From 4c9f3ce7b1a35ac891550ccd7b3de1be7475f2d4 Mon Sep 17 00:00:00 2001
From: ko1
Date: Sun, 23 Dec 2018 14:58:41 +0000
Subject: fix marking T_NONE object bug.

* array.c (rb_ary_splice): do not use RARRAY_PTR() here because it can cause GC because of rb_ary_detransient(). Here ary can contain T_NONE object because of increasing capacity and not initialized yet. error log: http://ci.rvm.jp/results/trunk-test@ruby-sky1/1557174
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@66513 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 array.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/array.c b/array.c
index 990bc076b1..5fef843455 100644
--- a/array.c
+++ b/array.c
@@ -1868,7 +1868,13 @@ rb_ary_splice(VALUE ary, long beg, long len, const VALUE *rptr, long rlen)
 if (rlen > 0) {
 if (rofs != -1) rptr = RARRAY_CONST_PTR_TRANSIENT(ary) + rofs;
 /* give up wb-protected ary */
- MEMMOVE(RARRAY_PTR(ary) + beg, rptr, VALUE, rlen);
+ RB_OBJ_WB_UNPROTECT_FOR(ARRAY, ary);
+
+ /* do not use RARRAY_PTR() because it can causes GC.
+ * ary can contain T_NONE object because it is not cleared.
+ */
+ RARRAY_PTR_USE_TRANSIENT(ary, ptr,
+ MEMMOVE(ptr + beg, rptr, VALUE, rlen));
 }
 }
 }
-- 
cgit v1.2.3
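Review bot: The new comment above `RARRAY_PTR_USE_TRANSIENT` gives the rule but not the invariant it protects, so a later edit could reintroduce a GC point between the capacity growth and this copy without anyone noticing. I would reword it along the lines of `/* No allocation may happen before this copy: RARRAY_PTR() can detransient ary and trigger GC while the slots being filled are still uninitialized (T_NONE) and could be marked. */`, which also fixes the "can causes" slip. The change narrows the window rather than closing it: per the commit message the uninitialized slots come from growing the capacity earlier in rb_ary_splice, outside this hunk, and clearing the grown region at that point would make a GC here harmless if the cost is acceptable. rb_ary_splice starts above the hunk, so the growth path is not visible for confirmation.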