From ff428b4dd0c5f0a07abbd8f8520d8d1e4bff8d66 Mon Sep 17 00:00:00 2001
From: Alan Wu <XrXr@users.noreply.github.com>
Date: Fri, 25 Jul 2025 22:09:51 -0400
Subject: [PATCH 1/9] ZJIT: Keep a frame pointer and use it for memory params

Previously, ZJIT miscompiled the following because of native SP
interference.

    def a(n1,n2,n3,n4,n5,n6,n7,n8) = [n8]
    a(0,0,0,0,0,0,0, :ok)

Commented problematic disassembly:

    ; call rb_ary_new_capa
    mov x0, #1
    mov x16, #0x1278
    movk x16, #0x4bc, lsl #16
    movk x16, #1, lsl #32
    blr x16
    ; call rb_ary_push
    mov x1, x0
    str x1, [sp, #-0x10]! ; c_push() from alloc_regs()
    mov x0, x1            ; arg0, the array
    ldur x1, [sp]         ; meant to be arg1=n8, but sp just moved!
    mov x16, #0x3968
    movk x16, #0x4bc, lsl #16
    movk x16, #1, lsl #32
    blr x16

Since the frame pointer stays constant in the body of the function,
static offsets based on it don't run the risk of being invalidated by SP
movements.

Pass the registers to preserve through Insn::FrameSetup. This allows ARM
to use STP and waste no gaps between EC, SP, and CFP.

x86 now preserves and restores RBP since we use it as the frame pointer.
Since all arches now have a frame pointer, remove offset based SP
movement in the epilogue and restore registers using the frame pointer.
---
 test/ruby/test_zjit.rb         |   7 ++
 zjit/src/asm/arm64/opnd.rs     |   3 +
 zjit/src/backend/arm64/mod.rs  | 117 ++++++++++++++++++++++++++++++---
 zjit/src/backend/lir.rs        |  41 ++++++------
 zjit/src/backend/x86_64/mod.rs |  76 ++++++++++++++++-----
 zjit/src/codegen.rs            |  87 +++++++-----------------
 6 files changed, 220 insertions(+), 111 deletions(-)

diff --git a/test/ruby/test_zjit.rb b/test/ruby/test_zjit.rb
index 0dcdb8e4cb8275..fc085d2e93c9a4 100644
--- a/test/ruby/test_zjit.rb
+++ b/test/ruby/test_zjit.rb
@@ -819,6 +819,13 @@ def a(n1,n2,n3,n4,n5,n6,n7,n8) = self
     }
   end
 
+  def test_spilled_param_new_arary
+    assert_compiles '[:ok]', %q{
+      def a(n1,n2,n3,n4,n5,n6,n7,n8) = [n8]
+      a(0,0,0,0,0,0,0, :ok)
+    }
+  end
+
   def test_opt_aref_with
     assert_compiles ':ok', %q{
       def aref_with(hash) = hash["key"]
diff --git a/zjit/src/asm/arm64/opnd.rs b/zjit/src/asm/arm64/opnd.rs
index 28422b747652d8..a77958f7e6eeec 100644
--- a/zjit/src/asm/arm64/opnd.rs
+++ b/zjit/src/asm/arm64/opnd.rs
@@ -119,6 +119,9 @@ pub const X20_REG: A64Reg = A64Reg { num_bits: 64, reg_no: 20 };
 pub const X21_REG: A64Reg = A64Reg { num_bits: 64, reg_no: 21 };
 pub const X22_REG: A64Reg = A64Reg { num_bits: 64, reg_no: 22 };
 
+// frame pointer (base pointer)
+pub const X29_REG: A64Reg = A64Reg { num_bits: 64, reg_no: 29 };
+
 // link register
 pub const X30_REG: A64Reg = A64Reg { num_bits: 64, reg_no: 30 };
 
diff --git a/zjit/src/backend/arm64/mod.rs b/zjit/src/backend/arm64/mod.rs
index 88ccad8e091ed1..42dc31c90fd5cc 100644
--- a/zjit/src/backend/arm64/mod.rs
+++ b/zjit/src/backend/arm64/mod.rs
@@ -29,6 +29,7 @@ pub const C_ARG_OPNDS: [Opnd; 6] = [
 pub const C_RET_REG: Reg = X0_REG;
 pub const C_RET_OPND: Opnd = Opnd::Reg(X0_REG);
 pub const NATIVE_STACK_PTR: Opnd = Opnd::Reg(XZR_REG);
+pub const NATIVE_BASE_PTR: Opnd = Opnd::Reg(X29_REG);
 
 // These constants define the way we work with Arm64's stack pointer. The stack
 // pointer always needs to be aligned to a 16-byte boundary.
@@ -911,18 +912,54 @@ impl Assembler
                         cb.write_byte(0);
                     }
                 },
-                Insn::FrameSetup => {
+                &Insn::FrameSetup { preserved, mut slot_count } => {
+                    const { assert!(SIZEOF_VALUE == 8, "alignment logic relies on SIZEOF_VALUE == 8"); }
+                    // Preserve X29 and set up frame record
                     stp_pre(cb, X29, X30, A64Opnd::new_mem(128, C_SP_REG, -16));
-
-                    // X29 (frame_pointer) = SP
                     mov(cb, X29, C_SP_REG);
-                },
-                Insn::FrameTeardown => {
+
+                    for regs in preserved.chunks(2) {
+                        // For the body, store pairs and move SP
+                        if let [reg0, reg1] = regs {
+                            stp_pre(cb, reg1.into(), reg0.into(), A64Opnd::new_mem(128, C_SP_REG, -16));
+                        } else if let [reg] = regs {
+                            // For overhang, store but don't move SP. Combine movement with
+                            // movement for slots below.
+                            stur(cb, reg.into(), A64Opnd::new_mem(64, C_SP_REG, -8));
+                            slot_count += 1;
+                        } else {
+                            unreachable!("chunks(2)");
+                        }
+                    }
+                    // Align slot_count
+                    if slot_count % 2 == 1 {
+                        slot_count += 1
+                    }
+                    if slot_count > 0 {
+                        let slot_offset = (slot_count * SIZEOF_VALUE) as u64;
+                        // Bail when asked to reserve too many slots in one instruction.
+                        ShiftedImmediate::try_from(slot_offset).ok()?;
+                        sub(cb, C_SP_REG, C_SP_REG, A64Opnd::new_uimm(slot_offset));
+                    }
+                }
+                Insn::FrameTeardown { preserved } => {
+                    // Restore preserved registers below frame pointer.
+                    let mut base_offset = 0;
+                    for regs in preserved.chunks(2) {
+                        if let [reg0, reg1] = regs {
+                            base_offset -= 16;
+                            ldp(cb, reg1.into(), reg0.into(), A64Opnd::new_mem(128, X29, base_offset));
+                        } else if let [reg] = regs {
+                            ldur(cb, reg.into(), A64Opnd::new_mem(64, X29, base_offset - 8));
+                        } else {
+                            unreachable!("chunks(2)");
+                        }
+                    }
+
                     // SP = X29 (frame pointer)
                     mov(cb, C_SP_REG, X29);
-
                     ldp_post(cb, X29, X30, A64Opnd::new_mem(128, C_SP_REG, 16));
-                },
+                }
                 Insn::Add { left, right, out } => {
                     // Usually, we issue ADDS, so you could branch on overflow, but ADDS with
                     // out=31 refers to out=XZR, which discards the sum. So, instead of ADDS
@@ -1482,11 +1519,73 @@ mod tests {
     fn test_emit_frame() {
         let (mut asm, mut cb) = setup_asm();
 
-        asm.frame_setup();
-        asm.frame_teardown();
+        asm.frame_setup(&[], 0);
+        asm.frame_teardown(&[]);
         asm.compile_with_num_regs(&mut cb, 0);
     }
 
+    #[test]
+    fn frame_setup_and_teardown() {
+        const THREE_REGS: &'static [Opnd] = &[Opnd::Reg(X19_REG), Opnd::Reg(X20_REG), Opnd::Reg(X21_REG)];
+        // Test 3 preserved regs (odd), odd slot_count
+        {
+            let (mut asm, mut cb) = setup_asm();
+            asm.frame_setup(THREE_REGS, 3);
+            asm.frame_teardown(THREE_REGS);
+            asm.compile_with_num_regs(&mut cb, 0);
+            assert_disasm!(cb, "fd7bbfa9fd030091f44fbfa9f5831ff8ff8300d1b44f7fa9b5835ef8bf030091fd7bc1a8", "
+                0x0: stp x29, x30, [sp, #-0x10]!
+                0x4: mov x29, sp
+                0x8: stp x20, x19, [sp, #-0x10]!
+                0xc: stur x21, [sp, #-8]
+                0x10: sub sp, sp, #0x20
+                0x14: ldp x20, x19, [x29, #-0x10]
+                0x18: ldur x21, [x29, #-0x18]
+                0x1c: mov sp, x29
+                0x20: ldp x29, x30, [sp], #0x10
+            ");
+        }
+
+        // Test 3 preserved regs (odd), even slot_count
+        {
+            let (mut asm, mut cb) = setup_asm();
+            asm.frame_setup(THREE_REGS, 4);
+            asm.frame_teardown(THREE_REGS);
+            asm.compile_with_num_regs(&mut cb, 0);
+            assert_disasm!(cb, "fd7bbfa9fd030091f44fbfa9f5831ff8ffc300d1b44f7fa9b5835ef8bf030091fd7bc1a8", "
+                0x0: stp x29, x30, [sp, #-0x10]!
+                0x4: mov x29, sp
+                0x8: stp x20, x19, [sp, #-0x10]!
+                0xc: stur x21, [sp, #-8]
+                0x10: sub sp, sp, #0x30
+                0x14: ldp x20, x19, [x29, #-0x10]
+                0x18: ldur x21, [x29, #-0x18]
+                0x1c: mov sp, x29
+                0x20: ldp x29, x30, [sp], #0x10
+            ");
+        }
+
+        // Test 4 preserved regs (even), odd slot_count
+        {
+            static FOUR_REGS: &'static [Opnd] = &[Opnd::Reg(X19_REG), Opnd::Reg(X20_REG), Opnd::Reg(X21_REG), Opnd::Reg(X22_REG)];
+            let (mut asm, mut cb) = setup_asm();
+            asm.frame_setup(FOUR_REGS, 3);
+            asm.frame_teardown(FOUR_REGS);
+            asm.compile_with_num_regs(&mut cb, 0);
+            assert_disasm!(cb, "fd7bbfa9fd030091f44fbfa9f657bfa9ff8300d1b44f7fa9b6577ea9bf030091fd7bc1a8", "
+                0x0: stp x29, x30, [sp, #-0x10]!
+                0x4: mov x29, sp
+                0x8: stp x20, x19, [sp, #-0x10]!
+                0xc: stp x22, x21, [sp, #-0x10]!
+                0x10: sub sp, sp, #0x20
+                0x14: ldp x20, x19, [x29, #-0x10]
+                0x18: ldp x22, x21, [x29, #-0x20]
+                0x1c: mov sp, x29
+                0x20: ldp x29, x30, [sp], #0x10
+            ");
+        }
+    }
+
     #[test]
     fn test_emit_je_fits_into_bcond() {
         let (mut asm, mut cb) = setup_asm();
diff --git a/zjit/src/backend/lir.rs b/zjit/src/backend/lir.rs
index 7bac210bee6689..36e783bd4e658a 100644
--- a/zjit/src/backend/lir.rs
+++ b/zjit/src/backend/lir.rs
@@ -12,10 +12,12 @@ use crate::asm::{CodeBlock, Label};
 pub use crate::backend::current::{
     Reg,
     EC, CFP, SP,
-    NATIVE_STACK_PTR,
+    NATIVE_STACK_PTR, NATIVE_BASE_PTR,
     C_ARG_OPNDS, C_RET_REG, C_RET_OPND,
 };
 
+pub static JIT_PRESERVED_REGS: &'static [Opnd] = &[CFP, SP, EC];
+
 // Memory operand base
 #[derive(Clone, Copy, PartialEq, Eq, Debug)]
 pub enum MemBase
@@ -291,8 +293,6 @@ pub enum Target
         context: Option<SideExitContext>,
         /// We use this to enrich asm comments.
         reason: SideExitReason,
-        /// The number of bytes we need to adjust the C stack pointer by.
-        c_stack_bytes: usize,
         /// Some if the side exit should write this label. We use it for patch points.
         label: Option<Label>,
     },
@@ -404,10 +404,10 @@ pub enum Insn {
     CSelZ { truthy: Opnd, falsy: Opnd, out: Opnd },
 
     /// Set up the frame stack as necessary per the architecture.
-    FrameSetup,
+    FrameSetup { preserved: &'static [Opnd], slot_count: usize },
 
     /// Tear down the frame stack as necessary per the architecture.
-    FrameTeardown,
+    FrameTeardown { preserved: &'static [Opnd], },
 
     // Atomically increment a counter
     // Input: memory operand, increment value
@@ -598,8 +598,8 @@ impl Insn {
             Insn::CSelNE { .. } => "CSelNE",
             Insn::CSelNZ { .. } => "CSelNZ",
             Insn::CSelZ { .. } => "CSelZ",
-            Insn::FrameSetup => "FrameSetup",
-            Insn::FrameTeardown => "FrameTeardown",
+            Insn::FrameSetup { .. } => "FrameSetup",
+            Insn::FrameTeardown { .. } => "FrameTeardown",
             Insn::IncrCounter { .. } => "IncrCounter",
             Insn::Jbe(_) => "Jbe",
             Insn::Jb(_) => "Jb",
@@ -823,8 +823,8 @@ impl<'a> Iterator for InsnOpndIterator<'a> {
             Insn::CPop { .. } |
             Insn::CPopAll |
             Insn::CPushAll |
-            Insn::FrameSetup |
-            Insn::FrameTeardown |
+            Insn::FrameSetup { .. } |
+            Insn::FrameTeardown { .. } |
             Insn::PadPatchPoint |
             Insn::PosMarker(_) => None,
 
@@ -979,8 +979,8 @@ impl<'a> InsnOpndMutIterator<'a> {
             Insn::CPop { .. } |
             Insn::CPopAll |
             Insn::CPushAll |
-            Insn::FrameSetup |
-            Insn::FrameTeardown |
+            Insn::FrameSetup { .. } |
+            Insn::FrameTeardown { .. } |
             Insn::PadPatchPoint |
             Insn::PosMarker(_) => None,
 
@@ -1813,7 +1813,7 @@ impl Assembler
         for (idx, target) in targets {
             // Compile a side exit. Note that this is past the split pass and alloc_regs(),
             // so you can't use a VReg or an instruction that needs to be split.
-            if let Target::SideExit { context, reason, c_stack_bytes, label } = target {
+            if let Target::SideExit { context, reason, label } = target {
                 asm_comment!(self, "Exit: {reason}");
                 let side_exit_label = if let Some(label) = label {
                     Target::Label(label)
@@ -1858,13 +1858,8 @@ impl Assembler
                     self.store(cfp_sp, Opnd::Reg(Assembler::SCRATCH_REG));
                 }
 
