To: Maxim Kokryashkin, Sergey Bronnikov
Date: Tue, 15 Aug 2023 17:25:41 +0300
Message-ID: <20230815142541.29855-1-skaplun@tarantool.org>
X-Mailer: git-send-email 2.41.0
Subject: [Tarantool-patches] [PATCH luajit] Fix predict_next() in parser.
From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org

From: Mike Pall

Reported by Sergey Kaplun.

(cherry-picked from commit caf7cbc57c945f7b68871ad72abafb2b6e6fb7f5)

Assume we have the following Lua code:

| local _
| for _ in (nil):foo() do end

The first part of the bytecode emitted for it is the following:

| 0001 KNIL 0 1
| 0002 MOV 2 1
| 0003 TGETS 1 1 0 ; "foo"
| 0004 CALL 1 4 2

The `0001 KNIL` is a result of merging two `KPRI` instructions: one for the
local variable, one for the slot with the `nil` object. During parsing in
`predict_next()` the second `MOV` bytecode is examined to set the `pairs` or
`next` local variable. But, as far as it moves the `nil` value, that isn't an
actual variable, so it has no name; this leads to the crash.

This patch adds the check to be sure that `RD` in the `MOV` bytecode is an
actual variable.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#8825
---
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1033-fix-parsing-predict-next
PR: https://github.com/tarantool/tarantool/pull/8987
Related issues:
* https://github.com/LuaJIT/LuaJIT/issues/1033
* https://github.com/tarantool/tarantool/issues/8825

 src/lj_parse.c                                     |  1 +
 .../lj-1033-fix-parsing-predict-next.test.lua      | 30 +++++++++++++++++++
 2 files changed, 31 insertions(+)
 create mode 100644 test/tarantool-tests/lj-1033-fix-parsing-predict-next.test.lua

diff --git a/src/lj_parse.c b/src/lj_parse.c index 3f6caaec..420b95cb 100644 --- a/src/lj_parse.c +++ b/src/lj_parse.c
@@ -2532,6 +2532,7 @@ static int predict_next(LexState *ls, FuncState *fs, BCPos pc) cTValue *o; switch (bc_op(ins)) { case BC_MOV: + if (bc_d(ins) >= fs->nactvar) return 0; name = gco2str(gcref(var_get(ls, fs, bc_d(ins)).name)); break; case BC_UGET: diff --git a/test/tarantool-tests/lj-1033-fix-parsing-predict-next.test.lua b/test/tarantool-tests/lj-1033-fix-parsing-predict-next.test.lua new file mode 100644 index 00000000..624344eb --- /dev/null +++ b/test/tarantool-tests/lj-1033-fix-parsing-predict-next.test.lua @@ -0,0 +1,30 @@ +local tap = require('tap') +local test = tap.test('lj-1033-fix-parsing-predict-next') + +test:plan(3) + +local res_f = loadstring([[ +-- This local variable is necessary, because it emits `KPRI` +-- bytecode, with which the next `KPRI` bytecode will be merged. +-- +-- The resulting bytecode is the following: +-- +-- 0001 KNIL 0 1 +-- 0002 MOV 2 1 +-- 0003 TGETS 1 1 0 ; "foo" +-- 0004 CALL 1 4 2 +-- +-- This MOV don't use any variable value from the stack, so the +-- attempt to get the name in `predict_next() leads to the crash. +local _ +for _ in (nil):foo() do end +]]) + +test:ok(res_f, 'chunk loaded sucsessfully') + +local res, err = pcall(res_f) + +test:ok(not res, 'loaded function not executed') +test:like(err, 'attempt to index a nil value', 'correct error message') + +test:done(true) -- 2.41.0
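Review bot: The new guard `if (bc_d(ins) >= fs->nactvar) return 0;` in the `BC_MOV` case of `predict_next()` needs a one-line comment saying why it exists, because the condition is not self-explanatory on its own: a `MOV` whose source slot `RD` is at or above `fs->nactvar` copies a temporary (here the `nil` produced by the merged `KNIL`), not a named active local, so `var_get()` would be asked for the name of a variable that does not exist. Something like `/* RD is a temporary slot, not an active local: nothing to predict from. */` directly above the check would spare the next reader a trip to the commit message. Returning 0 here is the right conservative choice: the cost is a missed prediction, not a wrong one.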
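Review bot: A few typos in the new test file should be fixed before merge: the description in `test:ok(res_f, 'chunk loaded sucsessfully')` should read `'successfully'`; the comment `-- This MOV don't use any variable value from the stack, so the` should read `doesn't use`; and the comment `-- attempt to get the name in \`predict_next() leads to the crash.` is missing the closing backtick after `predict_next()`. Separately, the description `'loaded function not executed'` is ambiguous about what is being checked; since the following `test:like(err, 'attempt to index a nil value', ...)` asserts on the runtime error, a description such as `'loaded function raises an error'` states the intent directly.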