lua-l archive



Stern.Jason wrote:
> 376  	  ls->fs = fs->prev;
> 377  	  L->top -= 2;  /* remove table and prototype from the stack */
> 378  	  /* last token read was anchored in defunct function; must reanchor it */
> 
> Event check_after_deref: Pointer "fs" dereferenced before NULL check
> 379  	  if (fs) anchor_token(ls);
> 
> Is it safe to remove this null check, or should the null check be moved to before line 359?

Within close_func() fs is always a valid pointer. The check should
be against ls->fs (i.e. fs->prev), since that's the outer scope
where the token is going to be reanchored:

  if (ls->fs) anchor_token(ls);

But ... that's a pointless check because the parser can only get
there with ls->fs == NULL when the outermost scope hits the end of
the stream. Then the token must be TK_EOS (see luaY_parser). But
this token is not reanchored in anchor_token(), so ls->fs is not
dereferenced in this case (deep down in luaX_newstring()).

This also implies the original code cannot crash.

Suggested fix: either replace 'if (fs)' with 'if (ls->fs)' or
remove the check and document that anchor_token() depends on
ls->t.token == TK_EOS in case ls->fs == NULL.

--Mike
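The scope-popping and reanchoring logic discussed above, as a constructed C model added here (it is not Lua's lparser.c; FuncState, LexState, close_func and anchor_token are simplified stand-ins that keep only the pointer chain and the token rule the thread relies on):

```c
#include <stddef.h>

/* Constructed, simplified stand-in for the Lua 5.1 parser state (NOT lparser.c). */
enum { TK_NAME = 1, TK_STRING, TK_EOS };

typedef struct FuncState {
    struct FuncState *prev;   /* enclosing function; NULL for the main chunk */
    int nstrings;             /* strings anchored (kept reachable) in this scope */
} FuncState;

typedef struct LexState {
    FuncState *fs;            /* current function state; NULL once the main chunk is closed */
    int token;                /* last token read (the lookahead) */
} LexState;

/* Models anchor_token(): only NAME/STRING tokens carry a string that must be
   re-anchored in the current function, so a TK_EOS token never touches ls->fs. */
static int anchor_token(LexState *ls) {
    if (ls->token == TK_NAME || ls->token == TK_STRING) {
        ls->fs->nstrings++;   /* would dereference NULL only if the invariant broke */
        return 1;
    }
    return 0;
}

/* Models close_func(): fs is always valid here (it is ls->fs before the pop),
   so the check belongs on ls->fs (== fs->prev), the scope that receives the token.
   Returns 1 if the token was reanchored, 0 if nothing needed anchoring, -1 if the
   "outermost scope closes only at TK_EOS" invariant is violated. */
static int close_func(LexState *ls) {
    FuncState *fs = ls->fs;
    ls->fs = fs->prev;
    if (ls->fs) return anchor_token(ls);
    return ls->token == TK_EOS ? 0 : -1;
}

/* Drives both paths: a nested function closed while a NAME is pending (token
   moves to the enclosing scope), then the main chunk closed at end of stream
   (ls->fs becomes NULL and nothing is dereferenced). Returns 1 when both behave. */
int run_scenario(void) {
    FuncState main_fs = { NULL, 0 }, inner_fs = { &main_fs, 0 };
    LexState ls = { &inner_fs, TK_NAME };
    int reanchored = close_func(&ls);   /* inner closed: NAME reanchored in main_fs */
    ls.token = TK_EOS;
    int outer = close_func(&ls);        /* main closed at EOS: no dereference of NULL */
    return reanchored == 1 && main_fs.nstrings == 1 && outer == 0 && ls.fs == NULL;
}
```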