lua-users home
lua-l archive

[Date Prev][Date Next][Thread Prev][Thread Next] [Date Index] [Thread Index]

> >>>>> "Yongheng" == Yongheng Chen <> writes:
>  Yongheng> Hi, It seems that the latest commit haven’t completely fix
>  Yongheng> the bug. Here’s the POC:
> Something's underflowing nCcalls - possibly subtracting from it more
> than once in between checks for whether it went below the CSTACKERRMARK
> redzone?

You are right. In luaD_callnoyield, when there is a possible stack
overflow, it zeros the number of CallInfos to force a check (and
then an error) when calling the function. However, if the "function"
is not a function, the code will raise an error without checking
the stack. Then, the error handling calls luaD_callnoyield again,
doing what you said: nCcalls is decremented twice in a row
without an intervenient stack check. After that, in your words,
"hilarity ensues". (This loop can only happens once, because the
error handler must be a function. But that is enough to cross
the redzone.)

-- Roberto