Bug #20453 (closed)
Pointer being freed was not allocated in Regexp timeout
Description
https://bugs.ruby-lang.org/issues/20228 frees stk_base to avoid a memory leak, but stk_base is sometimes stack allocated (see xalloca). So the free only works if the regex stack grows enough that it needs to double (see xmalloc and xrealloc in stack_double).
Reproduction:
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
I'll open a PR shortly.
https://bugs.ruby-lang.org/issues/20228 was backported to 3.3.1, so this bug affects that version as well.
Updated by dodecadaniel (Daniel Colson) 7 months ago
I opened https://github.com/ruby/ruby/pull/10630. I'm still fairly new to all this, so please correct me if I got something wrong!
Updated by peterzhu2118 (Peter Zhu) 7 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED
Updated by dodecadaniel (Daniel Colson) 7 months ago
- Status changed from Open to Closed
Applied in changeset git|d292a9b98ce03c76dbe13138d20b9fbf613cc02d.
[Bug #20453] segfault in Regexp timeout
https://bugs.ruby-lang.org/issues/20228 started freeing stk_base to avoid a memory leak. But stk_base is sometimes stack allocated (using xalloca), so the free only works if the regex stack has grown enough to hit stack_double (which uses xmalloc and xrealloc).
To reproduce the problem on master and 3.3.1:
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
Some details about this potential fix:
stk_base == stk_alloc on init, so if stk_base != stk_alloc we can be sure we called stack_double and it's safe to free. It's also safe to free if we've saved the stack to msa->stack_p, since we do the stk_base != stk_alloc check before saving. This matches the check we do inside stack_double.
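The invalid-free pattern described in this ticket, shown as an added example that is not code from the ruby/ruby repository or the PR: a match stack that starts in a caller-provided buffer (standing in for xalloca) and only moves to the heap when it has to double. The names MatchStack, stack_double, stack_push, stack_free_checked and simulate_timeout_cleanup are assumptions for illustration, not Onigmo's real identifiers; the real check in the fix compares stk_base against stk_alloc, which this models with base and initial.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical stand-in for the regex match stack (names are assumptions,
 * not the real identifiers). The stack begins in a buffer the caller owns,
 * like xalloca, and is moved to the heap only by stack_double. */
typedef struct {
    int *base;      /* current storage: either `initial` or heap memory */
    int *initial;   /* caller's stack buffer, playing the role of stk_alloc */
    size_t len;     /* items in use */
    size_t cap;     /* capacity of `base` in items */
} MatchStack;

static void stack_init(MatchStack *s, int *initial, size_t cap) {
    s->base = initial;
    s->initial = initial;
    s->len = 0;
    s->cap = cap;
}

/* Mirrors the described stack_double: the first growth copies out of the
 * initial buffer with malloc, later growths use realloc. This is the only
 * place heap memory enters the picture. Returns 0 on success. */
static int stack_double(MatchStack *s) {
    size_t new_cap = s->cap * 2;
    int *p;
    if (s->base == s->initial) {
        p = malloc(new_cap * sizeof *p);
        if (p == NULL) return -1;
        memcpy(p, s->base, s->len * sizeof *p);
    } else {
        p = realloc(s->base, new_cap * sizeof *p);
        if (p == NULL) return -1;
    }
    s->base = p;
    s->cap = new_cap;
    return 0;
}

static int stack_push(MatchStack *s, int v) {
    if (s->len == s->cap && stack_double(s) != 0) return -1;
    s->base[s->len++] = v;
    return 0;
}

/* Cleanup with the fix applied: free only if base has left the initial
 * buffer, i.e. stack_double ran at least once. An unconditional free here
 * is exactly the "pointer being freed was not allocated" case when the
 * match timed out before the stack ever grew.
 * Returns 1 if heap memory was released, 0 if there was nothing to free. */
static int stack_free_checked(MatchStack *s) {
    if (s->base != s->initial) {
        free(s->base);
        s->base = NULL;
        return 1;
    }
    return 0;
}

/* Simulates a match that pushes `pushes` items onto an 8-slot initial buffer
 * and is then interrupted by a timeout. Returns 1 if the stack had grown to
 * the heap (and was freed), 0 if it was still in the alloca-like buffer. */
int simulate_timeout_cleanup(size_t pushes) {
    int initial[8];               /* constructed stand-in for the xalloca buffer */
    MatchStack s;
    stack_init(&s, initial, 8);
    for (size_t i = 0; i < pushes; i++) {
        if (stack_push(&s, (int)i) != 0) break;
    }
    /* Timeout fires here; the cleanup must decide whether a free is valid. */
    return stack_free_checked(&s);
}

int main(void) {
    printf("4 pushes, freed heap: %d\n", simulate_timeout_cleanup(4));
    printf("9 pushes, freed heap: %d\n", simulate_timeout_cleanup(9));
    return 0;
}
```

With a pathological pattern like the one in the reproduction, the match can time out either before or after the stack has doubled, so the cleanup cannot assume heap ownership; the pointer comparison is what makes the free conditional on the stack having actually moved.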
Updated by k0kubun (Takashi Kokubun) 6 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE
ruby_3_3 cf643fabd5c564c1dfeb337b50b4aa76ebaa11c1 merged revision(s) d292a9b98ce03c76dbe13138d20b9fbf613cc02d.
Updated by nagachika (Tomoyuki Chikanaga) 4 months ago
- Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE
Since I have marked https://bugs.ruby-lang.org/issues/20228 as Backport: "3.2 WONTFIX", I believe the issue is not present in the ruby_3_2 branch now. Therefore, I will mark this ticket as "3.2: WONTFIX" as well.
I have partially backported d292a9b98ce03c76dbe13138d20b9fbf613cc02d (only the test case) in c22398f96c29c2357bee50b291c358cc34837013.