From: Alexander Turenko <alexander.turenko@tarantool.org> To: Vladislav Shpilevoy <v.shpilevoy@tarantool.org> Cc: tarantool-patches@dev.tarantool.org Subject: Re: [Tarantool-patches] [PATCH 2/3] merger: fix NULL dereference when called via iproto Date: Sun, 7 Jun 2020 19:58:16 +0300 [thread overview] Message-ID: <20200607165816.4r5s7ah4pa5uihyl@tkn_work_nb> (raw) In-Reply-To: <920c35d4-150b-bae5-345f-e819ada02367@tarantool.org> > > A particular source implementation may use a Lua state internally, but > > it is not part of the API and should be hid under hood. In fact all > > 1. 'hid' -> 'hidden'. In passive voice V3 is used. Fixed. > > 1. There should be a decision about right balance between speed and > > memory footprint and maybe some eviction strategy for cached Lua > > states. Don't sure we can just always store a state in each > > 2. "Don't sure" -> "Not sure", or "I am not sure". Fixed. > > +/** > > + * Call a user provided function to get a next data chunk (a > > + * buffer). > > + * > > + * Return 1 when a new buffer is received, 0 when a buffers > > + * iterator ends and -1 at error and set a diag. > > + */ > > +static int > > +merge_source_buffer_fetch(struct merge_source_buffer *source) > > +{ > > + int coro_ref = LUA_REFNIL; > > + struct lua_State *L = luaT_temp_luastate(&coro_ref); > > + if (L == NULL) > > + return -1; > > + int rc = luaL_merge_source_buffer_fetch_impl(L, source); > > 3. Looks like if luaL_merge_source_tuple_fetch() gets > luaL_iterator_next() result != 2, you leave on the stack whatever is > left here. If fiber's Lua stack is used, there will be left garbage > on it. It is popped in case the merger is used from Lua, when an error > is thrown. But if the merger would be used from C, the stack would > contain garbage afterwards. > > The same for luaL_merge_source_buffer_fetch_impl(), but not only if > luaL_iterator_next() returns value != 2. > > Not related to this patchset. Nice catch! I didn't bother much about this, because it does not matter much for usual Lua/C functions. However this case is different. I think it should be handled by luaT_temp_luastate() / luaT_release_temp_luastate() within this patchset. I have added one more patch to the series (as third). I'll send it as answer to the cover letter ('[PATCH 2.5/3] merger: clean fiber-local Lua stack after next()'). NB: The test that is added within this patch will not work on 2.4 and below, because those tarantool versions do not expose all symbols from the executable. Updated 2nd patch (this one) with FIXME (which will be resolved and removed by the next patch). | static void | luaT_release_temp_luastate(int coro_ref) | { | + /* | + * FIXME: The reusable fiber-local Lua state is not | + * unreferenced here (coro_ref == LUA_REFNIL), but | + * it must be truncated to its past top to prevent | + * stack overflow. | + */ | luaL_unref(tarantool_L, LUA_REGISTRYINDEX, coro_ref); | } Added the following comment into the commit message: | Usage of the fiber-local Lua state is not quite correct now: merge | source code may left garbage on a stack in case of failures (like | unexpected result of Lua iterator generator function). This behaviour is | kept as is here, but it will be resolved by the next patch. While writting the test, found [1]. I'll send a fix separately. [1]: https://github.com/tarantool/tarantool/issues/5048
next prev parent reply other threads:[~2020-06-07 16:58 UTC|newest] Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top 2020-06-01 18:10 [Tarantool-patches] [PATCH 0/3] Merger's NULL defererence Alexander Turenko 2020-06-01 18:10 ` [Tarantool-patches] [PATCH 1/3] merger: drop luaL prefix where contract allows it Alexander Turenko 2020-06-02 22:47 ` Vladislav Shpilevoy 2020-06-07 16:57 ` Alexander Turenko 2020-06-11 16:17 ` Vladislav Shpilevoy 2020-06-16 11:59 ` Igor Munkin 2020-06-17 17:53 ` Alexander Turenko 2020-06-01 18:10 ` [Tarantool-patches] [PATCH 2/3] merger: fix NULL dereference when called via iproto Alexander Turenko 2020-06-02 22:48 ` Vladislav Shpilevoy 2020-06-07 16:58 ` Alexander Turenko [this message] 2020-06-11 16:18 ` Vladislav Shpilevoy 2020-06-17 17:53 ` Alexander Turenko 2020-06-18 22:47 ` Vladislav Shpilevoy 2020-06-01 18:10 ` [Tarantool-patches] [PATCH 3/3] lua: expose temporary Lua state for iproto calls Alexander Turenko 2020-06-02 22:48 ` Vladislav Shpilevoy 2020-06-07 16:58 ` Alexander Turenko 2020-06-02 22:47 ` [Tarantool-patches] [PATCH 0/3] Merger's NULL defererence Vladislav Shpilevoy 2020-06-07 17:17 ` Alexander Turenko 2020-06-07 16:58 ` [Tarantool-patches] [PATCH 2.5/3] merger: clean fiber-local Lua stack after next() Alexander Turenko 2020-06-11 16:20 ` Vladislav Shpilevoy 2020-06-17 17:53 ` Alexander Turenko 2020-06-18 22:48 ` Vladislav Shpilevoy 2020-06-19 7:41 ` Alexander Turenko 2020-06-17 17:54 ` [Tarantool-patches] [PATCH 0/3] Merger's NULL defererence Alexander Turenko
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200607165816.4r5s7ah4pa5uihyl@tkn_work_nb \ --to=alexander.turenko@tarantool.org \ --cc=tarantool-patches@dev.tarantool.org \ --cc=v.shpilevoy@tarantool.org \ --subject='Re: [Tarantool-patches] [PATCH 2/3] merger: fix NULL dereference when called via iproto' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox