- Subject: Re: Lua 5.4.4 Sandbox Escaping & Type confusion caused by the absence of type check
- From: Andrew Gierth <andrew@...>
- Date: Mon, 25 Oct 2021 09:29:57 +0100
>>>>> "강우선" == 강우선 4522 <kws981924@gmail.com> writes:
강우선> collectgarbage('stop')
강우선> debug.sethook(function () end, "r")
강우선> setmetatable(debug.getregistry(), {__mode = 'kv'})
강우선> collectgarbage()
The documentation is quite explicit that use of the debug functions can
crash the interpreter.
In this case what's happening is that you've set the registry to be a
weak table, which explicitly defeats one of the registry's primary uses
(to hold references to objects to protect them from garbage collection).
One of the objects referenced from the registry is the table of hook
functions set by debug.sethook, so the crash is not at all surprising.
(A _lot_ of other stuff will crash if you prematurely GC registry
objects, not least every dynamic-loaded C module since freeing the CLIBS
table will unload modules while there are still pointers into them.)
Your analysis is incorrect, by the way. The actual failure is caused by
calling lua_rawget on a nil value (lua_rawget does not check that the
value at the specified index is a table). The nil value is legitimately
returned on the stack by lua_getfield, because the hook table has no
references except from the registry so it gets GC'd when you force a
garbage collection after making the registry weak. The code does not
check for this case, because hookf cannot be called unless a table has
been stored under that registry key, and code that modifies the registry
does so at its own risk.
--
Andrew.
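The mitigation the reply implies (untrusted code gets no debug library, and no other global that can reach the registry or the collector), as an added example that is not from the thread or from Lua's own distribution: a Lua 5.4 allow-list environment (function names and the allow-list contents are my choices) that runs the posted reproducer so it fails with an ordinary Lua error instead of crashing the interpreter.

```lua
-- Added example, not code from the original thread.
-- Build the _ENV table handed to untrusted chunks. Note what is deliberately
-- absent: debug, collectgarbage, setmetatable/getmetatable, rawset/rawget,
-- load, loadfile, dofile, require, os, io, package.
local function make_sandbox_env()
  local env = {
    assert = assert, error = error, ipairs = ipairs, next = next,
    pairs = pairs, pcall = pcall, select = select, tonumber = tonumber,
    tostring = tostring, type = type, unpack = table.unpack,
    math = math, string = string, table = table, utf8 = utf8,
    print = print,
  }
  -- Caveat: the library tables above are shared with the host, so a script
  -- could still replace e.g. string.format; copy them if that matters.
  return env
end

-- Compile untrusted source text with the allow-list as its _ENV.
-- Mode "t" accepts only source text, never precompiled bytecode.
local function run_sandboxed(src, name)
  local chunk, err = load(src, name or "=untrusted", "t", make_sandbox_env())
  if not chunk then
    return false, err          -- syntax error, reported as a plain failure
  end
  return pcall(chunk)          -- runtime errors are caught, not propagated
end

-- The reproducer posted at the top of the thread, verbatim.
local reproducer = [[
collectgarbage('stop')
debug.sethook(function () end, "r")
setmetatable(debug.getregistry(), {__mode = 'kv'})
collectgarbage()
]]

-- ok is false: the first line already fails on a missing global, and the
-- registry is never reachable, so the weak-registry crash cannot be triggered.
local ok, err = run_sandboxed(reproducer)
print(ok, err)
```

This only removes the trigger from scripts run through `run_sandboxed`; anything with access to the real globals (or to C code calling `lua_rawget` on an untrusted stack slot) is still subject to the "at its own risk" rule the reply describes.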