-                if c_stack_bytes > 0 {
-                    asm_comment!(self, "restore C stack pointer");
-                    self.add_into(NATIVE_STACK_PTR, c_stack_bytes.into());
-                }
-
                 asm_comment!(self, "exit to the interpreter");
-                self.frame_teardown();
+                self.frame_teardown(&[]); // matching the setup in :bb0-prologue:
                 self.mov(C_RET_OPND, Opnd::UImm(Qundef.as_u64()));
                 self.cret(C_RET_OPND);
 
@@ -2065,12 +2060,14 @@ impl Assembler {
         out
     }
 
-    pub fn frame_setup(&mut self) {
-        self.push_insn(Insn::FrameSetup);
+    pub fn frame_setup(&mut self, preserved_regs: &'static [Opnd], slot_count: usize) {
+        self.push_insn(Insn::FrameSetup { preserved: preserved_regs, slot_count });
     }
 
-    pub fn frame_teardown(&mut self) {
-        self.push_insn(Insn::FrameTeardown);
+    /// The inverse of [Self::frame_setup] used before return. `reserve_bytes`
+    /// not necessary since we use a base pointer register.
+    pub fn frame_teardown(&mut self, preserved_regs: &'static [Opnd]) {
+        self.push_insn(Insn::FrameTeardown { preserved: preserved_regs });
     }
 
     pub fn incr_counter(&mut self, mem: Opnd, value: Opnd) {
diff --git a/zjit/src/backend/x86_64/mod.rs b/zjit/src/backend/x86_64/mod.rs
index 942705fb95bb75..4543252573800c 100644
--- a/zjit/src/backend/x86_64/mod.rs
+++ b/zjit/src/backend/x86_64/mod.rs
@@ -29,6 +29,7 @@ pub const C_ARG_OPNDS: [Opnd; 6] = [
 pub const C_RET_REG: Reg = RAX_REG;
 pub const C_RET_OPND: Opnd = Opnd::Reg(RAX_REG);
 pub const NATIVE_STACK_PTR: Opnd = Opnd::Reg(RSP_REG);
+pub const NATIVE_BASE_PTR: Opnd = Opnd::Reg(RBP_REG);
 
 impl CodeBlock {
     // The number of bytes that are generated by jmp_ptr
@@ -110,9 +111,9 @@ impl Assembler
         vec![RAX_REG, RCX_REG, RDX_REG, RSI_REG, RDI_REG, R8_REG, R9_REG, R10_REG, R11_REG]
     }
 
-    /// How many bytes a call and a [Self::frame_setup] would change native SP
+    /// How many bytes a call and a bare bones [Self::frame_setup] would change native SP
     pub fn frame_size() -> i32 {
-        0x8
+        0x10
     }
 
     // These are the callee-saved registers in the x86-64 SysV ABI
@@ -476,22 +477,34 @@ impl Assembler
                     cb.write_byte(0);
                 },
 
-                // Set up RBP to work with frame pointer unwinding
+                // Set up RBP as frame pointer work with unwinding
                 // (e.g. with Linux `perf record --call-graph fp`)
-                Insn::FrameSetup => {
-                    if false { // We don't support --zjit-perf yet
-                        // TODO(alan): Change Assembler::frame_size() when adding --zjit-perf support
-                        push(cb, RBP);
-                        mov(cb, RBP, RSP);
-                        push(cb, RBP);
+                // and to allow push and pops in the function.
+                &Insn::FrameSetup { preserved, mut slot_count } => {
+                    // Bump slot_count for alignment if necessary
+                    const { assert!(SIZEOF_VALUE == 8, "alignment logic relies on SIZEOF_VALUE == 8"); }
+                    let total_slots = 2 /* rbp and return address*/ + slot_count + preserved.len();
+                    if total_slots % 2 == 1 {
+                        slot_count += 1;
                     }
-                },
-                Insn::FrameTeardown => {
-                    if false { // We don't support --zjit-perf yet
-                        pop(cb, RBP);
-                        pop(cb, RBP);
+                    push(cb, RBP);
+                    mov(cb, RBP, RSP);
+                    for reg in preserved {
+                        push(cb, reg.into());
                     }
-                },
+                    if slot_count > 0 {
+                        sub(cb, RSP, uimm_opnd((slot_count * SIZEOF_VALUE) as u64));
+                    }
+                }
+                &Insn::FrameTeardown { preserved } => {
+                    let mut preserved_offset = -8;
+                    for reg in preserved {
+                        mov(cb, reg.into(), mem_opnd(64, RBP, preserved_offset));
+                        preserved_offset -= 8;
+                    }
+                    mov(cb, RSP, RBP);
+                    pop(cb, RBP);
+                }
 
                 Insn::Add { left, right, .. } => {
                     let opnd1 = emit_64bit_immediate(cb, right);
@@ -1306,4 +1319,37 @@ mod tests {
             0x6: mov dword ptr [rax], 0x80000001
         "});
     }
+
+    #[test]
+    fn frame_setup_teardown() {
+        let (mut asm, mut cb) = setup_asm();
+        asm.frame_setup(JIT_PRESERVED_REGS, 0);
+        asm.frame_teardown(JIT_PRESERVED_REGS);
+
+        asm.cret(C_RET_OPND);
+
+        asm.frame_setup(&[], 5);
+        asm.frame_teardown(&[]);
+
+        asm.compile_with_num_regs(&mut cb, 0);
+        assert_disasm!(cb, "554889e541555341544883ec084c8b6df8488b5df04c8b65e84889ec5dc3554889e54883ec304889ec5d", {"
+            0x0: push rbp
+            0x1: mov rbp, rsp
+            0x4: push r13
+            0x6: push rbx
+            0x7: push r12
+            0x9: sub rsp, 8
+            0xd: mov r13, qword ptr [rbp - 8]
+            0x11: mov rbx, qword ptr [rbp - 0x10]
+            0x15: mov r12, qword ptr [rbp - 0x18]
+            0x19: mov rsp, rbp
+            0x1c: pop rbp
+            0x1d: ret
+            0x1e: push rbp
+            0x1f: mov rbp, rsp
+            0x22: sub rsp, 0x30
+            0x26: mov rsp, rbp
+            0x29: pop rbp
+        "});
+    }
 }
diff --git a/zjit/src/codegen.rs b/zjit/src/codegen.rs
index c460dddfb82ce1..1d694bffd9fc57 100644
--- a/zjit/src/codegen.rs
+++ b/zjit/src/codegen.rs
@@ -8,7 +8,7 @@ use crate::invariants::{track_bop_assumption, track_cme_assumption};
 use crate::gc::{get_or_create_iseq_payload, append_gc_offsets};
 use crate::state::ZJITState;
 use crate::{asm::CodeBlock, cruby::*, options::debug, virtualmem::CodePtr};
-use crate::backend::lir::{self, asm_comment, asm_ccall, Assembler, Opnd, SideExitContext, Target, CFP, C_ARG_OPNDS, C_RET_OPND, EC, NATIVE_STACK_PTR, SP};
+use crate::backend::lir::{self, asm_comment, asm_ccall, Assembler, Opnd, SideExitContext, Target, CFP, C_ARG_OPNDS, C_RET_OPND, EC, NATIVE_STACK_PTR, NATIVE_BASE_PTR, SP};
 use crate::hir::{iseq_to_hir, Block, BlockId, BranchEdge, CallInfo, Invariant, RangeType, SideExitReason, SideExitReason::*, SpecialObjectType, SELF_PARAM_IDX};
 use crate::hir::{Const, FrameState, Function, Insn, InsnId};
 use crate::hir_type::{types::Fixnum, Type};
@@ -29,18 +29,18 @@ struct JITState {
     branch_iseqs: Vec<(Rc<Branch>, IseqPtr)>,
 
     /// The number of bytes allocated for basic block arguments spilled onto the C stack
-    c_stack_bytes: usize,
+    c_stack_slots: usize,
 }
 
 impl JITState {
     /// Create a new JITState instance
-    fn new(iseq: IseqPtr, num_insns: usize, num_blocks: usize, c_stack_bytes: usize) -> Self {
+    fn new(iseq: IseqPtr, num_insns: usize, num_blocks: usize, c_stack_slots: usize) -> Self {
         JITState {
             iseq,
             opnds: vec![None; num_insns],
             labels: vec![None; num_blocks],
             branch_iseqs: Vec::default(),
-            c_stack_bytes,
+            c_stack_slots,
         }
     }
 
@@ -128,7 +128,7 @@ fn gen_iseq_entry_point_body(cb: &mut CodeBlock, iseq: IseqPtr) -> *const u8 {
             append_gc_offsets(iseq, &gc_offsets);
 
             // Compile an entry point to the JIT code
-            (gen_entry(cb, iseq, &function, start_ptr, jit.c_stack_bytes), jit.branch_iseqs)
+            (gen_entry(cb, iseq, &function, start_ptr), jit.branch_iseqs)
         },
         None => (None, vec![]),
     };
@@ -170,21 +170,18 @@ fn register_with_perf(iseq_name: String, start_ptr: usize, code_size: usize) {
 }
 
 /// Compile a JIT entry
-fn gen_entry(cb: &mut CodeBlock, iseq: IseqPtr, function: &Function, function_ptr: CodePtr, c_stack_bytes: usize) -> Option<CodePtr> {
+fn gen_entry(cb: &mut CodeBlock, iseq: IseqPtr, function: &Function, function_ptr: CodePtr) -> Option<CodePtr> {
     // Set up registers for CFP, EC, SP, and basic block arguments
     let mut asm = Assembler::new();
     gen_entry_prologue(&mut asm, iseq);
-    gen_entry_params(&mut asm, iseq, function.block(BlockId(0)), c_stack_bytes);
+    gen_entry_params(&mut asm, iseq, function.block(BlockId(0)));
 
     // Jump to the first block using a call instruction
     asm.ccall(function_ptr.raw_ptr(cb) as *const u8, vec![]);
 
     // Restore registers for CFP, EC, and SP after use
-    asm_comment!(asm, "exit to the interpreter");
-    asm.cpop_into(SP);
-    asm.cpop_into(EC);
-    asm.cpop_into(CFP);
-    asm.frame_teardown();
+    asm_comment!(asm, "return to the interpreter");
+    asm.frame_teardown(lir::JIT_PRESERVED_REGS);
     asm.cret(C_RET_OPND);
 
     if get_option!(dump_lir) {
@@ -231,8 +228,8 @@ fn gen_iseq(cb: &mut CodeBlock, iseq: IseqPtr) -> Option<(CodePtr, Vec<(Rc<Branc
 
 /// Compile a function
 fn gen_function(cb: &mut CodeBlock, iseq: IseqPtr, function: &Function) -> Option<(CodePtr, Vec<CodePtr>, JITState)> {
-    let c_stack_bytes = aligned_stack_bytes(max_num_params(function).saturating_sub(ALLOC_REGS.len()));
-    let mut jit = JITState::new(iseq, function.num_insns(), function.num_blocks(), c_stack_bytes);
+    let c_stack_slots = max_num_params(function).saturating_sub(ALLOC_REGS.len());
+    let mut jit = JITState::new(iseq, function.num_insns(), function.num_blocks(), c_stack_slots);
     let mut asm = Assembler::new();
 
     // Compile each basic block
@@ -245,16 +242,9 @@ fn gen_function(cb: &mut CodeBlock, iseq: IseqPtr, function: &Function) -> Optio
         let label = jit.get_label(&mut asm, block_id);
         asm.write_label(label);
 
-        // Set up the frame at the first block
+        // Set up the frame at the first block. :bb0-prologue:
         if block_id == BlockId(0) {
-            asm.frame_setup();
-
-            // Bump the C stack pointer for basic block arguments
-            if jit.c_stack_bytes > 0 {
-                asm_comment!(asm, "bump C stack pointer");
-                let new_sp = asm.sub(NATIVE_STACK_PTR, jit.c_stack_bytes.into());
-                asm.mov(NATIVE_STACK_PTR, new_sp);
-            }
+            asm.frame_setup(&[], jit.c_stack_slots);
         }
 
         // Compile all parameters
@@ -335,7 +325,7 @@ fn gen_insn(cb: &mut CodeBlock, jit: &mut JITState, asm: &mut Assembler, functio
             gen_send_without_block(jit, asm, call_info, *cd, &function.frame_state(*state), opnd!(self_val), opnds!(args))?,
         Insn::SendWithoutBlockDirect { cme, iseq, self_val, args, state, .. } => gen_send_without_block_direct(cb, jit, asm, *cme, *iseq, opnd!(self_val), opnds!(args), &function.frame_state(*state))?,
         Insn::InvokeBuiltin { bf, args, state } => gen_invokebuiltin(asm, &function.frame_state(*state), bf, opnds!(args))?,
-        Insn::Return { val } => return Some(gen_return(jit, asm, opnd!(val))?),
+        Insn::Return { val } => return Some(gen_return(asm, opnd!(val))?),
         Insn::FixnumAdd { left, right, state } => gen_fixnum_add(jit, asm, opnd!(left), opnd!(right), &function.frame_state(*state))?,
         Insn::FixnumSub { left, right, state } => gen_fixnum_sub(jit, asm, opnd!(left), opnd!(right), &function.frame_state(*state))?,
         Insn::FixnumMult { left, right, state } => gen_fixnum_mult(jit, asm, opnd!(left), opnd!(right), &function.frame_state(*state))?,
@@ -569,12 +559,8 @@ fn gen_putspecialobject(asm: &mut Assembler, value_type: SpecialObjectType) -> O
 /// Compile an interpreter entry block to be inserted into an ISEQ
 fn gen_entry_prologue(asm: &mut Assembler, iseq: IseqPtr) {
     asm_comment!(asm, "ZJIT entry point: {}", iseq_get_location(iseq, 0));
-    asm.frame_setup();
-
     // Save the registers we'll use for CFP, EP, SP
-    asm.cpush(CFP);
-    asm.cpush(EC);
-    asm.cpush(SP);
+    asm.frame_setup(lir::JIT_PRESERVED_REGS, 0);
 
     // EC and CFP are passed as arguments
     asm.mov(EC, C_ARG_OPNDS[0]);
@@ -587,7 +573,7 @@ fn gen_entry_prologue(asm: &mut Assembler, iseq: IseqPtr) {
 }
 
