Registering a string that depend on a dependent string as fstring
can lead to use-after-free. See c06ddfe and 3f95620 for details.
The following script triggers use-after-free on trunk, 2.4.6, 2.5.5
and 2.6.3. Credits to @wanabe for using eval as a cross-version way
of registering a fstring.
```ruby
a = ('j' * 24).b.b
eval('', binding, a)
p a
4.times { GC.start }
p a
```
- string.c (str_replace_shared_without_enc): when given a
dependent string, depend on the root of the dependent
string.
[Bug #15934]
Added by usa (Usaku NAKAMURA) over 4 years ago
merge revision(s) 9dec4e8fc3a6018261834b5ac9b9877f787b97ca: [Backport #15934]
String#b: Don't depend on dependent string
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_5@67767 b2dd03c8-39d4-4d8f-98ff-823fe69b080e