ZJIT: Add NoEPEscape guard after send-with-block

After reload_modified_locals, locals not written by the block retain
stale FrameState values. If eval ran inside the block, these stale
values would be spilled to the frame by gen_spill_locals on the next
non-leaf call, overwriting the correct values set by eval.

Add a NoEPEscape PatchPoint immediately after reload_modified_locals.
If the EP escaped during the block (e.g. via eval), this side-exits
before any stale locals can be spilled. The snapshot uses the
post-send state without locals so the interpreter reads them from
the frame, which has the correct values at that point.

Author: tekknolagi

zjit/src/hir.rs

@@ -6307,20 +6307,41 @@ fn locals_written_in_block(parent_iseq: IseqPtr, blockiseq: IseqPtr, target_dept
   }
 }
 
-/// Reload locals that may have been modified by the blockiseq.
-fn reload_modified_locals(fun: &mut Function, block: BlockId, state: &mut FrameState, iseq: IseqPtr, blockiseq: IseqPtr) {
+/// Reload locals that may have been modified by the blockiseq, and if any were
+/// reloaded, guard against EP escape (e.g. eval writing to locals we can't
+/// detect by scanning bytecode).
+///
+/// `pc` must point to the send instruction and `opcode` must be its decoded opcode.
+/// We build a side-exit snapshot pointing to the *next* instruction so the interpreter
+/// doesn't re-execute the send. We compute next_pc with pointer arithmetic
+/// (`pc + insn_len`) rather than `rb_iseq_pc_at_idx` to avoid a bounds-check assertion.
+fn reload_modified_locals(fun: &mut Function, block: BlockId, state: &mut FrameState, iseq: IseqPtr, blockiseq: IseqPtr, pc: *const VALUE, opcode: u32, insn_idx: u32) {
     // TODO: Avoid reloading locals that are not referenced by the blockiseq
     // or not used after this. Max thinks we could eventually DCE them.
     let mut locals = BitSet::with_capacity(state.locals.len());
     locals_written_in_block(iseq, blockiseq, 1, &mut locals);
+    let mut reloaded = false;
     for local_idx in 0..state.locals.len() {
         if locals.get(local_idx) {
             let ep_offset = local_idx_to_ep_offset(iseq, local_idx) as u32;
             // TODO: We could use `use_sp: true` with PatchPoint
             let val = fun.push_insn(block, Insn::GetLocal { ep_offset, level: 0, use_sp: false, rest_param: false });
             state.setlocal(ep_offset, val);
+            reloaded = true;
         }
     }
+
+    // Only add a NoEPEscape guard when we actually reloaded locals. If we didn't
+    // reload any, the subsequent getlocal PatchPoints (from local_inval) handle it.
+    // The snapshot omits locals so the interpreter reads them from the frame.
+    if reloaded {
+        let len = insn_len(opcode as usize) as usize;
+        let mut pp_state = state.clone();
+        pp_state.pc = unsafe { pc.add(len) };
+        pp_state.insn_idx = insn_idx as usize + len;
+        let pp_exit_id = fun.push_insn(block, Insn::Snapshot { state: pp_state.without_locals() });
+        fun.push_insn(block, Insn::PatchPoint { invariant: Invariant::NoEPEscape(iseq), state: pp_exit_id });
+    }
 }
 
 /// Compile ISEQ into High-level IR
@@ -7281,7 +7302,7 @@ pub fn iseq_to_hir(iseq: *const rb_iseq_t) -> Result<Function, ParseError> {
                     state.stack_push(send);
 
                     if !blockiseq.is_null() {
-                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq);
+                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq, pc, opcode, insn_idx);
                     }
                 }
                 YARVINSN_sendforward => {
@@ -7303,7 +7324,7 @@ pub fn iseq_to_hir(iseq: *const rb_iseq_t) -> Result<Function, ParseError> {
                     state.stack_push(send_forward);
 
                     if !blockiseq.is_null() {
-                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq);
+                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq, pc, opcode, insn_idx);
                     }
                 }
                 YARVINSN_invokesuper => {
@@ -7324,7 +7345,7 @@ pub fn iseq_to_hir(iseq: *const rb_iseq_t) -> Result<Function, ParseError> {
                     state.stack_push(result);
 
                     if !blockiseq.is_null() {
-                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq);
+                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq, pc, opcode, insn_idx);
                     }
                 }
                 YARVINSN_invokesuperforward => {
@@ -7345,7 +7366,7 @@ pub fn iseq_to_hir(iseq: *const rb_iseq_t) -> Result<Function, ParseError> {
                     state.stack_push(result);
 
                     if !blockiseq.is_null() {
-                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq);
+                        reload_modified_locals(&mut fun, block, &mut state, iseq, blockiseq, pc, opcode, insn_idx);
                     }
                 }
                 YARVINSN_invokeblock => {

