* [ruby-core:117697] [Ruby master Bug#20453] Pointer being freed was not allocated in Regexp timeout
From: dodecadaniel (Daniel Colson) via ruby-core @ 2024-04-25 2:19 UTC (permalink / raw)
To: ruby-core; +Cc: dodecadaniel (Daniel Colson)
Issue #20453 has been reported by dodecadaniel (Daniel Colson).
----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453
* Author: dodecadaniel (Daniel Colson)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
https://bugs.ruby-lang.org/issues/20228 frees `stk_base` to avoid a memory leak, but `stk_base` is sometimes stack allocated ([see `xalloca`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1177-L1181)). So the free only works if the regex stack grows enough that it needs to double ([see `xmalloc` and `xrealloc` in `stack_double`](https://github.com/ruby/ruby/blob/dde99215f2bc60c22a00fc941ff7f714f011e920/regexec.c#L1210-L1249)).
Reproduction:
```ruby
Regexp.timeout = 0.001
/^(a*)x$/ =~ "a" * 1000000 + "x"
```
I'll open a PR shortly.
https://bugs.ruby-lang.org/issues/20228 was backported to 3.3.1, so this bug affects that version as well.
--
https://bugs.ruby-lang.org/
______________________________________________
ruby-core mailing list -- ruby-core@ml.ruby-lang.org
To unsubscribe send an email to ruby-core-leave@ml.ruby-lang.org
ruby-core info -- https://ml.ruby-lang.org/mailman3/postorius/lists/ruby-core.ml.ruby-lang.org/
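The ownership problem described in the report above, as an added C illustration (not Ruby's or Onigmo's code, and not the change in the PR): a work stack starts in a caller-owned local buffer, moves to the heap only when it has to double, and the early-exit cleanup frees it only in that case. `match_stack`, `stack_push`, `stack_release`, `run_match` and `INIT_SLOTS` are hypothetical names, and a local array stands in for the `xalloca` region.

```c
#include <stdlib.h>
#include <string.h>

#define INIT_SLOTS 4  /* constructed size, small so the demo doubles quickly */

typedef struct {
    int *base;        /* current storage: caller's buffer or heap */
    int *initial;     /* caller-owned buffer the stack started in */
    size_t len, cap;
} match_stack;

/* Grow by doubling; the first growth copies the data off the caller's buffer. */
static int stack_push(match_stack *s, int v) {
    if (s->len == s->cap) {
        size_t ncap = s->cap * 2;
        int *p;
        if (s->base == s->initial) {
            p = malloc(ncap * sizeof *p);
            if (p) memcpy(p, s->base, s->len * sizeof *p);
        } else {
            p = realloc(s->base, ncap * sizeof *p);
        }
        if (!p) return -1;
        s->base = p;
        s->cap = ncap;
    }
    s->base[s->len++] = v;
    return 0;
}

/* Early-exit cleanup (e.g. on timeout). An unconditional free(s->base) here
 * is invalid whenever the stack never grew. Returns 1 if free() was called. */
static int stack_release(match_stack *s) {
    int on_heap = (s->base != s->initial);
    if (on_heap) free(s->base);
    s->base = s->initial;
    return on_heap;
}

/* Push n values on a stack that starts in a local array, then release it. */
int run_match(size_t n) {
    int local[INIT_SLOTS];  /* stands in for the xalloca'd region */
    match_stack s = { local, local, 0, INIT_SLOTS };
    for (size_t i = 0; i < n; i++)
        if (stack_push(&s, (int)i) != 0) break;
    return stack_release(&s);
}

int main(void) { return run_match(3) == 0 && run_match(100) == 1 ? 0 : 1; }
```

Building this with AddressSanitizer and replacing the guarded `free` with an unconditional one makes the short-input case fail at the `free` call, which is a quick way to check for the same pattern in other early-return paths.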
* [ruby-core:117698] [Ruby master Bug#20453] Pointer being freed was not allocated in Regexp timeout
From: dodecadaniel (Daniel Colson) via ruby-core @ 2024-04-25 2:51 UTC (permalink / raw)
To: ruby-core; +Cc: dodecadaniel (Daniel Colson)
Issue #20453 has been updated by dodecadaniel (Daniel Colson).
I opened https://github.com/ruby/ruby/pull/10630. I'm still fairly new to all this, so please correct me if I got something wrong!
----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-108107
* Author: dodecadaniel (Daniel Colson)
* Status: Open
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: UNKNOWN, 3.3: UNKNOWN
----------------------------------------
* [ruby-core:118078] [Ruby master Bug#20453] Pointer being freed was not allocated in Regexp timeout
From: k0kubun (Takashi Kokubun) via ruby-core @ 2024-05-29 23:14 UTC (permalink / raw)
To: ruby-core; +Cc: k0kubun (Takashi Kokubun)
Issue #20453 has been updated by k0kubun (Takashi Kokubun).
Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: REQUIRED to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE
ruby_3_3 commit:cf643fabd5c564c1dfeb337b50b4aa76ebaa11c1 merged revision(s) commit:d292a9b98ce03c76dbe13138d20b9fbf613cc02d.
----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-108505
* Author: dodecadaniel (Daniel Colson)
* Status: Closed
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE
----------------------------------------
* [ruby-core:118602] [Ruby master Bug#20453] Pointer being freed was not allocated in Regexp timeout
From: nagachika (Tomoyuki Chikanaga) via ruby-core @ 2024-07-15 9:09 UTC (permalink / raw)
To: ruby-core; +Cc: nagachika (Tomoyuki Chikanaga)
Issue #20453 has been updated by nagachika (Tomoyuki Chikanaga).
Backport changed from 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: REQUIRED, 3.3: DONE to 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE
Since I have marked https://bugs.ruby-lang.org/issues/20228 as Backport: "3.2 WONTFIX", I believe the issue is not present in the ruby_3_2 branch now. Therefore, I will mark this ticket as "3.2: WONTFIX" as well.
I have partially backported commit:d292a9b98ce03c76dbe13138d20b9fbf613cc02d (only the test case) in commit:c22398f96c29c2357bee50b291c358cc34837013.
----------------------------------------
Bug #20453: Pointer being freed was not allocated in Regexp timeout
https://bugs.ruby-lang.org/issues/20453#change-109130
* Author: dodecadaniel (Daniel Colson)
* Status: Closed
* Backport: 3.0: UNKNOWN, 3.1: UNKNOWN, 3.2: WONTFIX, 3.3: DONE
----------------------------------------