ruby.git/yjit/src/core.rs, branch v4.0.2 The Ruby Programming Language YJIT: Print `Rc` strong and weak count on assert failure 2025-12-16T19:56:40+00:00 Alan Wu XrXr@users.noreply.github.com 2025-12-16T18:33:47+00:00 eaa952b536c48658a5a2e3f128e3afdef03a01b6 For <https://bugs.ruby-lang.org/issues/21716>, the panic is looking like some sort of third party memory corruption, with YJIT taking the fall. At the point of this assert, the assembler has dropped, so there's nothing in YJIT's code other than JITState that could be holding on to these transient `PendingBranchRef`. The strong count being more than a handful or the weak count is non-zero shows that someone in the process (likely some native extension) corrupted the Rc's counts. 
For <https://bugs.ruby-lang.org/issues/21716>, the panic is looking like
some sort of third party memory corruption, with YJIT taking the fall.
At the point of this assert, the assembler has dropped, so there's
nothing in YJIT's code other than JITState that could be holding on to
these transient `PendingBranchRef`.

The strong count being more than a handful or the weak count is non-zero
shows that someone in the process (likely some native extension)
corrupted the Rc's counts.
[DOC] Fix minor typos in YJIT comments (#14829) 2025-10-14T11:05:18+00:00 Vincent Lin bugtender@users.noreply.github.com 2025-10-14T11:05:18+00:00 34ee5cbf13d42d2fc48f48cbf787571d0c6e5729 [DOC] Fix typos in YJIT core 
[DOC] Fix typos in YJIT core
 YJIT: Prevent making a branch from a dead block to a live block 2025-10-02T16:09:40+00:00 Alan Wu XrXr@users.noreply.github.com 2025-10-02T03:53:48+00:00 20fc91df395b834ecaee0bdb29df8da224fdf89a I'm seeing some memory corruption in the wild on blocks in `IseqPayload::dead_blocks`. While I unfortunately can't recreate the issue, (For all I know, it could be some external code corrupting YJIT's memory.) establishing a link between dead blocks and live blocks seems fishy enough that we ought to prevent it. When it did happen, it might've had bad interacts with Code GC and the optimization to immediately free empty blocks. 
I'm seeing some memory corruption in the wild on blocks in
`IseqPayload::dead_blocks`. While I unfortunately can't recreate the
issue, (For all I know, it could be some external code corrupting YJIT's
memory.) establishing a link between dead blocks and live blocks seems
fishy enough that we ought to prevent it. When it did happen, it might've
had bad interacts with Code GC and the optimization to immediately
free empty blocks.
YJIT: Tiny refactors (#14505) 2025-09-10T20:37:17+00:00 Stan Lo stan.lo@shopify.com 2025-09-10T20:37:17+00:00 23c60e185ea7e74f0eebc27119184fb1ed844856 Addressed some suggestions from clippy that made sense to me. 
Addressed some suggestions from clippy that made sense to me.
 ZJIT: Clear jit entry from iseqs after TracePoint activation (#14407) 2025-09-02T19:20:08+00:00 Stan Lo stan.lo@shopify.com 2025-09-02T19:20:08+00:00 77a421fb057c16cd82adbe6e07efe0db01bf93a5 ZJIT: Remove JITed code after TracePoint is enabled 
ZJIT: Remove JITed code after TracePoint is enabled
 YJIT: Use raw memory write to update pointers in code 2025-07-24T15:37:44+00:00 Kunshan Wang wks1986@gmail.com 2025-07-19T08:22:46+00:00 5ef20b3a274e855b802edd03cd432464d2a49b35 Because we have set all code memory to writable before the reference updating phase, we can use raw memory writes directly. 
Because we have set all code memory to writable before the reference
updating phase, we can use raw memory writes directly.
YJIT: Set code mem permissions in bulk 2025-07-14T20:21:55+00:00 Kunshan Wang wks1986@gmail.com 2025-06-30T06:21:30+00:00 51a3ea5adeb452e51c119a395acfd5c87cc63735 Some GC modules, notably MMTk, support parallel GC, i.e. multiple GC threads work in parallel during a GC. Currently, when two GC threads scan two iseq objects simultaneously when YJIT is enabled, both threads will attempt to borrow `CodeBlock::mem_block`, which will result in panic. This commit makes one part of the change. We now set the YJIT code memory to writable in bulk before the reference-updating phase, and reset it to executable in bulk after the reference-updating phase. Previously, YJIT lazily sets memory pages writable while updating object references embedded in JIT-compiled machine code, and sets the memory back to executable by calling `mark_all_executable`. This approach is inherently unfriendly to parallel GC because (1) it borrows `CodeBlock::mem_block`, and (2) it sets the whole `CodeBlock` as executable which races with other GC threads that are updating other iseq objects. It also has performance overhead due to the frequent invocation of system calls. We now set the permission of all the code memory in bulk before and after the reference updating phase. Multiple GC threads can now perform raw memory writes in parallel. We should also see performance improvement during moving GC because of the reduced number of `mprotect` system calls. 
Some GC modules, notably MMTk, support parallel GC, i.e. multiple GC
threads work in parallel during a GC.  Currently, when two GC threads
scan two iseq objects simultaneously when YJIT is enabled, both threads
will attempt to borrow `CodeBlock::mem_block`, which will result in
panic.

