From cbecf9c7ba71ef0e844c72c97f85ce4fffb46aa6 Mon Sep 17 00:00:00 2001 From: Alan Wu Date: Thu, 29 Jul 2021 12:04:36 -0400 Subject: [PATCH] Fix use-after-free on -DUSE_EMBED_CI=0 On -DUSE_EMBED_CI=0, there are more GC allocations and the old code didn't keep old_operands[0] reachable while allocating. On a Debian based system, I get a crash requiring erb under GC stress mode. On macOS, tool/transcode-tblgen.rb runs incorrectly if I put GC.stress=true as the first line. --- compile.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/compile.c b/compile.c
index 38a96f165e..6695a0293b 100644
--- a/compile.c
+++ b/compile.c
@@ -3443,11 +3443,11 @@ insn_set_specialized_instruction(rb_iseq_t *iseq, INSN *iobj, int insn_id)
 iobj->operand_size = insn_len(insn_id) - 1;
 if (insn_id == BIN(opt_neq)) {
- VALUE *old_operands = iobj->operands;
+ VALUE original_ci = iobj->operands[0];
 iobj->operand_size = 2;
 iobj->operands = compile_data_calloc2(iseq, iobj->operand_size, sizeof(VALUE));
 iobj->operands[0] = (VALUE)new_callinfo(iseq, idEq, 1, 0, NULL, FALSE);
- iobj->operands[1] = old_operands[0];
+ iobj->operands[1] = original_ci;
 }
 return COMPILE_OK;
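Review bot: The load `VALUE original_ci = iobj->operands[0];` is the whole fix, but nothing in the code says that its position matters, so a later tidy-up could move the read back below `compile_data_calloc2()` and silently reintroduce the use-after-free the commit message describes. A comment on that line would pin the ordering: `/* Must be read before compile_data_calloc2()/new_callinfo() below: they can allocate and trigger GC, and the old operands array does not keep this CI reachable (see commit cbecf9c7). */`. Presumably the local stays alive across the two allocating calls because it is read again afterwards; if the project's convention for a VALUE held across allocations is `RB_GC_GUARD`, adding `RB_GC_GUARD(original_ci);` after the final store would make that explicit rather than implied — worth confirming against the codebase. The enclosing insn_set_specialized_instruction begins before the hunk and its closing brace is after it.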