ruby.git/yjit/src/core.rs, branch v3_4_9 The Ruby Programming Language YJIT: Print `Rc` strong and weak count on assert failure 2025-12-16T19:55:31+00:00 Alan Wu XrXr@users.noreply.github.com 2025-12-16T18:33:47+00:00 70a7c551fcead48f5964fbc7a0bd20cc50b635c0 For <https://bugs.ruby-lang.org/issues/21716>, the panic is looking like some sort of third party memory corruption, with YJIT taking the fall. At the point of this assert, the assembler has dropped, so there's nothing in YJIT's code other than JITState that could be holding on to these transient `PendingBranchRef`. The strong count being more than a handful or the weak count is non-zero shows that someone in the process (likely some native extension) corrupted the Rc's counts. 
For <https://bugs.ruby-lang.org/issues/21716>, the panic is looking like
some sort of third party memory corruption, with YJIT taking the fall.
At the point of this assert, the assembler has dropped, so there's
nothing in YJIT's code other than JITState that could be holding on to
these transient `PendingBranchRef`.

The strong count being more than a handful or the weak count is non-zero
shows that someone in the process (likely some native extension)
corrupted the Rc's counts.
YJIT: Prevent making a branch from a dead block to a live block 2025-10-29T23:35:14+00:00 Alan Wu XrXr@users.noreply.github.com 2025-10-02T03:53:48+00:00 0b7ea9c7953803a56622c62139404473a4115565 I'm seeing some memory corruption in the wild on blocks in `IseqPayload::dead_blocks`. While I unfortunately can't recreate the issue, (For all I know, it could be some external code corrupting YJIT's memory.) establishing a link between dead blocks and live blocks seems fishy enough that we ought to prevent it. When it did happen, it might've had bad interacts with Code GC and the optimization to immediately free empty blocks. 
I'm seeing some memory corruption in the wild on blocks in
`IseqPayload::dead_blocks`. While I unfortunately can't recreate the
issue, (For all I know, it could be some external code corrupting YJIT's
memory.) establishing a link between dead blocks and live blocks seems
fishy enough that we ought to prevent it. When it did happen, it might've
had bad interacts with Code GC and the optimization to immediately
free empty blocks.
YJIT: Fix potential infinite loop when OOM (GH-13186) 2025-04-28T16:23:33+00:00 Rian McGuire rian@rian.id.au 2025-04-28T12:50:29+00:00 50b1759be00713535c41f5650feb3967c533450a Avoid generating an infinite loop in the case where: 1. Block `first` is adjacent to block `second`, and the branch from `first` to `second` is a fallthrough, and 2. Block `second` immediately exits to the interpreter, and 3. Block `second` is invalidated and YJIT is OOM While pondering how to fix this, I think I've stumbled on another related edge case: 1. Block `incoming_one` and `incoming_two` both branch to block `second`. Block `incoming_one` has a fallthrough 2. Block `second` immediately exits to the interpreter (so it starts with its exit) 3. When Block `second` is invalidated, the incoming fallthrough branch from `incoming_one` might be rewritten first, which overwrites the start of block `second` with a jump to a new branch stub. 4. YJIT runs of out memory 5. The incoming branch from `incoming_two` is then rewritten, but because we're OOM we can't generate a new stub, so we use `second`'s exit as the branch target. However `second`'s exit was already overwritten with a jump to the branch stub for `incoming_one`, so `incoming_two` will end up jumping to `incoming_one`'s branch stub. Backport [Bug #21257] 
Avoid generating an infinite loop in the case where:
1. Block `first` is adjacent to block `second`, and the branch from `first` to
   `second` is a fallthrough, and
2. Block `second` immediately exits to the interpreter, and
3. Block `second` is invalidated and YJIT is OOM

While pondering how to fix this, I think I've stumbled on another related edge case:
1. Block `incoming_one` and `incoming_two` both branch to block `second`. Block
   `incoming_one` has a fallthrough
2. Block `second` immediately exits to the interpreter (so it starts with its exit)
3. When Block `second` is invalidated, the incoming fallthrough branch from
   `incoming_one` might be rewritten first, which overwrites the start of block
   `second` with a jump to a new branch stub.
4. YJIT runs of out memory
5. The incoming branch from `incoming_two` is then rewritten, but because we're
   OOM we can't generate a new stub, so we use `second`'s exit as the branch
   target. However `second`'s exit was already overwritten with a jump to the
   branch stub for `incoming_one`, so `incoming_two` will end up jumping to
   `incoming_one`'s branch stub.

