ZJIT: Use dedicated ArraySplice HIR instruction for splice safety

Replace bare CCall to rb_jit_ary_aset_by_rb_ary_splice with a dedicated
ArraySplice instruction that carries frame state, following the
HashAset/ArrayPop pattern. Codegen uses gen_prepare_non_leaf_call to
save PC/SP and spill locals before the C call, ensuring correct GC and
exception handling.

Also add tests for IndexError (negative length, out-of-bounds index) and
single-value splice (exercises rb_ary_to_ary allocation path).

Author: nmeans

zjit/src/codegen.rs

@@ -480,6 +480,9 @@ fn gen_insn(cb: &mut CodeBlock, jit: &mut JITState, asm: &mut Assembler, functio
         Insn::ArrayAset { array, index, val } => {
             no_output!(gen_array_aset(asm, opnd!(array), opnd!(index), opnd!(val)))
         }
+        Insn::ArraySplice { array, beg, len, val, state } => {
+            no_output!(gen_array_splice(jit, asm, opnd!(array), opnd!(beg), opnd!(len), opnd!(val), &function.frame_state(*state)))
+        }
         Insn::ArrayPop { array, state } => gen_array_pop(asm, opnd!(array), &function.frame_state(*state)),
         Insn::ArrayLength { array } => gen_array_length(asm, opnd!(array)),
         Insn::ObjectAlloc { val, state } => gen_object_alloc(jit, asm, opnd!(val), &function.frame_state(*state)),
@@ -1712,6 +1715,11 @@ fn gen_array_aset(
     asm.store(Opnd::mem(VALUE_BITS, elem_ptr, 0), val);
 }
 
+fn gen_array_splice(jit: &JITState, asm: &mut Assembler, array: Opnd, beg: Opnd, len: Opnd, val: Opnd, state: &FrameState) {
+    gen_prepare_non_leaf_call(jit, asm, state);
+    asm_ccall!(asm, rb_jit_ary_aset_by_rb_ary_splice, array, beg, len, val);
+}
+
 fn gen_array_pop(asm: &mut Assembler, array: Opnd, state: &FrameState) -> lir::Opnd {
     gen_prepare_leaf_call_with_gc(asm, state);
     asm_ccall!(asm, rb_ary_pop, array)

zjit/src/codegen_tests.rs

@@ -2847,6 +2847,49 @@ fn test_array_splice_aset_array_subclass() {
     assert_snapshot!(inspect("arr = MySpliceArray.new([1,2,3]); test(arr, 0, 2, [4,5]); arr.to_a"), @"[4, 5, 3]");
 }
 
+#[test]
+fn test_array_splice_aset_negative_length() {
+    assert_snapshot!(inspect("
+        def test(arr, idx, len, val)
+            arr[idx, len] = val
+        end
+        arr = [1,2,3]
+        test(arr, 0, 2, [4,5])
+        begin
+            test(arr, 0, -1, [4,5])
+        rescue => e
+            e.class
+        end
+    "), @"IndexError");
+}
+
+#[test]
+fn test_array_splice_aset_index_out_of_bounds() {
+    assert_snapshot!(inspect("
+        def test(arr, idx, len, val)
+            arr[idx, len] = val
+        end
+        arr = [1,2,3]
+        test(arr, 0, 2, [4,5])
+        begin
+            test(arr, -100, 2, [4,5])
+        rescue => e
+            e.class
+        end
+    "), @"IndexError");
+}
+
+#[test]
+fn test_array_splice_aset_single_value() {
+    eval("
+        def test(arr, idx, len, val)
+            arr[idx, len] = val
+        end
+        test([1,2,3], 0, 2, 42)
+    ");
+    assert_snapshot!(inspect("arr = [1,2,3]; test(arr, 0, 2, 42); arr"), @"[42, 3]");
+}
+
 #[test]
 fn test_array_aset_non_fixnum_index() {
     assert_snapshot!(inspect(r#"

zjit/src/cruby_methods.rs

@@ -392,13 +392,8 @@ fn inline_array_aset(fun: &mut hir::Function, block: hir::BlockId, recv: hir::In
 
             let index = fun.push_insn(block, hir::Insn::UnboxFixnum { val: index });
             let len = fun.push_insn(block, hir::Insn::UnboxFixnum { val: len });
-            let _ = fun.push_insn(block, hir::Insn::CCall {
-                cfunc: rb_jit_ary_aset_by_rb_ary_splice as _,
-                recv,
-                args: vec![index, len, val],
-                return_type: types::BasicObject,
-                elidable: false,
-                name: ID!(aset),
+            let _ = fun.push_insn(block, hir::Insn::ArraySplice {
+                array: recv, beg: index, len, val, state,
             });
             return Some(val);
         }

