From Fedora Project Wiki
(Update links to the official news and release announcement)
(Updated detailed description from release announcement.)
 
(One intermediate revision by the same user not shown)
Line 47: Line 47:
Ruby 3.2 is upstream's new major release of Ruby. Many new features and improvements are included.
Ruby 3.2 is upstream's new major release of Ruby. Many new features and improvements are included.


=== Regexp timeout ===
=== Production-ready YJIT ===


A timeout feature for Regexp matching is introduced.
* YJIT is no longer experimental
** Has been tested on production workloads for over a year and proven to be quite stable.
* The YJIT 3.2 release is faster than 3.1, and has about 1/3 as much memory overhead.
** Overall YJIT is 41% faster (geometric mean) than the Ruby interpreter on [https://github.com/Shopify/yjit-bench yjit-bench].
** Physical memory for JIT code is lazily allocated.
** Introduce Code GC that frees all code pages when the memory consumption by JIT code reaches `--yjit-exec-mem-size`.
** `RubyVM::YJIT.runtime_stats` returns Code GC metrics in addition to existing `inline_code_size` and `outlined_code_size` keys: `code_gc_count`, `live_page_count`, `freed_page_count`, and `freed_code_size`.
* Most of the statistics produced by `RubyVM::YJIT.runtime_stats` are now available in release builds.
** Simply run ruby with `--yjit-stats` to compute and dump stats (incurs some run-time overhead).
* YJIT is now optimized to take advantage of object shapes.
* Take advantage of finer-grained constant invalidation to invalidate less code when defining new constants.


It is known that Regexp matching may take unexpectedly long. If your code attempts to match an possibly inefficient Regexp against an untrusted input, an attacker may exploit it for efficient Denial of Service (so-called Regular expression DoS, or ReDoS).
=== Regexp improvements against ReDoS ===


The risk of DoS can be prevented or significantly mitigated by configuring `Regexp.timeout` according to the requirements of your Ruby application. Please try it out in your application and welcome your feedback.
It is known that Regexp matching may take unexpectedly long. If your code attempts to match a possibly inefficient Regexp against an untrusted input, an attacker may exploit it for efficient Denial of Service (so-called Regular expression DoS, or ReDoS).
 
Ruby 3.2 introduces two improvements that significantly mitigate ReDoS.
 
==== Improved Regexp matching algorithm ====
 
Since Ruby 3.2, Regexp's matching algorithm has been greatly improved by using a memoization technique.
 
The improved matching algorithm allows most Regexp matching (about 90% in our experiments) to be completed in linear time.
 
This optimization may consume memory proportional to the input length for each match. No practical problems are expected to arise because this memory allocation is usually delayed, and a normal Regexp match should consume at most 10 times as much memory as the input length.
 
==== Regexp timeout ====
 
The optimization above cannot be applied to some kind of regular expressions, such as those including advanced features (e.g., back-references or look-around), or with a huge fixed number of repetitions. As a fallback measure, a timeout feature for Regexp matches is also introduced.
 
Note that `Regexp.timeout` is a global configuration. If you want to use different timeout settings for some special Regexps, you may want to use the `timeout` keyword for `Regexp.new`.


=== Other Notable New Features ===
=== Other Notable New Features ===
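Review bot: the rewritten "Regexp timeout" paragraph drops the earlier guidance that the DoS risk is mitigated "by configuring `Regexp.timeout` according to the requirements of your Ruby application", so the new text mentions the setting only in passing ("`Regexp.timeout` is a global configuration") and never tells the reader to set it. Suggest keeping one sentence stating that the fallback takes effect once a timeout is configured, either through `Regexp.timeout` or through the `timeout` keyword of `Regexp.new`.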
Line 70: Line 96:
=== Other notable changes since 3.1 ===
=== Other notable changes since 3.1 ===


* Data
** New core class to represent simple immutable value object. The class is similar to Struct and partially shares an implementation, but has more lean and strict API.
* Hash
* Hash
** Hash#shift now always returns nil if the hash is empty, instead of returning the default value or calling the default proc.
** Hash#shift now always returns nil if the hash is empty, instead of returning the default value or calling the default proc.
Line 247: Line 275:
* The Ruby 3.2 bumps soname, therefore Ruby packages, which use binary extensions, should be rebuilt. Nevertheless, since upstream paid great attention to source compatibility, no changes to your code are needed.
* The Ruby 3.2 bumps soname, therefore Ruby packages, which use binary extensions, should be rebuilt. Nevertheless, since upstream paid great attention to source compatibility, no changes to your code are needed.


https://github.com/ruby/ruby/blob/master/NEWS.md
https://github.com/ruby/ruby/blob/ruby_3_2/NEWS.md

Latest revision as of 14:21, 4 January 2023


Ruby 3.2

Summary

Ruby 3.2 is the latest stable version of Ruby. Many new features and improvements are included for the increasingly diverse and expanding demands for Ruby. With this major update from Ruby 3.1 in Fedora 37 to Ruby 3.2 in Fedora 38, Fedora becomes the superior Ruby development platform.

Owner


Current status

Detailed Description

Ruby 3.2 is upstream's new major release of Ruby. Many new features and improvements are included.

Production-ready YJIT

  • YJIT is no longer experimental
    • Has been tested on production workloads for over a year and proven to be quite stable.
  • The YJIT 3.2 release is faster than 3.1, and has about 1/3 as much memory overhead.
    • Overall YJIT is 41% faster (geometric mean) than the Ruby interpreter on yjit-bench.
    • Physical memory for JIT code is lazily allocated.
    • Introduce Code GC that frees all code pages when the memory consumption by JIT code reaches --yjit-exec-mem-size.
    • RubyVM::YJIT.runtime_stats returns Code GC metrics in addition to existing inline_code_size and outlined_code_size keys: code_gc_count, live_page_count, freed_page_count, and freed_code_size.
  • Most of the statistics produced by RubyVM::YJIT.runtime_stats are now available in release builds.
    • Simply run ruby with --yjit-stats to compute and dump stats (incurs some run-time overhead).
  • YJIT is now optimized to take advantage of object shapes.
  • Take advantage of finer-grained constant invalidation to invalidate less code when defining new constants.

Regexp improvements against ReDoS

It is known that Regexp matching may take unexpectedly long. If your code attempts to match a possibly inefficient Regexp against an untrusted input, an attacker may exploit it for efficient Denial of Service (so-called Regular expression DoS, or ReDoS).

Ruby 3.2 introduces two improvements that significantly mitigate ReDoS.

Improved Regexp matching algorithm

Since Ruby 3.2, Regexp's matching algorithm has been greatly improved by using a memoization technique.

The improved matching algorithm allows most Regexp matching (about 90% in our experiments) to be completed in linear time.

This optimization may consume memory proportional to the input length for each match. No practical problems are expected to arise because this memory allocation is usually delayed, and a normal Regexp match should consume at most 10 times as much memory as the input length.

Regexp timeout

The optimization above cannot be applied to some kinds of regular expressions, such as those that use advanced features (e.g., back-references or look-around) or that have a huge fixed number of repetitions. As a fallback measure, a timeout feature for Regexp matches is also introduced.

Note that Regexp.timeout is a global configuration. If you want to use different timeout settings for some special Regexps, you may want to use the timeout keyword for Regexp.new.
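The two timeout settings described above, shown as an added example that is not part of the original page or of the Ruby project's own code. It assumes Ruby 3.2 or later; the pattern, the inputs and the helper names (guarded_match, with_global_timeout, global_limit_demo, per_regexp_limit_demo) are constructed for illustration.

```ruby
# Added example; needs Ruby 3.2+ (Regexp.timeout, Regexp.new(..., timeout:)).

# Constructed pattern: the back-reference \1 rules out the memoized matcher,
# and the nested quantifier (a+)+ backtracks exponentially on a failed match.
SLOW_SOURCE = '\A(a+)+b\1\z'
# Constructed inputs: one that matches, one that can never match.
BENIGN_INPUT  = 'aabaa'
HOSTILE_INPUT = ('a' * 40) + 'b!'

# Run one match; report the outcome and the wall-clock time it took.
def guarded_match(regexp, input)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  outcome = begin
    regexp.match(input) ? :matched : :no_match
  rescue Regexp::TimeoutError
    :timeout
  end
  [outcome, Process.clock_gettime(Process::CLOCK_MONOTONIC) - started]
end

# Set the process-wide limit for the duration of the block, then restore it.
def with_global_timeout(seconds)
  previous = Regexp.timeout
  Regexp.timeout = seconds
  yield
ensure
  Regexp.timeout = previous
end

# Global limit only: a Regexp without its own timeout inherits it.
def global_limit_demo
  with_global_timeout(0.2) { guarded_match(Regexp.new(SLOW_SOURCE), HOSTILE_INPUT) }
end

# Per-Regexp limit: the timeout keyword takes precedence over a looser global one.
def per_regexp_limit_demo
  strict = Regexp.new(SLOW_SOURCE, timeout: 0.2)
  with_global_timeout(5.0) { guarded_match(strict, HOSTILE_INPUT) }
end

if __FILE__ == $PROGRAM_NAME
  p guarded_match(Regexp.new(SLOW_SOURCE, timeout: 0.2), BENIGN_INPUT)
  p global_limit_demo
  p per_regexp_limit_demo
end
```

Rescuing Regexp::TimeoutError at the call site lets the application reject the offending input instead of failing the whole request.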

Other Notable New Features

  • Language
    • Anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.
    • A proc that accepts a single positional argument and keywords will no longer autosplat.
    • Constant assignment evaluation order for constants set on explicit objects has been made consistent with single attribute assignment evaluation order.
    • Find pattern is no longer experimental.
    • Methods taking a rest parameter and wishing to delegate keyword arguments through foo(*args) must now be marked with ruby2_keywords
  • Performance improvements
    • YJIT
      • Support arm64 / aarch64 on UNIX platforms.
      • Building YJIT requires Rust 1.58.1+.

Other notable changes since 3.1

  • Data
    • New core class to represent a simple immutable value object. The class is similar to Struct and partially shares an implementation, but has a leaner and stricter API.
  • Hash
    • Hash#shift now always returns nil if the hash is empty, instead of returning the default value or calling the default proc.
  • MatchData
    • MatchData#byteoffset has been added.
  • Module
    • Module.used_refinements has been added.
    • Module#refinements has been added.
    • Module#const_added has been added.
  • Proc
    • Proc#dup returns an instance of subclass.
    • Proc#parameters now accepts lambda keyword.
  • Refinement
    • Refinement#refined_class has been added.
  • Set
    • Set is now available as a builtin class without the need for require "set". It is currently autoloaded via the Set constant or a call to Enumerable#to_set.
  • String
    • String#byteindex and String#byterindex have been added.
    • Update Unicode to Version 14.0.0 and Emoji Version 14.0. (also applies to Regexp)
    • String#bytesplice has been added.
  • Struct
    • A Struct class can also be initialized with keyword arguments without keyword_init: true on Struct.new

Compatibility issues

  • Removed constants
    • Fixnum and Bignum
    • Random::DEFAULT
    • Struct::Group
    • Struct::Passwd
  • Removed methods
    • Dir.exists?
    • File.exists?
    • Kernel#=~
    • Kernel#taint, Kernel#untaint, Kernel#tainted?
    • Kernel#trust, Kernel#untrust, Kernel#untrusted?

C API updates

  • Removed C APIs
    • rb_cData variable.
    • "taintedness" and "trustedness" functions.

Feedback

Benefit to Fedora

With the latest release, the Ruby language supports the newest language features, which enable even faster and easier development of Ruby applications.

Scope

  • Other developers:
    • Rebuild of packages with binary extensions (i.e. packages which depend on libruby) will be handled automatically, but some packages might need fixes/updates to support Ruby 3.2 properly.
  • Release engineering: #11115
    • The packages are going to be rebuilt in a side-tag, but that does not need releng involvement nowadays.
  • Policies and guidelines: N/A (not needed for this Change)
  • Trademark approval: N/A (not needed for this Change)
  • Alignment with Objectives:

Upgrade/compatibility impact

  • User-specific Ruby binary extensions need to be rebuilt.
  • Ruby packages/application dependencies might need to be adjusted if newly bundled gems are used.

How To Test

  • No special hardware is needed.
  • To test, install Ruby 3.2. The test builds are published in PR or on Ruby-SIG ML
  • Try to locally rebuild your packages using Ruby 3.2.
  • Use the packages with your applications previously written in Ruby.
  • If something doesn't work as it should, let us know.

User Experience

Ruby programs and scripts should behave as they did before.

Dependencies

$ dnf repoquery --disablerepo=* --enablerepo=rawhide --enablerepo=rawhide-source --arch=src --whatrequires 'ruby-devel' | sort | uniq | wc -l
130

Contingency Plan

  • Contingency mechanism: We would like to get a special buildroot tag to be able to rebuild the necessary packages with Ruby 3.2. If anything goes wrong, the tag could easily be dropped, and the previous version, Ruby 3.1, and its dependencies stay intact. The tag would be merged into F38 after everything is rebuilt.
  • Contingency deadline: Mass Rebuild
  • Blocks release? No


Documentation

Release Notes

  • Ruby 3.2 bumps the soname; therefore Ruby packages that use binary extensions should be rebuilt. Nevertheless, since upstream paid great attention to source compatibility, no changes to your code are needed.

https://github.com/ruby/ruby/blob/ruby_3_2/NEWS.md