Fixed bug for emergency collection in upvalue creation

When creating an upvalue, an emergency collection can collect the previous upvalue where the new one would be linked. The following code can trigger the bug, using valgrind on Lua compiled with the -DHARDMEMTESTS option: local x; local y (function () return y end)(); (function () return x end)()
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2019-07-19 12:13:00 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2019-07-19 12:13:00 -0300
commit: 440a5ee78c8592230780310c9c8d8c2ba1700cb1 (patch)
tree: 30d361cbe23eb652f8874e580750ca65fcca5b52
parent: dc07719b0dbc4f2df0f42e34e18be1e0ac4fa2c3 (diff)
download: lua-440a5ee78c8592230780310c9c8d8c2ba1700cb1.tar.gz
lua-440a5ee78c8592230780310c9c8d8c2ba1700cb1.tar.bz2
lua-440a5ee78c8592230780310c9c8d8c2ba1700cb1.zip
3 files changed, 10 insertions, 8 deletions
diff --git a/lfunc.c b/lfunc.c
index 9f91ad4f..f7edf56b 100644
--- a/lfunc.c
+++ b/lfunc.c
@@ -82,20 +82,22 @@ static UpVal *newupval (lua_State *L, int tbc, StkId level, UpVal **prev) {
 /*
-** Find and reuse, or create if it does not exist, a regular upvalue
+** Find and reuse, or create if it does not exist, an upvalue
-** at the given level.
+** at the given level and set it to the given slot.
 */
-UpVal *luaF_findupval (lua_State *L, StkId level) {
+void luaF_setupval (lua_State *L, StkId level, UpVal **slot) {
  UpVal **pp = &L->openupval;
  UpVal *p;
  lua_assert(isintwups(L) || L->openupval == NULL);
  while ((p = *pp) != NULL && uplevel(p) >= level) {  /* search for it */
+    *slot = p;
    if (uplevel(p) == level && !isdead(G(L), p))  /* corresponding upvalue? */
-      return p;  /* return it */
+      return;  /* found it */
    pp = &p->u.open.next;
  }
-  /* not found: create a new upvalue after 'pp' */
+  /* not found: create a new upvalue after 'pp' (which is
-  return newupval(L, 0, level, pp);
+    anchored in 'slot', in case of an emergency collection) */
+  *slot = newupval(L, 0, level, pp);
 }
diff --git a/lfunc.h b/lfunc.h
index 0ed79c48..72fc913a 100644
--- a/lfunc.h
+++ b/lfunc.h
@@ -57,7 +57,7 @@ LUAI_FUNC Proto *luaF_newproto (lua_State *L);
 LUAI_FUNC CClosure *luaF_newCclosure (lua_State *L, int nelems);
 LUAI_FUNC LClosure *luaF_newLclosure (lua_State *L, int nelems);
 LUAI_FUNC void luaF_initupvals (lua_State *L, LClosure *cl);
-LUAI_FUNC UpVal *luaF_findupval (lua_State *L, StkId level);
+LUAI_FUNC void luaF_setupval (lua_State *L, StkId level, UpVal **slot);
 LUAI_FUNC void luaF_newtbcupval (lua_State *L, StkId level);
 LUAI_FUNC int luaF_close (lua_State *L, StkId level, int status);
 LUAI_FUNC void luaF_unlinkupval (UpVal *uv);
diff --git a/lvm.c b/lvm.c
index d9bd0ab3..d3e05199 100644
--- a/lvm.c
+++ b/lvm.c
@@ -697,7 +697,7 @@ static void pushclosure (lua_State *L, Proto *p, UpVal **encup, StkId base,
  setclLvalue2s(L, ra, ncl);  /* anchor new closure in stack */
  for (i = 0; i < nup; i++) {  /* fill in its upvalues */
    if (uv[i].instack)  /* upvalue refers to local variable? */
-      ncl->upvals[i] = luaF_findupval(L, base + uv[i].idx);
+      luaF_setupval(L, base + uv[i].idx, &ncl->upvals[i]);
    else  /* get upvalue from enclosing function */
      ncl->upvals[i] = encup[uv[i].idx];
    luaC_objbarrier(L, ncl, ncl->upvals[i]);
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2019-07-19 12:13:00 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2019-07-19 12:13:00 -0300
commit	440a5ee78c8592230780310c9c8d8c2ba1700cb1 (patch)
tree	30d361cbe23eb652f8874e580750ca65fcca5b52
parent	dc07719b0dbc4f2df0f42e34e18be1e0ac4fa2c3 (diff)
download	lua-440a5ee78c8592230780310c9c8d8c2ba1700cb1.tar.gz lua-440a5ee78c8592230780310c9c8d8c2ba1700cb1.tar.bz2 lua-440a5ee78c8592230780310c9c8d8c2ba1700cb1.zip