merge revision(s) 86d061294d3cc1656e18d0e1fd4b4f290da16944: [Backport #18928]

	[Bug #18928] Fix crash in WeakMap

	In wmap_live_p, if is_pointer_to_heap returns false, then the page is
	either in the tomb or has already been freed, so the object is dead. In
	this case, wmap_live_p should return false.
	---
	 gc.c | 21 +++++++++++----------
	 1 file changed, 11 insertions(+), 10 deletions(-)

1 files changed, 11 insertions, 10 deletions

diff --git a/gc.c b/gc.c
index 7863f9590a..030a4627bd 100644
--- a/gc.c
+++ b/gc.c
@@ -12035,20 +12035,21 @@ static int
 wmap_live_p(rb_objspace_t *objspace, VALUE obj)
 {
     if (SPECIAL_CONST_P(obj)) return TRUE;
-    if (is_pointer_to_heap(objspace, (void *)obj)) {
-        void *poisoned = asan_unpoison_object_temporary(obj);
+    /* If is_pointer_to_heap returns false, the page could be in the tomb heap
+     * or have already been freed. */
+    if (!is_pointer_to_heap(objspace, (void *)obj)) return FALSE;
 
-        enum ruby_value_type t = BUILTIN_TYPE(obj);
-        int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
-                   is_live_object(objspace, obj));
+    void *poisoned = asan_unpoison_object_temporary(obj);
 
-        if (poisoned) {
-            asan_poison_object(obj);
-        }
+    enum ruby_value_type t = BUILTIN_TYPE(obj);
+    int ret = (!(t == T_NONE || t >= T_FIXNUM || t == T_ICLASS) &&
+                is_live_object(objspace, obj));
 
-        return ret;
+    if (poisoned) {
+        asan_poison_object(obj);
     }
-    return TRUE;
+
+    return ret;
 }
 
 static int