From 7c46aa5ed4573ca04e6ffe1b19191e8227db2ab3 Mon Sep 17 00:00:00 2001
From: Peter Zhu
Date: Wed, 12 Jun 2024 15:07:53 -0400
Subject: [PATCH] [Bug #20577] Fix freeing symbols when RUBY_FREE_AT_EXIT
Dynamic symbols point to a fstring. When we free the symbol, we hash the fstring to remove it from the table. However, the fstring could have already been freed, which can cause a crash. This commit changes it to remove the reference to the fstring before freeing the symbol so we can avoid this crash.
---
 gc.c | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/gc.c b/gc.c
index 5d512c466a..aa5b720a5c 100644
--- a/gc.c
+++ b/gc.c
@@ -4336,6 +4336,17 @@ rb_objspace_call_finalizer_i(VALUE obj, void *data)
 case T_FILE:
 obj_free(objspace, obj);
 break;
+ case T_SYMBOL:
+ if (rb_free_at_exit) {
+ if (RSYMBOL(obj)->fstr &&
+ (BUILTIN_TYPE(RSYMBOL(obj)->fstr) == T_NONE ||
+ BUILTIN_TYPE(RSYMBOL(obj)->fstr) == T_ZOMBIE)) {
+ RSYMBOL(obj)->fstr = 0;
+ }
+
+ obj_free(objspace, obj);
+ }
+ break;
 case T_NONE:
 break;
 default:
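Review bot: The liveness test in the new `case T_SYMBOL:` arm reads `BUILTIN_TYPE(RSYMBOL(obj)->fstr)`, which itself dereferences the slot of a string that may already have been freed. That is only sound if a freed slot stays mapped and keeps a `T_NONE`/`T_ZOMBIE` header until this walk finishes, and nothing in the hunk states or asserts that invariant. If a slot could be reused for a new object while finalizers run, the check would presumably see a live type and `obj_free` would still hash a stale reference, so the assumption is worth confirming against the allocator. I would document it above the inner `if`, for example `/* fstr may already be freed by this walk; its slot header is still readable, but the string must not be hashed */`. The enclosing `rb_objspace_call_finalizer_i` starts and ends outside the hunk, so whether `T_SYMBOL` previously reached `default:` when `rb_free_at_exit` is unset cannot be checked from here.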