[Date Prev][Date Next][Thread Prev][Thread Next]
[Date Index]
[Thread Index]
- Subject: Re: Stack overflow in luaO_pushvfstring
- From: Roberto Ierusalimschy <roberto@...>
- Date: Fri, 10 Jul 2020 16:45:50 -0300
> >>>>> "Yongheng" == Yongheng Chen <changochen1@gmail.com> writes:
>
> Yongheng> The original POC that can crash a default build lua ( just
> Yongheng> run make on Linux) is:
>
> Yongheng> function errfunc() end function test()
> Yongheng> xpcall(test, coroutine.wrap(function() print(xpcall(test, errfunc)) end))
> Yongheng> end coroutine.wrap(function() print(xpcall(test, errfunc)) end)()
>
> So surely this, in lua_resume, can't possibly be right:
>
> L->nCcalls = getCcalls(from) + from->nci - L->nci - CSTACKCF;
>
> We get here when the stack overflow error trips the first time and we
> try and resume the wrapped coroutine which is supplied as the error
> handling function. getCcalls(from) is correctly below CSTACKMARK, since
> we're in stack error handling, but from->nci is large (~1900) reflecting
> the large number of active stack frames. I get that _unused_ CallInfos
> are already accounted for in getCcalls (so that it need only be checked
> when new CallInfos are allocated), but here its adding a number
> reflecting the _used_ CallInfos, which is surely wrong. (L->nci is 0
> because the coroutine has no CallInfos yet.)
You are right (as usual :-). (A small detail: I think it is not adding
the number of used CallInfos, but the total number of CallInfos, used
plus unused.) A conservative fix would be not to add anything to
getCcalls(from).
-- Roberto
