次のようにすると core を吐きます。

% ./ruby -e '
str = ["zzz"].pack("p")
str << "a" * 0x20000 + "b"
str.gsub!(/b/) { str.replace ""; "cc" }
p str
'
-e:4: [BUG] Segmentation fault
ruby 1.9.0 (2004-11-02) [i686-linux]

zsh: abort (core dumped)  ./ruby -e 
% gdb ruby core 
GNU gdb 6.1-debian
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-linux"...Using host libthread_db library "/lib/libthread_db.so.1".

Core was generated by `./ruby -e 
str = ["zzz"].pack("p")
str << "a" * 0x20000 + "b"
str.gsub!(/b/) {'.
Program terminated with signal 6, Aborted.
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /lib/libcrypt.so.1...done.
Loaded symbols for /lib/libcrypt.so.1
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
#0  0x4009e6b1 in kill () from /lib/libc.so.6
(gdb) bt
#0  0x4009e6b1 in kill () from /lib/libc.so.6
#1  0x4009e435 in raise () from /lib/libc.so.6
#2  0x4009f978 in abort () from /lib/libc.so.6
#3  0x080d3f16 in rb_bug (fmt=0x0) at error.c:214
#4  0x080b11f2 in sigsegv (sig=11) at signal.c:446
#5  <signal handler called>
#6  0x400eca1f in memcpy () from /lib/libc.so.6
#7  0x080b7945 in str_gsub (argc=1076219912, argv=0x4021b008, str=1075608016, bang=1) at string.c:2102
#8  0x080b7ca8 in rb_str_gsub_bang (argc=131076, argv=0x20004, str=131076) at string.c:2171
#9  0x0806a43a in call_cfunc (func=0x80b7c80 <rb_str_gsub_bang>, recv=1075608016, len=1076219912, argc=32769, 
    argv=0xbfffeaf8) at eval.c:5365
#10 0x0805e387 in rb_call0 (klass=1075668916, recv=1075608016, id=4631, oid=131076, argc=1, argv=0xbfffeaf8, 
    body=0x401d5d3c, nosuper=0) at eval.c:5506
#11 0x0805e638 in rb_call (klass=1075668916, recv=1075608016, mid=4631, argc=1, argv=0xbfffeaf8, scope=0) at eval.c:5727
#12 0x080594a8 in rb_eval (self=1075673536, n=0x20004) at ruby.h:633
#13 0x08058858 in rb_eval (self=1075673536, n=0x20004) at eval.c:2920
#14 0x080559dd in ruby_exec_internal () at eval.c:1456
#15 0x080559f6 in ruby_exec () at eval.c:1474
#16 0x08055a40 in ruby_run () at eval.c:1491
#17 0x08053a65 in main (argc=131076, argv=0x20004, envp=0xbffff934) at main.c:38
(gdb) 
-- 
[田中 哲][たなか あきら][Tanaka Akira]