From 6347004be9bed939416af8a59917eb30d10c1849 Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy
Date: Thu, 2 May 2013 13:13:27 -0300
Subject: [PATCH] stack overflow in vararg functions + garbage collector in recursive loops
---
 bugs | 77 ++++++++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 70 insertions(+), 7 deletions(-)
diff --git a/bugs b/bugs
index ea2af432..225f0625 100644
--- a/bugs
+++ b/bugs
@@ -179,13 +179,13 @@ Tue May 2 15:27:58 EST 2000 ** lparser.c Fri May 12 15:11:12 EST 2000 >> first element in a list constructor is not adjusted to one value
->> (e.g. «a = {gsub('a','a','')}»)
+>> (e.g. «a = {gsub('a','a','')}»)
 (by Tomas; since 4.0a) ** lparser.c Wed May 24 14:50:16 EST 2000 >> record-constructor starting with an upvalue name gets an error
->> (e.g. «local a; function f() x = {a=1} end»)
+>> (e.g. «local a; function f() x = {a=1} end»)
 (by Edgar Toernig; since 3.1) ** lparser.c
@@ -226,7 +226,7 @@ Wed Sep 27 09:50:19 EST 2000 ** llex.h / llex.c / lparser.c Wed Sep 27 13:39:45 EST 2000 >> parser overwrites semantic information when looking ahead
->> (e.g. «a = {print'foo'}»)
+>> (e.g. «a = {print'foo'}»)
 (by Edgar Toernig; since 4.0b, deriving from previous bug) ** liolib.c
@@ -257,7 +257,7 @@ Thu Feb 1 11:55:45 EDT 2001 ** ldo.c Fri Feb 2 14:06:40 EDT 2001
->> «while 1 dostring[[print('hello\n')]] end» never reclaims memory
+>> «while 1 dostring[[print('hello\n')]] end» never reclaims memory
 (by Andrew Paton; since 4.0b) ** lbaselib.c
@@ -1375,7 +1375,7 @@ patch = [[ Bug{ what = [[As a library, loadlib.c should not access Lua internals (via lobject.h)]],
-report = [[Jérôme Vuarand, on 03/2007]],
+report = [[Jérôme Vuarand, on 03/2007]],
 since = [[5.0]], example = [[the bug has no effect on external behavior]], patch = [[remove the '#include "lobject.h" and use
@@ -1880,8 +1880,8 @@ patch = [[ +++ lundump.c 2008/04/04 19:51:41 2.7.1.4
@@ -1,5 +1,5 @@ /*
--** $Id: bugs,v 1.119 2012/12/03 20:18:02 roberto Exp roberto $
-+** $Id: bugs,v 1.119 2012/12/03 20:18:02 roberto Exp roberto $
+-** $Id: bugs,v 1.120 2013/02/07 15:57:47 roberto Exp roberto $
++** $Id: bugs,v 1.120 2013/02/07 15:57:47 roberto Exp roberto $
 ** load precompiled Lua chunks ** See Copyright Notice in lua.h */
@@ -2854,6 +2854,69 @@ patch = [[ ]] }
+Bug{
+what = [[stack overflow in vararg functions with many fixed
+parameters called with few arguments]],
+report = [[云风, 2013/04/17]],
+since = [[5.1]],
+fix = nil,
+example = [[
+function f(p1, p2, p3, p4, p5, p6, p7, p8, p9, p10,
+ p11, p12, p13, p14, p15, p16, p17, p18, p19, p20,
+ p21, p22, p23, p24, p25, p26, p27, p28, p29, p30,
+ p31, p32, p33, p34, p35, p36, p37, p38, p39, p40,
+ p41, p42, p43, p44, p45, p46, p48, p49, p50, ...)
+ local a1, a2, a3, a4, a5, a6, a7, a8, a9, a10, a11, a12, a13, a14
+end
+
+f() -- seg. fault (on some machines)
+]],
+patch = [[
+--- ldo.c 2012/10/01 14:05:04 2.108
++++ ldo.c 2013/04/19 20:56:06
+@@ -324,7 +324,7 @@
+ case LUA_TLCL: { /* Lua function: prepare its call */
+ StkId base;
+ Proto *p = clLvalue(func)->p;
+- luaD_checkstack(L, p->maxstacksize);
++ luaD_checkstack(L, p->maxstacksize + p->numparams);
+ func = restorestack(L, funcr);
+ n = cast_int(L->top - func) - 1; /* number of real arguments */
+ for (; n < p->numparams; n++)
+]],
+}
+
+--[=[
+Bug{
+what = [[garbage collector can trigger too many times in recursive loops]],
+report = [[Roberto, 2013/04/25]],
+since = [[5.2.2]],
+fix = nil,
+example = [[
+function f() f() end
+f() -- it takes too long before a "stack overflow" error
+]],
+patch = [[
+--- lgc.c 2013/04/12 18:48:47 2.140.1.1
++++ lgc.c 2013/04/25 21:30:20
+@@ -495,2 +495,3 @@
+ static lu_mem traversestack (global_State *g, lua_State *th) {
++ int n = 0;
+ StkId o = th->stack;
+@@ -505,3 +506,9 @@
+ }
+- return sizeof(lua_State) + sizeof(TValue) * th->stacksize;
++ else { /* count call infos to compute size */
++ CallInfo *ci;
++ for (ci = &th->base_ci; ci != th->ci; ci = ci->next)
++ n++;
++ }
++ return sizeof(lua_State) + sizeof(TValue) * th->stacksize +
++ sizeof(CallInfo) * n;
+ }
+]]
+}
+
 --[=[ Bug{ what = [[ ]],