They read like this:
```
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/util.rb:13: warning: method redefined; discarding old rfc1123_date
/opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/cgi/util.rb:225: warning: previous definition of rfc1123_date was here
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/util.rb:34: warning: method redefined; discarding old pretty
/opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/cgi/util.rb:246: warning: previous definition of pretty was here
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/escape.rb:16: warning: method redefined; discarding old escape
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/escape.rb:29: warning: method redefined; discarding old unescape
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/util.rb:13: warning: method redefined; discarding old rfc1123_date
/opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/cgi/util.rb:225: warning: previous definition of rfc1123_date was here
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/util.rb:34: warning: method redefined; discarding old pretty
/opt/hostedtoolcache/Ruby/3.4.3/x64/lib/ruby/3.4.0/cgi/util.rb:246: warning: previous definition of pretty was here
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/escape.rb:16: warning: method redefined; discarding old escape
/home/runner/work/rubygems/rubygems/bundler/tmp/gems/base/ruby/3.4.0/gems/cgi-0.5.0.beta2/lib/cgi/escape.rb:29: warning: method redefined; discarding old unescape
```
The problem is that `rspec` loads `erb` for its configuration, which
loads `cgi/util` from system gems.
Then our tests change the `$LOAD_PATH` to make test gems installed in
tmp visible to `require`, and then they all require `cgi` as a
transitive dependency of `rack-test`, this time from `tmp` gems. This
causes system and test specific copies to be mixed together and these
warnings to be printed, but we have also observed failures in some tests
with errors like
> class variable @@accept_charset of CGI::Util is overtaken by CGI::Escape
This changes should also fix those failures.
The fix is to require all of `rack-test` (including `cgi`) before we
have changed the `$LOAD_PATH`. Because the `$LOAD_PATH` is unchanged,
RubyGems respects the version of `cgi` activated by RSpec, avoiding the
double loads.
https://github.com/rubygems/rubygems/commit/34e75465c6
Necessary changes to get tests passing are:
* Rewrite one "out of memory" error spec to not define a subclass inside
a RSpec context block. Due to some [JRuby issue], that's failing in
JRuby 10, so I rewrote the test so that the Bundler process really
goes OOM and that class definition is not necessary.
* JRuby 10, even if Ruby 3.4-compatible, has not yet adapted backtraces
to include receivers, so our tests need an special case for JRuby when
detecting a test method call inside backtraces.
* Warbler test is upgraded to use JRuby 10. Getting it to pass needs [a
PR] to warbler, so our test is temporarily pointing to that PR.
[JRuby issue]: https://github.com/jruby/jruby/issues/8838
[a PR]: https://github.com/jruby/warbler/pull/557https://github.com/rubygems/rubygems/commit/edec85d4c3
The issue was that the property that
```ruby
platform = Gem::Platform.new $string
platform == Gem::Platform.new(platform.to_s)
```
was not always true.
This property (of acchieving a fix point) is important,
since `Gem::Platform` gets serialized to a string and
then deserialized back to a `Gem::Platform` object.
If it doesn't deserialize to the same object, then
different platforms are used for the initial serialization
than subsequent runs.
I used https://github.com/segiddins/Scratch/blob/main/2025/03/rubygems-platform.rb
to find the failing cases and then fixed them.
With this patch, the prop check test now passes.
https://github.com/rubygems/rubygems/commit/313fb4bcec
Freeze `Net::HTTP::SSL_IVNAMES`, `Net::HTTPResponse::CODE_CLASS_TO_OBJ`
and `Net::HTTPResponse::CODE_TO_OBJ` to improve Ractor compatibility.
This change allows the following code to work:
Ractor.new {
uri = URI.parse('http://example.com')
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = nil
http.read_timeout = nil
http.get('/index.html')
}
https://github.com/ruby/net-http/commit/9f0f5e4b4d
`ruby --yjit --zjit` already warns and exits, but it was still possible
to enable both with `ruby --zjit -e 'RubyVM:YJIT.enable`.
This commit prevents that with a warning and an early return. (We could
also exit, but that seems a bit unfriendly once we're already running
the program.)
Co-authored-by: ywenc <ywenc@github.com>
The following is crashing for me:
```shell
ruby --yjit --yjit-call-threshold=1 -e '1.tap { raise rescue p it }'
ruby: YJIT has panicked. More info to follow...
thread '<unnamed>' panicked at ./yjit/src/codegen.rs:2402:14:
...
```
It seems `it` sometimes points to the wrong value:
```shell
ruby -e '1.tap { raise rescue p it }'
false
ruby -e '1.tap { begin; raise; ensure; p it; end } rescue nil'
false
```
But only when `$!` is set:
```shell
ruby -e '1.tap { begin; nil; ensure; p it; end }'
1
ruby -e '1.tap { begin; nil; rescue; ensure; p it; end }'
1
ruby -e '1.tap { begin; raise; rescue; ensure; p it; end }'
1
```
Prevent double free for too big repetition quantifiers
The previous implementation calls `free(node)` twice (on parsing and compiling a
regexp) when it has an error, so it leads to a double-free issue. This
commit enforces `free(node)` once by introducing a temporal pointer to hold
parsing nodes.
Right now we just crash if we can't compile an ISEQ for any reason
(unimplemented in HIR, unimplemented in codegen, ...) and this fixes
that by bailing out.
Although it almost certainly works in this case, volatile is best not
used for multi-threaded code. Using atomics instead avoids warnings from
TSan.
This also simplifies some logic, as system_working was previously only
ever assigned to 1, so --system_working <= 0 should always return true
(unless it underflowed).
If SSL_CTX_add_extra_chain_cert() fails, the refcount of x509 must be
handled by the caller. This should only occur due to a malloc failure
inside the function.
https://github.com/ruby/openssl/commit/80bcf727dc
OpenSSL::Cipher#encrypt and #decrypt have long supported a hidden
feature to derive a key and an IV from the String argument, but in an
inappropriate way.
This feature is undocumented, untested, and has been deprecated since
commit https://github.com/ruby/ruby/commit/0dc43217b189 on 2004-06-30,
which started printing a non-verbose warning. More than 20 years later,
it must be safe to remove it entirely.
The deprecated usage:
# `password` is a String, `iv` is either a String or nil
cipher = OpenSSL::Cipher.new("aes-256-cbc")
cipher.encrypt(password, iv)
p cipher.update("data") << cipher.final
was equivalent to:
cipher = OpenSSL::Cipher.new("aes-256-cbc")
cipher.encrypt
iv ||= "OpenSSL for Ruby rulez!"
key = ((cipher.key_len + 15) / 16).times.inject([""]) { |ary, _|
ary << OpenSSL::Digest.digest("MD5", ary.last + password + iv[0, 8].ljust(8, "\0"))
}.join
cipher.key = key[...cipher.key_len]
cipher.iv = iv[...cipher.iv_len].ljust(cipher.iv_len, "\0")
p cipher.update("data") << cipher.final
https://github.com/ruby/openssl/commit/e46d992ea1
Building that table will likely malloc several time which
can trigger GC and cause race condition by freeing objects
that were just added to the table.
Disabling GC to prevent the race condition isn't elegant,
but iven this is a deprecated callpath that is executed at
most once per process, it seems acceptable.
The previous implementation assumed `RBasic` size is `2 * sizeof(VALUE)`,
might as well not make assumption and use a proper `sizeof`.
Co-Authored-By: John Hawthorn <john@hawthorn.email>
