should be initialize jit_unit->cc_entries.

GC can invoke just after allocation of jit_unit->cc_entries so
it should be zero-cleared.

iseq.c

@@ -363,7 +363,9 @@ rb_iseq_mark(const rb_iseq_t *iseq)
             // TODO: move to mjit.c?
             for (unsigned int i=0; i<body->ci_size; i++) {
                 const struct rb_callcache *cc = body->jit_unit->cc_entries[i];
-                rb_gc_mark((VALUE)cc); // pindown
+                if (cc != NULL) {
+                    rb_gc_mark((VALUE)cc); // pindown
+                }
             }
         }
 #endif

mjit.c

@@ -295,7 +295,7 @@ create_unit(const rb_iseq_t *iseq)
     unit->id = current_unit_num++;
     unit->iseq = (rb_iseq_t *)iseq;
     if (iseq->body->ci_size > 0) {
-        unit->cc_entries = ALLOC_N(const struct rb_callcache *, iseq->body->ci_size);
+        unit->cc_entries = ZALLOC_N(const struct rb_callcache *, iseq->body->ci_size);
     }
     iseq->body->jit_unit = unit;
 }

mjit_worker.c

@@ -1141,7 +1141,7 @@ mjit_copy_cache_from_main_thread(const rb_iseq_t *iseq, union iseq_inline_storag
             if (iseq->body->jit_unit == NULL) rb_fatal("malloc failed");
             if (iseq->body->ci_size > 0) {
                 iseq->body->jit_unit->cc_entries =
-                  (const struct rb_callcache **)malloc(sizeof(const struct rb_callcache *) * iseq->body->ci_size);
+                  (const struct rb_callcache **)calloc(iseq->body->ci_size, sizeof(const struct rb_callcache *));
                 if (iseq->body->jit_unit->cc_entries == NULL) rb_fatal("malloc failed");
             }
         }