From: Sergey Kaplun via Tarantool-patches <tarantool-patches@dev.tarantool.org> To: Maxim Kokryashkin <m.kokryashkin@tarantool.org>, Igor Munkin <imun@tarantool.org> Cc: tarantool-patches@dev.tarantool.org Subject: [Tarantool-patches] [PATCH luajit] Ensure correct stack top for OOM error message. Date: Wed, 9 Nov 2022 20:49:48 +0300 [thread overview] Message-ID: <20221109174948.10952-1-skaplun@tarantool.org> (raw) From: Mike Pall <mike> Reported by Sergey Kaplun. (cherry picked from commit ca8d3257bb44e42100c7910c47dcdcf01f494187) `lj_err_mem()` doesn't set up `L->top` for Lua frames, but uses it for pushing error message on the stack. So, when we call some routine that does some allocations, it can raise the OOM error (like `lj_tab_dup()` in `BC_TDUP`) and this error may corrupt stack for unwind in situations when `L->top` < `L->base`. This patch restores `L->top` for Lua frames when raise the error via `lj_err_mem()`. Sergey Kaplun: * added the description and the test for the problem Resolves tarantool/tarantool#3840 Part of tarantool/tarantool#7230 --- Issues: * https://github.com/LuaJIT/LuaJIT/issues/906 * https://github.com/tarantool/tarantool/issues/7230 * https://github.com/tarantool/tarantool/issues/3840 PR: https://github.com/tarantool/tarantool/pull/7915 Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-906-fix-err-mem Red LuaJIT CI for MacOS Release builds is a known issue with self-hosted runners, as Igor has said before. src/lj_err.c | 1 + .../lj-906-fix-err-mem.test.lua | 90 +++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 test/tarantool-tests/lj-906-fix-err-mem.test.lua diff --git a/src/lj_err.c b/src/lj_err.c index c310daf6..70354489 100644 --- a/src/lj_err.c +++ b/src/lj_err.c @@ -546,6 +546,7 @@ LJ_NOINLINE void lj_err_mem(lua_State *L) { if (L->status == LUA_ERRERR+1) /* Don't touch the stack during lua_open. */ lj_vm_unwind_c(L->cframe, LUA_ERRMEM); + if (curr_funcisL(L)) L->top = curr_topL(L); setstrV(L, L->top++, lj_err_str(L, LJ_ERR_ERRMEM)); lj_err_throw(L, LUA_ERRMEM); } diff --git a/test/tarantool-tests/lj-906-fix-err-mem.test.lua b/test/tarantool-tests/lj-906-fix-err-mem.test.lua new file mode 100644 index 00000000..a139e1c9 --- /dev/null +++ b/test/tarantool-tests/lj-906-fix-err-mem.test.lua @@ -0,0 +1,90 @@ +local tap = require('tap') +local ffi = require('ffi') +local table_new = require('table.new') + +-- Avoid test to be killed. +require('utils').skipcond(ffi.abi('gc64'), 'test is not GC64 only') + +local test = tap.test('lj-906-fix-err-mem') +test:plan(1) + +local KB = 1024 +local MB = 1024 * KB + +-- The maximum available table size, taking into account created +-- constants for one function. +local TNEW_SIZE = 511 + +local gc_anchor = {} + +-- This function works until raises the error. +local function eat_chunks(size) + -- Need raise the OOM error inside TDUP, not TNEW, so reserve + -- memory for it. + -- luacheck: no unused + local tnew_anchor = table_new(TNEW_SIZE, 0) + while true do + table.insert(gc_anchor, ffi.new('char [?]', size)) + end +end + +-- Function to format inner tab leading to TDUP emitting. +local function format_inner_tab() + local inner_tab = '' + local inner_depth = 128 + -- Repeate table template for TDUP. + for _ = 1, inner_depth do + inner_tab = inner_tab .. '{a =' + end + inner_tab = inner_tab .. '{}' + for _ = 1, inner_depth do + inner_tab = inner_tab .. '},' + end + return inner_tab +end + +local function format_TDUP_chunk() + local big_tab = 'local _ = {\n' + local inner_tab = format_inner_tab() + for _ = 1, TNEW_SIZE do + big_tab = big_tab .. inner_tab .. '\n' + end + big_tab = big_tab .. '}' + return big_tab +end + +local TDUP, err = loadstring(format_TDUP_chunk()) +assert(TDUP, err) + +local function frame_before_TDUP() + -- Stack slots are needed for coredump in case of misbehaviour. + -- luacheck: no unused + local frame_slot1, frame_slot2 + TDUP() + return frame_slot1, frame_slot2 +end + +collectgarbage() +collectgarbage('stop') + +-- Avoid OOM on traces. +jit.off() + +-- Stack slots are needed for coredump in case of misbehaviour. +-- luacheck: no unused +local r, e = pcall(eat_chunks, 8 * MB) +collectgarbage() +pcall(eat_chunks, 8 * KB) +collectgarbage() +pcall(eat_chunks, 8) +collectgarbage() + +pcall(frame_before_TDUP) + +-- Release memory for `tap` functions. +gc_anchor = nil +collectgarbage() + +test:ok(true, 'correctly throw memory error') + +os.exit(test:check() and 0 or 1) -- 2.34.1
next reply other threads:[~2022-11-09 17:52 UTC|newest] Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top 2022-11-09 17:49 Sergey Kaplun via Tarantool-patches [this message] 2022-11-10 6:02 ` Sergey Kaplun via Tarantool-patches 2022-11-11 8:53 ` Igor Munkin via Tarantool-patches 2022-11-11 12:18 ` Sergey Kaplun via Tarantool-patches 2022-11-11 13:09 ` Sergey Kaplun via Tarantool-patches 2022-11-16 12:30 ` Maxim Kokryashkin via Tarantool-patches 2022-11-22 17:08 ` Igor Munkin via Tarantool-patches 2022-11-23 7:51 ` Igor Munkin via Tarantool-patches
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20221109174948.10952-1-skaplun@tarantool.org \ --to=tarantool-patches@dev.tarantool.org \ --cc=imun@tarantool.org \ --cc=m.kokryashkin@tarantool.org \ --cc=skaplun@tarantool.org \ --subject='Re: [Tarantool-patches] [PATCH luajit] Ensure correct stack top for OOM error message.' \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox