[ruby-core:117697] [Ruby master Bug#20453] Pointer being freed was not allocated in Regexp timeout

Issue #20453 has been reported by dodecadaniel (Daniel Colson).

----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453

* Author: dodecadaniel (Daniel Colson)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------

https://bugs.ruby-lang.org/issues/20228 frees `stk_base` to avoid a memory leak, but `stk_base` is sometimes stack allocated ([see `xalloca`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/r...)). So the free only works if the regex stack grows enough that it needs to double ([see `xmalloc` and `xrealloc` in `stack_double`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/r...)).

Reproduction:

```ruby
# A 1 ms timeout so the match is interrupted while it is still running
Regexp.timeout = 0.001
# On the affected builds the timeout's cleanup path frees `stk_base`,
# which for this match was never heap-allocated
/^(a*)x$/ =~ "a" * 1000000 + "x"
```

I'll open a PR shortly.

https://bugs.ruby-lang.org/issues/20228 was backported to 3.3.1, so this bug affects that version as well.

-- 
https://bugs.ruby-lang.org/
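The ownership problem the report describes, as an added illustration that is not onigmo's or CRuby's code: a backtracking-style stack starts life in a caller-supplied buffer (standing in for the `xalloca`'d initial stack), is moved to the heap with malloc+memcpy the first time it has to double, and is realloc'd on later growth. The cleanup that a timeout triggers must therefore free `stk_base` only when it no longer points at the initial buffer; an unconditional `free(stk_base)` is exactly the "pointer being freed was not allocated" abort. The type and function names (`rstack`, `rstack_*`, `run_match`) are hypothetical.

```c
/* Added illustration of the stack-vs-heap ownership split, not onigmo code.
 * Names (rstack, rstack_*, run_match) are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    int *stk_base;   /* current storage: the initial buffer or a heap block */
    int *stk_alloc;  /* the caller's initial (stack) buffer; never freed     */
    size_t stk_n;    /* entries in use */
    size_t stk_cap;  /* capacity of stk_base, in entries */
} rstack;

static void rstack_init(rstack *s, int *init_buf, size_t init_cap) {
    s->stk_base = init_buf;
    s->stk_alloc = init_buf;
    s->stk_n = 0;
    s->stk_cap = init_cap;
}

/* Doubles capacity. The first growth copies out of the initial buffer with
 * malloc+memcpy; later growths realloc the heap block. This mirrors the
 * xmalloc/xrealloc split the report points at. Returns 0 on allocation
 * failure, leaving the stack untouched. */
static int rstack_double(rstack *s) {
    size_t new_cap = s->stk_cap * 2;
    int *p;
    if (s->stk_base == s->stk_alloc) {
        p = malloc(new_cap * sizeof *p);
        if (!p) return 0;
        memcpy(p, s->stk_base, s->stk_n * sizeof *p);
    } else {
        p = realloc(s->stk_base, new_cap * sizeof *p);
        if (!p) return 0;
    }
    s->stk_base = p;
    s->stk_cap = new_cap;
    return 1;
}

static int rstack_push(rstack *s, int v) {
    if (s->stk_n == s->stk_cap && !rstack_double(s)) return 0;
    s->stk_base[s->stk_n++] = v;
    return 1;
}

/* Cleanup as run on a timeout: free only storage that lives on the heap.
 * Returns 1 if a heap block was freed, 0 if the initial buffer was left
 * alone. Replacing the condition with an unconditional free(s->stk_base)
 * reproduces the crash class in the report. The stack is dead afterwards. */
static int rstack_release(rstack *s) {
    int freed = 0;
    if (s->stk_base != s->stk_alloc) {
        free(s->stk_base);
        freed = 1;
    }
    s->stk_base = NULL;
    s->stk_n = 0;
    s->stk_cap = 0;
    return freed;
}

/* Pushes `pushes` entries then releases. Returns 0 when everything fit in
 * the initial buffer (nothing to free), 1 when the stack had moved to the
 * heap, -1 on allocation failure. */
int run_match(size_t pushes) {
    int init_buf[4];  /* stands in for the xalloca'd initial regex stack */
    rstack s;
    rstack_init(&s, init_buf, sizeof init_buf / sizeof init_buf[0]);
    for (size_t i = 0; i < pushes; i++) {
        if (!rstack_push(&s, (int)i)) { rstack_release(&s); return -1; }
    }
    return rstack_release(&s);
}

int main(void) {
    printf("short match: freed heap block? %d\n", run_match(3));    /* 0 */
    printf("long match:  freed heap block? %d\n", run_match(1000)); /* 1 */
    return 0;
}
```

The point of keeping `stk_alloc` alongside `stk_base` is that the cleanup path cannot otherwise tell which allocator owns the memory; any fix that frees the regex stack on the timeout path needs that comparison (or an equivalent ownership flag) rather than a bare free.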

Issue #20453 has been updated by dodecadaniel (Daniel Colson).

I opened https://github.com/ruby/ruby/pull/10630. I'm still fairly new to all this, so please correct me if I got something wrong!

----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-108107

* Author: dodecadaniel (Daniel Colson)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------

Issue #20453 has been updated by k0kubun (Takashi Kokubun).

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE

ruby_3_3 commit:cf643fabd5c564c1dfeb337b50b4aa76ebaa11c1 merged revision(s) commit:d292a9b98ce03c76dbe13138d20b9fbf613cc02d.

----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-108505

* Author: dodecadaniel (Daniel Colson)
* Status: Closed
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE
----------------------------------------

Issue #20453 has been updated by nagachika (Tomoyuki Chikanaga).

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE

Since I have marked https://bugs.ruby-lang.org/issues/20228 as Backport: "3.2 WONTFIX", I believe the issue is not present in the ruby_3_2 branch now. Therefore, I will mark this ticket as "3.2: WONTFIX" as well.

I have partially backported commit:d292a9b98ce03c76dbe13138d20b9fbf613cc02d (only the test case) in commit:c22398f96c29c2357bee50b291c358cc34837013.

----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-109130

* Author: dodecadaniel (Daniel Colson)
* Status: Closed
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE
----------------------------------------
participants (3)
- dodecadaniel (Daniel Colson)
- k0kubun (Takashi Kokubun)
- nagachika (Tomoyuki Chikanaga)