zjit/src/hir/opt_tests.rs

@@ -2997,16 +2997,17 @@ mod hir_opt_tests {
           v20:Fixnum[2] = Const Value(2)
           PatchPoint NoSingletonClass(Object@0x1000)
           PatchPoint MethodRedefined(Object@0x1000, tap@0x1008, cme:0x1010)
-          v42:HeapObject[class_exact*:Object@VALUE(0x1000)] = GuardType v10, HeapObject[class_exact*:Object@VALUE(0x1000)]
-          v43:BasicObject = SendDirect v42, 0x1038, :tap (0x1048)
+          v44:HeapObject[class_exact*:Object@VALUE(0x1000)] = GuardType v10, HeapObject[class_exact*:Object@VALUE(0x1000)]
+          v45:BasicObject = SendDirect v44, 0x1038, :tap (0x1048)
           v26:BasicObject = GetLocal :b, l0, EP@3
           PatchPoint NoEPEscape(test)
+          PatchPoint NoEPEscape(test)
           PatchPoint MethodRedefined(Integer@0x1050, +@0x1058, cme:0x1060)
-          v46:Fixnum = GuardType v26, Fixnum
-          v47:Fixnum = FixnumAdd v16, v46
+          v48:Fixnum = GuardType v26, Fixnum
+          v49:Fixnum = FixnumAdd v16, v48
           IncrCounter inline_cfunc_optimized_send_count
           CheckInterrupts
-          Return v47
+          Return v49
         ");
     }
 

zjit/src/hir/tests.rs

@@ -4216,9 +4216,10 @@ pub mod hir_build_tests {
           v25:BasicObject = Send v10, 0x1000, :tap # SendFallbackReason: Uncategorized(send)
           v26:BasicObject = GetLocal :b, l0, EP@3
           PatchPoint NoEPEscape(test)
-          v35:BasicObject = SendWithoutBlock v16, :+, v26 # SendFallbackReason: Uncategorized(opt_plus)
+          PatchPoint NoEPEscape(test)
+          v37:BasicObject = SendWithoutBlock v16, :+, v26 # SendFallbackReason: Uncategorized(opt_plus)
           CheckInterrupts
-          Return v35
+          Return v37
         ");
     }
 
@@ -4252,9 +4253,10 @@ pub mod hir_build_tests {
           v25:BasicObject = Send v10, 0x1000, :tap # SendFallbackReason: Uncategorized(send)
           v26:BasicObject = GetLocal :b, l0, EP@3
           PatchPoint NoEPEscape(test)
-          v35:BasicObject = SendWithoutBlock v16, :+, v26 # SendFallbackReason: Uncategorized(opt_plus)
+          PatchPoint NoEPEscape(test)
+          v37:BasicObject = SendWithoutBlock v16, :+, v26 # SendFallbackReason: Uncategorized(opt_plus)
           CheckInterrupts
-          Return v35
+          Return v37
         ");
     }
 
@@ -4294,9 +4296,10 @@ pub mod hir_build_tests {
           v25:BasicObject = Send v10, 0x1000, :tap # SendFallbackReason: Uncategorized(send)
           v26:BasicObject = GetLocal :b, l0, EP@3
           PatchPoint NoEPEscape(test)
-          v35:BasicObject = SendWithoutBlock v16, :+, v26 # SendFallbackReason: Uncategorized(opt_plus)
+          PatchPoint NoEPEscape(test)
+          v37:BasicObject = SendWithoutBlock v16, :+, v26 # SendFallbackReason: Uncategorized(opt_plus)
           CheckInterrupts
-          Return v35
+          Return v37
         ");
     }
 
@@ -4366,18 +4369,19 @@ pub mod hir_build_tests {
         bb2(v8:BasicObject, v9:BasicObject):
           v14:BasicObject = Send v8, 0x1000, :tap # SendFallbackReason: Uncategorized(send)
           v15:BasicObject = GetLocal :block, l0, EP@3
-          v19:CBool = IsBlockParamModified l0
-          IfTrue v19, bb3(v8, v15)
+          PatchPoint NoEPEscape(test)
+          v21:CBool = IsBlockParamModified l0
+          IfTrue v21, bb3(v8, v15)
           Jump bb4(v8, v15)
-        bb3(v20:BasicObject, v21:BasicObject):
-          v28:BasicObject = GetLocal :block, l0, EP@3
-          Jump bb5(v20, v28, v28)
-        bb4(v23:BasicObject, v24:BasicObject):
-          v30:BasicObject = GetBlockParam :block, l0, EP@3
-          Jump bb5(v23, v30, v30)
-        bb5(v32:BasicObject, v33:BasicObject, v34:BasicObject):
-          CheckInterrupts
-          Return v34
+        bb3(v22:BasicObject, v23:BasicObject):
+          v30:BasicObject = GetLocal :block, l0, EP@3
+          Jump bb5(v22, v30, v30)
+        bb4(v25:BasicObject, v26:BasicObject):
+          v32:BasicObject = GetBlockParam :block, l0, EP@3
+          Jump bb5(v25, v32, v32)
+        bb5(v34:BasicObject, v35:BasicObject, v36:BasicObject):
+          CheckInterrupts
+          Return v36
         ");
     }
  }