Ruby Issue Tracking System

05/19/2026

09:57 PM Ruby Revision 3373fcc2 (git): Fix UAF in IO::Buffer#~ when self is an invalidated slice

`io_buffer_not` accessed `buffer->base` directly without validating that the buffer was still live. A slice whose parent had been freed retained its stale base pointer, so calling `~` on it caused a UAF.
Use `io_buffer_get_bytes_for_rea... himura467 (Akito Shitara)

01:08 AM Ruby Revision 90ed85f9 (git): Fix UAF in IO::Buffer#^ when self or mask is an invalidated slice

`io_buffer_xor` accessed `buffer->base` and `mask_buffer->base` directly without validating that the buffers were still live. A slice whose parent had been freed retained its stale base pointer, so calling `^` on it caused a UAF.
Use `i... himura467 (Akito Shitara)

05/18/2026

01:31 AM Ruby Revision 95626e3a (git): Fix UAF in IO::Buffer#| when self or mask is an invalidated slice

`io_buffer_or` accessed `buffer->base` and `mask_buffer->base` directly without validating that the buffers were still live. A slice whose parent had been freed retained its stale base pointer, so calling `|` on it caused a UAF.
Use `io... himura467 (Akito Shitara)

05/15/2026

12:58 AM Ruby Revision 2552db04 (git): Fix UAF in IO::Buffer#& when self or mask is an invalidated slice

himura467 (Akito Shitara)

05/07/2026

06:21 PM Ruby Misc #21956: DevMeeting-2026-05-13

* [Feature #22056] Add zero-copy String constructor backed by an arbitrary Ruby object
* Propose adding `rb_enc_str_new_external` (and variants, names tentative): creates a String referencing existing memory without copying, with the G... himura467 (Akito Shitara)

05:48 PM Ruby Feature #22056: Add zero-copy String constructor backed by an arbitrary Ruby object

Thank you @Eregon
> What do you mean by "undocumented GC behavior"?
Isn't it only relying on an object keeping its ivar values alive? That's well documented.
Agreed, "undocumented" was imprecise. What I meant is that the relations... himura467 (Akito Shitara)

04:44 PM Ruby Feature #22056: Add zero-copy String constructor backed by an arbitrary Ruby object

Thank you @jhawthorn
> For what it's worth, I'm unconvinced this existing optimization is paying off (and I intend to remove it from the fstring case, where it definitely isn't). At least in CRuby itself at boot we create ~500 strings... himura467 (Akito Shitara)

05/06/2026

04:43 PM Ruby Feature #22056: Add zero-copy String constructor backed by an arbitrary Ruby object

Thank you for raising this, it's a good point worth keeping in mind.
The zero-copy path only applies to READONLY buffers, and `T_STRING` stored in `buffer->source` is guaranteed to be frozen by the design of `IO::Buffer.for`. Since th... himura467 (Akito Shitara)

04:04 PM Ruby Feature #22056: Add zero-copy String constructor backed by an arbitrary Ruby object

> I see. So it's mutable, but Copy-on-Write. If you mutate the string, all the content is copied in a buffer managed by Ruby.
Yes, that's correct. himura467 (Akito Shitara)

03:45 PM Ruby Feature #22056: Add zero-copy String constructor backed by an arbitrary Ruby object

Thank you @byroot, for pointing out the concern.
We are designing this new "external" string to be mutable.
Regarding the complexity concern, the mechanism for handling cases where the zero-copy returned string is modified can be imp... himura467 (Akito Shitara)