 /// Assign method arguments to basic block arguments at JIT entry
-fn gen_entry_params(asm: &mut Assembler, iseq: IseqPtr, entry_block: &Block, c_stack_bytes: usize) {
+fn gen_entry_params(asm: &mut Assembler, iseq: IseqPtr, entry_block: &Block) {
     let num_params = entry_block.params().len() - 1; // -1 to exclude self
     if num_params > 0 {
         asm_comment!(asm, "set method params: {num_params}");
@@ -616,8 +602,8 @@ fn gen_entry_params(asm: &mut Assembler, iseq: IseqPtr, entry_block: &Block, c_s
             // the HIR function ────────────► └────────────┘
             // is running
             match param {
-                Opnd::Mem(lir::Mem { base, disp, num_bits }) => {
-                    let param_slot = Opnd::Mem(lir::Mem { num_bits, base, disp: disp - c_stack_bytes as i32 - Assembler::frame_size() });
+                Opnd::Mem(lir::Mem { base: _, disp, num_bits }) => {
+                    let param_slot = Opnd::mem(num_bits, NATIVE_STACK_PTR, disp - Assembler::frame_size());
                     asm.mov(param_slot, local);
                 }
                 // Prepare for parallel move for locals in registers
@@ -848,7 +834,7 @@ fn gen_send_without_block_direct(
     asm_comment!(asm, "side-exit if callee side-exits");
     asm.cmp(ret, Qundef.into());
     // Restore the C stack pointer on exit
-    asm.je(Target::SideExit { context: None, reason: CalleeSideExit, c_stack_bytes: jit.c_stack_bytes, label: None });
+    asm.je(Target::SideExit { context: None, reason: CalleeSideExit, label: None });
 
     asm_comment!(asm, "restore SP register for the caller");
     let new_sp = asm.sub(SP, sp_offset.into());
@@ -912,7 +898,7 @@ fn gen_new_range(
 }
 
 /// Compile code that exits from JIT code with a return value
-fn gen_return(jit: &JITState, asm: &mut Assembler, val: lir::Opnd) -> Option<()> {
+fn gen_return(asm: &mut Assembler, val: lir::Opnd) -> Option<()> {
     // Pop the current frame (ec->cfp++)
     // Note: the return PC is already in the previous CFP
     asm_comment!(asm, "pop stack frame");
@@ -924,16 +910,8 @@ fn gen_return(jit: &JITState, asm: &mut Assembler, val: lir::Opnd) -> Option<()>
     // we need to load the return value, which might be part of the frame.
     asm.load_into(C_RET_OPND, val);
 
-    // Restore the C stack pointer bumped for basic block arguments
-    if jit.c_stack_bytes > 0 {
-        asm_comment!(asm, "restore C stack pointer");
-        let new_sp = asm.add(NATIVE_STACK_PTR, jit.c_stack_bytes.into());
-        asm.mov(NATIVE_STACK_PTR, new_sp);
-    }
-
-    asm.frame_teardown();
-
     // Return from the function
+    asm.frame_teardown(&[]); // matching the setup in :bb0-prologue:
     asm.cret(C_RET_OPND);
     Some(())
 }
@@ -1140,7 +1118,7 @@ fn param_opnd(idx: usize) -> Opnd {
     if idx < ALLOC_REGS.len() {
         Opnd::Reg(ALLOC_REGS[idx])
     } else {
-        Opnd::mem(64, NATIVE_STACK_PTR, (idx - ALLOC_REGS.len()) as i32 * SIZEOF_VALUE_I32)
+        Opnd::mem(64, NATIVE_BASE_PTR, (idx - ALLOC_REGS.len() + 1) as i32 * -SIZEOF_VALUE_I32)
     }
 }
 
@@ -1196,7 +1174,6 @@ fn build_side_exit(jit: &mut JITState, state: &FrameState, reason: SideExitReaso
             locals,
         }),
         reason,
-        c_stack_bytes: jit.c_stack_bytes,
         label,
     };
     Some(target)
@@ -1225,26 +1202,6 @@ fn max_num_params(function: &Function) -> usize {
     }).max().unwrap_or(0)
 }
 
-/// Given the number of spill slots needed for a function, return the number of bytes
-/// the function needs to allocate on the stack for the stack frame.
-fn aligned_stack_bytes(num_slots: usize) -> usize {
-    // Both x86_64 and arm64 require the stack to be aligned to 16 bytes.
-    let num_slots = if cfg!(target_arch = "x86_64") && num_slots % 2 == 0 {
-        // On x86_64, since the call instruction bumps the stack pointer by 8 bytes on entry,
-        // we need to round up `num_slots` to an odd number.
-        num_slots + 1
-    } else if cfg!(target_arch = "aarch64") && num_slots % 2 == 1 {
-        // On arm64, the stack pointer is always aligned to 16 bytes, so we need to round up
-        // `num_slots`` to an even number.
-        num_slots + 1
-    } else {
-        num_slots
-    };
-
-    const { assert!(SIZEOF_VALUE == 8, "aligned_stack_bytes() assumes SIZEOF_VALUE == 8"); }
-    num_slots * SIZEOF_VALUE
-}
-
 impl Assembler {
     /// Make a C call while marking the start and end positions of it
     fn ccall_with_branch(&mut self, fptr: *const u8, opnds: Vec<Opnd>, branch: &Rc<Branch>) -> Opnd {

From 043489abc2fe9a1953e19588101e469cbc505f38 Mon Sep 17 00:00:00 2001
From: Stan Lo <stan.lo@shopify.com>
Date: Mon, 28 Jul 2025 20:32:32 +0100
Subject: [PATCH 2/9] ZJIT: Inline guard type checks for some built-in types
 (#14017)

This implements similar fast-path guard type checks as YJIT.
---
 zjit/src/codegen.rs | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)

diff --git a/zjit/src/codegen.rs b/zjit/src/codegen.rs
index 1d694bffd9fc57..490ead64652b80 100644
--- a/zjit/src/codegen.rs
+++ b/zjit/src/codegen.rs
@@ -11,7 +11,7 @@ use crate::{asm::CodeBlock, cruby::*, options::debug, virtualmem::CodePtr};
 use crate::backend::lir::{self, asm_comment, asm_ccall, Assembler, Opnd, SideExitContext, Target, CFP, C_ARG_OPNDS, C_RET_OPND, EC, NATIVE_STACK_PTR, NATIVE_BASE_PTR, SP};
 use crate::hir::{iseq_to_hir, Block, BlockId, BranchEdge, CallInfo, Invariant, RangeType, SideExitReason, SideExitReason::*, SpecialObjectType, SELF_PARAM_IDX};
 use crate::hir::{Const, FrameState, Function, Insn, InsnId};
-use crate::hir_type::{types::Fixnum, Type};
+use crate::hir_type::{types, Type};
 use crate::options::get_option;
 
 /// Ephemeral code generation state
@@ -1024,10 +1024,29 @@ fn gen_test(asm: &mut Assembler, val: lir::Opnd) -> Option<lir::Opnd> {
 
 /// Compile a type check with a side exit
 fn gen_guard_type(jit: &mut JITState, asm: &mut Assembler, val: lir::Opnd, guard_type: Type, state: &FrameState) -> Option<lir::Opnd> {
-    if guard_type.is_subtype(Fixnum) {
-        // Check if opnd is Fixnum
+    if guard_type.is_subtype(types::Fixnum) {
         asm.test(val, Opnd::UImm(RUBY_FIXNUM_FLAG as u64));
         asm.jz(side_exit(jit, state, GuardType(guard_type))?);
+    } else if guard_type.is_subtype(types::Flonum) {
+        // Flonum: (val & RUBY_FLONUM_MASK) == RUBY_FLONUM_FLAG
+        let masked = asm.and(val, Opnd::UImm(RUBY_FLONUM_MASK as u64));
+        asm.cmp(masked, Opnd::UImm(RUBY_FLONUM_FLAG as u64));
+        asm.jne(side_exit(jit, state, GuardType(guard_type))?);
+    } else if guard_type.is_subtype(types::StaticSymbol) {
+        // Static symbols have (val & 0xff) == RUBY_SYMBOL_FLAG
+        // Use 8-bit comparison like YJIT does
+        asm.cmp(val.with_num_bits(8).unwrap(), Opnd::UImm(RUBY_SYMBOL_FLAG as u64));
+        asm.jne(side_exit(jit, state, GuardType(guard_type))?);
+    } else if guard_type.is_subtype(types::NilClassExact) {
+        asm.cmp(val, Qnil.into());
+        asm.jne(side_exit(jit, state, GuardType(guard_type))?);
+    } else if guard_type.is_subtype(types::TrueClassExact) {
+        asm.cmp(val, Qtrue.into());
+        asm.jne(side_exit(jit, state, GuardType(guard_type))?);
+    } else if guard_type.is_subtype(types::FalseClassExact) {
+        assert!(Qfalse.as_i64() == 0);
+        asm.test(val, val);
+        asm.jne(side_exit(jit, state, GuardType(guard_type))?);
     } else if let Some(expected_class) = guard_type.runtime_exact_ruby_class() {
         asm_comment!(asm, "guard exact class");
 

From f6dccdb1ff271d391fa51935370e07747c5722a3 Mon Sep 17 00:00:00 2001
From: Max Bernstein <ruby@bernsteinbear.com>
Date: Mon, 28 Jul 2025 09:54:25 -0400
Subject: [PATCH 3/9] ZJIT: Remove Integer subclasses from lattice

While Integer can technically be subclassed, instances of subclasses
cannot be created. Remove it from the type lattice.
---
 zjit/src/hir_type/gen_hir_type.rb |  9 ++++-
 zjit/src/hir_type/hir_type.inc.rs | 56 ++++++++++++++-----------------
 zjit/src/hir_type/mod.rs          | 14 ++------
 3 files changed, 36 insertions(+), 43 deletions(-)

diff --git a/zjit/src/hir_type/gen_hir_type.rb b/zjit/src/hir_type/gen_hir_type.rb
index 361026e101a939..27f936a389fad9 100644
--- a/zjit/src/hir_type/gen_hir_type.rb
+++ b/zjit/src/hir_type/gen_hir_type.rb
@@ -68,6 +68,13 @@ def base_type name
   [type, exact]
 end
 
+# Define a new type that cannot be subclassed.
+def final_type name
+  type = $object.subtype name
+  $builtin_exact << type.name
+  type
+end
+
 base_type "String"
 base_type "Array"
 base_type "Hash"
@@ -77,7 +84,7 @@ def base_type name
 module_class, _ = base_type "Module"
 module_class.subtype "Class"
 