Backport [Bug #21257]
YJIT: Return None if entry block compilation fails (#12445) 2024-12-23T22:12:08+00:00 Takashi Kokubun takashikkbn@gmail.com 2024-12-23T22:12:08+00:00 527cc7328207de06750debf4c6bfce81a897957d 






YJIT: Load registers on JIT entry to reuse blocks (#12355)
2024-12-17T17:32:42+00:00

Takashi Kokubun
takashikkbn@gmail.com

2024-12-17T17:32:42+00:00

6bf7a1765f89561155eb12148ea1985e82ba8600












YJIT: Use the correct size constant
2024-12-11T22:44:43+00:00

Alan Wu
XrXr@users.noreply.github.com

2024-12-11T19:35:31+00:00

6cb75564f9008f64a0166d65099481767c53b643












YJIT: Spill/load argument registers to reuse blocks (#12287)
2024-12-09T18:02:40+00:00

Takashi Kokubun
takashikkbn@gmail.com

2024-12-09T18:02:40+00:00

cff031253f228ed28a00d95935e42c68a85f34ad

* YJIT: Spill/load argument registers to reuse blocks

* Mention the immediate function name

* Explain the context behind spill/load operations




* YJIT: Spill/load argument registers to reuse blocks

* Mention the immediate function name

* Explain the context behind spill/load operations






YJIT: Add inline_block_count stat (#12081)
2024-11-13T21:17:29+00:00

Takashi Kokubun
takashikkbn@gmail.com

2024-11-13T21:17:29+00:00

30e1d6b5a894966ab9144cd50c7ce47020ea86be












YJIT: Always abandon the block when gen_branch() or defer_compilation() fails
2024-11-08T19:09:55+00:00

Alan Wu
XrXr@users.noreply.github.com

2024-11-08T19:09:55+00:00

dccfab0c5348629223080bfd0cfd82be4163c9ad

In [1], we started checking for gen_branch failures, but I made two
crucial mistakes. One, defer_compilation() had the same issue as
gen_branch() but wasn't checked. Two, returning None from a codegen
function does not throw away the block. Checking how gen_single_block()
handles codegen functions, you can see that None terminates the block
with an exit, but does not overall return an Err. This handling is fine
for unimplemented instructions, for example, but incorrect in case
gen_branch() fails. The missing branch essentially corrupts the
block; adding more code after a missing branch doesn't correct the code.

Always abandon the block when defer_compilation() or gen_branch() fails.

[1]: cb661d7d82984cdb54485ea3f4af01ac21960882
Fixup: [1]




In [1], we started checking for gen_branch failures, but I made two
crucial mistakes. One, defer_compilation() had the same issue as
gen_branch() but wasn't checked. Two, returning None from a codegen
function does not throw away the block. Checking how gen_single_block()
handles codegen functions, you can see that None terminates the block
with an exit, but does not overall return an Err. This handling is fine
for unimplemented instructions, for example, but incorrect in case
gen_branch() fails. The missing branch essentially corrupts the
block; adding more code after a missing branch doesn't correct the code.

Always abandon the block when defer_compilation() or gen_branch() fails.

[1]: cb661d7d82984cdb54485ea3f4af01ac21960882
Fixup: [1]






YJIT: Make PendingBranch::set_target `must_use` [ci skip]
2024-10-23T14:20:44+00:00

Alan Wu
alanwu@ruby-lang.org

2024-10-23T14:20:14+00:00

8e509380a25bea9b485e071e161b54da05b19cac