ruby.git/yjit/src, branch v3_4_9 The Ruby Programming Language merge revision(s) 9168cad4d63a5d281d443bde4edea6be213b0b25: [Backport #21266] 2025-12-16T23:53:40+00:00 Takashi Kokubun takashikkbn@gmail.com 2025-12-16T23:53:40+00:00 d8f087b581735ec250b8671c3574fa4d5b16ae54 [PATCH] YJIT: Bail out if proc would be stored above stack top Fixes [Bug #21266]. 
	[PATCH] YJIT: Bail out if proc would be stored above stack top

	Fixes [Bug #21266].
YJIT: Print `Rc` strong and weak count on assert failure 2025-12-16T19:55:31+00:00 Alan Wu XrXr@users.noreply.github.com 2025-12-16T18:33:47+00:00 70a7c551fcead48f5964fbc7a0bd20cc50b635c0 For <https://bugs.ruby-lang.org/issues/21716>, the panic is looking like some sort of third party memory corruption, with YJIT taking the fall. At the point of this assert, the assembler has dropped, so there's nothing in YJIT's code other than JITState that could be holding on to these transient `PendingBranchRef`. The strong count being more than a handful or the weak count is non-zero shows that someone in the process (likely some native extension) corrupted the Rc's counts. 
For <https://bugs.ruby-lang.org/issues/21716>, the panic is looking like
some sort of third party memory corruption, with YJIT taking the fall.
At the point of this assert, the assembler has dropped, so there's
nothing in YJIT's code other than JITState that could be holding on to
these transient `PendingBranchRef`.

The strong count being more than a handful or the weak count is non-zero
shows that someone in the process (likely some native extension)
corrupted the Rc's counts.
YJIT: Fix panic from overly loose filtering in identity method inlining 2025-12-12T23:43:41+00:00 Alan Wu XrXr@users.noreply.github.com 2025-12-12T23:00:18+00:00 f19e9c6699150d56853ba1a33f6149d7588c8478 Credits to @rwstauner for noticing this issue in GH-15533. 
Credits to @rwstauner for noticing this issue in GH-15533.
YJIT: Add missing local variable type update for fallback setlocal blocks 2025-12-12T23:43:41+00:00 Alan Wu XrXr@users.noreply.github.com 2025-12-12T18:42:00+00:00 628a94104768b294ae8068c7bb39ab9e495fdd94 Previously, the chain_depth>0 version of setlocal blocks did not update the type of the local variable in the context. This can leave the context with stale type information and trigger or lead to miscompilation. To trigger the issue, YJIT needs to see the same ISEQ before and after environment escape and have tracked type info before the escape. To trigger in ISEQs that do not send with a block, it probably requires Kernel#binding or the use of include/ruby/debug.h APIs. [Backport #21772] 
Previously, the chain_depth>0 version of setlocal blocks did not
update the type of the local variable in the context. This can leave
the context with stale type information and trigger or lead to miscompilation.

To trigger the issue, YJIT needs to see the same ISEQ before and after
environment escape and have tracked type info before the escape. To
trigger in ISEQs that do not send with a block, it probably requires
Kernel#binding or the use of include/ruby/debug.h APIs.

[Backport #21772]
YJIT: Abort expandarray optimization if method_missing is defined 2025-12-01T17:45:35+00:00 Randy Stauner randy@r4s6.net 2025-11-26T02:29:02+00:00 28b2e2ede97b569c2f6121e7808975fbd5c6f298 Fixes: [Bug #21707] [AW: rewrote comments] Co-authored-by: Alan Wu <alanwu@ruby-lang.org> 
Fixes: [Bug #21707]
[AW: rewrote comments]
Co-authored-by: Alan Wu <alanwu@ruby-lang.org>
YJIT: Fix stack handling in rb_str_dup 2025-11-14T18:07:34+00:00 John Hawthorn john@hawthorn.email 2025-11-13T20:01:55+00:00 0b559eab0447905a784092824e5ea0999018cd01 Previously because we did a stack_push before ccall, in some cases we could end up pushing an uninitialized value to the VM stack when spilling regs as part of the ccall. Co-authored-by: Luke Gruber <luke.gru@gmail.com> 
Previously because we did a stack_push before ccall, in some cases we
could end up pushing an uninitialized value to the VM stack when
spilling regs as part of the ccall.

