Fix segfault when moving nested objects between ractors during GC

joshuay03 · nobu · commit 52ea222027c7 · 2025-10-27T07:59:43.000+09:00
Fixes a segmentation fault when moving nested objects between ractors with GC stress enabled and YJIT.

The issue is a timing problem: `move_enter` allocates new object shells but leaves their contents uninitialized until `move_leave` copies the actual data. If GC runs between these steps (which GC stress makes likely), it tries to follow what appear to be object pointers but are actually uninitialized memory, encountering null or invalid addresses.

The fix zero-initializes the object contents immediately after allocation in `move_enter`, ensuring the GC finds safe null pointers instead of garbage data.

The crash reproduced most consistently with nested hashes and YJIT, likely because nested structures create multiple uninitialized objects simultaneously while YJIT's memory usage increases the probability of GC triggering during moves.
diff --git a/ractor.c b/ractor.c
@@ -1940,8 +1940,10 @@ move_enter(VALUE obj, struct obj_traverse_replace_data *data)
     }
     else {
         VALUE type = RB_BUILTIN_TYPE(obj);
+        size_t slot_size = rb_gc_obj_slot_size(obj);
         type |= wb_protected_types[type] ? FL_WB_PROTECTED : 0;
-        NEWOBJ_OF(moved, struct RBasic, 0, type, rb_gc_obj_slot_size(obj), 0);
+        NEWOBJ_OF(moved, struct RBasic, 0, type, slot_size, 0);
+        MEMZERO(&moved[1], char, slot_size - sizeof(*moved));
         data->replacement = (VALUE)moved;
         return traverse_cont;
     }
diff --git a/test/ruby/test_ractor.rb b/test/ruby/test_ractor.rb
@@ -99,6 +99,19 @@ def initialize(*)
     RUBY
   end
 
+  def test_move_nested_hash_during_gc_with_yjit
+    original_gc_stress = GC.stress
+    assert_ractor(<<~'RUBY', args: [{ "RUBY_YJIT_ENABLE" => "1" }])
+      GC.stress = true
+      hash = { foo: { bar: "hello" }, baz: { qux: "there" } }
+      result = Ractor.new { Ractor.receive }.send(hash, move: true).value
+      assert_equal "hello", result[:foo][:bar]
+      assert_equal "there", result[:baz][:qux]
+    RUBY
+  ensure
+    GC.stress = original_gc_stress
+  end
+
   def test_fork_raise_isolation_error
     assert_ractor(<<~'RUBY')
       ractor = Ractor.new do

Original file line number	Diff line number	Diff line change
`@@ -1940,8 +1940,10 @@ move_enter(VALUE obj, struct obj_traverse_replace_data *data)`
`1940`	`1940`	`}`
`1941`	`1941`	`else {`
`1942`	`1942`	`VALUE type = RB_BUILTIN_TYPE(obj);`
	`1943`	`+ size_t slot_size = rb_gc_obj_slot_size(obj);`
`1943`	`1944`	`type \|= wb_protected_types[type] ? FL_WB_PROTECTED : 0;`
`1944`		`- NEWOBJ_OF(moved, struct RBasic, 0, type, rb_gc_obj_slot_size(obj), 0);`
	`1945`	`+ NEWOBJ_OF(moved, struct RBasic, 0, type, slot_size, 0);`
	`1946`	`+ MEMZERO(&moved[1], char, slot_size - sizeof(*moved));`
`1945`	`1947`	`data->replacement = (VALUE)moved;`
`1946`	`1948`	`return traverse_cont;`
`1947`	`1949`	`}`