| | | |
|---|---|---|
| author | Daniel Colson <danieljamescolson@gmail.com> | 2024-04-24 22:20:48 -0400 |
| committer | Peter Zhu <peter@peterzhu.ca> | 2024-04-25 10:28:18 -0400 |
| commit | d292a9b98ce03c76dbe13138d20b9fbf613cc02d (patch) | |
| tree | 5b2919050b343a900176ecfc9280416e2ed6323d /coroutine/win64/Context.h | |
| parent | 7ab1a608e7413cdb0f93243eb3e6e20a32cec44e (diff) | |
https://bugs.ruby-lang.org/issues/20228 started freeing `stk_base` to
avoid a memory leak. But `stk_base` is sometimes stack allocated (using
`xalloca`), so the free only works if the regex stack has grown enough
to hit `stack_double` (which uses `xmalloc` and `xrealloc`).

To reproduce the problem on master and 3.3.1:

```ruby
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
```

Some details about this potential fix:

`stk_base == stk_alloc` on
[init](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1153),
so if `stk_base != stk_alloc` we can be sure we called
[`stack_double`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1210)
and it's safe to free. It's also safe to free if we've
[saved](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1187-L1189)
the stack to `msa->stack_p`, since we do the `stk_base != stk_alloc`
check before saving.
This matches the check we do inside
[`stack_double`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1221).
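The ownership rule the commit message relies on (the initial buffer lives in the caller's stack frame, heap memory exists only after the first doubling, and only that heap memory may be freed) is shown below as an added C example. It is not code from ruby/ruby or Onigmo; `grow_stack`, the `gs_*` functions and the `demo` driver are illustrative names, and the caller-provided `initial` array stands in for the `xalloca` buffer that `stk_alloc` points at.

```c
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustrative growable stack (assumed names, not Onigmo's).
 * alloc: the caller's initial storage (stack memory, never free()d)
 * base:  current storage; equals alloc until the first growth */
typedef struct {
    int *alloc;
    int *base;
    size_t len;
    size_t cap;
    size_t alloc_cap;   /* capacity of the caller's initial storage */
} grow_stack;

void gs_init(grow_stack *s, int *initial, size_t cap) {
    s->alloc = initial;
    s->base = initial;
    s->len = 0;
    s->cap = cap;
    s->alloc_cap = cap;
}

/* Double the capacity. The first growth must copy out of the caller's
 * storage (malloc + memcpy); later growths can realloc the heap block.
 * Returns 0 on success, -1 if allocation failed (state left untouched). */
static int gs_double(grow_stack *s) {
    size_t ncap = s->cap * 2;
    int *nbase;
    if (s->base == s->alloc) {
        nbase = malloc(ncap * sizeof(int));
        if (nbase == NULL) return -1;
        memcpy(nbase, s->base, s->len * sizeof(int));
    } else {
        nbase = realloc(s->base, ncap * sizeof(int));
        if (nbase == NULL) return -1;
    }
    s->base = nbase;
    s->cap = ncap;
    return 0;
}

int gs_push(grow_stack *s, int v) {
    if (s->len == s->cap && gs_double(s) != 0) return -1;
    s->base[s->len++] = v;
    return 0;
}

/* Release the stack. Only memory obtained by gs_double may be free()d;
 * passing the caller's stack buffer to free() would be undefined behaviour,
 * and skipping the free after a growth would leak. This is the same
 * base != alloc test the commit message describes.
 * Returns 1 if a heap block was freed, 0 if nothing needed freeing. */
int gs_free(grow_stack *s) {
    int freed = 0;
    if (s->base != s->alloc) {
        free(s->base);
        freed = 1;
    }
    s->base = s->alloc;     /* back to the initial storage */
    s->cap = s->alloc_cap;
    s->len = 0;
    return freed;
}

/* Driver: push n_push values onto a stack whose initial storage holds 4,
 * report the sum of what was stored (proves the copy kept the data) and
 * return whether gs_free released a heap block. */
int demo(size_t n_push, long *sum_out) {
    int initial[4];
    grow_stack s;
    long sum = 0;
    gs_init(&s, initial, 4);
    for (size_t i = 0; i < n_push; i++)
        if (gs_push(&s, (int)i) != 0) return -1;
    for (size_t i = 0; i < s.len; i++)
        sum += s.base[i];
    *sum_out = sum;
    return gs_free(&s);
}

int main(void) {
    long sum;
    int freed = demo(3, &sum);
    printf("3 pushes: sum=%ld heap freed=%d\n", sum, freed);
    freed = demo(10, &sum);
    printf("10 pushes: sum=%ld heap freed=%d\n", sum, freed);
    return 0;
}
```

With 3 pushes the buffer never leaves the caller's frame, so `gs_free` has nothing to release; with 10 pushes the stack doubles twice, and the single heap block that results is freed exactly once.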
Diffstat (limited to 'coroutine/win64/Context.h')
0 files changed, 0 insertions, 0 deletions