-_, integer_exact = base_type "Integer"
+integer_exact = final_type "Integer"
 # CRuby partitions Integer into immediate and non-immediate variants.
 fixnum = integer_exact.subtype "Fixnum"
 integer_exact.subtype "Bignum"
diff --git a/zjit/src/hir_type/hir_type.inc.rs b/zjit/src/hir_type/hir_type.inc.rs
index 21ef8c8bdd4a03..aaef14467b9bcc 100644
--- a/zjit/src/hir_type/hir_type.inc.rs
+++ b/zjit/src/hir_type/hir_type.inc.rs
@@ -9,7 +9,7 @@ mod bits {
   pub const BasicObjectSubclass: u64 = 1u64 << 3;
   pub const Bignum: u64 = 1u64 << 4;
   pub const BoolExact: u64 = FalseClassExact | TrueClassExact;
-  pub const BuiltinExact: u64 = ArrayExact | BasicObjectExact | FalseClassExact | FloatExact | HashExact | IntegerExact | ModuleExact | NilClassExact | ObjectExact | RangeExact | RegexpExact | SetExact | StringExact | SymbolExact | TrueClassExact;
+  pub const BuiltinExact: u64 = ArrayExact | BasicObjectExact | FalseClassExact | FloatExact | HashExact | Integer | ModuleExact | NilClassExact | ObjectExact | RangeExact | RegexpExact | SetExact | StringExact | SymbolExact | TrueClassExact;
   pub const CBool: u64 = 1u64 << 5;
   pub const CDouble: u64 = 1u64 << 6;
   pub const CInt: u64 = CSigned | CUnsigned;
@@ -43,41 +43,39 @@ mod bits {
   pub const HashSubclass: u64 = 1u64 << 26;
   pub const HeapFloat: u64 = 1u64 << 27;
   pub const Immediate: u64 = FalseClassExact | Fixnum | Flonum | NilClassExact | StaticSymbol | TrueClassExact | Undef;
-  pub const Integer: u64 = IntegerExact | IntegerSubclass;
-  pub const IntegerExact: u64 = Bignum | Fixnum;
-  pub const IntegerSubclass: u64 = 1u64 << 28;
+  pub const Integer: u64 = Bignum | Fixnum;
   pub const Module: u64 = Class | ModuleExact | ModuleSubclass;
-  pub const ModuleExact: u64 = 1u64 << 29;
-  pub const ModuleSubclass: u64 = 1u64 << 30;
+  pub const ModuleExact: u64 = 1u64 << 28;
+  pub const ModuleSubclass: u64 = 1u64 << 29;
   pub const NilClass: u64 = NilClassExact | NilClassSubclass;
-  pub const NilClassExact: u64 = 1u64 << 31;
-  pub const NilClassSubclass: u64 = 1u64 << 32;
+  pub const NilClassExact: u64 = 1u64 << 30;
+  pub const NilClassSubclass: u64 = 1u64 << 31;
   pub const Object: u64 = Array | FalseClass | Float | Hash | Integer | Module | NilClass | ObjectExact | ObjectSubclass | Range | Regexp | Set | String | Symbol | TrueClass;
-  pub const ObjectExact: u64 = 1u64 << 33;
-  pub const ObjectSubclass: u64 = 1u64 << 34;
+  pub const ObjectExact: u64 = 1u64 << 32;
+  pub const ObjectSubclass: u64 = 1u64 << 33;
   pub const Range: u64 = RangeExact | RangeSubclass;
-  pub const RangeExact: u64 = 1u64 << 35;
-  pub const RangeSubclass: u64 = 1u64 << 36;
+  pub const RangeExact: u64 = 1u64 << 34;
+  pub const RangeSubclass: u64 = 1u64 << 35;
   pub const Regexp: u64 = RegexpExact | RegexpSubclass;
-  pub const RegexpExact: u64 = 1u64 << 37;
-  pub const RegexpSubclass: u64 = 1u64 << 38;
+  pub const RegexpExact: u64 = 1u64 << 36;
+  pub const RegexpSubclass: u64 = 1u64 << 37;
   pub const RubyValue: u64 = BasicObject | CallableMethodEntry | Undef;
   pub const Set: u64 = SetExact | SetSubclass;
-  pub const SetExact: u64 = 1u64 << 39;
-  pub const SetSubclass: u64 = 1u64 << 40;
-  pub const StaticSymbol: u64 = 1u64 << 41;
+  pub const SetExact: u64 = 1u64 << 38;
+  pub const SetSubclass: u64 = 1u64 << 39;
+  pub const StaticSymbol: u64 = 1u64 << 40;
   pub const String: u64 = StringExact | StringSubclass;
-  pub const StringExact: u64 = 1u64 << 42;
-  pub const StringSubclass: u64 = 1u64 << 43;
-  pub const Subclass: u64 = ArraySubclass | BasicObjectSubclass | FalseClassSubclass | FloatSubclass | HashSubclass | IntegerSubclass | ModuleSubclass | NilClassSubclass | ObjectSubclass | RangeSubclass | RegexpSubclass | SetSubclass | StringSubclass | SymbolSubclass | TrueClassSubclass;
+  pub const StringExact: u64 = 1u64 << 41;
+  pub const StringSubclass: u64 = 1u64 << 42;
+  pub const Subclass: u64 = ArraySubclass | BasicObjectSubclass | FalseClassSubclass | FloatSubclass | HashSubclass | ModuleSubclass | NilClassSubclass | ObjectSubclass | RangeSubclass | RegexpSubclass | SetSubclass | StringSubclass | SymbolSubclass | TrueClassSubclass;
   pub const Symbol: u64 = SymbolExact | SymbolSubclass;
   pub const SymbolExact: u64 = DynamicSymbol | StaticSymbol;
-  pub const SymbolSubclass: u64 = 1u64 << 44;
+  pub const SymbolSubclass: u64 = 1u64 << 43;
   pub const TrueClass: u64 = TrueClassExact | TrueClassSubclass;
-  pub const TrueClassExact: u64 = 1u64 << 45;
-  pub const TrueClassSubclass: u64 = 1u64 << 46;
-  pub const Undef: u64 = 1u64 << 47;
-  pub const AllBitPatterns: [(&'static str, u64); 77] = [
+  pub const TrueClassExact: u64 = 1u64 << 44;
+  pub const TrueClassSubclass: u64 = 1u64 << 45;
+  pub const Undef: u64 = 1u64 << 46;
+  pub const AllBitPatterns: [(&'static str, u64); 75] = [
     ("Any", Any),
     ("RubyValue", RubyValue),
     ("Immediate", Immediate),
@@ -114,8 +112,6 @@ mod bits {
     ("Module", Module),
     ("ModuleSubclass", ModuleSubclass),
     ("ModuleExact", ModuleExact),
-    ("Integer", Integer),
-    ("IntegerSubclass", IntegerSubclass),
     ("Float", Float),
     ("FloatExact", FloatExact),
     ("HeapFloat", HeapFloat),
@@ -124,7 +120,7 @@ mod bits {
     ("HashExact", HashExact),
     ("Flonum", Flonum),
     ("FloatSubclass", FloatSubclass),
-    ("IntegerExact", IntegerExact),
+    ("Integer", Integer),
     ("Fixnum", Fixnum),
     ("FalseClass", FalseClass),
     ("FalseClassSubclass", FalseClassSubclass),
@@ -156,7 +152,7 @@ mod bits {
     ("ArrayExact", ArrayExact),
     ("Empty", Empty),
   ];
-  pub const NumTypeBits: u64 = 48;
+  pub const NumTypeBits: u64 = 47;
 }
 pub mod types {
   use super::*;
@@ -204,8 +200,6 @@ pub mod types {
   pub const HeapFloat: Type = Type::from_bits(bits::HeapFloat);
   pub const Immediate: Type = Type::from_bits(bits::Immediate);
   pub const Integer: Type = Type::from_bits(bits::Integer);
-  pub const IntegerExact: Type = Type::from_bits(bits::IntegerExact);
-  pub const IntegerSubclass: Type = Type::from_bits(bits::IntegerSubclass);
   pub const Module: Type = Type::from_bits(bits::Module);
   pub const ModuleExact: Type = Type::from_bits(bits::ModuleExact);
   pub const ModuleSubclass: Type = Type::from_bits(bits::ModuleSubclass);
diff --git a/zjit/src/hir_type/mod.rs b/zjit/src/hir_type/mod.rs
index 35d8866844d167..462a84ff013f91 100644
--- a/zjit/src/hir_type/mod.rs
+++ b/zjit/src/hir_type/mod.rs
@@ -442,7 +442,7 @@ impl Type {
         if self.is_subtype(types::FalseClassExact) { return Some(unsafe { rb_cFalseClass }); }
         if self.is_subtype(types::FloatExact) { return Some(unsafe { rb_cFloat }); }
         if self.is_subtype(types::HashExact) { return Some(unsafe { rb_cHash }); }
-        if self.is_subtype(types::IntegerExact) { return Some(unsafe { rb_cInteger }); }
+        if self.is_subtype(types::Integer) { return Some(unsafe { rb_cInteger }); }
         if self.is_subtype(types::ModuleExact) { return Some(unsafe { rb_cModule }); }
         if self.is_subtype(types::NilClassExact) { return Some(unsafe { rb_cNilClass }); }
         if self.is_subtype(types::ObjectExact) { return Some(unsafe { rb_cObject }); }
@@ -547,10 +547,8 @@ mod tests {
         assert_subtype(Type::fixnum(123), Type::fixnum(123));
         assert_not_subtype(Type::fixnum(123), Type::fixnum(200));
         assert_subtype(Type::from_value(VALUE::fixnum_from_usize(123)), types::Fixnum);
-        assert_subtype(types::Fixnum, types::IntegerExact);
-        assert_subtype(types::Bignum, types::IntegerExact);
-        assert_subtype(types::IntegerExact, types::Integer);
-        assert_subtype(types::IntegerSubclass, types::Integer);
+        assert_subtype(types::Fixnum, types::Integer);
+        assert_subtype(types::Bignum, types::Integer);
     }
 
     #[test]
@@ -590,7 +588,6 @@ mod tests {
     fn fixnum_has_ruby_object() {
         assert_eq!(Type::fixnum(3).ruby_object(), Some(VALUE::fixnum_from_usize(3)));
         assert_eq!(types::Fixnum.ruby_object(), None);
-        assert_eq!(types::IntegerExact.ruby_object(), None);
         assert_eq!(types::Integer.ruby_object(), None);
     }
 
@@ -608,7 +605,6 @@ mod tests {
     fn integer_has_exact_ruby_class() {
         assert_eq!(Type::fixnum(3).exact_ruby_class(), Some(unsafe { rb_cInteger }.into()));
         assert_eq!(types::Fixnum.exact_ruby_class(), None);
-        assert_eq!(types::IntegerExact.exact_ruby_class(), None);
         assert_eq!(types::Integer.exact_ruby_class(), None);
     }
 
@@ -636,7 +632,6 @@ mod tests {
     fn integer_has_ruby_class() {
         assert_eq!(Type::fixnum(3).inexact_ruby_class(), Some(unsafe { rb_cInteger }.into()));
         assert_eq!(types::Fixnum.inexact_ruby_class(), None);
-        assert_eq!(types::IntegerExact.inexact_ruby_class(), None);
         assert_eq!(types::Integer.inexact_ruby_class(), None);
     }
 
@@ -670,7 +665,6 @@ mod tests {
         assert_eq!(format!("{}", Type::from_cbool(false)), "CBool[false]");
         assert_eq!(format!("{}", types::Fixnum), "Fixnum");
         assert_eq!(format!("{}", types::Integer), "Integer");
-        assert_eq!(format!("{}", types::IntegerExact), "IntegerExact");
     }
 
     #[test]
@@ -688,12 +682,10 @@ mod tests {
 
     #[test]
     fn union_bits_subtype() {
-        assert_bit_equal(types::Fixnum.union(types::IntegerExact), types::IntegerExact);
         assert_bit_equal(types::Fixnum.union(types::Integer), types::Integer);
         assert_bit_equal(types::Fixnum.union(types::Object), types::Object);
         assert_bit_equal(Type::fixnum(3).union(types::Fixnum), types::Fixnum);
 
-        assert_bit_equal(types::IntegerExact.union(types::Fixnum), types::IntegerExact);
         assert_bit_equal(types::Integer.union(types::Fixnum), types::Integer);
         assert_bit_equal(types::Object.union(types::Fixnum), types::Object);
         assert_bit_equal(types::Fixnum.union(Type::fixnum(3)), types::Fixnum);

From b2b2aff61d37495801159c2c90e33df0f64db3f6 Mon Sep 17 00:00:00 2001
From: Max Bernstein <ruby@bernsteinbear.com>
Date: Mon, 28 Jul 2025 10:20:55 -0400
Subject: [PATCH 4/9] ZJIT: Mark Symbol, Float, NilClass, TrueClass, FalseClass
 as final

They can be subclassed but new instances cannot be created.
---
 zjit/src/cruby_methods.rs         |   6 +-
 zjit/src/hir.rs                   | 130 +++++++++++++++---------------
 zjit/src/hir_type/gen_hir_type.rb |  10 +--
 zjit/src/hir_type/hir_type.inc.rs |  96 ++++++++--------------
 zjit/src/hir_type/mod.rs          |  69 +++++++---------
 5 files changed, 137 insertions(+), 174 deletions(-)

diff --git a/zjit/src/cruby_methods.rs b/zjit/src/cruby_methods.rs
index 51ecb1c787f9ec..9c29ed5472d8f1 100644
--- a/zjit/src/cruby_methods.rs
+++ b/zjit/src/cruby_methods.rs
@@ -76,12 +76,12 @@ pub fn init() -> Annotations {
 
     annotate!(rb_mKernel, "itself", types::BasicObject, no_gc, leaf, elidable);
     annotate!(rb_cString, "bytesize", types::Fixnum, no_gc, leaf);
-    annotate!(rb_cModule, "name", types::StringExact.union(types::NilClassExact), no_gc, leaf, elidable);
+    annotate!(rb_cModule, "name", types::StringExact.union(types::NilClass), no_gc, leaf, elidable);
     annotate!(rb_cModule, "===", types::BoolExact, no_gc, leaf);
     annotate!(rb_cArray, "length", types::Fixnum, no_gc, leaf, elidable);
     annotate!(rb_cArray, "size", types::Fixnum, no_gc, leaf, elidable);
-    annotate!(rb_cNilClass, "nil?", types::TrueClassExact, no_gc, leaf, elidable);
-    annotate!(rb_mKernel, "nil?", types::FalseClassExact, no_gc, leaf, elidable);
+    annotate!(rb_cNilClass, "nil?", types::TrueClass, no_gc, leaf, elidable);
+    annotate!(rb_mKernel, "nil?", types::FalseClass, no_gc, leaf, elidable);
 
     Annotations {
         cfuncs: std::mem::take(cfuncs)
diff --git a/zjit/src/hir.rs b/zjit/src/hir.rs
index 53e55b44286b5c..77eac854f8b9eb 100644
--- a/zjit/src/hir.rs
+++ b/zjit/src/hir.rs
@@ -1234,8 +1234,8 @@ impl Function {
             Insn::Test { val } if self.type_of(*val).is_known_falsy() => Type::from_cbool(false),
             Insn::Test { val } if self.type_of(*val).is_known_truthy() => Type::from_cbool(true),
             Insn::Test { .. } => types::CBool,
-            Insn::IsNil { val } if self.is_a(*val, types::NilClassExact) => Type::from_cbool(true),
-            Insn::IsNil { val } if !self.type_of(*val).could_be(types::NilClassExact) => Type::from_cbool(false),
+            Insn::IsNil { val } if self.is_a(*val, types::NilClass) => Type::from_cbool(true),
+            Insn::IsNil { val } if !self.type_of(*val).could_be(types::NilClass) => Type::from_cbool(false),
             Insn::IsNil { .. } => types::CBool,
             Insn::StringCopy { .. } => types::StringExact,
             Insn::StringIntern { .. } => types::StringExact,
@@ -3494,7 +3494,7 @@ mod infer_tests {
     fn test_const() {
         let mut function = Function::new(std::ptr::null());
         let val = function.push_insn(function.entry_block, Insn::Const { val: Const::Value(Qnil) });
-        assert_bit_equal(function.infer_type(val), types::NilClassExact);
+        assert_bit_equal(function.infer_type(val), types::NilClass);
     }
 
