- Subject: Re: Second stack overflow luaO_pushvfstring
- From: Roberto Ierusalimschy <roberto@...>
- Date: Fri, 17 Jul 2020 14:12:14 -0300
> >>>>> "Yongheng" == Yongheng Chen <changochen1@gmail.com> writes:
>
> Yongheng> Hi, It seems that the latest commit hasn't completely fixed
> Yongheng> the bug. Here's the POC:
>
> Something's underflowing nCcalls - possibly subtracting from it more
> than once in between checks for whether it went below the CSTACKERRMARK
> redzone?
You are right. In luaD_callnoyield, when there is a possible stack
overflow, it zeros the number of CallInfos to force a check (and
then an error) when calling the function. However, if the "function"
is not a function, the code will raise an error without checking
the stack. Then, the error handling calls luaD_callnoyield again,
doing what you said: nCcalls is decremented twice in a row
without an intervening stack check. After that, in your words,
"hilarity ensues". (This loop can only happen once, because the
error handler must be a function. But that is enough to cross
the redzone.)
-- Roberto
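The double-decrement pattern Roberto describes, as an added illustration that is not part of this thread and not Lua's source: a constructed model in which a call counter (nCcalls) is decremented on every C-level call, a check raises a stack-overflow error once the counter reaches the mark (ERRMARK), and a non-function callee raises an error whose handler is invoked through the same call entry point. The value of ERRMARK, the `vm_t` bookkeeping fields and the simplification that an overflow error unwinds without running the handler are all assumptions of the model. The buggy order raises the "not a function" error before the stack check, so the handler's call decrements the counter a second time with no check in between and the counter drops below the mark; the fixed order checks after every decrement before anything can re-enter the call path.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of the counter logic discussed in the thread; this is
 * not Lua's source. nCcalls is the remaining C-call budget. Reaching ERRMARK
 * must raise a stack-overflow error; values below ERRMARK are the redzone
 * that ordinary calls must never enter. ERRMARK is an assumed value. */
#define ERRMARK 2

typedef struct {
    int nCcalls;     /* remaining budget, decremented on every C-level call */
    int min_seen;    /* lowest value reached, to detect a redzone crossing */
    int overflows;   /* stack-overflow errors raised by the check */
} vm_t;

typedef void (*callfn)(vm_t *, bool);

static void enter(vm_t *vm) {
    vm->nCcalls--;
    if (vm->nCcalls < vm->min_seen) vm->min_seen = vm->nCcalls;
}

/* The error handler is itself a function, so it goes through the same call
 * entry point as any other callee (hypothetical, for the model). */
static void run_handler(vm_t *vm, callfn call) { call(vm, true); }

/* Buggy order: decrement, then raise "not a function" BEFORE the stack
 * check, so the handler's call decrements nCcalls again with no check
 * in between. */
static void call_buggy(vm_t *vm, bool callee_is_function) {
    enter(vm);
    if (!callee_is_function) {
        run_handler(vm, call_buggy);     /* second decrement, unchecked */
    } else if (vm->nCcalls <= ERRMARK) {
        vm->overflows++;                 /* the check only runs here */
    }
    vm->nCcalls++;                       /* leave the call */
}

/* Fixed order: every decrement is followed by the check before anything
 * else can re-enter the call path. An overflow error unwinds without
 * running the handler (a simplification assumed by this model). */
static void call_fixed(vm_t *vm, bool callee_is_function) {
    enter(vm);
    if (vm->nCcalls <= ERRMARK) {
        vm->overflows++;
    } else if (!callee_is_function) {
        run_handler(vm, call_fixed);     /* handler's decrement is checked too */
    }
    vm->nCcalls++;
}

/* Start one call above the mark and call a non-function. Returns true if
 * nCcalls went below ERRMARK, i.e. crossed into the redzone. */
static bool crosses_redzone(callfn call) {
    vm_t vm = { ERRMARK + 1, ERRMARK + 1, 0 };
    call(&vm, false);
    return vm.min_seen < ERRMARK;
}

int main(void) {
    printf("buggy order crosses redzone: %s\n",
           crosses_redzone(call_buggy) ? "yes" : "no");
    printf("fixed order crosses redzone: %s\n",
           crosses_redzone(call_fixed) ? "yes" : "no");
    return 0;
}
```

The test `crosses_redzone` encodes the invariant worth asserting in a real interpreter's test suite: no path that decrements the call counter may invoke another call before the counter has been checked against the mark.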