Re: Causing the currently running function to be garbage collected

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Causing the currently running function to be garbage collected
From: Mike Pall <mikelu-0810@...>
Date: Mon, 20 Oct 2008 18:13:53 +0200

Roberto Ierusalimschy wrote:
> > If a function's upvalues pointed to all the instances of that function
> > on the stack, and assuming that the function does not exist in any
> > tables, then if that function set all of it's upvalues to nil, and
> > then a GC collection, then it would cause itself to be collected. This
> > then causes all kinds of fun (i.e. segfaults) as the current
> > environment table has probably just been collected as well.
> 
> Could you explain better? I am afraid I cannot understand what you have
> done.

My take on it: the modified bytecode verifies ok, but crashes when
run since the currently running function is collected. Normally
this can't happen because there's always a reference to it at
L->func = L->base-1. But the upvalue can be maliciously redirected
to overwrite this stack slot.

Summary: it's a bug in the bytecode verifier.

--Mike

Follow-Ups:
- Re: Causing the currently running function to be garbage collected, Peter Cawley

References:
- Causing the currently running function to be garbage collected, Peter Cawley
- Re: Causing the currently running function to be garbage collected, Roberto Ierusalimschy

Prev by Date: Luarocks 1.0 in macports [Re: LuaRocks available through OS X fink]
Next by Date: Re: Causing the currently running function to be garbage collected
Previous by thread: Re: Causing the currently running function to be garbage collected
Next by thread: Re: Causing the currently running function to be garbage collected
Index(es):
- Date
- Thread