- Subject: Re: A crash in Lua 5.3.2
- From: Roberto Ierusalimschy <roberto@...>
- Date: Sat, 2 Jan 2016 13:25:13 -0200
> Is the bug caused by the GC unexpectedly changing the "gc" field, hence
> hvalue(t) is not a constant?
No.
The bug is in luaV_finishset (lvm.c:187). Remember the program:
local MT = {}
MT.__newindex = MT
local T = setmetatable({}, MT)
T[1] = 1
(I changed the variable names to uppercase because luaV_finishset has
a C variable named 't', too.)
When Lua executes T[1] = 1 and T[1] has a nil value, it goes into
luaV_finishset. There, it sees the metatable's __newindex field, and so
't' now points to this entry (MT.__newindex) in MT table, which is equal
to 't' (because MT.__newindex == MT). Then, in line 200, we have this:
(oldval = luaH_newkey(L, hvalue(t), key), 1))) {
This opens space to insert the key '1' in table 't', which is MT.
As MT does not have that space, it is rehashed. In this rehash,
the field MT.__newindex (like any other field) is moved to a new
array, and the old array is deleted. But 't' is still pointing
into that old array! Then in line 203, we try to get the value
of 't' and so we end up accessing a deleted array.
-- Roberto
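The hazard Roberto describes is a general one: a pointer into a table's node array is only valid until the next insertion that can trigger a rehash. The toy table below is an added illustration, not code from lvm.c or ltable.c; the names (Table, table_newkey, insert_invalidates, finishset_safe) and the growth policy are assumptions made for the example. It shows, without dereferencing anything freed, that an insertion which forces a rehash moves the node array out from under any held pointer, and it shows the safe shape of the finishset logic: re-derive the slot from the table after the insertion instead of keeping a pointer across it.

```c
/* Added example (not Lua's own code): a minimal table whose rehash moves
 * every node to a fresh array and frees the old one, as ltable.c does. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int key; int val; int used; } Node;
typedef struct { Node *nodes; size_t cap; size_t n; } Table;

static void table_init(Table *t, size_t cap) {
    t->nodes = calloc(cap, sizeof(Node));
    t->cap = cap;
    t->n = 0;
}

static void table_free(Table *t) { free(t->nodes); t->nodes = NULL; }

/* Linear scan is enough here; returns the slot for key or NULL. */
static Node *table_get(Table *t, int key) {
    for (size_t i = 0; i < t->n; i++)
        if (t->nodes[i].used && t->nodes[i].key == key) return &t->nodes[i];
    return NULL;
}

/* Analogue of luaH_newkey: make room for key, rehashing when full.
 * After a rehash every Node* obtained earlier points into freed memory. */
static Node *table_newkey(Table *t, int key) {
    if (t->n == t->cap) {
        Node *fresh = calloc(t->cap * 2, sizeof(Node));
        memcpy(fresh, t->nodes, t->n * sizeof(Node));
        free(t->nodes);            /* old array deleted: held pointers dangle */
        t->nodes = fresh;
        t->cap *= 2;
    }
    Node *slot = &t->nodes[t->n++];
    slot->key = key;
    slot->used = 1;
    return slot;
}

/* Does inserting `key` move the node array, i.e. would a pointer taken
 * before the insert now dangle? Compared as integers so no freed memory
 * is touched. Returns 1 when the array moved. */
static int insert_invalidates(Table *t, int key) {
    uintptr_t before = (uintptr_t)t->nodes;
    table_newkey(t, key);
    return (uintptr_t)t->nodes != before;
}

/* Safe shape of the finishset step: store the new key, then look the
 * metatable entry up again rather than reusing a pre-insert pointer.
 * Returns the value found under metakey, or -1 if absent. */
static int finishset_safe(Table *t, int metakey, int key, int val) {
    Node *slot = table_newkey(t, key);
    slot->val = val;
    Node *meta = table_get(t, metakey);   /* re-lookup after possible rehash */
    return meta ? meta->val : -1;
}

int main(void) {
    Table mt;
    table_init(&mt, 1);                    /* capacity 1: first insert fills it */
    table_newkey(&mt, 100)->val = 7;       /* stands in for MT.__newindex */
    printf("insert of key 1 moved the array: %d\n", insert_invalidates(&mt, 1));
    table_free(&mt);

    table_init(&mt, 1);
    table_newkey(&mt, 100)->val = 7;
    printf("metatable entry after safe insert: %d\n", finishset_safe(&mt, 100, 1, 1));
    table_free(&mt);
    return 0;
}
```

The reported crash is the `insert_invalidates` case followed by a read through the stale pointer; tools such as AddressSanitizer or Valgrind flag that read as a use of freed heap memory, which is the practical way to catch this class of bug in an interpreter's table code.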