• Subject: Re: Numeric key collision related bug in Lua 5.3
• From: Andrew Starks <andrew.starks@...>
• Date: Tue, 21 Apr 2015 15:04:07 -0500

```On Tue, Apr 21, 2015 at 2:45 PM, Tim Hill <drtimhill@gmail.com> wrote:
>
> On Apr 21, 2015, at 9:36 AM, Dirk Laurie <dirk.laurie@gmail.com> wrote:
>
> The indexing of tables follows the definition of raw equality in the
> language. The expressions a[i] and a[j] denote the same table element
> if and only if i and j are raw equal (that is, equal without
> metamethods). In particular, floats with integral values are equal to
> their respective integers (e.g., 1.0 == 1). To avoid ambiguities, any
> float with integral value used as a key is converted to its respective
> integer. For instance, if you write a[2.0] = true, the actual key
> inserted into the table will be the integer 2. (On the other hand, 2
> and "2" are different Lua values and therefore denote different table
> entries.)
>
>
> nkey = (1<<63)-333
> fkey = nkey + 0.0
>
> Now, of course, nkey == fkey by the Lua rules of converting both to floats
> before doing the comparison. But is fkey a "float with integral value"? I
> dont think it is, and math.tointeger() doesn't either (it returns nil).
>
> The reality is Lua has three number ranges:
> [a] Integers with a magnitude less than 2^52 (and can be represented exactly
> either as float or integer)
> [b] Integers with magnitude greater than 2^52 but less than 2^63 (and can
> only be represented exactly as integers)
> [c] Floats with magnitudes greater than 2^63
>
> It's the [b] range that is the problem here, and I don't see any clear
> guidelines in the Lua docs to indicate how this range is handled when used
> as table keys.
>
> --Tim
>
I am following along, and not remotely qualified to participate as a
peer in this discussion. With that caveat established and given that
it is important to document and to know the limitations of the tool
that you are using, what are there substantive consequences beyond
that?

It would add tremendously to my understanding if someone someone would
make up a story that includes a user in a real-world scenario hitting
this edge case. Is there a story that could be imagined that includes
how this may be exploited by a nefarious user?

-Andrew

```