Ensure Generator::State is kept on the stack

byroot · byroot · commit 37f8a2ede038 · 2026-02-02T22:15:17.000+01:00
Fix: #929 I don't know how it's possible, but somehow the `self` reference is optimized out of the stack. Perhaps because we inline so aggressively that the compiler end up spilling it on the heap. Repro: ```ruby require 'json' test_data = { "flag" => true, "data" => 10000.times.map { [1.0] }, :flag => false, } 10.times do test_data.to_json end ``` But in practice the cause was just that the issued warning calls Hash#inspect on a big hash, which triggers GC. So it can be triggered even more reliably with: ```ruby require 'json' module JSON module Common def self.on_mixed_keys_hash(...) GC.start end end end test_data = { "flag" => true, "data" => 10000.times.map { [1.0] }, :flag => false, } test_data.to_json ```
diff --git a/CHANGES.md b/CHANGES.md
@@ -2,6 +2,9 @@
 
 ### Unreleased
 
+* Fix a potential crash in very specific circumstance if GC triggers during a call to `to_json`
+  without first invoking a user defined `#to_json` method.
+
 ### 2025-12-11 (2.18.0)
 
 * Add `:allow_control_characters` parser options, to allow JSON strings containing unescaped ASCII control characters (e.g. newlines).
diff --git a/ext/json/ext/generator/generator.c b/ext/json/ext/generator/generator.c
@@ -1540,7 +1540,9 @@ static VALUE cState_partial_generate(VALUE self, VALUE obj, generator_func func,
         .obj = obj,
         .func = func
     };
-    return rb_ensure(generate_json_try, (VALUE)&data, generate_json_ensure, (VALUE)&data);
+    VALUE result = rb_ensure(generate_json_try, (VALUE)&data, generate_json_ensure, (VALUE)&data);
+    RB_GC_GUARD(self);
+    return result;
 }
 
 /* call-seq:
