Hello, I have found the UAF which was also mentioned in #856, #853, #763, with the most complete explanation of the cause and reproduction steps present in #853.
At the same time, a fix is yet to be suggested, so I came up with the following: just copying the popped values so that the reallocation of the state does not impact them.
fix_uaf.txt
It fixes the error and does not cause unit tests to fail. Nonetheless, I can't be sure it does not break something I did not notice.
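The fix pattern described in the post above, sketched as an added illustration; it is not the attached patch or the project's code. The `State` and `Value` types and every function name here are hypothetical, and the stack is grown by allocate-copy-free so that the buffer always moves, as `realloc` is allowed to do.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int tag; long num; } Value;             /* hypothetical value type */
typedef struct { Value *stack; size_t len, cap; } State; /* hypothetical interpreter state */

/* Grow by allocate-copy-free: the old buffer is always released and moved. */
static int state_grow(State *s) {
    size_t ncap = s->cap ? s->cap * 2 : 2;
    Value *n = malloc(ncap * sizeof *n);
    if (!n) return -1;
    if (s->len) memcpy(n, s->stack, s->len * sizeof *n);
    free(s->stack);
    s->stack = n; s->cap = ncap;
    return 0;
}

static int push(State *s, Value v) {
    if (s->len == s->cap && state_grow(s) != 0) return -1;
    s->stack[s->len++] = v;
    return 0;
}

/* Hazard: the returned pointer aliases s->stack and dangles after growth. */
static Value *pop_ref(State *s) { return &s->stack[--s->len]; }

/* Fix pattern: copy the popped value out of the state. */
static Value pop_copy(State *s) { return s->stack[--s->len]; }

/* Returns 1 if the popped-by-reference address is dead after growth
   while the values copied out beforehand are still intact. */
static int copy_survives_growth(void) {
    State s = {0};
    push(&s, (Value){1, 40});
    push(&s, (Value){1, 2});
    Value *ref = pop_ref(&s);
    uintptr_t stale = (uintptr_t)ref;  /* remember the address only */
    Value b = *ref;                    /* copied while the buffer is still live */
    Value a = pop_copy(&s);
    for (int i = 0; i < 3; i++) push(&s, (Value){0, i}); /* third push moves the stack */
    uintptr_t lo = (uintptr_t)s.stack, hi = (uintptr_t)(s.stack + s.cap);
    int dangling = stale < lo || stale >= hi; /* old address is outside the live buffer */
    int ok = dangling && a.num + b.num == 42;
    free(s.stack);
    return ok;
}

int main(void) { return copy_survives_growth() ? 0 : 1; }
```

Building a reproducer for the original bug with AddressSanitizer (`-fsanitize=address`) is a quick way to confirm that no remaining code path still dereferences a pointer into the old buffer.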