This commit makes one part of the change.

We now set the YJIT code memory to writable in bulk before the
reference-updating phase, and reset it to executable in bulk after the
reference-updating phase.  Previously, YJIT lazily sets memory pages
writable while updating object references embedded in JIT-compiled
machine code, and sets the memory back to executable by calling
`mark_all_executable`.  This approach is inherently unfriendly to
parallel GC because (1) it borrows `CodeBlock::mem_block`, and (2) it
sets the whole `CodeBlock` as executable which races with other GC
threads that are updating other iseq objects.  It also has performance
overhead due to the frequent invocation of system calls.  We now set the
permission of all the code memory in bulk before and after the reference
updating phase.  Multiple GC threads can now perform raw memory writes
in parallel.  We should also see performance improvement during moving
GC because of the reduced number of `mprotect` system calls.
ZJIT: Mark profiled objects when marking ISEQ (#13784) 2025-07-09T23:03:23+00:00 Takashi Kokubun takashi.kokubun@shopify.com 2025-07-09T23:03:23+00:00 f5085c70f25fb1b435ac7d6604fc95492fe9537d 






YJIT: Fix potential infinite loop when OOM (GH-13186)
2025-04-28T12:50:29+00:00

Rian McGuire
rian@rian.id.au

2025-04-28T12:50:29+00:00

80a1a1bb8ae8435b916ae4f66a483e91ad31356a

Avoid generating an infinite loop in the case where:
1. Block `first` is adjacent to block `second`, and the branch from `first` to
   `second` is a fallthrough, and
2. Block `second` immediately exits to the interpreter, and
3. Block `second` is invalidated and YJIT is OOM

While pondering how to fix this, I think I've stumbled on another related edge case:
1. Block `incoming_one` and `incoming_two` both branch to block `second`. Block
   `incoming_one` has a fallthrough
2. Block `second` immediately exits to the interpreter (so it starts with its exit)
3. When Block `second` is invalidated, the incoming fallthrough branch from
   `incoming_one` might be rewritten first, which overwrites the start of block
   `second` with a jump to a new branch stub.
4. YJIT runs of out memory
5. The incoming branch from `incoming_two` is then rewritten, but because we're
   OOM we can't generate a new stub, so we use `second`'s exit as the branch
   target. However `second`'s exit was already overwritten with a jump to the
   branch stub for `incoming_one`, so `incoming_two` will end up jumping to
   `incoming_one`'s branch stub.

Fixes [Bug #21257]




Avoid generating an infinite loop in the case where:
1. Block `first` is adjacent to block `second`, and the branch from `first` to
   `second` is a fallthrough, and
2. Block `second` immediately exits to the interpreter, and
3. Block `second` is invalidated and YJIT is OOM

While pondering how to fix this, I think I've stumbled on another related edge case:
1. Block `incoming_one` and `incoming_two` both branch to block `second`. Block
   `incoming_one` has a fallthrough
2. Block `second` immediately exits to the interpreter (so it starts with its exit)
3. When Block `second` is invalidated, the incoming fallthrough branch from
   `incoming_one` might be rewritten first, which overwrites the start of block
   `second` with a jump to a new branch stub.
4. YJIT runs of out memory
5. The incoming branch from `incoming_two` is then rewritten, but because we're
   OOM we can't generate a new stub, so we use `second`'s exit as the branch
   target. However `second`'s exit was already overwritten with a jump to the
   branch stub for `incoming_one`, so `incoming_two` will end up jumping to
   `incoming_one`'s branch stub.

Fixes [Bug #21257]






YJIT: Rename get_temp_regs2() back to get_temp_regs() (#12866)
2025-03-06T15:52:49+00:00

Takashi Kokubun
takashikkbn@gmail.com

2025-03-06T15:52:49+00:00

bb91c303bad5fcdd59b73ca1a1923f71c7efdbfd