Avoid setting the stack top below upvalues to be closed

When leaving a scope, the new stack top should be set only after closing any upvalue, to avoid manipulating values in an "invalid" part of the stack.
author: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2019-07-16 14:13:22 -0300
committer: Roberto Ierusalimschy <roberto@inf.puc-rio.br> 2019-07-16 14:13:22 -0300
commit: 298f383ffcc30d0799fbca0293175f647fe6bccf (patch)
tree: b96f7572dd4e185007d20436db45c505976c3122
parent: 758c1ef445ab27d89bace746111add04083a8e20 (diff)
download: lua-298f383ffcc30d0799fbca0293175f647fe6bccf.tar.gz
lua-298f383ffcc30d0799fbca0293175f647fe6bccf.tar.bz2
lua-298f383ffcc30d0799fbca0293175f647fe6bccf.zip
3 files changed, 13 insertions, 9 deletions
diff --git a/lapi.c b/lapi.c
index 661fdb14..0f81107f 100644
--- a/lapi.c
+++ b/lapi.c
@@ -171,19 +171,20 @@ LUA_API int lua_gettop (lua_State *L) {
 LUA_API void lua_settop (lua_State *L, int idx) {
  StkId func = L->ci->func;
+  int diff;  /* difference for new top */
  lua_lock(L);
  if (idx >= 0) {
-    StkId newtop = (func + 1) + idx;
+    api_check(L, idx <= L->ci->top - (func + 1), "new top too large");
-    api_check(L, idx <= L->stack_last - (func + 1), "new top too large");
+    diff = (func + 1) + idx - L->top;
-    while (L->top < newtop)
+    for (; diff > 0; diff--)
-      setnilvalue(s2v(L->top++));
+      setnilvalue(s2v(L->top++));  /* clear new slots */
-    L->top = newtop;
  }
  else {
    api_check(L, -(idx+1) <= (L->top - (func + 1)), "invalid new top");
-    L->top += idx+1;  /* 'subtract' index (index is negative) */
+    diff = idx + 1;  /* will "subtract" index (as it is negative) */
  }
-  luaF_close(L, L->top, LUA_OK);
+  luaF_close(L, L->top + diff, LUA_OK);
+  L->top += diff;  /* correct top only after closing any upvalue */
  lua_unlock(L);
 }
diff --git a/lfunc.c b/lfunc.c
index 55114992..68d0632a 100644
--- a/lfunc.c
+++ b/lfunc.c
@@ -202,6 +202,7 @@ int luaF_close (lua_State *L, StkId level, int status) {
  while ((uv = L->openupval) != NULL && uplevel(uv) >= level) {
    StkId upl = uplevel(uv);
    TValue *slot = &uv->u.value;  /* new position for value */
+    lua_assert(upl < L->top);
    luaF_unlinkupval(uv);
    setobj(L, slot, uv->v);  /* move value to upvalue slot */
    uv->v = slot;  /* now current value lives here */
diff --git a/lvm.c b/lvm.c
index d365bcdd..9838500b 100644
--- a/lvm.c
+++ b/lvm.c
@@ -1601,15 +1601,17 @@ void luaV_execute (lua_State *L, CallInfo *ci) {
        int n = GETARG_B(i) - 1;  /* number of results */
        if (n < 0)  /* not fixed? */
          n = cast_int(L->top - ra);  /* get what is available */
-        else
-          L->top = ra + n;  /* set call for 'luaD_poscall' */
        savepc(ci);
        if (TESTARG_k(i)) {
          int nparams1 = GETARG_C(i);
+          if (L->top < ci->top)
+            L->top = ci->top;
          luaF_close(L, base, LUA_OK);  /* there may be open upvalues */
+          updatestack(ci);
          if (nparams1)  /* vararg function? */
            ci->func -= ci->u.l.nextraargs + nparams1;
        }
+        L->top = ra + n;  /* set call for 'luaD_poscall' */
        luaD_poscall(L, ci, n);
        return;
      }
author	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2019-07-16 14:13:22 -0300
committer	Roberto Ierusalimschy <roberto@inf.puc-rio.br>	2019-07-16 14:13:22 -0300
commit	298f383ffcc30d0799fbca0293175f647fe6bccf (patch)
tree	b96f7572dd4e185007d20436db45c505976c3122
parent	758c1ef445ab27d89bace746111add04083a8e20 (diff)
download	lua-298f383ffcc30d0799fbca0293175f647fe6bccf.tar.gz lua-298f383ffcc30d0799fbca0293175f647fe6bccf.tar.bz2 lua-298f383ffcc30d0799fbca0293175f647fe6bccf.zip