https://bugs.ruby-lang.org/issues/20228 started freeing stk_base to avoid a memory leak. But stk_base is sometimes stack allocated (using xalloca), so the free only works if the regex stack has grown enough to hit stack_double (which uses xmalloc and xrealloc).
To reproduce the problem on master and 3.3.1:
```ruby
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
```
Some details about this potential fix:
stk_base == stk_alloc on init, so if stk_base != stk_alloc we can be sure we called stack_double and it's safe to free. It's also safe to free if we've saved the stack to msa->stack_p, since we do the stk_base != stk_alloc check before saving.
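To make the ownership check in the description concrete, here is a small C model written for this page (it is not Onigmo's or Ruby's code): a match stack that starts in a buffer owned by the caller's frame, standing in for the `xalloca` buffer, and moves to the heap the first time `stack_double` runs. `stack_free` applies the `stk_base != stk_alloc` test described above before calling `free`. The names `stk_alloc`, `stk_base` and `stack_double` are taken from the discussion; `run_match`, `stack_push`, `stack_free` and the fixed-size `int` stack are assumptions of the example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/*
 * Illustrative model, not Onigmo/Ruby code: a match stack that starts in a
 * frame-owned buffer (standing in for the xalloca buffer) and moves to the
 * heap the first time it has to grow.
 */
#define INIT_STACK_LEN 16

typedef struct {
    int *stk_alloc;    /* initial frame-owned buffer; must never be free()d */
    int *stk_base;     /* current storage; == stk_alloc until the first growth */
    size_t alloc_cap;  /* capacity of stk_alloc in elements */
    size_t cap;        /* capacity of stk_base in elements */
    size_t len;        /* number of elements in use */
} match_stack;

static void stack_init(match_stack *s, int *alloc_buf, size_t cap)
{
    s->stk_alloc = alloc_buf;
    s->stk_base = alloc_buf;
    s->alloc_cap = cap;
    s->cap = cap;
    s->len = 0;
}

/* Doubles capacity. The first growth has to copy out of the frame buffer
 * (malloc here, xmalloc in the real engine); later growths can realloc.
 * The stk_base == stk_alloc test decides which, and it is the same test
 * the fix reuses before freeing. Returns 0 on success, -1 on OOM. */
static int stack_double(match_stack *s)
{
    size_t new_cap = s->cap * 2;
    int *p;

    if (s->stk_base == s->stk_alloc) {
        p = malloc(new_cap * sizeof *p);
        if (p == NULL) return -1;
        memcpy(p, s->stk_base, s->len * sizeof *p);
    } else {
        p = realloc(s->stk_base, new_cap * sizeof *p);
        if (p == NULL) return -1;
    }
    s->stk_base = p;
    s->cap = new_cap;
    return 0;
}

static int stack_push(match_stack *s, int v)
{
    if (s->len == s->cap && stack_double(s) != 0) return -1;
    s->stk_base[s->len++] = v;
    return 0;
}

/* The fix: release heap storage only if the stack actually left the frame
 * buffer. An unconditional free(s->stk_base) would hand the allocator a
 * non-heap pointer whenever the match never needed stack_double. */
static void stack_free(match_stack *s)
{
    if (s->stk_base != s->stk_alloc) free(s->stk_base);
    s->stk_base = s->stk_alloc;   /* back to the initial state */
    s->cap = s->alloc_cap;
    s->len = 0;
}

/* Pushes 0..n-1, records in *grew whether the stack moved to the heap,
 * frees it, and returns the sum of the stored values so the copy done by
 * stack_double is checked as well. Returns -1 on allocation failure. */
long run_match(size_t n, int *grew)
{
    int alloc_buf[INIT_STACK_LEN];   /* models the xalloca buffer */
    match_stack s;
    long sum = 0;
    size_t i;

    stack_init(&s, alloc_buf, INIT_STACK_LEN);
    for (i = 0; i < n; i++) {
        if (stack_push(&s, (int)i) != 0) {
            stack_free(&s);
            *grew = 0;
            return -1;
        }
    }
    for (i = 0; i < s.len; i++) sum += s.stk_base[i];
    *grew = (s.stk_base != s.stk_alloc);
    stack_free(&s);
    return sum;
}

int main(void)
{
    int grew;
    long small = run_match(4, &grew);    /* fits in the frame buffer: nothing to free */
    long big = run_match(100, &grew);    /* grew via stack_double: free is safe */
    return (small == 6 && big == 4950 && grew == 1) ? 0 : 1;
}
```

The model leaves out the `msa->stack_p` hand-off the description mentions; the point it isolates is that the pointer comparison, not the size of the stack, is what tells the caller whether `stk_base` is heap memory it owns.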
[Bug #20453] segfault in Regexp timeout
https://bugs.ruby-lang.org/issues/20228 started freeing `stk_base` to avoid a memory leak. But `stk_base` is sometimes stack allocated (using `xalloca`), so the free only works if the regex stack has grown enough to hit `stack_double` (which uses `xmalloc` and `xrealloc`).

To reproduce the problem on master and 3.3.1:

```ruby
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
```

Some details about this potential fix:

`stk_base == stk_alloc` on init, so if `stk_base != stk_alloc` we can be sure we called `stack_double` and it's safe to free. It's also safe to free if we've saved the stack to `msa->stack_p`, since we do the `stk_base != stk_alloc` check before saving. This matches the check we do inside `stack_double`.