-
Vladimir Davydov authored
Runtime tuple formats are reusable, which means that a tuple format returned by runtime_tuple_format_new may not be brand new, but actually be used by a Lua object. As a result, if we call any function that may trigger Lua GC between runtime_tuple_format_new and tuple_format_ref, the tuple format may be deleted, leading to a use-after-free bug. This is what happens in lbox_tuple_format_new. Fix this issue by moving the runtime_tuple_format_new call after the Lua object allocation. Closes #8889 NO_DOC=bug fix NO_TEST=difficult to reproduce, found by ASAN
Vladimir Davydov authoredRuntime tuple formats are reusable, which means that a tuple format returned by runtime_tuple_format_new may not be brand new, but actually be used by a Lua object. As a result, if we call any function that may trigger Lua GC between runtime_tuple_format_new and tuple_format_ref, the tuple format may be deleted, leading to a use-after-free bug. This is what happens in lbox_tuple_format_new. Fix this issue by moving the runtime_tuple_format_new call after the Lua object allocation. Closes #8889 NO_DOC=bug fix NO_TEST=difficult to reproduce, found by ASAN
