lua-users home
lua-l archive



Hi,

An assertion failure was found by fuzzing in Lua (version 5.4.4, git commit: 5d708c3f9cae12820e415d4f89c9eacbe2ab964b).

poc.lua:
---
for i = 0, 0 do
    local function f(...)
        _ENV[i], a = 0
        return #_ENV
    end
    f((0 % f((0))))
end
---

When building with assertions on and executing "./lua poc.lua", we get the following backtrace:
---
#2  0x00007ffff625c3fa in __assert_fail_base (
    fmt=0x7ffff63e36c0 "%s%s%s:%u: %s%sAssertion `%s' failed.\n%n",
    assertion=assertion@entry=0x555555611ac0 "(((((uv)->v.p != &(uv)->u.value)) ? (void) (0) : __assert_fail (\"((uv)->v.p != &(uv)->u.value)\", \"lfunc.c\", 198, __extension__ __PRETTY_FUNCTION__)), (((StkId)((uv)->v.p)))) < L->top.p", file=file@entry=0x555555611740 "lfunc.c", line=line@entry=0xc6,
    function=function@entry=0x555555611ee0 <__PRETTY_FUNCTION__.4122> "luaF_closeupval") at assert.c:92
#3  0x00007ffff625c472 in __GI___assert_fail (
    assertion=0x555555611ac0 "(((((uv)->v.p != &(uv)->u.value)) ? (void) (0) : __assert_fail (\"((uv)->v.p != &(uv)->u.value)\", \"lfunc.c\", 198, __extension__ __PRETTY_FUNCTION__)), (((StkId)((uv)->v.p)))) < L->top.p", file=0x555555611740 "lfunc.c", line=0xc6,
    function=0x555555611ee0 <__PRETTY_FUNCTION__.4122> "luaF_closeupval") at assert.c:101
#4  0x000055555559d10e in luaF_closeupval ()
#5  0x000055555559d227 in luaF_close ()
#6  0x00005555555941ab in luaD_rawrunprotected ()
#7  0x0000555555599bfc in luaD_closeprotected ()
#8  0x0000555555599e7d in luaD_pcall ()
#9  0x0000555555589adb in lua_pcallk ()
#10 0x000055555557d09b in docall ()
#11 0x000055555557e406 in pmain ()
#12 0x0000555555597c6b in luaD_precall ()
#13 0x0000555555598dff in luaD_callnoyield ()
#14 0x00005555555941ab in luaD_rawrunprotected ()
#15 0x0000555555599e01 in luaD_pcall ()
#16 0x0000555555589adb in lua_pcallk ()
#17 0x000055555557c5b7 in main ()
---

Without assertions on, lua throws an error:
---
lua: poc.lua:5: attempt to perform 'n%%0'
stack traceback:
	poc.lua:5: in main chunk
	[C]: in ?
---

--
Best Wishes,
Yongheng Chen