tarantool / luajit / 8550760594 / 1

71%

tarantool/master: 93%

push

github

Handle stack reallocation in debug.setmetatable() and lua_setmetatable().

Thanks to Sergey Kaplun.

(cherry picked from commit 88ed9fdbb)

When we use the aforementioned functions to set a metatable for types
with one shared metatable, we must flush all traces since they are
specialized to base metatables. If we have enabled vmevent handlers,
they invoke a callback on trace flushing. This callback may reallocate
the Lua stack. Thus invalidates the reference to the `TValue *` object
`o` by the given index in the `lua_setmetatable()` and leads to a
heap-use-after-free error.

This patch fixes the behaviour by recalculating the address by the given
index after possible stack reallocation.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#9595

5663 of 6018 branches covered (94.1%)

Branch coverage included in aggregate %.

21627 of 23417 relevant lines covered (92.36%)

2922276.73 hits per line