Re: Heap overflow in luaH

lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

Subject: Re: Heap overflow in luaH_get
From: Dibyendu Majumdar <mobile@...>
Date: Fri, 10 Jul 2020 08:58:52 +0100

On Fri, 10 Jul 2020 at 08:51, Dibyendu Majumdar <mobile@majumdar.org.uk> wrote:
>
> On Fri, 10 Jul 2020 at 05:53, 云风 Cloud Wu <cloudwu@gmail.com> wrote:
> >
> > Roberto Ierusalimschy <roberto@inf.puc-rio.br> 于2020年7月9日周四 下午10:02写道：
> > >
> > > Exactly! I guess the correction is moving its age back to OLD0, but
> > > I have to check that. Similar problems should occurr with other ages.
> >
> > I make a simpler test case to reveal this bug. It always crashs when I
> > define a especial allocater for lua .
> > It may be helpful.
> >
> > setmetatable ({}, { __gc = function(a) -- 1st finalizer
> >    setmetatable(a, { __gc = function (b) -- 2nd finalizer
> >      print(getmetatable(b))
> >      print(getmetatable(b).x) -- should be 42
> >      collectgarbage "step"
> >      collectgarbage "step"
> >      print(getmetatable(b))
> >      print(getmetatable(b).x) -- may crash !! use 2nd metatable after free
> >    end,
> >    x = 42,
> >    })
> >    a = nil
> >    collectgarbage "step" -- trigger 2nd finalizer
> > end })
> >
> > collectgarbage "step" -- trigger 1st finalizer
> >
>
> Nice.
> Did you try building Lua with ltests/debug support?
> In Ravi, when I run this - I see GC being invoked recursively ...
> should that happen?
>

BTW this assertion does not fire for the other cases which makes me
believe this is a different issue - maybe caused by GC being invoked
while it is running GC?

> Program received signal SIGABRT, Aborted.
> __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> 50      ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
> (gdb) where
> #0  __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
> #1  0x00007ffff7d2c859 in __GI_abort () at abort.c:79
> #2  0x00007ffff7d2c729 in __assert_fail_base (fmt=0x7ffff7ec2588
> "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
>     assertion=0x7ffff7f9f149 "(((x_)->tt) & 0x0F) < (9+1)",
> file=0x7ffff7f9e0c8 "/home/d/github/ravi/src/lapi.c",
>     line=945, function=<optimized out>) at assert.c:92
s=-1)

References:
- Heap overflow in luaH_get, Yongheng Chen
- Re: Heap overflow in luaH_get, Andrew Gierth
- Re: Heap overflow in luaH_get, Roberto Ierusalimschy
- Re: Heap overflow in luaH_get, 云风 Cloud Wu
- Re: Heap overflow in luaH_get, Dibyendu Majumdar

Prev by Date: Re: Heap overflow in luaH_get
Next by Date: Re: Heap overflow in luaH_get
Previous by thread: Re: Heap overflow in luaH_get
Next by thread: Re: Heap overflow in luaH_get
Index(es):
- Date
- Thread