[Tarantool-patches] [PATCH luajit v3 1/2] snap: check J->pc is within its proto bytecode

Sergey Bronnikov sergeyb at tarantool.org
Sun Nov 26 18:12:31 MSK 2023


Hi, Maxim


LGTM

On 10/4/23 15:50, Maksim Kokryashkin wrote:
> From: Mike Pall <mike>
>
> (cherry-picked from commit 5c46f47736f7609be407c88d531ecd1689d40a79)
>
> This commit adds an assertion to ensure that the `pc` of the
> snapshot being made is located within the current prototype.
> Violation of this assertion's condition may lead to all kinds
> of buggy behavior on restoration from that snapshot, depending
> on what is located in memory at the address under `pc`.
>
> NOTICE: This patch is only a part of the original commit,
> and the other part is backported in the following commit. The
> patch was split into two, so the test case becomes easier to
> implement since it can now depend on this assertion instead
> of memory layout.
>
> Maxim Kokryashkin:
> * added the description for the problem
>
> Part of tarantool/tarantool#9145
> ---
>   src/lj_snap.c | 3 +++
>   1 file changed, 3 insertions(+)
>
> diff --git a/src/lj_snap.c b/src/lj_snap.c
> index 6c5e5e53..3f0fccec 100644
> --- a/src/lj_snap.c
> +++ b/src/lj_snap.c
> @@ -115,6 +115,9 @@ static MSize snapshot_framelinks(jit_State *J, SnapEntry *map, uint8_t *topslot)
>   #else
>     MSize f = 0;
>     map[f++] = SNAP_MKPC(J->pc);  /* The current PC is always the first entry. */
> +  lj_assertJ(!J->pt ||
> +	     (J->pc >= proto_bc(J->pt) &&
> +	      J->pc < proto_bc(J->pt) + J->pt->sizebc), "bad snapshot PC");
>   #endif
>     while (frame > lim) {  /* Backwards traversal of all frames above base. */
>       if (frame_islua(frame)) {
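Review bot: the new `lj_assertJ` is only compiled in when assertions are enabled, so in a release build an out-of-range `J->pc` is still written into the snapshot map unchecked; since the message describes the consequence as buggy behaviour on restoration, it would help to state there that this is a debug-time check whose purpose is to make the test case fail deterministically, not a runtime guard. Also, the hunk adds the check only in the `#else` branch of the `#if` at line 115, right after `map[f++] = SNAP_MKPC(J->pc);`; if the other branch records `J->pc` into the map as well, it should get the same range check, or the message should say why it does not need one.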

