Use Ruby's xmalloc / xfree for internal selector allocations.

`IO_Event_Selector_ready_push` (selector.c) and `IO_Event_Array_lookup` (array.h) both allocated internal bookkeeping structs via raw `malloc` paired with a debug-build-only `assert(...)`.  In a release build (`NDEBUG`) the `assert` compiles to nothing, so if `malloc` returned `NULL` under memory pressure the next line dereferenced a null pointer and crashed the process.

Switch those allocations (and the paired `free` calls on the same objects) to Ruby's `xmalloc` / `xfree`:

- Triggers a GC sweep on memory pressure before failing, increasing the chance of success.
- Raises `NoMemoryError` (a Ruby exception) instead of returning `NULL`, so the `assert` is no longer needed.
- Keeps Ruby's allocation accounting in sync with the actual heap state.

The remaining raw `calloc` / `realloc` / `free(base)` calls in `array.h` already check for `NULL` and propagate `-1` via the C-style API, so they are left as-is.

Supersedes #175.

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: samuel-williams-shopify

ext/io/event/array.h

@@ -72,7 +72,7 @@ inline static void IO_Event_Array_free(struct IO_Event_Array *array)
 			if (element) {
 				array->element_free(element);
 
-				free(element);
+				xfree(element);
 			}
 		}
 
@@ -139,8 +139,8 @@ inline static void* IO_Event_Array_lookup(struct IO_Event_Array *array, size_t i
 
 	// Allocate the element if it doesn't exist:
 	if (*element == NULL) {
-		*element = malloc(array->element_size);
-		assert(*element);
+		// Ruby's allocator triggers GC on memory pressure and raises `NoMemoryError` on failure, so no NULL check is required.
+		*element = xmalloc(array->element_size);
 
 		if (array->element_initialize) {
 			array->element_initialize(*element);
@@ -166,7 +166,7 @@ inline static void IO_Event_Array_truncate(struct IO_Event_Array *array, size_t
 			void **element = array->base + i;
 			if (*element) {
 				array->element_free(*element);
-				free(*element);
+				xfree(*element);
 				*element = NULL;
 			}
 		}

ext/io/event/selector/selector.c

@@ -246,8 +246,8 @@ VALUE IO_Event_Selector_raise(struct IO_Event_Selector *backend, int argc, VALUE
 
 void IO_Event_Selector_ready_push(struct IO_Event_Selector *backend, VALUE fiber)
 {
-	struct IO_Event_Selector_Queue *waiting = malloc(sizeof(struct IO_Event_Selector_Queue));
-	assert(waiting);
+	// Ruby's allocator triggers GC on memory pressure and raises `NoMemoryError` on failure, so no NULL check is required.
+	struct IO_Event_Selector_Queue *waiting = xmalloc(sizeof(struct IO_Event_Selector_Queue));
 
 	waiting->head = NULL;
 	waiting->tail = NULL;
@@ -268,7 +268,7 @@ void IO_Event_Selector_ready_pop(struct IO_Event_Selector *backend, struct IO_Ev
 	if (ready->flags & IO_EVENT_SELECTOR_QUEUE_INTERNAL) {
 		// This means that the fiber was added to the ready queue by the selector itself, and we need to transfer control to it, but before we do that, we need to remove it from the queue, as there is no expectation that returning from `transfer` will remove it.
 		queue_pop(backend, ready);
-		free(ready);
+		xfree(ready);
 	} else if (ready->flags & IO_EVENT_SELECTOR_QUEUE_FIBER) {
 		// This means the fiber added itself to the ready queue, and we need to transfer control back to it. Transferring control back to the fiber will call `queue_pop` and remove it from the queue.
 	} else {

releases.md

@@ -6,6 +6,7 @@
   - Add support for the `io_close` fiber-scheduler hook (Ruby 4.0+). The `URing` selector performs the close asynchronously via the ring; the `Debug::Selector` and `TestScheduler` wrappers forward to the underlying selector when supported.
   - Improve `WorkerPool` GC compaction support and add proper write barriers, fixing potential use-after-free under compacting GC.
   - Keep blocked scheduler fibers alive during GC by registering them as roots in `TestScheduler#block`, preventing premature collection and the resulting use-after-free crash on resume.
+  - Use Ruby's `xmalloc` / `xfree` for internal queue and element allocations in the selector backend. Previously a raw `malloc` paired with a debug-build-only `assert(...)` would silently dereference `NULL` and crash in release builds under memory pressure; switching to `xmalloc` triggers a GC sweep on pressure and raises `NoMemoryError` on real failure.
   - Correctly handle short `io_uring_submit()` results in the `URing` selector. `io_uring_submit()` returns the number of SQEs actually accepted by the kernel and can be short (SQE prep errors, `ENOMEM`, transient `EAGAIN`); the old accounting reset `pending = 0` on any success and silently lost track of unsubmitted SQEs.
   - Enable `IORING_SETUP_SUBMIT_ALL` (kernel 5.18+) on the `URing` selector so the kernel keeps processing the rest of an SQE batch past individual errors, reducing the frequency of short submits in practice.