From: "alanwu (Alan Wu) via ruby-core"
Date: 2023-04-14T19:35:08+00:00
Subject: [ruby-core:113260] [Ruby master Bug#19601] YJIT `try to mark T_NONE object` stemming from object shape transition on `self`

Issue #19601 has been reported by alanwu (Alan Wu).

----------------------------------------
Bug #19601: YJIT `try to mark T_NONE object` stemming from object shape transition on `self`
https://bugs.ruby-lang.org/issues/19601

* Author: alanwu (Alan Wu)
* Status: Closed
* Priority: Normal
* ruby -v: ruby 3.2.2 (2023-03-30 revision e51014f9c0) +YJIT [arm64-darwin22]
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED
----------------------------------------
We've identified a false collection bug with YJIT. Symptoms can range from `[BUG] try to mark T_NONE object` to SEGVs. Due to the bug requiring specific transient heap state to reproduce, it may be hard to identify by looking at the crash-site stack trace.

`ruby --yjit-call-threshold=1` reproducer:

```ruby
class RegressionTest
  def initialize
    @a = @b = @fourth_ivar_does_shape_transition = nil
  end

  def extender
    @first_extended_ivar = [:ok]
  end
end

test = RegressionTest.new

# Fill up the transient heap, so rb_ensure_iv_list_size()
# listens to GC.stress and yields to the GC.
fill = Array.new(0x400000)
GC.stress = true

# Used to crash due to GC run in rb_ensure_iv_list_size()
# not marking the newly allocated [:ok].
test.extender
GC.start
```

I will post a patch shortly.

--
https://bugs.ruby-lang.org/