to
-    #[cfg(feature = "disasm")]
     asm_comment!(asm, "call to {}", get_method_name(Some(comptime_recv_klass), mid));
 
     // Gather some statistics about sends
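Review bot: In gen_send_general, removing the gate above the asm_comment!(asm, "call to {}", ...) line makes the get_method_name(Some(comptime_recv_klass), mid) call part of every build, and whether it runs only when dumping depends on how asm_comment! expands, which these lines do not show. Confirm the macro checks the dump_disasm option before evaluating its arguments, so that sends compiled without --yjit-dump-disasm do not pay for the name lookup and string formatting.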

Run your app with --yjit-dump-disasm=/tmp. Use RUBYOPT if necessary to make sure the crashing process gets the option.

Once it crashes, find the yjit_*.log file in /tmp based on PID. It will contain the machine code YJIT generated, along with comments. Dumps are separated by a header comment that looks like Block: method_name@file/path/code.rb. I would like to see all chunks of the dump for actionpack-8.0.2.1/lib/action_dispatch/request/session.rb, or minimally, just for all [] methods in that file.

If it doesn't crash anymore, the dumps might still contain hints about what could be happening.

By the way, it looks like you have a to_s method in your app that returns a symbol, and an instance of it passed to ActionDispatch::Request::Session#[]. Fixing that to_s method could be a workaround for this YJIT bug, though that won't help us fix the underlying issue.
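The extraction step described in the comment above, as an added example that is not part of the thread or of the Ruby project's tooling: a Ruby script that splits a dump on its Block: headers and keeps the chunks for one source file. The header regex, the yjit_<pid>.log file naming and the sample dump are assumptions built from the description above.

```ruby
# Added example (not from the thread): pull per-block chunks out of a YJIT
# disasm dump. Header shape is assumed from the description in the comment.
BLOCK_HEADER = /Block:\s+(?<meth>.+?)@(?<path>\S+)/
Chunk = Struct.new(:meth, :path, :lines)

# Constructed sample; a real dump carries machine code between the headers.
SAMPLE_DUMP = <<~LOG
  # Block: []@/gems/actionpack-8.0.2.1/lib/action_dispatch/request/session.rb:116
  # (machine code lines would follow here)
  # Block: show@/app/controllers/api/admin/app_data_controller.rb:5
  # (machine code lines would follow here)
  # Block: []@/gems/actionpack-8.0.2.1/lib/action_dispatch/request/session.rb:118
  # (machine code lines would follow here)
  # Block: loaded?@/gems/actionpack-8.0.2.1/lib/action_dispatch/request/session.rb:240
LOG

# Find the dump written by one process. Assumes the PID appears in the file
# name; the lookarounds stop PID 12 from matching yjit_123.log.
def dump_for_pid(dir, pid)
  Dir.glob(File.join(dir, "yjit_*.log")).find do |f|
    File.basename(f).match?(/(?<!\d)#{Integer(pid)}(?!\d)/)
  end
end

# Split anything that responds to each_line (String or IO) into one Chunk per
# "Block:" header. Lines before the first header are dropped.
def split_chunks(src)
  chunks = []
  src.each_line do |line|
    if (m = BLOCK_HEADER.match(line))
      chunks << Chunk.new(m[:meth], m[:path], [line])
    elsif chunks.any?
      chunks.last.lines << line
    end
  end
  chunks
end

# Keep chunks whose path contains path_part, optionally for one method only.
def select_chunks(chunks, path_part, meth: nil)
  chunks.select { |c| c.path.include?(path_part) && (meth.nil? || c.meth == meth) }
end

if __FILE__ == $PROGRAM_NAME
  src = ARGV[0] ? File.open(ARGV[0]) : SAMPLE_DUMP
  wanted = select_chunks(split_chunks(src), "action_dispatch/request/session.rb", meth: "[]")
  wanted.each { |c| puts c.lines.join }
end
```

Dropping the meth: argument returns every chunk for session.rb rather than only the [] methods.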
