- Subject: Lua 5.2 parsing bug with long identifiers
- From: Jean-Luc Jumpertz <jean-luc@...>
- Date: Sat, 3 Feb 2018 10:19:29 +0100
Hi,
Recently, a few users of my CodeFlow IDE, embedding Lua 5.2.4, got many application crashes. After investigating the problem, I found that the root cause was in the Lua parser: under some conditions, the Lua parser could GC a long string corresponding to a name or string token, while this token was still being processed, which could have nasty consequences and lead to the crash of the application embedding Lua.
I'm perfectly aware that the 5.2 branch is not maintained anymore, but there are still people using it, and they might bump into the same issue, and I hope that this post might help them.
So back to the bug: making the parser crash can be as easy as writing:
function f () end
someVeryLongIdentiferConvertedByLuaAsALongString = 0
What happens here is that the token string created after the function 'end' is not correctly anchored to the calling funcstate if it is a long string, so if the GC triggers, it can be freed and overwritten by something else…
Actually this is a known old bug, namely https://www.lua.org/bugs.html#5.2.2-6, that was fixed by Roberto back in 2013. But the correction reported to the 5.2 branch was incomplete.
The good news is that the correction done in Lua commit https://github.com/lua/lua/commit/8ef9e8460e775793f760deb28d0c3d10dda31b49 completely solves the problem, and reporting it in the context of Lua 5.2.4 is safe and actually solves the issue.
Roberto, could you confirm this?
So if you are still using Lua 5.2.x and your Lua source code might have long identifiers, you probably might want to report the fix in your Lua version…
Regards,
Jean-Luc
PS: Having the Lua change history on GitHub is great and was incredibly helpful in this case! :-)
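A regression check that an embedder could run against their own Lua 5.2 build, added here as an example; it is neither Jean-Luc's code nor code from the Lua project. It assumes a Lua 5.2.x interpreter with the default short-string limit (LUAI_MAXSHORTLEN is 40 in 5.2, so a 64-character identifier is handled as a long string); the name length and iteration count are arbitrary choices. It compiles generated chunks shaped like the two-line reproducer in the post while the collector is tuned to run as often as possible. Because GC timing is not deterministic, a clean run does not prove the build carries the fix, but a crash or a compile error on a chunk that is valid Lua points at the unanchored token string.

```lua
-- Added regression check (not from the original post): exercise the
-- Lua 5.2 parser with long identifiers under an aggressive GC.
-- Assumes a Lua 5.2.x interpreter and the default LUAI_MAXSHORTLEN of 40,
-- so every identifier of 41+ characters is internalised as a long string.
local LONG_NAME_LEN = 64          -- arbitrary, comfortably above 40
local ITERATIONS    = 2000        -- arbitrary number of chunks to compile

-- Make the collector as eager as possible, so a collection is likely to
-- run while the parser still holds the token string of a long name.
collectgarbage("setpause", 1)     -- begin a new cycle as soon as one ends
collectgarbage("setstepmul", 1000)

local function make_chunk(i)
  -- A distinct identifier per chunk, so the string really is a new object
  -- rather than one already interned by an earlier chunk.
  local name = string.rep("x", LONG_NAME_LEN) .. i
  -- Same shape as the reproducer in the post: a function closed by 'end',
  -- followed by an assignment to a long identifier.
  return string.format("function f () end\n%s = %d\nreturn %s", name, i, name)
end

local function run()
  local compiled = 0
  for i = 1, ITERATIONS do
    local chunk, err = load(make_chunk(i), "=gen" .. i)
    if not chunk then
      -- The generated source is valid Lua; a compile error here means the
      -- parser read a token string that had already been collected.
      return false, "compile error at chunk " .. i .. ": " .. tostring(err)
    end
    local ok, result = pcall(chunk)
    if not ok then
      return false, "runtime error at chunk " .. i .. ": " .. tostring(result)
    end
    if result ~= i then
      return false, "wrong value in chunk " .. i .. ": " .. tostring(result)
    end
    compiled = compiled + 1
    collectgarbage("step", 0)     -- extra pressure between chunks
  end
  return true, compiled
end

local ok, info = run()
print(ok and ("compiled and ran " .. info .. " chunks without error")
         or ("FAILED: " .. info))
```

Run it with the interpreter built from the same sources as the embedding application (for example through lua_dofile in the host), since the bug lives in the parser and not in the standalone binary. Raising ITERATIONS or LONG_NAME_LEN only makes the GC window more likely to be hit; it does not change what the script checks.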