From: Maksim Kokryashkin via Tarantool-patches
Reply-To: Maksim Kokryashkin
To: tarantool-patches@dev.tarantool.org, sergeyb@tarantool.org, skaplun@tarantool.org, m.kokryashkin@tarantool.org
Date: Wed, 4 Oct 2023 15:50:33 +0300
Message-Id: <20231004125034.64110-2-max.kokryashkin@gmail.com>
In-Reply-To: <20231004125034.64110-1-max.kokryashkin@gmail.com>
References: <20231004125034.64110-1-max.kokryashkin@gmail.com>
Subject: [Tarantool-patches] [PATCH luajit v3 1/2] snap: check J->pc is within its proto bytecode
X-Mailer: git-send-email 2.39.3 (Apple Git-145)
From: Mike Pall (cherry-picked from commit 5c46f47736f7609be407c88d531ecd1689d40a79) This commit adds an assertion to ensure that the `pc` of the snapshot being made is located within the current prototype. Violation of this assertion's condition may lead to all kinds of buggy behavior on restoration from that snapshot, depending on what is located in memory at the address under `pc`. NOTICE: This patch is only a part of the original commit, and the other part is backported in the following commit. The patch was split into two, so the test case becomes easier to implement since it can now depend on this assertion instead of memory layout. Maxim Kokryashkin: * added the description for the problem Part of tarantool/tarantool#9145 --- src/lj_snap.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/lj_snap.c b/src/lj_snap.c index 6c5e5e53..3f0fccec 100644 --- a/src/lj_snap.c +++ b/src/lj_snap.c @@ -115,6 +115,9 @@ static MSize snapshot_framelinks(jit_State *J, SnapEntry *map, uint8_t *topslot) #else MSize f = 0; map[f++] = SNAP_MKPC(J->pc); /* The current PC is always the first entry. */ + lj_assertJ(!J->pt || + (J->pc >= proto_bc(J->pt) && + J->pc < proto_bc(J->pt) + J->pt->sizebc), "bad snapshot PC"); #endif while (frame > lim) { /* Backwards traversal of all frames above base. */ if (frame_islua(frame)) { -- 2.39.3 (Apple Git-145)
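Review bot: The three `+` lines land between `map[f++] = SNAP_MKPC(J->pc);` and `#endif`, i.e. inside the `#else` branch of the preprocessor conditional that opens just above this hunk, so the bounds check on `J->pc` is compiled only in that configuration and never in the `#if` branch. Nothing in the condition `!J->pt || (J->pc >= proto_bc(J->pt) && J->pc < proto_bc(J->pt) + J->pt->sizebc)` depends on how the PC is encoded into `map`, so unless the backport deliberately narrows the check, placing the `lj_assertJ(...)` after `#endif` gives both build variants the same protection; please compare with the placement in the upstream commit 5c46f47736f7609be407c88d531ecd1689d40a79 named in the message. Also note that `lj_assertJ` is only active in assertion-enabled builds: in a release build a PC outside the prototype is still written into the snapshot unchecked, so this is a debugging aid that the test from patch 2/2 can rely on, not a runtime mitigation, and the commit message could say so explicitly.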