- Subject: Re: Heap overflow in luaH_get
- From: Andrew Gierth <andrew@...>
- Date: Thu, 09 Jul 2020 05:57:54 +0100
>>>>> "Yongheng" == Yongheng Chen <changochen1@gmail.com> writes:
Yongheng> READ of size 8 at 0x6060000020d8 thread T0
Yongheng> #0 0x431a76 in luaH_get (/home/yongheng/lua_asan/lua+0x431a76)
OK. I think I see some of what's going on with this one.
The generational GC code seems to be assuming that a G_OLD1 object must
be somewhere between g->survival and g->reallyold, or between g->finobj
and g->finobjrold.
But what happens in this case is that some table with an age of OLD1 has
a metatable with a __gc metamethod, and when GCTM is being called for
it, it gets moved back to the allgc list _at the front_, while remaining
G_OLD1 (this is in udata2finalize).
But since the table is not between g->survival and g->reallyold, and
nevertheless is only OLD1 (and its metatable is at this point only
SURVIVAL and white), it's not being processed by markold. Also, at some
point in correctgraylist, the table was changed from grey to black while
its metatable remained white. This results in the metatable being freed
before the object that references it, hence the later crash.
--
Andrew.
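The list bookkeeping Andrew describes, as an added C model written for this thread (it is not Lua's lgc.c and not the author's code): it keeps only ages and the allgc/survival/reallyold pointers, implements the range check that markold's assumption amounts to, and shows that an OLD1 object put back at the head of allgc by finalization lands outside that range. The obj/gcstate structs and the function names are this example's own.

```c
#include <stddef.h>
/* Reduced model of Lua 5.4's generational 'allgc' list (an illustration,
 * not lgc.c). Objects are kept newest-first; 'survival' and 'reallyold'
 * delimit the segment that markold walks. Age names follow the mail. */
enum age { G_NEW, G_SURVIVAL, G_OLD0, G_OLD1, G_OLD };

typedef struct obj {
    struct obj *next;
    enum age age;
} obj;

typedef struct gcstate {
    obj *allgc;      /* list head; new and re-inserted objects go here */
    obj *survival;   /* first object of the segment markold visits */
    obj *reallyold;  /* first object past that segment */
} gcstate;

/* The invariant the mail says the collector assumes: an OLD1 object must
 * sit inside [survival, reallyold). An OLD1 object ahead of 'survival' is
 * never visited by markold. Returns the first offender, or NULL if clean. */
obj *find_old1_outside_range(gcstate *g) {
    obj *o;
    for (o = g->allgc; o != NULL && o != g->survival; o = o->next)
        if (o->age == G_OLD1)
            return o;
    return NULL;
}

/* Model of the list step in udata2finalize: the finalized object goes back
 * onto 'allgc' at the front, and its age is left exactly as it was. */
void return_to_allgc_front(gcstate *g, obj *o) {
    o->next = g->allgc;
    g->allgc = o;
}

/* Scenario from the mail: the list is well formed, then an OLD1 table whose
 * __gc has run is put back at the head. Returns 1 if the check was clean
 * before and flags exactly that table afterwards. */
int old1_table_escapes_markold(void) {
    obj old = { NULL, G_OLD }, o1 = { &old, G_OLD1 }, s = { &o1, G_SURVIVAL };
    obj young = { &s, G_NEW };
    obj finalized_table = { NULL, G_OLD1 };  /* was on 'tobefnz', not on allgc */
    gcstate g = { &young, &s, &old };
    if (find_old1_outside_range(&g) != NULL)
        return 0;
    return_to_allgc_front(&g, &finalized_table);
    return find_old1_outside_range(&g) == &finalized_table;
}
```

A debug build of a collector can run the same walk after each finalization step; a non-NULL result is the state this thread's crash grows out of, caught before the metatable is swept.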