Fix write barriers in rb_hash_add_new_element

jhawthorn · luke-gruber · jhawthorn · commit fcf2c3b4d113 · 2025-06-24T13:08:35.000-07:00
The write barriers must be run after the st_update callback returns,
as the objects are not on the object until then and there may be
allocation when there is a new object inserted.

This is hard to reproduce, and I haven't seen an actual crash due to it,
but it is detected by wbcheck

    RUBY_GC_LIBRARY=wbcheck WBCHECK_VERIFY_AFTER_WB=1 ./miniruby -e '("a".."zz").uniq.to_a'
    WBCHECK ERROR: Missed write barrier detected!
      Parent object: 0x720db01f99c0 (wb_protected: true)
        rb_obj_info_dump: 0x0000720db01f99c0 T_HASH/[S] 18
      Reference counts - snapshot: 32, writebarrier: 2, current: 36, missed: 2
      Missing reference to: 0x716db02e3450
        rb_obj_info_dump: 0x0000716db02e3450 T_STRING/String  len: 1, capa: 15 "q"
      Missing reference to: 0x716db02e3450
        rb_obj_info_dump: 0x0000716db02e3450 T_STRING/String  len: 1, capa: 15 "q"

A part of why this is hard to reproduce and it's unlikely to crash is
that the insertion only rarely allocates.

Co-authored-by: Luke Gruber &lt;luke.gruber@shopify.com&gt;
diff --git a/hash.c b/hash.c
@@ -5073,10 +5073,8 @@ rb_hash_deconstruct_keys(VALUE hash, VALUE keys)
 static int
 add_new_i(st_data_t *key, st_data_t *val, st_data_t arg, int existing)
 {
-    VALUE *args = (VALUE *)arg;
     if (existing) return ST_STOP;
-    RB_OBJ_WRITTEN(args[0], Qundef, (VALUE)*key);
-    RB_OBJ_WRITE(args[0], (VALUE *)val, args[1]);
+    *val = arg;
     return ST_CONTINUE;
 }
 
@@ -5088,22 +5086,25 @@ int
 rb_hash_add_new_element(VALUE hash, VALUE key, VALUE val)
 {
     st_table *tbl;
-    int ret = 0;
-    VALUE args[2];
-    args[0] = hash;
-    args[1] = val;
+    int ret = -1;
 
     if (RHASH_AR_TABLE_P(hash)) {
-        ret = ar_update(hash, (st_data_t)key, add_new_i, (st_data_t)args);
-        if (ret != -1) {
-            return ret;
+        ret = ar_update(hash, (st_data_t)key, add_new_i, (st_data_t)val);
+        if (ret == -1) {
+            ar_force_convert_table(hash, __FILE__, __LINE__);
         }
-        ar_force_convert_table(hash, __FILE__, __LINE__);
     }
 
-    tbl = RHASH_TBL_RAW(hash);
-    return st_update(tbl, (st_data_t)key, add_new_i, (st_data_t)args);
-
+    if (ret == -1) {
+        tbl = RHASH_TBL_RAW(hash);
+        ret = st_update(tbl, (st_data_t)key, add_new_i, (st_data_t)val);
+    }
+    if (!ret) {
+        // Newly inserted
+        RB_OBJ_WRITTEN(hash, Qundef, key);
+        RB_OBJ_WRITTEN(hash, Qundef, val);
+    }
+    return ret;
 }
 
 static st_data_t
