- Subject: Re: Heap use after free in luaD_call
- From: Andrew Gierth <andrew@...>
- Date: Wed, 15 Jul 2020 16:24:54 +0100
>>>>> "Andrew" == Andrew Gierth <andrew@tao11.riddles.org.uk> writes:
Andrew> So this one seems to be something corrupting the gray lists, if
Andrew> I understand the logic correctly.
Andrew> What's happening is that a value (in this case a C closure) is
Andrew> being pushed on the stack and then immediately freed because
Andrew> the current thread stack is not being marked (which ought to be
Andrew> happening in the atomic() call, but a breakpoint on
Andrew> traversethread() was not hit). I think this can only happen if
Andrew> the current thread is marked gray (it is) but not actually
Andrew> linked into any gray list...
Getting somewhere. An object (table) is ending up on the grayagain list
(after the atomic phase of a generational step) while still new; it's
still in that list when sweepgen sees it, which clears it to white
without removing it from the list. A subsequent barrier call then sees
it as white and turns it gray, adding it to the (empty) gray list, at
which point everything _else_ that was on grayagain just got dropped on
the floor, and this includes the main thread.
--
Andrew.
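The failure sequence described above, reduced to a constructed toy model (added here as an illustration; it is not Lua's lgc.c and not code from the poster). The names gray, grayagain and gclist are borrowed from the Lua vocabulary but the structures are simplified: one intrusive next-pointer per object, so an object can sit on exactly one list at a time, and whoever re-links it silently clobbers the previous list. The "checked" sweep is an assumed debug-style invariant check, not the fix Lua actually adopted.

```c
#include <stddef.h>
#include <stdio.h>

enum color { WHITE, GRAY, BLACK };

typedef struct Obj {
    const char *name;
    enum color color;
    struct Obj *gclist; /* single intrusive link: one list membership at a time */
} Obj;

static Obj *gray;      /* objects waiting to be traversed */
static Obj *grayagain; /* objects to be re-traversed in the atomic phase */

static int on_list(const Obj *l, const Obj *o) {
    for (; l != NULL; l = l->gclist)
        if (l == o) return 1;
    return 0;
}

static size_t list_len(const Obj *l) {
    size_t n = 0;
    for (; l != NULL; l = l->gclist) n++;
    return n;
}

static void link_gray(Obj **list, Obj *o) {
    o->color = GRAY;
    o->gclist = *list; /* clobbers whatever link o held in its previous list */
    *list = o;
}

/* Write barrier: a white object now referenced from a black one must turn gray. */
static void barrier(Obj *o) {
    if (o->color == WHITE) link_gray(&gray, o);
}

/* Sweep variant that whitens without unlinking: the hazard in the report. */
static void sweep_buggy(Obj *o) { o->color = WHITE; }

/* Assumed debug-style sweep: refuse to whiten an object still threaded on a
 * gray list, since a later barrier would re-link it and truncate that list. */
static int sweep_checked(Obj *o) {
    if (on_list(gray, o) || on_list(grayagain, o)) return 0; /* invariant violated */
    o->color = WHITE;
    return 1;
}

/* Replay the reported sequence and return how many objects are still
 * reachable through grayagain afterwards (constructed scenario). */
size_t scenario(int use_checked_sweep) {
    static Obj table, mainthread, other;
    table = (Obj){"table", BLACK, NULL};
    mainthread = (Obj){"mainthread", BLACK, NULL};
    other = (Obj){"other", BLACK, NULL};
    gray = NULL;
    grayagain = NULL;

    /* the atomic phase leaves three objects on grayagain, the table at its head */
    link_gray(&grayagain, &other);
    link_gray(&grayagain, &mainthread);
    link_gray(&grayagain, &table);

    /* sweep reaches the table while it is still on grayagain */
    if (use_checked_sweep)
        sweep_checked(&table);
    else
        sweep_buggy(&table);

    /* a later barrier sees a white table and pushes it onto the (empty) gray list */
    barrier(&table);

    return list_len(grayagain);
}

int main(void) {
    printf("buggy sweep:   %zu object(s) still on grayagain\n", scenario(0));
    printf("checked sweep: %zu object(s) still on grayagain\n", scenario(1));
    return 0;
}
```

With the buggy sweep the barrier sets table.gclist to the empty gray list, so grayagain now ends at the table and mainthread and other are no longer reachable from any gray list; in a real collector they would be treated as unmarked and freed, which is the use-after-free the thread is chasing. The checked variant simply refuses to whiten an object that is still linked, leaving all three on grayagain.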