[Tarantool-patches] [PATCH luajit v3 1/2] snap: check J->pc is within its proto bytecode

Maksim Kokryashkin max.kokryashkin at gmail.com
Wed Oct 4 15:50:33 MSK 2023


From: Mike Pall <mike>

(cherry-picked from commit 5c46f47736f7609be407c88d531ecd1689d40a79)

This commit adds an assertion to ensure that the `pc` of the
snapshot being made is located within the current prototype.
Violation of this assertion's condition may lead to all kinds
of buggy behavior on restoration from that snapshot, depending
on what is located in memory at the address under `pc`.

NOTICE: This patch is only a part of the original commit,
and the other part is backported in the following commit. The
patch was split into two, so the test case becomes easier to
implement since it can now depend on this assertion instead
of memory layout.

Maxim Kokryashkin:
* added the description for the problem

Part of tarantool/tarantool#9145
---
 src/lj_snap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lj_snap.c b/src/lj_snap.c
index 6c5e5e53..3f0fccec 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -115,6 +115,9 @@ static MSize snapshot_framelinks(jit_State *J, SnapEntry *map, uint8_t *topslot)
 #else
   MSize f = 0;
   map[f++] = SNAP_MKPC(J->pc);  /* The current PC is always the first entry. */
+  lj_assertJ(!J->pt ||
+	     (J->pc >= proto_bc(J->pt) &&
+	      J->pc < proto_bc(J->pt) + J->pt->sizebc), "bad snapshot PC");
 #endif
   while (frame > lim) {  /* Backwards traversal of all frames above base. */
     if (frame_islua(frame)) {
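Review bot: the new range check lands only in the `#else` branch of the preprocessor conditional, so the branch above the visible context (the one before `#else`) gets no equivalent check; if that branch also records `J->pc` into the snapshot, the same `lj_assertJ` guard belongs there too, otherwise the message should say why only this configuration needs it. It is also worth noting in the commit message that `lj_assertJ` compiles out in non-assert builds, so a PC outside `proto_bc(J->pt) .. proto_bc(J->pt) + J->pt->sizebc` is caught only in debug builds and release behaviour is unchanged by this hunk; the `!J->pt ||` short-circuit for the no-prototype case reads correctly.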
-- 
2.39.3 (Apple Git-145)