     #[test]
@@ -3593,7 +3593,7 @@ mod infer_tests {
         let param = function.push_insn(exit, Insn::Param { idx: 0 });
         crate::cruby::with_rubyvm(|| {
             function.infer_types();
-            assert_bit_equal(function.type_of(param), types::TrueClassExact.union(types::FalseClassExact));
+            assert_bit_equal(function.type_of(param), types::TrueClass.union(types::FalseClass));
         });
     }
 }
@@ -3975,7 +3975,7 @@ mod tests {
         assert_method_hir_with_opcodes("test", &[YARVINSN_getlocal_WC_0, YARVINSN_setlocal_WC_0], expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
               v3:Fixnum[1] = Const Value(1)
               Return v3
         "#]]);
@@ -4042,10 +4042,10 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_defined, expect![[r#"
             fn test@<compiled>:2:
             bb0(v0:BasicObject):
-              v2:NilClassExact = Const Value(nil)
+              v2:NilClass = Const Value(nil)
               v3:BasicObject = Defined constant, v2
               v4:BasicObject = Defined func, v0
-              v5:NilClassExact = Const Value(nil)
+              v5:NilClass = Const Value(nil)
               v6:BasicObject = Defined global-variable, v5
               v8:ArrayExact = NewArray v3, v4, v6
               Return v8
@@ -4091,12 +4091,12 @@ mod tests {
         assert_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject, v1:BasicObject):
-              v2:NilClassExact = Const Value(nil)
+              v2:NilClass = Const Value(nil)
               v4:CBool = Test v1
               IfFalse v4, bb1(v0, v1, v2)
               v6:Fixnum[3] = Const Value(3)
               Jump bb2(v0, v1, v6)
-            bb1(v8:BasicObject, v9:BasicObject, v10:NilClassExact):
+            bb1(v8:BasicObject, v9:BasicObject, v10:NilClass):
               v12:Fixnum[4] = Const Value(4)
               Jump bb2(v8, v9, v12)
             bb2(v14:BasicObject, v15:BasicObject, v16:Fixnum):
@@ -4261,8 +4261,8 @@ mod tests {
         assert_method_hir("test",  expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
-              v2:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
+              v2:NilClass = Const Value(nil)
               v4:Fixnum[0] = Const Value(0)
               v5:Fixnum[10] = Const Value(10)
               Jump bb2(v0, v4, v5)
@@ -4271,7 +4271,7 @@ mod tests {
               v13:BasicObject = SendWithoutBlock v9, :>, v11
               v14:CBool = Test v13
               IfTrue v14, bb1(v7, v8, v9)
-              v16:NilClassExact = Const Value(nil)
+              v16:NilClass = Const Value(nil)
               Return v8
             bb1(v18:BasicObject, v19:BasicObject, v20:BasicObject):
               v22:Fixnum[1] = Const Value(1)
@@ -4311,8 +4311,8 @@ mod tests {
         assert_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
-              v3:TrueClassExact = Const Value(true)
+              v1:NilClass = Const Value(nil)
+              v3:TrueClass = Const Value(true)
               v4:CBool[true] = Test v3
               IfFalse v4, bb1(v0, v3)
               v6:Fixnum[3] = Const Value(3)
@@ -4528,12 +4528,12 @@ mod tests {
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
               v3:BasicObject = GetConstantPath 0x1000
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               Jump bb1(v0, v4, v3)
-            bb1(v6:BasicObject, v7:NilClassExact, v8:BasicObject):
+            bb1(v6:BasicObject, v7:NilClass, v8:BasicObject):
               v11:BasicObject = SendWithoutBlock v8, :new
               Jump bb2(v6, v11, v7)
-            bb2(v13:BasicObject, v14:BasicObject, v15:NilClassExact):
+            bb2(v13:BasicObject, v14:BasicObject, v15:NilClass):
               Return v14
         "#]]);
     }
@@ -4580,8 +4580,8 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_opt_newarray_send, expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject, v1:BasicObject, v2:BasicObject):
-              v3:NilClassExact = Const Value(nil)
-              v4:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v7:BasicObject = SendWithoutBlock v1, :+, v2
               SideExit UnknownNewarraySend(MIN)
         "#]]);
@@ -4600,8 +4600,8 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_opt_newarray_send, expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject, v1:BasicObject, v2:BasicObject):
-              v3:NilClassExact = Const Value(nil)
-              v4:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v7:BasicObject = SendWithoutBlock v1, :+, v2
               SideExit UnknownNewarraySend(HASH)
         "#]]);
@@ -4620,8 +4620,8 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_opt_newarray_send, expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject, v1:BasicObject, v2:BasicObject):
-              v3:NilClassExact = Const Value(nil)
-              v4:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v7:BasicObject = SendWithoutBlock v1, :+, v2
               v8:StringExact[VALUE(0x1000)] = Const Value(VALUE(0x1000))
               v9:StringExact = StringCopy v8
@@ -4644,8 +4644,8 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_opt_newarray_send, expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject, v1:BasicObject, v2:BasicObject):
-              v3:NilClassExact = Const Value(nil)
-              v4:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v7:BasicObject = SendWithoutBlock v1, :+, v2
               SideExit UnknownNewarraySend(INCLUDE_P)
         "#]]);
@@ -4808,7 +4808,7 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_opt_aset, expect![[r#"
             fn test@<compiled>:2:
             bb0(v0:BasicObject, v1:BasicObject, v2:BasicObject):
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v5:Fixnum[1] = Const Value(1)
               v7:BasicObject = SendWithoutBlock v1, :[]=, v2, v5
               Return v5
@@ -4957,9 +4957,9 @@ mod tests {
         assert_method_hir_with_opcode("reverse_odd", YARVINSN_opt_reverse, expect![[r#"
             fn reverse_odd@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
-              v2:NilClassExact = Const Value(nil)
-              v3:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
+              v2:NilClass = Const Value(nil)
+              v3:NilClass = Const Value(nil)
               v6:BasicObject = GetIvar v0, :@a
               v8:BasicObject = GetIvar v0, :@b
               v10:BasicObject = GetIvar v0, :@c
@@ -4969,10 +4969,10 @@ mod tests {
         assert_method_hir_with_opcode("reverse_even", YARVINSN_opt_reverse, expect![[r#"
             fn reverse_even@<compiled>:8:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
-              v2:NilClassExact = Const Value(nil)
-              v3:NilClassExact = Const Value(nil)
-              v4:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
+              v2:NilClass = Const Value(nil)
+              v3:NilClass = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v7:BasicObject = GetIvar v0, :@a
               v9:BasicObject = GetIvar v0, :@b
               v11:BasicObject = GetIvar v0, :@c
@@ -5031,7 +5031,7 @@ mod tests {
         assert_function_hir(function, expect![[r#"
             fn start@<internal:gc>:36:
             bb0(v0:BasicObject, v1:BasicObject, v2:BasicObject, v3:BasicObject, v4:BasicObject):
-              v6:FalseClassExact = Const Value(false)
+              v6:FalseClass = Const Value(false)
               v8:BasicObject = InvokeBuiltin gc_start_internal, v0, v1, v2, v3, v6
               Return v8
         "#]]);
@@ -5045,7 +5045,7 @@ mod tests {
         assert_method_hir_with_opcode("test", YARVINSN_dupn, expect![[r#"
             fn test@<compiled>:2:
             bb0(v0:BasicObject, v1:BasicObject):
-              v3:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
               v4:Fixnum[0] = Const Value(0)
               v5:Fixnum[1] = Const Value(1)
               v7:BasicObject = SendWithoutBlock v1, :[], v4, v5
@@ -5054,7 +5054,7 @@ mod tests {
               v10:Fixnum[2] = Const Value(2)
               v12:BasicObject = SendWithoutBlock v1, :[]=, v4, v5, v10
               Return v10
-            bb1(v14:BasicObject, v15:BasicObject, v16:NilClassExact, v17:BasicObject, v18:Fixnum[0], v19:Fixnum[1], v20:BasicObject):
+            bb1(v14:BasicObject, v15:BasicObject, v16:NilClass, v17:BasicObject, v18:Fixnum[0], v19:Fixnum[1], v20:BasicObject):
               Return v20
         "#]]);
     }
@@ -5488,7 +5488,7 @@ mod opt_tests {
         assert_optimized_method_hir("block", expect![[r#"
             fn block@<compiled>:6:
             bb0(v0:BasicObject, v1:BasicObject):
-              v3:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
               Return v3
         "#]]);
         assert_optimized_method_hir("post", expect![[r#"
@@ -5499,7 +5499,7 @@ mod opt_tests {
         assert_optimized_method_hir("forwardable", expect![[r#"
             fn forwardable@<compiled>:7:
             bb0(v0:BasicObject, v1:BasicObject):
-              v3:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
               Return v3
         "#]]);
     }
@@ -6185,7 +6185,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
               v4:ArrayExact = NewArray
               PatchPoint MethodRedefined(Array@0x1000, itself@0x1008, cme:0x1010)
               v7:Fixnum[1] = Const Value(1)
@@ -6206,7 +6206,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:4:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
               PatchPoint SingleRactorMode
               PatchPoint StableConstantNames(0x1000, M)
               v11:ModuleExact[VALUE(0x1008)] = Const Value(VALUE(0x1008))
@@ -6227,7 +6227,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
               v4:ArrayExact = NewArray
               PatchPoint MethodRedefined(Array@0x1000, length@0x1008, cme:0x1010)
               v7:Fixnum[5] = Const Value(5)
@@ -6327,7 +6327,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v1:NilClassExact = Const Value(nil)
+              v1:NilClass = Const Value(nil)
               v4:ArrayExact = NewArray
               PatchPoint MethodRedefined(Array@0x1000, size@0x1008, cme:0x1010)
               v7:Fixnum[5] = Const Value(5)
@@ -6379,7 +6379,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject, v1:BasicObject):
-              v2:NilClassExact = Const Value(nil)
+              v2:NilClass = Const Value(nil)
               v4:ArrayExact[VALUE(0x1000)] = Const Value(VALUE(0x1000))
               v6:ArrayExact = ArrayDup v4
               PatchPoint MethodRedefined(Array@0x1008, first@0x1010, cme:0x1018)
@@ -6587,7 +6587,7 @@ mod opt_tests {
               PatchPoint SingleRactorMode
               PatchPoint StableConstantNames(0x1000, C)
               v20:Class[VALUE(0x1008)] = Const Value(VALUE(0x1008))
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v11:BasicObject = SendWithoutBlock v20, :new
               Return v11
         "#]]);
@@ -6610,7 +6610,7 @@ mod opt_tests {
               PatchPoint SingleRactorMode
               PatchPoint StableConstantNames(0x1000, C)
               v22:Class[VALUE(0x1008)] = Const Value(VALUE(0x1008))
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v5:Fixnum[1] = Const Value(1)
               v13:BasicObject = SendWithoutBlock v22, :new, v5
               Return v13
@@ -6744,7 +6744,7 @@ mod opt_tests {
             fn test@<compiled>:2:
             bb0(v0:BasicObject):
               v3:HashExact = NewHash
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v6:BasicObject = SendWithoutBlock v3, :freeze, v4
               Return v6
         "#]]);
@@ -6803,7 +6803,7 @@ mod opt_tests {
             fn test@<compiled>:2:
             bb0(v0:BasicObject):
               v3:ArrayExact = NewArray
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v6:BasicObject = SendWithoutBlock v3, :freeze, v4
               Return v6
         "#]]);
@@ -6864,7 +6864,7 @@ mod opt_tests {
             bb0(v0:BasicObject):
               v2:StringExact[VALUE(0x1000)] = Const Value(VALUE(0x1000))
               v3:StringExact = StringCopy v2
-              v4:NilClassExact = Const Value(nil)
+              v4:NilClass = Const Value(nil)
               v6:BasicObject = SendWithoutBlock v3, :freeze, v4
               Return v6
         "#]]);
@@ -6958,7 +6958,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v3:NilClassExact = Const Value(nil)
+              v3:NilClass = Const Value(nil)
               Return v3
         "#]]);
     }
@@ -7028,7 +7028,7 @@ mod opt_tests {
               PatchPoint BOPRedefined(ARRAY_REDEFINED_OP_FLAG, BOP_FREEZE)
               v5:Fixnum[-10] = Const Value(-10)
               PatchPoint BOPRedefined(ARRAY_REDEFINED_OP_FLAG, BOP_AREF)
-              v11:NilClassExact = Const Value(nil)
+              v11:NilClass = Const Value(nil)
               Return v11
         "#]]);
     }
@@ -7045,7 +7045,7 @@ mod opt_tests {
               PatchPoint BOPRedefined(ARRAY_REDEFINED_OP_FLAG, BOP_FREEZE)
               v5:Fixnum[10] = Const Value(10)
               PatchPoint BOPRedefined(ARRAY_REDEFINED_OP_FLAG, BOP_AREF)
-              v11:NilClassExact = Const Value(nil)
+              v11:NilClass = Const Value(nil)
               Return v11
         "#]]);
     }
@@ -7129,9 +7129,9 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:2:
             bb0(v0:BasicObject):
-              v2:NilClassExact = Const Value(nil)
+              v2:NilClass = Const Value(nil)
               PatchPoint MethodRedefined(NilClass@0x1000, nil?@0x1008, cme:0x1010)
-              v7:TrueClassExact = CCall nil?@0x1038, v2
+              v7:TrueClass = CCall nil?@0x1038, v2
               Return v7
         "#]]);
     }
@@ -7147,7 +7147,7 @@ mod opt_tests {
         assert_optimized_method_hir("test", expect![[r#"
             fn test@<compiled>:3:
             bb0(v0:BasicObject):
-              v2:NilClassExact = Const Value(nil)
+              v2:NilClass = Const Value(nil)
               PatchPoint MethodRedefined(NilClass@0x1000, nil?@0x1008, cme:0x1010)
               v5:Fixnum[1] = Const Value(1)
               Return v5
@@ -7164,7 +7164,7 @@ mod opt_tests {
             bb0(v0:BasicObject):
               v2:Fixnum[1] = Const Value(1)
               PatchPoint MethodRedefined(Integer@0x1000, nil?@0x1008, cme:0x1010)
-              v7:FalseClassExact = CCall nil?@0x1038, v2
+              v7:FalseClass = CCall nil?@0x1038, v2
               Return v7
         "#]]);
     }
@@ -7198,8 +7198,8 @@ mod opt_tests {
             fn test@<compiled>:2:
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(NilClass@0x1000, nil?@0x1008, cme:0x1010)
-              v7:NilClassExact = GuardType v1, NilClassExact
-              v8:TrueClassExact = CCall nil?@0x1038, v7
+              v7:NilClass = GuardType v1, NilClass
+              v8:TrueClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
@@ -7215,8 +7215,8 @@ mod opt_tests {
             fn test@<compiled>:2:
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(FalseClass@0x1000, nil?@0x1008, cme:0x1010)
-              v7:FalseClassExact = GuardType v1, FalseClassExact
-              v8:FalseClassExact = CCall nil?@0x1038, v7
+              v7:FalseClass = GuardType v1, FalseClass
+              v8:FalseClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
@@ -7232,8 +7232,8 @@ mod opt_tests {
             fn test@<compiled>:2:
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(TrueClass@0x1000, nil?@0x1008, cme:0x1010)
-              v7:TrueClassExact = GuardType v1, TrueClassExact
-              v8:FalseClassExact = CCall nil?@0x1038, v7
+              v7:TrueClass = GuardType v1, TrueClass
+              v8:FalseClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
@@ -7250,7 +7250,7 @@ mod opt_tests {
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(Symbol@0x1000, nil?@0x1008, cme:0x1010)
               v7:StaticSymbol = GuardType v1, StaticSymbol
-              v8:FalseClassExact = CCall nil?@0x1038, v7
+              v8:FalseClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
@@ -7267,7 +7267,7 @@ mod opt_tests {
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(Integer@0x1000, nil?@0x1008, cme:0x1010)
               v7:Fixnum = GuardType v1, Fixnum
-              v8:FalseClassExact = CCall nil?@0x1038, v7
+              v8:FalseClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
@@ -7284,7 +7284,7 @@ mod opt_tests {
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(Float@0x1000, nil?@0x1008, cme:0x1010)
               v7:Flonum = GuardType v1, Flonum
-              v8:FalseClassExact = CCall nil?@0x1038, v7
+              v8:FalseClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
@@ -7301,7 +7301,7 @@ mod opt_tests {
             bb0(v0:BasicObject, v1:BasicObject):
               PatchPoint MethodRedefined(String@0x1000, nil?@0x1008, cme:0x1010)
               v7:StringExact = GuardType v1, StringExact
-              v8:FalseClassExact = CCall nil?@0x1038, v7
+              v8:FalseClass = CCall nil?@0x1038, v7
               Return v8
         "#]]);
     }
diff --git a/zjit/src/hir_type/gen_hir_type.rb b/zjit/src/hir_type/gen_hir_type.rb
index 27f936a389fad9..685767898221e6 100644
--- a/zjit/src/hir_type/gen_hir_type.rb
+++ b/zjit/src/hir_type/gen_hir_type.rb
@@ -89,19 +89,19 @@ def final_type name
 fixnum = integer_exact.subtype "Fixnum"
 integer_exact.subtype "Bignum"
 
-_, float_exact = base_type "Float"
+float_exact = final_type "Float"
 # CRuby partitions Float into immediate and non-immediate variants.
 flonum = float_exact.subtype "Flonum"
 float_exact.subtype "HeapFloat"
 
-_, symbol_exact = base_type "Symbol"
+symbol_exact = final_type "Symbol"
 # CRuby partitions Symbol into immediate and non-immediate variants.
 static_sym = symbol_exact.subtype "StaticSymbol"
 symbol_exact.subtype "DynamicSymbol"
 
-_, nil_exact = base_type "NilClass"
-_, true_exact = base_type "TrueClass"
-_, false_exact = base_type "FalseClass"
+nil_exact = final_type "NilClass"
+true_exact = final_type "TrueClass"
+false_exact = final_type "FalseClass"
 
