fix: destroy C++ locals before raising a Lua error

gennaroprota · gennaroprota · commit d6fc2cdddf9b · 2026-06-17T11:23:07.000+02:00
`luaL_error` and `lua_error` report a failure by longjmp-ing to the
enclosing `lua_pcall`. The jump runs no C++ destructors on the frames
it unwinds, so any local with a non-trivial destructor still alive at
the point of the raise is leaked, and the unwind itself is undefined.

Two of the Lua binding functions raised while such a local was live.
The one invoked when a script assigns to a `dom::Object` field held
the value being assigned and raised from inside a `catch`. The one
invoked when a script calls a `dom::Function` held the argument
`dom::Array`, the call result, and the function being invoked.

Stage the outcome on the Lua stack first - push the result value, or
build a location-prefixed message with `luaL_where` and `lua_concat` -
then close the scope so every C++ local is destroyed, and only then
raise. Lua copies a pushed string, so the message outlives the
destructors.
diff --git a/src/lib/Support/Lua.cpp b/src/lib/Support/Lua.cpp
@@ -598,18 +598,27 @@ domObject_push_metatable(
     [](lua_State* L)
     {
         Access A(L);
-        auto& obj = domObject_get(A, 1);
-        auto key = luaM_getstring(A, 2);
-        dom::Value value = luaValueToDom(L, 3);
-        try
-        {
-            obj.set(key, std::move(value));
-        }
-        catch (std::exception const& ex)
+        // `lua_error` longjmps to the enclosing `pcall` and skips any
+        // pending C++ destructor on this frame, so scope the locals and
+        // stage the error message before raising.
+        bool raised = false;
         {
-            return luaL_error(L, "%s", ex.what());
+            auto& obj = domObject_get(A, 1);
+            auto key = luaM_getstring(A, 2);
+            dom::Value value = luaValueToDom(L, 3);
+            try
+            {
+                obj.set(key, std::move(value));
+            }
+            catch (std::exception const& ex)
+            {
+                luaL_where(A, 1);
+                lua_pushstring(A, ex.what());
+                lua_concat(A, 2);
+                raised = true;
+            }
         }
-        return 0;
+        return raised ? lua_error(A) : 0;
     });
     lua_settable(A, -3);
 
@@ -740,20 +749,32 @@ domFunction_push_metatable(
     {
         Access A(L);
         int const top = lua_gettop(A);
-        dom::Array args;
-        for (int i = 2; i <= top; ++i)
+        // `lua_error` longjmps to the enclosing `pcall` and skips any
+        // pending C++ destructor on this frame, so stage the outcome -
+        // the result value, or a location-prefixed error message, on the
+        // Lua stack - and let every local here be destroyed before
+        // raising.
+        bool raised = false;
         {
-            args.push_back(luaValueToDom(L, i));
-        }
-        dom::Function fn = domFunction_get(A, 1);
-        Expected<dom::Value> result = fn.call(args);
-        if (! result)
-        {
-            return luaL_error(L, "%s",
-                result.error().reason().c_str());
+            dom::Array args;
+            for (int i = 2; i <= top; ++i)
+            {
+                args.push_back(luaValueToDom(L, i));
+            }
+            Expected<dom::Value> result = domFunction_get(A, 1).call(args);
+            if (result)
+            {
+                domValue_push(A, *result);
+            }
+            else
+            {
+                luaL_where(A, 1);
+                lua_pushstring(A, result.error().reason().c_str());
+                lua_concat(A, 2);
+                raised = true;
+            }
         }
-        domValue_push(A, *result);
-        return 1;
+        return raised ? lua_error(A) : 1;
     });
     lua_settable(A, -3);
 
