BBS:      TELESC.NET.BR
Subject:  src/syncterm/wren/vm/wren_vm.c
From:     Deuce
Date:     Sat, 2 May 2026 15:47:32 -0700
-----------------------------------------------------------
https://gitlab.synchro.net/main/sbbs/-/commit/3e714141aa290190f0f09cdd
Modified Files:
	src/syncterm/wren/vm/wren_vm.c
Log Message:
Wren: close upvalues on fiber abort to prevent UAF

runtimeError() unwound the caller chain without calling
closeUpvalues() on the aborting fibers.  Every other code path
that ends a function's stack - CODE_RETURN, CODE_CLOSE_UPVALUE -
closes upvalues first; the abort path was the lone exception.

A closure created inside an aborted frame that survives (held by
a module-level static, a host callback, an observer list, ...) keeps
upvalues whose `value` pointers still point INTO the dead fiber's
stack.  Once GC reclaims the dead fiber and DEALLOCATEs its stack,
subsequent reads through those upvalues return whatever now lives
at that address - silently wrong values at best, SIGSEGV at worst
when the freed memory gets recycled into something whose bytes
decode as a tagged pointer to a stale ObjUpvalue.

Reproducer (200 fibers each capture and abort, then read back):
  before  194 of 200 closures returned the wrong value
  after   0 of 200 wrong

Filed upstream as wren-lang/wren#1234.

Co-Authored-By: Claude Opus 4.7 (1M context) 
---
 ■ Synchronet ■ Vertrauen ■ Home of Synchronet ■ [vert/cvs/bbs].synchro.net

-----------------------------------------------------------
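Added example, not part of the commit or of Wren's source: a simplified C model of the mechanism the log message describes, showing that closing upvalues on abort moves the captured value out of the fiber stack before the stack is freed. The Fiber/Upvalue layouts and the names fiber_abort, close_first and aliases_stack are assumptions for illustration; close_first=false models the abort path before the fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
typedef double Value;                 /* stand-in for the VM's value type */
typedef struct Upvalue {
    Value *value;                     /* open: points into the fiber stack */
    Value closed;                     /* closed: the upvalue owns the value */
    struct Upvalue *next;             /* fiber's list of open upvalues */
} Upvalue;
typedef struct { Value *stack; size_t capacity; Upvalue *open_upvalues; } Fiber;

Fiber *fiber_new(size_t capacity) {   /* allocation checks omitted */
    Fiber *f = calloc(1, sizeof *f);
    f->stack = calloc(capacity, sizeof(Value));
    f->capacity = capacity;
    return f;
}
/* A closure captures a local: the new upvalue aliases the stack slot. */
Upvalue *capture(Fiber *f, size_t slot) {
    Upvalue *u = calloc(1, sizeof *u);
    u->value = &f->stack[slot];
    u->next = f->open_upvalues;
    return f->open_upvalues = u;
}
/* Copy each captured value out of the stack and repoint the upvalue at it. */
void close_upvalues(Fiber *f) {
    for (Upvalue *u = f->open_upvalues; u != NULL; u = u->next) {
        u->closed = *u->value;
        u->value = &u->closed;
    }
    f->open_upvalues = NULL;
}
/* Abort path: the fixed behaviour closes upvalues before the fiber dies. */
void fiber_abort(Fiber *f, bool close_first) { if (close_first) close_upvalues(f); }
/* True if the upvalue still aliases the fiber stack (no dereference needed). */
bool aliases_stack(const Fiber *f, const Upvalue *u) {
    uintptr_t p = (uintptr_t)u->value, lo = (uintptr_t)f->stack;
    return p >= lo && p < lo + f->capacity * sizeof(Value);
}
void fiber_free(Fiber *f) { free(f->stack); free(f); }  /* what GC does later */

int main(void) {                      /* fixed path, constructed sample value */
    Fiber *f = fiber_new(8);
    f->stack[3] = 42.0;
    Upvalue *u = capture(f, 3);
    fiber_abort(f, true);
    fiber_free(f);                    /* stack is gone, upvalue is not */
    bool ok = (*u->value == 42.0);    /* reads u->closed, not freed memory */
    free(u);
    return ok ? 0 : 1;
}
```

With close_first=false, aliases_stack() stays true after the abort, which is the state that becomes a dangling pointer once the stack is freed.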