 # Build the cvalue object universe. This is for C-level types that may be
 # passed around when calling into the Ruby VM or after some strength reduction
diff --git a/zjit/src/hir_type/hir_type.inc.rs b/zjit/src/hir_type/hir_type.inc.rs
index aaef14467b9bcc..68039c7f533b82 100644
--- a/zjit/src/hir_type/hir_type.inc.rs
+++ b/zjit/src/hir_type/hir_type.inc.rs
@@ -8,8 +8,8 @@ mod bits {
   pub const BasicObjectExact: u64 = 1u64 << 2;
   pub const BasicObjectSubclass: u64 = 1u64 << 3;
   pub const Bignum: u64 = 1u64 << 4;
-  pub const BoolExact: u64 = FalseClassExact | TrueClassExact;
-  pub const BuiltinExact: u64 = ArrayExact | BasicObjectExact | FalseClassExact | FloatExact | HashExact | Integer | ModuleExact | NilClassExact | ObjectExact | RangeExact | RegexpExact | SetExact | StringExact | SymbolExact | TrueClassExact;
+  pub const BoolExact: u64 = FalseClass | TrueClass;
+  pub const BuiltinExact: u64 = ArrayExact | BasicObjectExact | FalseClass | Float | HashExact | Integer | ModuleExact | NilClass | ObjectExact | RangeExact | RegexpExact | SetExact | StringExact | Symbol | TrueClass;
   pub const CBool: u64 = 1u64 << 5;
   pub const CDouble: u64 = 1u64 << 6;
   pub const CInt: u64 = CSigned | CUnsigned;
@@ -30,70 +30,56 @@ mod bits {
   pub const Class: u64 = 1u64 << 18;
   pub const DynamicSymbol: u64 = 1u64 << 19;
   pub const Empty: u64 = 0u64;
-  pub const FalseClass: u64 = FalseClassExact | FalseClassSubclass;
-  pub const FalseClassExact: u64 = 1u64 << 20;
-  pub const FalseClassSubclass: u64 = 1u64 << 21;
-  pub const Fixnum: u64 = 1u64 << 22;
-  pub const Float: u64 = FloatExact | FloatSubclass;
-  pub const FloatExact: u64 = Flonum | HeapFloat;
-  pub const FloatSubclass: u64 = 1u64 << 23;
-  pub const Flonum: u64 = 1u64 << 24;
+  pub const FalseClass: u64 = 1u64 << 20;
+  pub const Fixnum: u64 = 1u64 << 21;
+  pub const Float: u64 = Flonum | HeapFloat;
+  pub const Flonum: u64 = 1u64 << 22;
   pub const Hash: u64 = HashExact | HashSubclass;
-  pub const HashExact: u64 = 1u64 << 25;
-  pub const HashSubclass: u64 = 1u64 << 26;
-  pub const HeapFloat: u64 = 1u64 << 27;
-  pub const Immediate: u64 = FalseClassExact | Fixnum | Flonum | NilClassExact | StaticSymbol | TrueClassExact | Undef;
+  pub const HashExact: u64 = 1u64 << 23;
+  pub const HashSubclass: u64 = 1u64 << 24;
+  pub const HeapFloat: u64 = 1u64 << 25;
+  pub const Immediate: u64 = FalseClass | Fixnum | Flonum | NilClass | StaticSymbol | TrueClass | Undef;
   pub const Integer: u64 = Bignum | Fixnum;
   pub const Module: u64 = Class | ModuleExact | ModuleSubclass;
-  pub const ModuleExact: u64 = 1u64 << 28;
-  pub const ModuleSubclass: u64 = 1u64 << 29;
-  pub const NilClass: u64 = NilClassExact | NilClassSubclass;
-  pub const NilClassExact: u64 = 1u64 << 30;
-  pub const NilClassSubclass: u64 = 1u64 << 31;
+  pub const ModuleExact: u64 = 1u64 << 26;
+  pub const ModuleSubclass: u64 = 1u64 << 27;
+  pub const NilClass: u64 = 1u64 << 28;
   pub const Object: u64 = Array | FalseClass | Float | Hash | Integer | Module | NilClass | ObjectExact | ObjectSubclass | Range | Regexp | Set | String | Symbol | TrueClass;
-  pub const ObjectExact: u64 = 1u64 << 32;
-  pub const ObjectSubclass: u64 = 1u64 << 33;
+  pub const ObjectExact: u64 = 1u64 << 29;
+  pub const ObjectSubclass: u64 = 1u64 << 30;
   pub const Range: u64 = RangeExact | RangeSubclass;
-  pub const RangeExact: u64 = 1u64 << 34;
-  pub const RangeSubclass: u64 = 1u64 << 35;
+  pub const RangeExact: u64 = 1u64 << 31;
+  pub const RangeSubclass: u64 = 1u64 << 32;
   pub const Regexp: u64 = RegexpExact | RegexpSubclass;
-  pub const RegexpExact: u64 = 1u64 << 36;
-  pub const RegexpSubclass: u64 = 1u64 << 37;
+  pub const RegexpExact: u64 = 1u64 << 33;
+  pub const RegexpSubclass: u64 = 1u64 << 34;
   pub const RubyValue: u64 = BasicObject | CallableMethodEntry | Undef;
   pub const Set: u64 = SetExact | SetSubclass;
-  pub const SetExact: u64 = 1u64 << 38;
-  pub const SetSubclass: u64 = 1u64 << 39;
-  pub const StaticSymbol: u64 = 1u64 << 40;
+  pub const SetExact: u64 = 1u64 << 35;
+  pub const SetSubclass: u64 = 1u64 << 36;
+  pub const StaticSymbol: u64 = 1u64 << 37;
   pub const String: u64 = StringExact | StringSubclass;
-  pub const StringExact: u64 = 1u64 << 41;
-  pub const StringSubclass: u64 = 1u64 << 42;
-  pub const Subclass: u64 = ArraySubclass | BasicObjectSubclass | FalseClassSubclass | FloatSubclass | HashSubclass | ModuleSubclass | NilClassSubclass | ObjectSubclass | RangeSubclass | RegexpSubclass | SetSubclass | StringSubclass | SymbolSubclass | TrueClassSubclass;
-  pub const Symbol: u64 = SymbolExact | SymbolSubclass;
-  pub const SymbolExact: u64 = DynamicSymbol | StaticSymbol;
-  pub const SymbolSubclass: u64 = 1u64 << 43;
-  pub const TrueClass: u64 = TrueClassExact | TrueClassSubclass;
-  pub const TrueClassExact: u64 = 1u64 << 44;
-  pub const TrueClassSubclass: u64 = 1u64 << 45;
-  pub const Undef: u64 = 1u64 << 46;
-  pub const AllBitPatterns: [(&'static str, u64); 75] = [
+  pub const StringExact: u64 = 1u64 << 38;
+  pub const StringSubclass: u64 = 1u64 << 39;
+  pub const Subclass: u64 = ArraySubclass | BasicObjectSubclass | HashSubclass | ModuleSubclass | ObjectSubclass | RangeSubclass | RegexpSubclass | SetSubclass | StringSubclass;
+  pub const Symbol: u64 = DynamicSymbol | StaticSymbol;
+  pub const TrueClass: u64 = 1u64 << 40;
+  pub const Undef: u64 = 1u64 << 41;
+  pub const AllBitPatterns: [(&'static str, u64); 65] = [
     ("Any", Any),
     ("RubyValue", RubyValue),
     ("Immediate", Immediate),
     ("Undef", Undef),
     ("BasicObject", BasicObject),
     ("Object", Object),
-    ("TrueClass", TrueClass),
-    ("Subclass", Subclass),
-    ("TrueClassSubclass", TrueClassSubclass),
     ("BuiltinExact", BuiltinExact),
     ("BoolExact", BoolExact),
-    ("TrueClassExact", TrueClassExact),
-    ("Symbol", Symbol),
-    ("SymbolSubclass", SymbolSubclass),
+    ("TrueClass", TrueClass),
     ("String", String),
+    ("Subclass", Subclass),
     ("StringSubclass", StringSubclass),
     ("StringExact", StringExact),
-    ("SymbolExact", SymbolExact),
+    ("Symbol", Symbol),
     ("StaticSymbol", StaticSymbol),
     ("Set", Set),
     ("SetSubclass", SetSubclass),
@@ -107,24 +93,18 @@ mod bits {
     ("ObjectSubclass", ObjectSubclass),
     ("ObjectExact", ObjectExact),
     ("NilClass", NilClass),
-    ("NilClassSubclass", NilClassSubclass),
-    ("NilClassExact", NilClassExact),
     ("Module", Module),
     ("ModuleSubclass", ModuleSubclass),
     ("ModuleExact", ModuleExact),
     ("Float", Float),
-    ("FloatExact", FloatExact),
     ("HeapFloat", HeapFloat),
     ("Hash", Hash),
     ("HashSubclass", HashSubclass),
     ("HashExact", HashExact),
     ("Flonum", Flonum),
-    ("FloatSubclass", FloatSubclass),
     ("Integer", Integer),
     ("Fixnum", Fixnum),
     ("FalseClass", FalseClass),
-    ("FalseClassSubclass", FalseClassSubclass),
-    ("FalseClassExact", FalseClassExact),
     ("DynamicSymbol", DynamicSymbol),
     ("Class", Class),
     ("CallableMethodEntry", CallableMethodEntry),
@@ -152,7 +132,7 @@ mod bits {
     ("ArrayExact", ArrayExact),
     ("Empty", Empty),
   ];
-  pub const NumTypeBits: u64 = 47;
+  pub const NumTypeBits: u64 = 42;
 }
 pub mod types {
   use super::*;
@@ -187,12 +167,8 @@ pub mod types {
   pub const DynamicSymbol: Type = Type::from_bits(bits::DynamicSymbol);
   pub const Empty: Type = Type::from_bits(bits::Empty);
   pub const FalseClass: Type = Type::from_bits(bits::FalseClass);
-  pub const FalseClassExact: Type = Type::from_bits(bits::FalseClassExact);
-  pub const FalseClassSubclass: Type = Type::from_bits(bits::FalseClassSubclass);
   pub const Fixnum: Type = Type::from_bits(bits::Fixnum);
   pub const Float: Type = Type::from_bits(bits::Float);
-  pub const FloatExact: Type = Type::from_bits(bits::FloatExact);
-  pub const FloatSubclass: Type = Type::from_bits(bits::FloatSubclass);
   pub const Flonum: Type = Type::from_bits(bits::Flonum);
   pub const Hash: Type = Type::from_bits(bits::Hash);
   pub const HashExact: Type = Type::from_bits(bits::HashExact);
@@ -204,8 +180,6 @@ pub mod types {
   pub const ModuleExact: Type = Type::from_bits(bits::ModuleExact);
   pub const ModuleSubclass: Type = Type::from_bits(bits::ModuleSubclass);
   pub const NilClass: Type = Type::from_bits(bits::NilClass);
-  pub const NilClassExact: Type = Type::from_bits(bits::NilClassExact);
-  pub const NilClassSubclass: Type = Type::from_bits(bits::NilClassSubclass);
   pub const Object: Type = Type::from_bits(bits::Object);
   pub const ObjectExact: Type = Type::from_bits(bits::ObjectExact);
   pub const ObjectSubclass: Type = Type::from_bits(bits::ObjectSubclass);
@@ -225,10 +199,6 @@ pub mod types {
   pub const StringSubclass: Type = Type::from_bits(bits::StringSubclass);
   pub const Subclass: Type = Type::from_bits(bits::Subclass);
   pub const Symbol: Type = Type::from_bits(bits::Symbol);
-  pub const SymbolExact: Type = Type::from_bits(bits::SymbolExact);
-  pub const SymbolSubclass: Type = Type::from_bits(bits::SymbolSubclass);
   pub const TrueClass: Type = Type::from_bits(bits::TrueClass);
-  pub const TrueClassExact: Type = Type::from_bits(bits::TrueClassExact);
-  pub const TrueClassSubclass: Type = Type::from_bits(bits::TrueClassSubclass);
   pub const Undef: Type = Type::from_bits(bits::Undef);
 }
diff --git a/zjit/src/hir_type/mod.rs b/zjit/src/hir_type/mod.rs
index 462a84ff013f91..9ad0bdc6492826 100644
--- a/zjit/src/hir_type/mod.rs
+++ b/zjit/src/hir_type/mod.rs
@@ -72,7 +72,7 @@ fn write_spec(f: &mut std::fmt::Formatter, printer: &TypePrinter) -> std::fmt::R
     match ty.spec {
         Specialization::Any | Specialization::Empty => { Ok(()) },
         Specialization::Object(val) if val == unsafe { rb_mRubyVMFrozenCore } => write!(f, "[VMFrozenCore]"),
-        Specialization::Object(val) if ty.is_subtype(types::SymbolExact) => write!(f, "[:{}]", ruby_sym_to_rust_string(val)),
+        Specialization::Object(val) if ty.is_subtype(types::Symbol) => write!(f, "[:{}]", ruby_sym_to_rust_string(val)),
         Specialization::Object(val) => write!(f, "[{}]", val.print(printer.ptr_map)),
         Specialization::Type(val) => write!(f, "[class:{}]", get_class_name(val)),
         Specialization::TypeExact(val) => write!(f, "[class_exact:{}]", get_class_name(val)),
@@ -169,7 +169,7 @@ impl Type {
 
     /// Create a `Type` from a Ruby `VALUE`. The type is not guaranteed to have object
     /// specialization in its `specialization` field (for example, `Qnil` will just be
-    /// `types::NilClassExact`), but will be available via `ruby_object()`.
+    /// `types::NilClass`), but will be available via `ruby_object()`.
     pub fn from_value(val: VALUE) -> Type {
         if val.fixnum_p() {
             Type { bits: bits::Fixnum, spec: Specialization::Object(val) }
@@ -181,9 +181,9 @@ impl Type {
             Type { bits: bits::StaticSymbol, spec: Specialization::Object(val) }
         }
         // Singleton objects; don't specialize
-        else if val == Qnil { types::NilClassExact }
-        else if val == Qtrue { types::TrueClassExact }
-        else if val == Qfalse { types::FalseClassExact }
+        else if val == Qnil { types::NilClass }
+        else if val == Qtrue { types::TrueClass }
+        else if val == Qfalse { types::FalseClass }
         else if val.cme_p() {
             // NB: Checking for CME has to happen before looking at class_of because that's not
             // valid on imemo.
@@ -266,12 +266,12 @@ impl Type {
 
     /// Return true if the value with this type is definitely truthy.
     pub fn is_known_truthy(&self) -> bool {
-        !self.could_be(types::NilClassExact) && !self.could_be(types::FalseClassExact)
+        !self.could_be(types::NilClass) && !self.could_be(types::FalseClass)
     }
 
     /// Return true if the value with this type is definitely falsy.
     pub fn is_known_falsy(&self) -> bool {
-        self.is_subtype(types::NilClassExact) || self.is_subtype(types::FalseClassExact)
+        self.is_subtype(types::NilClass) || self.is_subtype(types::FalseClass)
     }
 