Co-authored-by: Luke Gruber <luke.gru@gmail.com>
YJIT: Prevent making a branch from a dead block to a live block 2025-10-29T23:35:14+00:00 Alan Wu XrXr@users.noreply.github.com 2025-10-02T03:53:48+00:00 0b7ea9c7953803a56622c62139404473a4115565 I'm seeing some memory corruption in the wild on blocks in `IseqPayload::dead_blocks`. While I unfortunately can't recreate the issue, (For all I know, it could be some external code corrupting YJIT's memory.) establishing a link between dead blocks and live blocks seems fishy enough that we ought to prevent it. When it did happen, it might've had bad interacts with Code GC and the optimization to immediately free empty blocks. 
I'm seeing some memory corruption in the wild on blocks in
`IseqPayload::dead_blocks`. While I unfortunately can't recreate the
issue, (For all I know, it could be some external code corrupting YJIT's
memory.) establishing a link between dead blocks and live blocks seems
fishy enough that we ought to prevent it. When it did happen, it might've
had bad interacts with Code GC and the optimization to immediately
free empty blocks.
YJIT: Fix `defined?(yield)` and `block_given?` at top level 2025-10-22T20:53:20+00:00 Alan Wu XrXr@users.noreply.github.com 2025-08-13T16:39:06+00:00 3afa38d0ee34a453d7c53d4512a8f14d25d23f57 Previously, YJIT returned truthy for the block given query at the top level. That's incorrect because the top level script never receives a block, and `yield` is a syntax error there. Inside methods, the number of hops to get from `iseq` to `iseq->body->local_iseq` is the same as the number of `VM_ENV_PREV_EP(ep)` hops to get to an environment with `VM_ENV_FLAG_LOCAL`. YJIT and the interpreter both rely on this as can be seen in get_lvar_level(). However, this identity does not hold for the top level frame because of `vm_set_eval_stack()`, which sets up `TOPLEVEL_BINDING`. Since only methods can take a block that `yield` goes to, have ISEQs that are the child of a non-method ISEQ return falsy for the block given query. This fixes the issue for the top level script and is an optimization for non-method contexts such as inside `ISEQ_TYPE_CLASS`. 
Previously, YJIT returned truthy for the block given query at the top
level. That's incorrect because the top level script never receives a
block, and `yield` is a syntax error there.

Inside methods, the number of hops to get from `iseq` to
`iseq->body->local_iseq` is the same as the number of
`VM_ENV_PREV_EP(ep)` hops to get to an environment with
`VM_ENV_FLAG_LOCAL`. YJIT and the interpreter both rely on this as can
be seen in get_lvar_level(). However, this identity does not hold for
the top level frame because of `vm_set_eval_stack()`, which sets up
`TOPLEVEL_BINDING`.

Since only methods can take a block that `yield` goes to, have ISEQs
that are the child of a non-method ISEQ return falsy for the block given
query. This fixes the issue for the top level script and is an
optimization for non-method contexts such as inside `ISEQ_TYPE_CLASS`.
YJIT: Print more disassembly in release builds 2025-09-10T22:35:06+00:00 Alan Wu XrXr@users.noreply.github.com 2025-09-10T21:02:21+00:00 9cd1ac404e72587952d019df167e7793924699d6 These `#[cfg(feature = "disasm")]` were unnecessary and we can provide the information like ruby source location regardless of the availability of capstone. 
These `#[cfg(feature = "disasm")]` were unnecessary and we can provide
the information like ruby source location regardless of the availability
of capstone.
YJIT: Remove dead code: `asm_comment!` checks `--yjit-dump-disasm` 2025-09-10T22:35:06+00:00 Alan Wu XrXr@users.noreply.github.com 2025-09-10T21:04:11+00:00 c866b9027b7429b402ed272ebaebb6c7831e3cb5