Closed Mellnik closed 1 year ago
Hello, thank you for reporting this.
I am not familiar with LuaBridge and replicating this issue would require for me to get familiar with it first.
I have an inkling of what might be going on here.
In general, inspect should just output <userdata x>
where x is the order in which inspect has encountered said userdata while parsing its input.
The "has encountered said userdata" test might be where inspect is trying to invoke __eq
on your userdata. My assumption was that every single Lua value is comparable with other values - if anything else, this is needed because in Lua any value can be nil
, so you at least need to be able to nil-check.
If this is correct, then the possibilities I see are:
<userdata x>
, or find a way to know if a userdata has an __lt metamethod (this is unlikely).As I mentioned at the beginning I am not familiar with LuaBridge and I'm afraid I don't have the bandwidth to investigate this. Please feel free to send a Pull Request.
Hi kikito,
thank you very much for your fast reply and feedback.
I think that in no case Lua scripts should be able to crash the host. Of course this only applies if "safe" methods are exposed to Lua and the user C side (host) properly interacts with Lua. This includes properly exposing userdata, as you said, and running code in protected mode (pcall).
From what I see inspect only uses getmetatable and setmetatable which I consider safe as long as the host took preventive measures.
By digging into LuaBridge I found out that it sets the metatable field with a "nil". (See here) Effectively deleting that key. According to Lua documentation metatable must be set in order to prevent any tempering with the default set/getmetatable (not the debug one).
I have modified that part by replacing lua_pushnil with lua_pushboolean.
Now inspect no longer crashes because the metatable of their userdata is no longer accessible.
The LuaBridge documentation states that they set a boolean to __metatable but apparently the current source does not do that.
I am unsure if this fix is the actual proper way of doing it. Or if there is another issue with LuaBridge.
Anyway I am going to report that to LuaBridge.
I think you can close this issue if you have no more to add.
Thank you for your time!
Not really related to the before issue but I just saw that inspect also uses rawget. Would it be possible to add a check whether rawget is available because in some environments this function is not exposed. inspect can still deliver plenty information.
That is easier to model. Do you mind giving this a look, see if it works for you?
https://github.com/kikito/inspect.lua/tree/feat-optional-rawget
Thanks. For me it works well and prints the same output as with rawget.
alright, that change is merged in master now.
I'll close this since LuaBridge seemed to have an issue after all, please reopen if it turns out I was wrong.
Environment
The Crash When inspecting _G it seems like the metamethod __eq is called on the ExampleClass. But apparently there is no valid userdata passed resulting in a crash.