Lua 5.2 parsing bug with long identifiers


Jean-Luc Jumpertz-2
Hi,

Recently, a few users of my CodeFlow IDE, embedding Lua 5.2.4, got many application crashes. After investigating the problem, I found that the root cause was in the Lua parser: under some conditions, the Lua parser could GC a long string corresponding to a name or string token, while this token was still being processed, which could have nasty consequences and lead to the crash of the application embedding Lua.

I'm perfectly aware that the 5.2 branch is not maintained anymore, but there are still people using it, and they might bump into the same issue, and I hope that this post might help them.

So back to the bug: making the parser crash can be as easy as writing:

function f () end
someVeryLongIdentiferConvertedByLuaAsALongString = 0

What happens here is that the token string created after the function 'end' is not correctly anchored to the calling funcstate if it is a long string, so if the GC triggers, it can be freed and overwritten by something else…

Actually this is a known old bug, namely https://www.lua.org/bugs.html#5.2.2-6, that was fixed by Roberto back in 2013. But the correction reported to the 5.2 branch was incomplete.

The good news is that the correction done in Lua commit https://github.com/lua/lua/commit/8ef9e8460e775793f760deb28d0c3d10dda31b49 completely solves the problem, and reporting it in the context of Lua 5.2.4 is safe and actually solves the issue.

Roberto, could you confirm this?

So if you are still using Lua 5.2.x and your Lua source code might have long identifiers, you probably might want to report the fix in your Lua version…

Regards,
Jean-Luc

PS: Having the Lua change history on GitHub is great and was incredibly helpful in this case! :-)
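
An exposure check for the condition described in the post above, added here as an example and not part of the original message or of Lua itself: it lists the identifiers in a Lua source text that an unpatched 5.2.x parser would create as long strings. It assumes the stock LUAI_MAXSHORTLEN of 40 from luaconf.h, covers names only (not the long string literals the post also mentions), and long_names and SAMPLE are names made up for this sketch.

```python
import re

# Assumption: default Lua 5.2 build, where strings longer than
# LUAI_MAXSHORTLEN (40) are created as collectable "long strings".
LUAI_MAXSHORTLEN = 40

# Comments, string literals and numbers are consumed first so that only
# real name tokens reach the 'name' group.
TOKEN = re.compile(r"""
    --\[(?P<c>=*)\[.*?\](?P=c)\]     # long comment  --[==[ ... ]==]
  | --[^\n]*                         # line comment
  | \[(?P<s>=*)\[.*?\](?P=s)\]       # long bracket string [==[ ... ]==]
  | "(?:\\.|[^"\\\n])*"              # double-quoted string
  | '(?:\\.|[^'\\\n])*'              # single-quoted string
  | \d\w*                            # numbers such as 0x1F
  | (?P<name>[A-Za-z_][A-Za-z0-9_]*) # identifiers and keywords
""", re.VERBOSE | re.DOTALL)


def long_names(source):
    """Return sorted (line, name) pairs for names above LUAI_MAXSHORTLEN."""
    hits = set()
    for m in TOKEN.finditer(source):
        name = m.group("name")
        if name and len(name) > LUAI_MAXSHORTLEN:
            line = source.count("\n", 0, m.start()) + 1
            hits.add((line, name))
    return sorted(hits)


# Constructed sample: the first two lines are the snippet from the post,
# the rest checks that comments and string contents are not reported as names.
SAMPLE = '''\
function f () end
someVeryLongIdentiferConvertedByLuaAsALongString = 0
-- aCommentedOutIdentifierThatIsAlsoLongerThanFortyChars = 1
local s = "aWordInsideAQuotedStringThatIsNotAnIdentifierToken"
local shortName = 2
'''

if __name__ == "__main__":
    for line, name in long_names(SAMPLE):
        print(f"line {line}: {name} ({len(name)} chars)")
```

An empty result only means no name crosses the threshold; it says nothing about string literals or about whether the fix has been applied to the embedded Lua.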