lua-users home
lua-l archive



Mhm, I can reproduce the segfault on the original example provided, on a
default Lua 5.4.4 build using gcc 7.5.0. Even though, under valgrind it
reports only this:

./src/lua: ../poc:2: attempt to index a nil value
stack traceback:
    ../poc:2: in function 'c'
    ../poc:2: in function <../poc:2>
    (...tail calls...)

But the ASan (address sanitizer) and gdb backtraces report the same as
the original author of the bug report.

On your "shortened" example, I cannot reproduce the segfault. It just
nicely errors out:

./src/lua: ../poc_3.lua:1: attempt to index a string value
stack traceback:
    ../poc_3.lua:1: in main chunk
    [C]: in ?

On Wed, Feb 23, 2022 at 3:47 PM Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
>
> >    I found this bug doing some experiments with afl++. It's strange that it
> >    was not found by oss-fuzz project.
>
> Its behavior is weird. A simple "local _ENV <const> = 0; X = 0" is
> enough to trigger the bug, as it violates an assertion. With assertions
> off (the default), however, it is very difficult to create a scenario
> that causes a seg. fault. Even your example does not cause a seg. fault
> when I use it under valgrind.
>
> -- Roberto
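An added reproduction helper, not part of the thread or of the Lua distribution: it builds Lua 5.4.4 twice from a clean tree, once with `LUAI_ASSERT` (which makes `lua_assert()` a real `assert()`, the "assertions on" case Roberto refers to) and once with AddressSanitizer, and runs the one-line trigger from the thread under each. It assumes `LUA_SRC` points at an unpacked lua-5.4.4 source tree, that GNU make and gcc are installed, and that the tree's stock `src/Makefile` is unmodified (its `MYCFLAGS` and `MYLDFLAGS` variables are what the script passes through). The `posix` target is used instead of `linux` so readline is not needed.

```shell
#!/bin/sh
# Added reproduction helper (not from the thread). Assumes LUA_SRC names an
# unpacked Lua 5.4.4 source tree and that GNU make and gcc are available.
set -u

# The minimal trigger quoted by Roberto in the thread.
poc_chunk() {
    printf '%s\n' 'local _ENV <const> = 0; X = 0'
}

# Compiler flags per build variant. Lua's src/Makefile appends MYCFLAGS to
# CFLAGS, so nothing in the tree has to be patched. -DLUAI_ASSERT turns
# lua_assert() into assert() (see llimits.h), which is what makes the
# one-liner fail loudly instead of silently generating bad code.
build_cflags() {
    case "$1" in
        assert) printf '%s' '-O0 -g -DLUAI_ASSERT' ;;
        asan)   printf '%s' '-O0 -g -fsanitize=address -fno-omit-frame-pointer' ;;
        *)      return 1 ;;
    esac
}

# Linker flags per variant (src/Makefile appends MYLDFLAGS to LDFLAGS).
build_ldflags() {
    case "$1" in
        assert) printf '%s' '' ;;
        asan)   printf '%s' '-fsanitize=address' ;;
        *)      return 1 ;;
    esac
}

# Rebuild one variant from a clean tree, run the PoC, and report the
# interpreter's exit status: 134 means SIGABRT (e.g. a failed assertion),
# 1 is the status for a plain Lua error or an ASan report, 0 means it ran.
run_variant() {
    variant=$1
    poc=$(mktemp)
    poc_chunk > "$poc"
    make -C "$LUA_SRC" clean >/dev/null
    make -C "$LUA_SRC" posix \
         MYCFLAGS="$(build_cflags "$variant")" \
         MYLDFLAGS="$(build_ldflags "$variant")" >/dev/null
    set +e
    "$LUA_SRC/src/lua" "$poc"
    status=$?
    set -e
    rm -f "$poc"
    echo "$variant build: exit status $status"
}

# Only build when a source tree has been pointed at; the helper functions
# above are usable on their own otherwise.
if [ -n "${LUA_SRC:-}" ]; then
    run_variant assert
    run_variant asan
fi
```

Run it as `LUA_SRC=./lua-5.4.4 sh repro.sh`. With assertions on, the first build should abort on the assertion Roberto mentions; the second build shows whether ASan sees anything at all on a given compiler and platform, which, as the thread notes, is not guaranteed when assertions are off.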