From 3fe7be956f23385aa1950dc31e2f25127ccfc0ea Mon Sep 17 00:00:00 2001
From: Roberto Ierusalimschy <roberto@inf.puc-rio.br>
Date: Mon, 17 Mar 2025 16:14:17 -0300
Subject: Bug: message handler can be overwritten

A __close metamethod can overwrite a message handler in the stack
when closing a thread or a state.
---
 testes/coroutine.lua | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

(limited to 'testes')

diff --git a/testes/coroutine.lua b/testes/coroutine.lua
index e566c86e..03e04451 100644
--- a/testes/coroutine.lua
+++ b/testes/coroutine.lua
@@ -493,6 +493,25 @@ assert(not pcall(a, a))
 a = nil
 
 
+do
+  -- bug in 5.4: thread can use message handler higher in the stack
+  -- than the variable being closed
+  local c = coroutine.create(function()
+    local clo <close> = setmetatable({}, {__close=function()
+      local x = 134   -- will overwrite message handler
+      error(x)
+    end})
+    -- yields coroutine but leaves a new message handler for it,
+    -- that would be used when closing the coroutine (except that it
+    -- will be overwritten)
+    xpcall(coroutine.yield, function() return "XXX" end)
+  end)
+
+  assert(coroutine.resume(c))   -- start coroutine
+  local st, msg = coroutine.close(c)
+  assert(not st and msg == 134)
+end
+
 -- access to locals of erroneous coroutines
 local x = coroutine.create (function ()
             local a = 10
-- 
cgit v1.2.3-55-g6feb