Re: Heap overflow in luaH

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Heap overflow in luaH_get
From: 云风 Cloud Wu <cloudwu@...>
Date: Thu, 9 Jul 2020 19:06:07 +0800

Andrew Gierth <andrew@tao11.riddles.org.uk> 于2020年7月9日周四 下午3:27写道：
> That assert is not reached if the object (in this case the table, not
> the metatable) is not white, and in this case it's black. The metatable,
> which is in fact freed in that code, is white and SURVIVAL (not OLD*).
>

I see.

1. A G_OLD1 table run finalizer in the end of youngcollection() , and
moved back to allgc .
2. Some object contains this table has been resurrected by a finalizer.
3. In the next youngcollection cycle, the table with G_OLD1 could be
marked to black by the object contains it.
4. The table set to G_OLD by `setage(curr, nextage[getage(curr)]);` in
sweepgen() , and then it is in reallyold list .
5. The table is regular old now, so it remains black until next major
collection, and the black flag will prevent marking its metatable and
its contents.

So , adding this line in udata2finalize() may fix this bug ?

static GCObject *udata2finalize (global_State *g) {
  ...
  resetbit(o->marked, FINALIZEDBIT);  /* object is "normal" again */
  setage(o, G_NEW);  /* Treat it as a new object */

-- 
http://blog.codingnow.com

Follow-Ups:
- Re: Heap overflow in luaH_get, Andrew Gierth

References:
- Heap overflow in luaH_get, Yongheng Chen
- Re: Heap overflow in luaH_get, Andrew Gierth
- Re: Heap overflow in luaH_get, 云风 Cloud Wu
- Re: Heap overflow in luaH_get, Andrew Gierth

Prev by Date: Re: Heap overflow in luaH_get
Next by Date: Re: Heap overflow in luaH_get
Previous by thread: Re: Heap overflow in luaH_get
Next by thread: Re: Heap overflow in luaH_get
Index(es):
- Date
- Thread