zjit/src/hir.rs

@@ -777,6 +777,8 @@ pub enum Insn {
     ArrayPush { array: InsnId, val: InsnId, state: InsnId },
     ArrayAref { array: InsnId, index: InsnId },
     ArrayAset { array: InsnId, index: InsnId, val: InsnId },
+    /// Splice val into array at [beg, len]. Can allocate and raise IndexError.
+    ArraySplice { array: InsnId, beg: InsnId, len: InsnId, val: InsnId, state: InsnId },
     ArrayPop { array: InsnId, state: InsnId },
     /// Return the length of the array as a C `long` ([`types::CInt64`])
     ArrayLength { array: InsnId },
@@ -1070,7 +1072,7 @@ impl Insn {
             | Insn::SetLocal { .. } | Insn::Throw { .. } | Insn::IncrCounter(_) | Insn::IncrCounterPtr { .. }
             | Insn::CheckInterrupts { .. }
             | Insn::StoreField { .. } | Insn::WriteBarrier { .. } | Insn::HashAset { .. }
-            | Insn::ArrayAset { .. } => false,
+            | Insn::ArrayAset { .. } | Insn::ArraySplice { .. } => false,
             _ => true,
         }
     }
@@ -1137,6 +1139,7 @@ impl Insn {
             Insn::ArrayPush { .. } => effects::Any,
             Insn::ArrayAref { ..  } => effects::Any,
             Insn::ArrayAset { .. } => effects::Any,
+            Insn::ArraySplice { .. } => effects::Any,
             Insn::ArrayPop { ..  } => effects::Any,
             Insn::ArrayLength { .. } => Effect::write(abstract_heaps::Empty),
             Insn::HashAref { .. } => effects::Any,
@@ -1347,6 +1350,9 @@ impl<'a> std::fmt::Display for InsnPrinter<'a> {
             Insn::ArrayAset { array, index, val, ..} => {
                 write!(f, "ArrayAset {array}, {index}, {val}")
             }
+            Insn::ArraySplice { array, beg, len, val, .. } => {
+                write!(f, "ArraySplice {array}, {beg}, {len}, {val}")
+            }
             Insn::ArrayPop { array, .. } => {
                 write!(f, "ArrayPop {array}")
             }
@@ -2386,6 +2392,7 @@ impl Function {
             &NewRangeFixnum { low, high, flag, state } => NewRangeFixnum { low: find!(low), high: find!(high), flag, state: find!(state) },
             &ArrayAref { array, index } => ArrayAref { array: find!(array), index: find!(index) },
             &ArrayAset { array, index, val } => ArrayAset { array: find!(array), index: find!(index), val: find!(val) },
+            &ArraySplice { array, beg, len, val, state } => ArraySplice { array: find!(array), beg: find!(beg), len: find!(len), val: find!(val), state },
             &ArrayPop { array, state } => ArrayPop { array: find!(array), state: find!(state) },
             &ArrayLength { array } => ArrayLength { array: find!(array) },
             &ArrayMax { ref elements, state } => ArrayMax { elements: find_vec!(elements), state: find!(state) },
@@ -2460,7 +2467,8 @@ impl Function {
             | Insn::ArrayPush { .. } | Insn::SideExit { .. } | Insn::SetLocal { .. }
             | Insn::IncrCounter(_) | Insn::IncrCounterPtr { .. }
             | Insn::CheckInterrupts { .. }
-            | Insn::StoreField { .. } | Insn::WriteBarrier { .. } | Insn::HashAset { .. } | Insn::ArrayAset { .. } =>
+            | Insn::StoreField { .. } | Insn::WriteBarrier { .. } | Insn::HashAset { .. } | Insn::ArrayAset { .. }
+            | Insn::ArraySplice { .. } =>
                 panic!("Cannot infer type of instruction with no output: {}. See Insn::has_output().", self.insns[insn.0]),
             Insn::Const { val: Const::Value(val) } => Type::from_value(*val),
             Insn::Const { val: Const::CBool(val) } => Type::from_cbool(*val),
@@ -4802,6 +4810,13 @@ impl Function {
                 worklist.push_back(index);
                 worklist.push_back(val);
             }
+            &Insn::ArraySplice { array, beg, len, val, state } => {
+                worklist.push_back(array);
+                worklist.push_back(beg);
+                worklist.push_back(len);
+                worklist.push_back(val);
+                worklist.push_back(state);
+            }
             &Insn::ArrayPop { array, state } => {
                 worklist.push_back(array);
                 worklist.push_back(state);
@@ -5619,6 +5634,12 @@ impl Function {
                 self.assert_subtype(insn_id, array, types::ArrayExact)?;
                 self.assert_subtype(insn_id, index, types::CInt64)
             }
+            Insn::ArraySplice { array, beg, len, val, .. } => {
+                self.assert_subtype(insn_id, array, types::ArrayExact)?;
+                self.assert_subtype(insn_id, beg, types::CInt64)?;
+                self.assert_subtype(insn_id, len, types::CInt64)?;
+                self.assert_subtype(insn_id, val, types::BasicObject)
+            }
             // Instructions with Hash operands
             Insn::HashAref { hash, .. }
             | Insn::HashAset { hash, .. } => self.assert_subtype(insn_id, hash, types::HashExact),

zjit/src/hir/opt_tests.rs

@@ -8421,7 +8421,7 @@ mod hir_opt_tests {
           v45:CUInt64 = GuardNoBitsSet v44, RUBY_ELTS_SHARED=CUInt64(4096)
           v46:CInt64 = UnboxFixnum v40
           v47:CInt64 = UnboxFixnum v41
-          v48:BasicObject = CCall v39, :[]=@0x1040, v46, v47, v18
+          ArraySplice v39, v46, v47, v18
           IncrCounter inline_cfunc_optimized_send_count
           CheckInterrupts
           Return v18