     /// Top self is the Ruby global object, where top-level method definitions go. Return true if
@@ -431,7 +431,7 @@ impl Type {
     }
 
     /// Return a pointer to the Ruby class that an object of this Type would have at run-time, if
-    /// known. This includes classes for HIR types such as ArrayExact or NilClassExact, which have
+    /// known. This includes classes for HIR types such as ArrayExact or NilClass, which have
     /// canonical Type representations that lack an explicit specialization in their `spec` fields.
     pub fn runtime_exact_ruby_class(&self) -> Option<VALUE> {
         if let Some(val) = self.exact_ruby_class() {
@@ -439,19 +439,19 @@ impl Type {
         }
         if self.is_subtype(types::ArrayExact) { return Some(unsafe { rb_cArray }); }
         if self.is_subtype(types::Class) { return Some(unsafe { rb_cClass }); }
-        if self.is_subtype(types::FalseClassExact) { return Some(unsafe { rb_cFalseClass }); }
-        if self.is_subtype(types::FloatExact) { return Some(unsafe { rb_cFloat }); }
+        if self.is_subtype(types::FalseClass) { return Some(unsafe { rb_cFalseClass }); }
+        if self.is_subtype(types::Float) { return Some(unsafe { rb_cFloat }); }
         if self.is_subtype(types::HashExact) { return Some(unsafe { rb_cHash }); }
         if self.is_subtype(types::Integer) { return Some(unsafe { rb_cInteger }); }
         if self.is_subtype(types::ModuleExact) { return Some(unsafe { rb_cModule }); }
-        if self.is_subtype(types::NilClassExact) { return Some(unsafe { rb_cNilClass }); }
+        if self.is_subtype(types::NilClass) { return Some(unsafe { rb_cNilClass }); }
         if self.is_subtype(types::ObjectExact) { return Some(unsafe { rb_cObject }); }
         if self.is_subtype(types::RangeExact) { return Some(unsafe { rb_cRange }); }
         if self.is_subtype(types::RegexpExact) { return Some(unsafe { rb_cRegexp }); }
         if self.is_subtype(types::SetExact) { return Some(unsafe { rb_cSet }); }
         if self.is_subtype(types::StringExact) { return Some(unsafe { rb_cString }); }
-        if self.is_subtype(types::SymbolExact) { return Some(unsafe { rb_cSymbol }); }
-        if self.is_subtype(types::TrueClassExact) { return Some(unsafe { rb_cTrueClass }); }
+        if self.is_subtype(types::Symbol) { return Some(unsafe { rb_cSymbol }); }
+        if self.is_subtype(types::TrueClass) { return Some(unsafe { rb_cTrueClass }); }
         None
     }
 
@@ -520,7 +520,7 @@ mod tests {
     #[test]
     fn empty_is_subtype_of_everything() {
         // Spot check a few cases
-        assert_subtype(types::Empty, types::NilClassExact);
+        assert_subtype(types::Empty, types::NilClass);
         assert_subtype(types::Empty, types::Array);
         assert_subtype(types::Empty, types::Object);
         assert_subtype(types::Empty, types::CUInt16);
@@ -532,7 +532,7 @@ mod tests {
     #[test]
     fn everything_is_a_subtype_of_any() {
         // Spot check a few cases
-        assert_subtype(types::NilClassExact, types::Any);
+        assert_subtype(types::NilClass, types::Any);
         assert_subtype(types::Array, types::Any);
         assert_subtype(types::Object, types::Any);
         assert_subtype(types::CUInt16, types::Any);
@@ -553,18 +553,14 @@ mod tests {
 
     #[test]
     fn float() {
-        assert_subtype(types::Flonum, types::FloatExact);
-        assert_subtype(types::HeapFloat, types::FloatExact);
-        assert_subtype(types::FloatExact, types::Float);
-        assert_subtype(types::FloatSubclass, types::Float);
+        assert_subtype(types::Flonum, types::Float);
+        assert_subtype(types::HeapFloat, types::Float);
     }
 
     #[test]
     fn symbol() {
-        assert_subtype(types::StaticSymbol, types::SymbolExact);
-        assert_subtype(types::DynamicSymbol, types::SymbolExact);
-        assert_subtype(types::SymbolExact, types::Symbol);
-        assert_subtype(types::SymbolSubclass, types::Symbol);
+        assert_subtype(types::StaticSymbol, types::Symbol);
+        assert_subtype(types::DynamicSymbol, types::Symbol);
     }
 
     #[test]
@@ -572,12 +568,9 @@ mod tests {
         assert_subtype(Type::fixnum(123), types::Immediate);
         assert_subtype(types::Fixnum, types::Immediate);
         assert_not_subtype(types::Bignum, types::Immediate);
-        assert_subtype(types::NilClassExact, types::Immediate);
-        assert_subtype(types::TrueClassExact, types::Immediate);
-        assert_subtype(types::FalseClassExact, types::Immediate);
-        assert_not_subtype(types::NilClassSubclass, types::Immediate);
-        assert_not_subtype(types::TrueClassSubclass, types::Immediate);
-        assert_not_subtype(types::FalseClassSubclass, types::Immediate);
+        assert_subtype(types::NilClass, types::Immediate);
+        assert_subtype(types::TrueClass, types::Immediate);
+        assert_subtype(types::FalseClass, types::Immediate);
         assert_subtype(types::StaticSymbol, types::Immediate);
         assert_not_subtype(types::DynamicSymbol, types::Immediate);
         assert_subtype(types::Flonum, types::Immediate);
@@ -594,11 +587,11 @@ mod tests {
     #[test]
     fn singletons_do_not_have_ruby_object() {
         assert_eq!(Type::from_value(Qnil).ruby_object(), None);
-        assert_eq!(types::NilClassExact.ruby_object(), None);
+        assert_eq!(types::NilClass.ruby_object(), None);
         assert_eq!(Type::from_value(Qtrue).ruby_object(), None);
-        assert_eq!(types::TrueClassExact.ruby_object(), None);
+        assert_eq!(types::TrueClass.ruby_object(), None);
         assert_eq!(Type::from_value(Qfalse).ruby_object(), None);
-        assert_eq!(types::FalseClassExact.ruby_object(), None);
+        assert_eq!(types::FalseClass.ruby_object(), None);
     }
 
     #[test]
@@ -611,21 +604,21 @@ mod tests {
     #[test]
     fn singletons_do_not_have_exact_ruby_class() {
         assert_eq!(Type::from_value(Qnil).exact_ruby_class(), None);
-        assert_eq!(types::NilClassExact.exact_ruby_class(), None);
+        assert_eq!(types::NilClass.exact_ruby_class(), None);
         assert_eq!(Type::from_value(Qtrue).exact_ruby_class(), None);
-        assert_eq!(types::TrueClassExact.exact_ruby_class(), None);
+        assert_eq!(types::TrueClass.exact_ruby_class(), None);
         assert_eq!(Type::from_value(Qfalse).exact_ruby_class(), None);
-        assert_eq!(types::FalseClassExact.exact_ruby_class(), None);
+        assert_eq!(types::FalseClass.exact_ruby_class(), None);
     }
 
     #[test]
     fn singletons_do_not_have_ruby_class() {
         assert_eq!(Type::from_value(Qnil).inexact_ruby_class(), None);
-        assert_eq!(types::NilClassExact.inexact_ruby_class(), None);
+        assert_eq!(types::NilClass.inexact_ruby_class(), None);
         assert_eq!(Type::from_value(Qtrue).inexact_ruby_class(), None);
-        assert_eq!(types::TrueClassExact.inexact_ruby_class(), None);
+        assert_eq!(types::TrueClass.inexact_ruby_class(), None);
         assert_eq!(Type::from_value(Qfalse).inexact_ruby_class(), None);
-        assert_eq!(types::FalseClassExact.inexact_ruby_class(), None);
+        assert_eq!(types::FalseClass.inexact_ruby_class(), None);
     }
 
     #[test]

From 3f22434e1afc69dc9f4d6dbff6025c7f41b91380 Mon Sep 17 00:00:00 2001
From: Max Bernstein <ruby@bernsteinbear.com>
Date: Mon, 28 Jul 2025 15:36:20 -0400
Subject: [PATCH 5/9] ZJIT: Fix land race

---
 zjit/src/codegen.rs | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/zjit/src/codegen.rs b/zjit/src/codegen.rs
index 490ead64652b80..b5906b07bb13e6 100644
--- a/zjit/src/codegen.rs
+++ b/zjit/src/codegen.rs
@@ -1037,13 +1037,13 @@ fn gen_guard_type(jit: &mut JITState, asm: &mut Assembler, val: lir::Opnd, guard
         // Use 8-bit comparison like YJIT does
         asm.cmp(val.with_num_bits(8).unwrap(), Opnd::UImm(RUBY_SYMBOL_FLAG as u64));
         asm.jne(side_exit(jit, state, GuardType(guard_type))?);
-    } else if guard_type.is_subtype(types::NilClassExact) {
+    } else if guard_type.is_subtype(types::NilClass) {
         asm.cmp(val, Qnil.into());
         asm.jne(side_exit(jit, state, GuardType(guard_type))?);
-    } else if guard_type.is_subtype(types::TrueClassExact) {
+    } else if guard_type.is_subtype(types::TrueClass) {
         asm.cmp(val, Qtrue.into());
         asm.jne(side_exit(jit, state, GuardType(guard_type))?);
-    } else if guard_type.is_subtype(types::FalseClassExact) {
+    } else if guard_type.is_subtype(types::FalseClass) {
         assert!(Qfalse.as_i64() == 0);
         asm.test(val, val);
         asm.jne(side_exit(jit, state, GuardType(guard_type))?);

From e15f1a71ada7f02a7cfb43b5687423ff6c0fb779 Mon Sep 17 00:00:00 2001
From: Jason Garber <jason@sixtwothree.org>
Date: Mon, 28 Jul 2025 10:54:47 -0400
Subject: [PATCH 6/9] [ruby/tsort] Add `changelog_uri` to gemspec metadata

Adds a link to the GitHub Releases page for this gem consistent with other gems in the Ruby organization. Existing examples include:

- [json](https://github.com/ruby/json/blob/master/json.gemspec)
- [ostruct](https://github.com/ruby/ostruct/blob/master/ostruct.gemspec)

https://github.com/ruby/tsort/commit/8086bb33bc
---
 lib/tsort.gemspec | 1 +
 1 file changed, 1 insertion(+)

diff --git a/lib/tsort.gemspec b/lib/tsort.gemspec
index 8970cbe8261770..4e0ef0507df008 100644
--- a/lib/tsort.gemspec
+++ b/lib/tsort.gemspec
@@ -19,6 +19,7 @@ Gem::Specification.new do |spec|
 
   spec.metadata["homepage_uri"] = spec.homepage
   spec.metadata["source_code_uri"] = spec.homepage
+  spec.metadata["changelog_uri"] = "#{spec.homepage}/releases"
 
   dir, gemspec = File.split(__FILE__)
   excludes = %W[

From 23000e712346880804b5dd61713293531637752c Mon Sep 17 00:00:00 2001
From: Peter Zhu <peter@peterzhu.ca>
Date: Mon, 28 Jul 2025 15:06:54 -0400
Subject: [PATCH 7/9] Remove unnecessary internal/gc.h include in hash.c

hash.c compiles just fine on HASH_DEBUG without including internal/gc.h.
---
 hash.c | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/hash.c b/hash.c
index 6f3ffb78ba2055..7256063d72e079 100644
--- a/hash.c
+++ b/hash.c
@@ -71,10 +71,6 @@
 #define HASH_DEBUG 0
 #endif
 
-#if HASH_DEBUG
-#include "internal/gc.h"
-#endif
-
 #define SET_DEFAULT(hash, ifnone) ( \
     FL_UNSET_RAW(hash, RHASH_PROC_DEFAULT), \
     RHASH_SET_IFNONE(hash, ifnone))

From a0d0b84bade7c8b07d8be601136a70bb8b9ae866 Mon Sep 17 00:00:00 2001
From: Stan Lo <stan.lo@shopify.com>
Date: Mon, 28 Jul 2025 22:48:41 +0100
Subject: [PATCH 8/9] ZJIT: Support invalidating constant patch points (#13998)

---
 test/ruby/test_zjit.rb | 42 ++++++++++++++++++++++++++++++
 vm_method.c            |  1 +
 zjit.h                 |  2 ++
 zjit/src/codegen.rs    |  6 ++++-
 zjit/src/cruby.rs      |  2 +-
 zjit/src/invariants.rs | 58 +++++++++++++++++++++++++++++++++++++++++-
 6 files changed, 108 insertions(+), 3 deletions(-)

diff --git a/test/ruby/test_zjit.rb b/test/ruby/test_zjit.rb
index fc085d2e93c9a4..b78d53e682233c 100644
--- a/test/ruby/test_zjit.rb
+++ b/test/ruby/test_zjit.rb
@@ -889,6 +889,48 @@ def test = X
     end
   end
 
+  def test_constant_invalidation
+    assert_compiles '123', <<~RUBY, call_threshold: 2, insns: [:opt_getconstant_path]
+      class C; end
+      def test = C
+      test
+      test
+
+      C = 123
+      test
+    RUBY
+  end
+
+  def test_constant_path_invalidation
+    assert_compiles '["Foo::C", "Foo::C", "Bar::C"]', <<~RUBY, call_threshold: 2, insns: [:opt_getconstant_path]
+      module A
+        module B; end
+      end
+
+      module Foo
+        C = "Foo::C"
+      end
+
+      module Bar
+        C = "Bar::C"
+      end
+
+      A::B = Foo
+
+      def test = A::B::C
+
+      result = []
+
+      result << test
+      result << test
+
+      A::B = Bar
+
+      result << test
+      result
+    RUBY
+  end
+
   def test_dupn
     assert_compiles '[[1], [1, 1], :rhs, [nil, :rhs]]', <<~RUBY, insns: [:dupn]
       def test(array) = (array[1, 2] ||= :rhs)
diff --git a/vm_method.c b/vm_method.c
index 84d0ed2f9e4c07..fa81d56c74119d 100644
--- a/vm_method.c
+++ b/vm_method.c
@@ -148,6 +148,7 @@ rb_clear_constant_cache_for_id(ID id)
     }
 
     rb_yjit_constant_state_changed(id);
+    rb_zjit_constant_state_changed(id);
 }
 
 static void
diff --git a/zjit.h b/zjit.h
index 724ae4abd05b15..e354d4b122d0cf 100644
--- a/zjit.h
+++ b/zjit.h
@@ -14,6 +14,7 @@ void rb_zjit_profile_enable(const rb_iseq_t *iseq);
 void rb_zjit_bop_redefined(int redefined_flag, enum ruby_basic_operators bop);
 void rb_zjit_cme_invalidate(const rb_callable_method_entry_t *cme);
 void rb_zjit_invalidate_ep_is_bp(const rb_iseq_t *iseq);
+void rb_zjit_constant_state_changed(ID id);
 void rb_zjit_iseq_mark(void *payload);
 void rb_zjit_iseq_update_references(void *payload);
 #else
@@ -24,6 +25,7 @@ static inline void rb_zjit_profile_enable(const rb_iseq_t *iseq) {}
 static inline void rb_zjit_bop_redefined(int redefined_flag, enum ruby_basic_operators bop) {}
 static inline void rb_zjit_cme_invalidate(const rb_callable_method_entry_t *cme) {}
 static inline void rb_zjit_invalidate_ep_is_bp(const rb_iseq_t *iseq) {}
+static inline void rb_zjit_constant_state_changed(ID id) {}
 #endif // #if USE_YJIT
 
