Bug #19601: YJIT `try to mark T_NONE object` stemming from object shape transition on `self` - Ruby master - Ruby Issue Tracking System

Bug #19601

Updated by alanwu (Alan Wu) about 1 year ago

We've identified a false collection bug with YJIT. 
 Symptoms can range from `[BUG] try to mark T_NONE object` to SEGVs. 
 Due to the bug requiring specific transient heap state to reproduce, 
 it may be hard to identify by looking at the crash-site stack trace. 

 `ruby --yjit-call-threshold=1` reproducer: 

 ```ruby 
 class RegressionTest 
   def initialize 
     @a = @b = @fourth_ivar_does_shape_transition = nil 
   end 

   def extender 
     @first_extended_ivar = [:ok] 
   end 
 end 

 test = RegressionTest.new 

 # Fill up the transient heap, so rb_ensure_iv_list_size() 
 # listens to GC.stress and yields to the GC. 
 fill = Array.new(0x400000) 
 GC.stress = true 

 
 # Used to crash due to GC run in rb_ensure_iv_list_size() 
 # not marking the newly allocated [:ok]. 
 RegressionTest.new.extender.itself test.extender 
 GC.start 
 ``` 

 Fix: https://github.com/ruby/ruby/pull/7718 I will post a patch shortly.

Back

Project

General

Profile

Ruby » Ruby master

Bug #19601