- Subject: Re: Crash Analysis : Erroneous finalizer called during tail call leads to heap buffer overflow
- From: Roberto Ierusalimschy <roberto@...>
- Date: Tue, 14 Dec 2021 13:07:13 -0300
> Yeah, I think your suggestion is indeed an improved version of our first
> patch.
> However, I found that there still remains a trivial error. Although
> error messages are not printed out on the console in the crash code,
> when I printed out the message while executing the luaG_runerror function with
> a debugger, the error message is represented as below.
>
> "attempt to call a number value (upvalue 'f')"
>
> which is the same as in our first suggested patch. This string doesn't seem to be
> perfect, as f() is a function value.
It's true.
This can be seen as another bug, different from the one you reported.
Consider this small variation in your example:
------------------------------------------------
local x = {} for i=1, 2000 do x[i] = i end
-- will call 'f1' (not a function)
local function g() return f1(table.unpack(x)) end
collectgarbage("step")
setmetatable({}, {__gc = 1})
g()
------------------------------------------------
If we run this program with option -W (to see the warning), it runs
correctly, but the message in the warning is wrong too:
Lua warning: error in __gc metamethod (temp:5: attempt to call a number value (global 'f1'))
That's because Lua is handling the flag CIST_FIN as if it marked
the finalizer, while in fact it marks the function that was running
when the finalizer was called.
-- Roberto