bug#56108: 29.0.50; ASAN use-after-free in re_match_2_internal

[Eli Zaretskii]

> Date: Wed, 22 Jun 2022 10:13:08 +0200
> From: Gerd Möllmann <gerd.moellmann@gmail.com>
> Cc: 56108@debbugs.gnu.org
> 
> On 20. Jun 2022, 21:10 +0200, Eli Zaretskii <eliz@gnu.org>, wrote:
> 
>  I don't understand why some callers of compile_pattern mark the cache
>  entry as busy, but some others don't. If a cache entry that is in use
>  is not marked as busy, then any GC can decide to shrink the cache by
>  freeing that entry.
> 
> struct re_pattern_buffer *bufp;
> ...
> bufp = &compile_pattern (regexp,
> ...
> 
> The address operator is there to confuse the Russians.

Hmm... did you mean by that to explain why some callers of
compile_pattern don't mark the new cache entry as "busy"?  Because if
so, I guess I'm one of the "confused Russians", as I don't understand
the explanation.  Please elaborate.

Or maybe _I_ should elaborate.  By "marking an entry busy" I meant the
call to freeze_pattern, not a call to freeze_buffer_relocation (the
latter is mostly a no-op nowadays, as almost all the supported
platforms don't use ralloc.c).  So it isn't the C pointer we keep
around to compile_pattern's result that bothered me, it's the fact
that the pattern cache entry created by compile_pattern is not
protected from being freed by shrink_regexp_cache that is called by
GC.  AFAIU, that entry must be protected for the whole time the
compiled pattern is in use by re_match_2 or any of its callers.

Does the above make sense?