- Subject: Re: Heap overflow in luaH_get
- From: Andrew Gierth <andrew@...>
- Date: Fri, 10 Jul 2020 02:24:36 +0100
>>>>> "Roberto" == Roberto Ierusalimschy <roberto@inf.puc-rio.br> writes:
>> As Andrew Gierth said, the table is G_OLD1 and the metatable is
>> white and G_SURVIVAL. The age difference is strange.
>>
>> How does it happen?
[...]
Roberto> But keep in mind that the age difference is potentially
Roberto> unbounded, as an object can have its metatable set way after
Roberto> being created.
Presumably not unbounded, because if the table is already old when the
metatable is set, then the barrier that is done when setting the
metatable will advance the metatable's age to OLD0. So the only allowed
differences after the setmetatable call would be SURVIVAL -> NEW
(becoming OLD1 -> SURVIVAL after one collection cycle), OLD1 -> OLD0,
OLD -> OLD0, OLD -> OLD1 etc.
In this case, the metatable (newly created and thus NEW) is set when the
table's age is SURVIVAL, so after one further collection pass the
metatable is SURVIVAL while the object table is OLD1. (This shows why it
is necessary for the collector to re-mark black OLD1 objects, because
they might still point to white young objects, which need to be marked
black for this cycle.) Had the marking happened in this case (which it
did not because of the object table's incorrect positioning on the allgc
list), then the metatable would have become OLD1 itself, with the object
table going to OLD.
--
Andrew.
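Added illustration, not part of the message above and not Lua's own lgc.c: a small C model of the rules Andrew lays out, namely the forward barrier applied when a metatable is set, the re-mark of black OLD1 objects, and the aging of survivors at each young collection. The types, function names and heap layout are invented for the example, only the metatable reference is modelled (no allgc ordering, gray lists or TOUCHED states), and the age names simply mirror the ones used in the thread. It computes the age pairs for the SURVIVAL -> NEW case and for the cases where the table is already old when the metatable is set.

```c
/* Simplified model of the generational-GC age rules discussed in this
 * thread: the forward barrier applied when a metatable is set, the re-mark
 * of OLD1 objects, and the aging of survivors at each young collection.
 * This is an added illustration written for this reply, NOT Lua's lgc.c:
 * the types, function names and the single modelled reference (the
 * metatable field) are invented, and allgc ordering, gray lists and the
 * TOUCHED states are deliberately left out. */
#include <stdio.h>
#include <string.h>

/* Age names mirror the ones used in the thread. */
enum age { G_NEW, G_SURVIVAL, G_OLD0, G_OLD1, G_OLD };
static const char *const age_name[] = { "NEW", "SURVIVAL", "OLD0", "OLD1", "OLD" };

/* Age a survivor takes after a young collection, indexed by current age. */
static const enum age next_age[] = { G_SURVIVAL, G_OLD1, G_OLD1, G_OLD, G_OLD };

typedef struct obj {
    enum age age;
    int black;        /* marked; old objects stay black between cycles */
    int dead;         /* freed by a sweep */
    struct obj *mt;   /* the only reference modelled: the metatable */
} obj;

#define MAX_OBJS 8
typedef struct { obj *list[MAX_OBJS]; int n; } heap;

static int isold(const obj *o) { return o->age > G_SURVIVAL; }

/* Allocate: new objects start young and white. */
static void newobj(heap *h, obj *o) {
    memset(o, 0, sizeof *o);
    o->age = G_NEW;
    h->list[h->n++] = o;
}

/* setmetatable with the forward barrier: if a black (old) table points at a
 * white (young) object, the object is marked and promoted straight to OLD0. */
static void set_metatable(obj *t, obj *mt) {
    t->mt = mt;
    if (t->black && !mt->black) {
        mt->black = 1;
        if (isold(t)) mt->age = G_OLD0;
    }
}

/* Mark young objects reachable from 'o'.  Objects that are already black
 * (all old objects) are not traversed here; that is what the OLD1 re-mark
 * pass below is for. */
static void mark(obj *o) {
    if (o == NULL || o->dead || o->black) return;
    o->black = 1;
    mark(o->mt);
}

/* One young collection.  'remark_old1' = 0 models an OLD1 object that the
 * re-mark pass fails to visit (the mispositioning described in the thread). */
static void young_collection(heap *h, obj **roots, int nroots, int remark_old1) {
    int i;
    for (i = 0; i < nroots; i++) mark(roots[i]);
    if (remark_old1)
        for (i = 0; i < h->n; i++)
            if (!h->list[i]->dead && h->list[i]->age == G_OLD1)
                mark(h->list[i]->mt);   /* black OLD1 may point at white young */
    for (i = 0; i < h->n; i++) {        /* sweep */
        obj *o = h->list[i];
        if (o->dead) continue;
        if (!o->black) { o->dead = 1; continue; }     /* unreachable young */
        if (o->age == G_NEW) { o->age = G_SURVIVAL; o->black = 0; } /* back to white */
        else o->age = next_age[o->age]; /* becomes old and keeps its color */
    }
}

/* The scenario from the thread: a table of age 'tage' gets a freshly created
 * metatable, then 'cycles' young collections run with the table as a root.
 * Returns 1 if the metatable is still alive afterwards. */
static int scenario(enum age tage, int cycles, int remark_old1,
                    enum age *t_age, enum age *mt_age) {
    heap h = { {0}, 0 };
    obj t, mt, *roots[1] = { &t };
    int i;
    newobj(&h, &t);
    t.age = tage;
    t.black = isold(&t);   /* an old table is black between collections */
    newobj(&h, &mt);
    set_metatable(&t, &mt);
    for (i = 0; i < cycles; i++) young_collection(&h, roots, 1, remark_old1);
    *t_age = t.age;
    *mt_age = mt.age;
    return !mt.dead;
}

int main(void) {
    enum age ages[] = { G_NEW, G_SURVIVAL, G_OLD1, G_OLD };
    int a, c;
    for (a = 0; a < 4; a++)
        for (c = 0; c <= 2; c++) {
            enum age ta, ma;
            int alive = scenario(ages[a], c, 1, &ta, &ma);
            printf("table %-8s + new metatable, %d cycle(s): table %-8s metatable %s\n",
                   age_name[ages[a]], c, age_name[ta], alive ? age_name[ma] : "(freed)");
        }
    return 0;
}
```

Compile with any C99 compiler and run. The remark_old1 = 0 path reproduces the situation the message describes when the OLD1 table is not re-marked: on the second cycle the still-white SURVIVAL metatable is swept while the table still points at it.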