 #endif // #ifndef ZJIT_H
diff --git a/zjit/src/codegen.rs b/zjit/src/codegen.rs
index b5906b07bb13e6..de73586249f624 100644
--- a/zjit/src/codegen.rs
+++ b/zjit/src/codegen.rs
@@ -4,7 +4,7 @@ use std::ffi::{c_int};
 
 use crate::asm::Label;
 use crate::backend::current::{Reg, ALLOC_REGS};
-use crate::invariants::{track_bop_assumption, track_cme_assumption};
+use crate::invariants::{track_bop_assumption, track_cme_assumption, track_stable_constant_names_assumption};
 use crate::gc::{get_or_create_iseq_payload, append_gc_offsets};
 use crate::state::ZJITState;
 use crate::{asm::CodeBlock, cruby::*, options::debug, virtualmem::CodePtr};
@@ -505,6 +505,10 @@ fn gen_patch_point(jit: &mut JITState, asm: &mut Assembler, invariant: &Invarian
                 let side_exit_ptr = cb.resolve_label(label);
                 track_cme_assumption(cme, code_ptr, side_exit_ptr);
             }
+            Invariant::StableConstantNames { idlist } => {
+                let side_exit_ptr = cb.resolve_label(label);
+                track_stable_constant_names_assumption(idlist, code_ptr, side_exit_ptr);
+            }
             _ => {
                 debug!("ZJIT: gen_patch_point: unimplemented invariant {invariant:?}");
                 return;
diff --git a/zjit/src/cruby.rs b/zjit/src/cruby.rs
index 2557e2e913dc51..56e342cba03001 100644
--- a/zjit/src/cruby.rs
+++ b/zjit/src/cruby.rs
@@ -259,7 +259,7 @@ pub struct VALUE(pub usize);
 /// An interned string. See [ids] and methods this type.
 /// `0` is a sentinal value for IDs.
 #[repr(transparent)]
-#[derive(Clone, Copy, PartialEq, Eq, Debug)]
+#[derive(Clone, Copy, PartialEq, Eq, Debug, Hash)]
 pub struct ID(pub ::std::os::raw::c_ulong);
 
 /// Pointer to an ISEQ
diff --git a/zjit/src/invariants.rs b/zjit/src/invariants.rs
index 6949da6a86a007..25cffb970e62dc 100644
--- a/zjit/src/invariants.rs
+++ b/zjit/src/invariants.rs
@@ -1,6 +1,6 @@
 use std::{collections::{HashMap, HashSet}};
 
-use crate::{backend::lir::{asm_comment, Assembler}, cruby::{rb_callable_method_entry_t, ruby_basic_operators, src_loc, with_vm_lock, IseqPtr, RedefinitionFlag}, hir::Invariant, options::debug, state::{zjit_enabled_p, ZJITState}, virtualmem::CodePtr};
+use crate::{backend::lir::{asm_comment, Assembler}, cruby::{rb_callable_method_entry_t, ruby_basic_operators, src_loc, with_vm_lock, IseqPtr, RedefinitionFlag, ID}, hir::Invariant, options::debug, state::{zjit_enabled_p, ZJITState}, virtualmem::CodePtr};
 
 #[derive(Debug, Eq, Hash, PartialEq)]
 struct Jump {
@@ -23,6 +23,9 @@ pub struct Invariants {
 
     /// Map from CME to patch points that assume the method hasn't been redefined
     cme_patch_points: HashMap<*const rb_callable_method_entry_t, HashSet<Jump>>,
+
+    /// Map from constant ID to patch points that assume the constant hasn't been redefined
+    constant_state_patch_points: HashMap<ID, HashSet<Jump>>,
 }
 
 /// Called when a basic operator is redefined. Note that all the blocks assuming
@@ -116,6 +119,30 @@ pub fn track_cme_assumption(
     });
 }
 
+/// Track a patch point for each constant name in a constant path assumption.
+pub fn track_stable_constant_names_assumption(
+    idlist: *const ID,
+    patch_point_ptr: CodePtr,
+    side_exit_ptr: CodePtr
+) {
+    let invariants = ZJITState::get_invariants();
+
+    let mut idx = 0;
+    loop {
+        let id = unsafe { *idlist.wrapping_add(idx) };
+        if id.0 == 0 {
+            break;
+        }
+
+        invariants.constant_state_patch_points.entry(id).or_default().insert(Jump {
+            from: patch_point_ptr,
+            to: side_exit_ptr,
+        });
+
+        idx += 1;
+    }
+}
+
 /// Called when a method is redefined. Invalidates all JIT code that depends on the CME.
 #[unsafe(no_mangle)]
 pub extern "C" fn rb_zjit_cme_invalidate(cme: *const rb_callable_method_entry_t) {
@@ -144,3 +171,32 @@ pub extern "C" fn rb_zjit_cme_invalidate(cme: *const rb_callable_method_entry_t)
         }
     });
 }
+
+/// Called when a constant is redefined. Invalidates all JIT code that depends on the constant.
+#[unsafe(no_mangle)]
+pub extern "C" fn rb_zjit_constant_state_changed(id: ID) {
+    // If ZJIT isn't enabled, do nothing
+    if !zjit_enabled_p() {
+        return;
+    }
+
+    with_vm_lock(src_loc!(), || {
+        let invariants = ZJITState::get_invariants();
+        if let Some(jumps) = invariants.constant_state_patch_points.get(&id) {
+            let cb = ZJITState::get_code_block();
+            debug!("Constant state changed: {:?}", id);
+
+            // Invalidate all patch points for this constant ID
+            for jump in jumps {
+                cb.with_write_ptr(jump.from, |cb| {
+                    let mut asm = Assembler::new();
+                    asm_comment!(asm, "Constant state changed: {:?}", id);
+                    asm.jmp(jump.to.into());
+                    asm.compile(cb).expect("can write existing code");
+                });
+            }
+
+            cb.mark_all_executable();
+        }
+    });
+}

From f1acf47ca2061ec04ffca4be0b1e3c9a188403fe Mon Sep 17 00:00:00 2001
From: Takashi Kokubun <takashikkbn@gmail.com>
Date: Mon, 28 Jul 2025 15:17:45 -0700
Subject: [PATCH 9/9] YJIT: Call YJIT hooks before enabling YJIT (#14032)

---
 inits.c                        | 2 +-
 ruby.c                         | 6 ------
 yjit.rb                        | 1 -
 yjit/bindgen/src/main.rs       | 5 +++++
 yjit/src/cruby.rs              | 8 +++++++-
 yjit/src/cruby_bindings.inc.rs | 3 +++
 yjit/src/yjit.rs               | 6 ++++++
 yjit_hook.rb                   | 5 -----
 8 files changed, 22 insertions(+), 14 deletions(-)

diff --git a/inits.c b/inits.c
index 29087a6306481b..b4e58ea25a1cec 100644
--- a/inits.c
+++ b/inits.c
@@ -90,7 +90,6 @@ rb_call_builtin_inits(void)
 #define BUILTIN(n) CALL(builtin_##n)
     BUILTIN(kernel);
     BUILTIN(yjit);
-    // BUILTIN(yjit_hook) is called after rb_yjit_init()
     BUILTIN(gc);
     BUILTIN(ractor);
     BUILTIN(numeric);
@@ -109,6 +108,7 @@ rb_call_builtin_inits(void)
     BUILTIN(nilclass);
     BUILTIN(marshal);
     BUILTIN(zjit);
+    BUILTIN(yjit_hook);
     Init_builtin_prelude();
 }
 #undef CALL
diff --git a/ruby.c b/ruby.c
index 0d09e7ce61e1ab..cc67b0b25db8f8 100644
--- a/ruby.c
+++ b/ruby.c
@@ -1833,12 +1833,6 @@ ruby_opt_init(ruby_cmdline_options_t *opt)
     }
 #endif
 
-#if USE_YJIT
-    // Call yjit_hook.rb after rb_yjit_init() to use `RubyVM::YJIT.enabled?`
-    void Init_builtin_yjit_hook();
-    Init_builtin_yjit_hook();
-#endif
-
     rb_namespace_init_done();
     ruby_init_prelude();
     ruby_set_script_name(opt->script_name);
diff --git a/yjit.rb b/yjit.rb
index e8ba3cdd28752a..e4fafa729eea75 100644
--- a/yjit.rb
+++ b/yjit.rb
@@ -64,7 +64,6 @@ def self.enable(stats: false, log: false, mem_size: nil, call_threshold: nil)
     end
 
     at_exit { print_and_dump_stats } if stats
-    call_yjit_hooks
     Primitive.rb_yjit_enable(stats, stats != :quiet, log, log != :quiet, mem_size, call_threshold)
   end
 
diff --git a/yjit/bindgen/src/main.rs b/yjit/bindgen/src/main.rs
index 7c8ce7bce5c69d..61b6f233269269 100644
--- a/yjit/bindgen/src/main.rs
+++ b/yjit/bindgen/src/main.rs
@@ -105,6 +105,9 @@ fn main() {
         .allowlist_var("SHAPE_ID_NUM_BITS")
         .allowlist_var("SHAPE_ID_HAS_IVAR_MASK")
 
+        // From ruby/internal/eval.h
+        .allowlist_function("rb_funcall")
+
         // From ruby/internal/intern/object.h
         .allowlist_function("rb_obj_is_kind_of")
         .allowlist_function("rb_obj_frozen_p")
@@ -269,6 +272,7 @@ fn main() {
         .allowlist_function("rb_float_new")
 
         // From vm_core.h
+        .allowlist_var("rb_cRubyVM")
         .allowlist_var("rb_mRubyVMFrozenCore")
         .allowlist_var("VM_BLOCK_HANDLER_NONE")
         .allowlist_type("vm_frame_env_flags")
@@ -383,6 +387,7 @@ fn main() {
         .allowlist_function("rb_ivar_defined")
         .allowlist_function("rb_ivar_get")
         .allowlist_function("rb_mod_name")
+        .allowlist_function("rb_const_get")
 
         // From internal/vm.h
         .allowlist_var("rb_vm_insns_count")
diff --git a/yjit/src/cruby.rs b/yjit/src/cruby.rs
index 725a29fa70cf23..f7a08b3b18b537 100644
--- a/yjit/src/cruby.rs
+++ b/yjit/src/cruby.rs
@@ -601,9 +601,15 @@ pub fn rust_str_to_ruby(str: &str) -> VALUE {
 
 /// Produce a Ruby symbol from a Rust string slice
 pub fn rust_str_to_sym(str: &str) -> VALUE {
+    let id = rust_str_to_id(str);
+    unsafe { rb_id2sym(id) }
+}
+
+/// Produce an ID from a Rust string slice
+pub fn rust_str_to_id(str: &str) -> ID {
     let c_str = CString::new(str).unwrap();
     let c_ptr: *const c_char = c_str.as_ptr();
-    unsafe { rb_id2sym(rb_intern(c_ptr)) }
+    unsafe { rb_intern(c_ptr) }
 }
 
 /// Produce an owned Rust String from a C char pointer
diff --git a/yjit/src/cruby_bindings.inc.rs b/yjit/src/cruby_bindings.inc.rs
index 666f5c4f28d614..8268b889199170 100644
--- a/yjit/src/cruby_bindings.inc.rs
+++ b/yjit/src/cruby_bindings.inc.rs
@@ -1019,6 +1019,7 @@ extern "C" {
     pub fn rb_gc_location(obj: VALUE) -> VALUE;
     pub fn rb_gc_writebarrier(old: VALUE, young: VALUE);
     pub fn rb_class_get_superclass(klass: VALUE) -> VALUE;
+    pub fn rb_funcall(recv: VALUE, mid: ID, n: ::std::os::raw::c_int, ...) -> VALUE;
     pub static mut rb_mKernel: VALUE;
     pub static mut rb_cBasicObject: VALUE;
     pub static mut rb_cArray: VALUE;
@@ -1080,6 +1081,7 @@ extern "C" {
     pub fn rb_ivar_get(obj: VALUE, name: ID) -> VALUE;
     pub fn rb_ivar_defined(obj: VALUE, name: ID) -> VALUE;
     pub fn rb_attr_get(obj: VALUE, name: ID) -> VALUE;
+    pub fn rb_const_get(space: VALUE, name: ID) -> VALUE;
     pub fn rb_obj_info_dump(obj: VALUE);
     pub fn rb_class_allocate_instance(klass: VALUE) -> VALUE;
     pub fn rb_obj_equal(obj1: VALUE, obj2: VALUE) -> VALUE;
@@ -1102,6 +1104,7 @@ extern "C" {
         klass: VALUE,
         id: ID,
     ) -> *const rb_callable_method_entry_t;
+    pub static mut rb_cRubyVM: VALUE;
     pub static mut rb_mRubyVMFrozenCore: VALUE;
     pub static mut rb_block_param_proxy: VALUE;
     pub fn rb_vm_ep_local_ep(ep: *const VALUE) -> *const VALUE;
diff --git a/yjit/src/yjit.rs b/yjit/src/yjit.rs
index 4b2b5214f4da13..8df1163d64b725 100644
--- a/yjit/src/yjit.rs
+++ b/yjit/src/yjit.rs
@@ -54,6 +54,12 @@ fn yjit_init() {
     // TODO: need to make sure that command-line options have been
     // initialized by CRuby
 
+    // Call YJIT hooks before enabling YJIT to avoid compiling the hooks themselves
+    unsafe {
+        let yjit = rb_const_get(rb_cRubyVM, rust_str_to_id("YJIT"));
+        rb_funcall(yjit, rust_str_to_id("call_yjit_hooks"), 0);
+    }
+
     // Catch panics to avoid UB for unwinding into C frames.
     // See https://doc.rust-lang.org/nomicon/exception-safety.html
     let result = std::panic::catch_unwind(|| {
diff --git a/yjit_hook.rb b/yjit_hook.rb
index 8f0f38aaf1f535..610a7be3303e2c 100644
--- a/yjit_hook.rb
+++ b/yjit_hook.rb
@@ -1,8 +1,3 @@
-# If YJIT is enabled, load the YJIT-only version of builtin methods
-if defined?(RubyVM::YJIT) && RubyVM::YJIT.enabled?
-  RubyVM::YJIT.send(:call_yjit_hooks)
-end
-
 # Remove the helper defined in kernel.rb
 class Module
   undef :with_yjit