Bug #20453: Pointer being freed was not allocated in Regexp timeout - Ruby master - Ruby Issue Tracking System

Actions

Updated by dodecadaniel (Daniel Colson) 7 months ago

I opened https://github.com/ruby/ruby/pull/10630. I'm still fairly new to all this, so please correct me if I got something wrong!

Actions

Copy link

#2

Updated by peterzhu2118 (Peter Zhu) 7 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED

Actions

Copy link

#3

Updated by dodecadaniel (Daniel Colson) 7 months ago

Status changed from Open to Closed

Applied in changeset git|d292a9b98ce03c76dbe13138d20b9fbf613cc02d.

[Bug #20453] segfault in Regexp timeout

https://bugs.ruby-lang.org/issues/20228 started freeing stk_base to
avoid a memory leak. But stk_base is sometimes stack allocated (using
xalloca), so the free only works if the regex stack has grown enough
to hit stack_double (which uses xmalloc and xrealloc).

To reproduce the problem on master and 3.3.1:

Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"'

Some details about this potential fix:

stk_base == stk_alloc on
init,
so if stk_base != stk_alloc we can be sure we called
stack_double
and it's safe to free. It's also safe to free if we've
saved
the stack to msa->stack_p, since we do the stk_base != stk_alloc
check before saving.

This matches the check we do inside
stack_double

Actions

Copy link

#4 [ruby-core:118078]

Updated by k0kubun (Takashi Kokubun) 6 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE

ruby_3_3 cf643fabd5c564c1dfeb337b50b4aa76ebaa11c1 merged revision(s) d292a9b98ce03c76dbe13138d20b9fbf613cc02d.

Actions

Copy link

#5 [ruby-core:118602]

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago

Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE

Since I have marked https://bugs.ruby-lang.org/issues/20228 as Backport: "3.2 WONTFIX", I believe the issue is not present in the ruby_3_2 branch now. Therefore, I will mark this ticket as "3.2: WONTFIX" as well.

I have partially backported d292a9b98ce03c76dbe13138d20b9fbf613cc02d (only the test case) in c22398f96c29c2357bee50b291c358cc34837013.

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #20453

Pointer being freed was not allocated in Regexp timeout

Updated by dodecadaniel (Daniel Colson) 7 months ago

Updated by peterzhu2118 (Peter Zhu) 7 months ago

Updated by dodecadaniel (Daniel Colson) 7 months ago

Updated by k0kubun (Takashi Kokubun) 6 months ago

Updated by nagachika (Tomoyuki Chikanaga) 4 months ago