tarantool / luajit / 8554012565

70%

tarantool/master: 93%

Build Type

push

github

Committed by Buristan

Commit Message

Handle stack reallocation in debug.setmetatable() and lua_setmetatable().

Thanks to Sergey Kaplun.

(cherry picked from commit 88ed9fdbb)

When we use the aforementioned functions to set a metatable for types
with one shared metatable, we must flush all traces since they are
specialized to base metatables. If we have enabled vmevent handlers,
they invoke a callback on trace flushing. This callback may reallocate
the Lua stack. Thus invalidates the reference to the `TValue *` object
`o` by the given index in the `lua_setmetatable()` and leads to a
heap-use-after-free error.

This patch fixes the behaviour by recalculating the address by the given
index after possible stack reallocation.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#9595

Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org>
Reviewed-by: Sergey Bronnikov <sergeyb@tarantool.org>
Signed-off-by: Sergey Kaplun <skaplun@tarantool.org>
(cherry picked from commit e996ad3d7)

Run Details

5638 of 5999 branches covered (93.98%)

Branch coverage included in aggregate %.

1 of 1 new or added line in 1 file covered. (100.0%)

17 existing lines in 5 files now uncovered.

21495 of 23325 relevant lines covered (92.15%)

865441.68 hits per line