ZJIT: Untag block handler (ruby#15085)

tekknolagi · web-flow · commit 38d31dc49bb3 · 2025-11-06T20:07:02.000Z
Storing the tagged block handler in profiles is not GC-safe (nice catch, Kokubun). Store the untagged block handler instead. Fix bug in ruby#15051
diff --git a/vm_insnhelper.c b/vm_insnhelper.c
@@ -5497,12 +5497,6 @@ vm_invoke_proc_block(rb_execution_context_t *ec, rb_control_frame_t *reg_cfp,
     return vm_invoke_block(ec, reg_cfp, calling, ci, is_lambda, block_handler);
 }
 
-enum rb_block_handler_type
-rb_vm_block_handler_type(VALUE block_handler)
-{
-    return vm_block_handler_type(block_handler);
-}
-
 static inline VALUE
 vm_invoke_block(rb_execution_context_t *ec, rb_control_frame_t *reg_cfp,
                 struct rb_calling_info *calling, const struct rb_callinfo *ci,
@@ -6065,10 +6059,30 @@ vm_define_method(const rb_execution_context_t *ec, VALUE obj, ID id, VALUE iseqv
     }
 }
 
+// Return the untagged block handler:
+// * If it's an ISEQ or an IFUNC, fetch it from its rb_captured_block
+// * If it's a PROC or SYMBOL, return it as is
+static VALUE
+rb_vm_untag_block_handler(VALUE block_handler)
+{
+    switch (vm_block_handler_type(block_handler)) {
+      case block_handler_type_iseq:
+      case block_handler_type_ifunc: {
+        struct rb_captured_block *captured = VM_TAGGED_PTR_REF(block_handler, 0x03);
+        return captured->code.val;
+      }
+      case block_handler_type_proc:
+      case block_handler_type_symbol:
+        return block_handler;
+      default:
+        rb_bug("rb_vm_untag_block_handler: unreachable");
+    }
+}
+
 VALUE
-rb_vm_get_block_handler(rb_control_frame_t *reg_cfp)
+rb_vm_get_untagged_block_handler(rb_control_frame_t *reg_cfp)
 {
-    return VM_CF_BLOCK_HANDLER(reg_cfp);
+    return rb_vm_untag_block_handler(VM_CF_BLOCK_HANDLER(reg_cfp));
 }
 
 static VALUE
diff --git a/zjit.c b/zjit.c
@@ -302,8 +302,7 @@ rb_zjit_class_has_default_allocator(VALUE klass)
 }
 
 
-VALUE rb_vm_get_block_handler(rb_control_frame_t *reg_cfp);
-enum rb_block_handler_type rb_vm_block_handler_type(VALUE block_handler);
+VALUE rb_vm_get_untagged_block_handler(rb_control_frame_t *reg_cfp);
 
 // Primitives used by zjit.rb. Don't put other functions below, which wouldn't use them.
 VALUE rb_zjit_assert_compiles(rb_execution_context_t *ec, VALUE self);
diff --git a/zjit/bindgen/src/main.rs b/zjit/bindgen/src/main.rs
@@ -399,8 +399,7 @@ fn main() {
         .allowlist_function("rb_yarv_str_eql_internal")
         .allowlist_function("rb_str_neq_internal")
         .allowlist_function("rb_yarv_ary_entry_internal")
-        .allowlist_function("rb_vm_get_block_handler")
-        .allowlist_function("rb_vm_block_handler_type")
+        .allowlist_function("rb_vm_get_untagged_block_handler")
         .allowlist_function("rb_FL_TEST")
         .allowlist_function("rb_FL_TEST_RAW")
         .allowlist_function("rb_RB_TYPE_P")
diff --git a/zjit/src/cruby_bindings.inc.rs b/zjit/src/cruby_bindings.inc.rs
diff --git a/zjit/src/hir.rs b/zjit/src/hir.rs
@@ -4421,10 +4421,9 @@ pub fn iseq_to_hir(iseq: *const rb_iseq_t) -> Result<Function, ParseError> {
                             let summary = TypeDistributionSummary::new(&self_type_distribution);
                             if summary.is_monomorphic() {
                                 let obj = summary.bucket(0).class();
-                                let bh_type = unsafe { rb_vm_block_handler_type(obj) };
-                                if bh_type == block_handler_type_iseq {
+                                if unsafe { rb_IMEMO_TYPE_P(obj, imemo_iseq) == 1 } {
                                     fun.push_insn(block, Insn::IncrCounter(Counter::invokeblock_handler_monomorphic_iseq));
-                                } else if bh_type == block_handler_type_ifunc {
+                                } else if unsafe { rb_IMEMO_TYPE_P(obj, imemo_ifunc) == 1 } {
                                     fun.push_insn(block, Insn::IncrCounter(Counter::invokeblock_handler_monomorphic_ifunc));
                                 } else {
                                     fun.push_insn(block, Insn::IncrCounter(Counter::invokeblock_handler_monomorphic_other));
diff --git a/zjit/src/profile.rs b/zjit/src/profile.rs
@@ -45,7 +45,7 @@ impl Profiler {
     }
 
     fn peek_at_block_handler(&self) -> VALUE {
-        unsafe { rb_vm_get_block_handler(self.cfp) }
+        unsafe { rb_vm_get_untagged_block_handler(self.cfp) }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -302,8 +302,7 @@ rb_zjit_class_has_default_allocator(VALUE klass)`
`302`	`302`	`}`
`303`	`303`
`304`	`304`
`305`		`-VALUE rb_vm_get_block_handler(rb_control_frame_t *reg_cfp);`
`306`		`-enum rb_block_handler_type rb_vm_block_handler_type(VALUE block_handler);`
	`305`	`+VALUE rb_vm_get_untagged_block_handler(rb_control_frame_t *reg_cfp);`
`307`	`306`
`308`	`307`	`// Primitives used by zjit.rb. Don't put other functions below, which wouldn't use them.`
`309`	`308`	`VALUE rb_zjit_assert_compiles(rb_execution_context_t *ec, VALUE self);`
Original file line number	Diff line number	Diff line change
`@@ -45,7 +45,7 @@ impl Profiler {`
`45`	`45`	`}`
`46`	`46`
`47`	`47`	`fn peek_at_block_handler(&self) -> VALUE {`
`48`		`- unsafe { rb_vm_get_block_handler(self.cfp) }`
	`48`	`+ unsafe { rb_vm_get_untagged_block_handler(self.cfp) }`
`49`	`49`	`}`
`50`	`50`	`}`
`51`	`51`