lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]


> Therefore, when I want to sandbox code using Lua, I must trust not only the
> VM but also the "compiler" (lexer, parser,etc). There's a lot of extra C
> code outside the VM that also needs to be trusted.

You should keep in mind that the Lua VM plus this "lot of extra C code"
is smaller than the VM of most other scripting languages. We are talking
about less than 3000 lines of code for the compiler.

Also, if you check the bug list for recent (or even for old) versions
of Lua, you will see that Lua has very few bugs. If I count correctly,
Lua 5.1 has had a total of 5 bugs related to the compiler; none of them
crashes the VM. And some people have done very nasty things to find bugs
in Lua.

-- Roberto