From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Maxim Kokryashkin, Sergey Bronnikov
Cc: tarantool-patches@dev.tarantool.org
Date: Wed, 31 Jan 2024 15:18:59 +0300
Message-ID: <20240131121859.18071-1-skaplun@tarantool.org>
Subject: [Tarantool-patches] [PATCH luajit] Fix unsinking of IR_FSTORE for NULL metatable.

From: Mike Pall

Reported by pwnhacker0x18.

(cherry picked from commit 85b4fed0b0353dd78c8c875c2f562d522a2b310f)

The `FSTORE` restoring of a sunk table from a snapshot for
`IRFL_TAB_META` misses the case when the second argument of
`setmetatable()` is `nil` (so, the `FSTORE` second operand is `NULL`).
This may lead to the corresponding assertion failure in
`snap_replay_const()` or to a crash.

This patch handles the aforementioned case.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#9595
---
Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1147-fstore-null-meta
Tarantool PR: https://github.com/tarantool/tarantool/pull/9635
Related issues:
* https://github.com/tarantool/tarantool/issues/9595
* https://github.com/LuaJIT/LuaJIT/issues/1147

 src/lj_snap.c                                      | 11 +++--
 .../lj-1147-fstore-null-meta.test.lua              | 41 +++++++++++++++++++
 2 files changed, 49 insertions(+), 3 deletions(-)
 create mode 100644 test/tarantool-tests/lj-1147-fstore-null-meta.test.lua

diff --git a/src/lj_snap.c b/src/lj_snap.c
index 73e18e69..26352080 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -414,6 +414,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir) case IR_KNUM: case IR_KINT64: return lj_ir_k64(J, (IROp)ir->o, ir_k64(ir)->u64); case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */ + case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t)); default: lj_assertJ(0, "bad IR constant op %d", ir->o); return TREF_NIL; } } @@ -857,9 +858,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex, if (irk->o == IR_FREF) { switch (irk->op2) { case IRFL_TAB_META: - snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp); - /* NOBARRIER: The table is new (marked white). */ - setgcref(t->metatable, obj2gco(tabV(&tmp))); + if (T->ir[irs->op2].o == IR_KNULL) { + setgcrefnull(t->metatable); + } else { + snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp); + /* NOBARRIER: The table is new (marked white). */ + setgcref(t->metatable, obj2gco(tabV(&tmp))); + } break; case IRFL_TAB_NOMM: /* Negative metamethod cache invalidated by lj_tab_set() below. */ diff --git a/test/tarantool-tests/lj-1147-fstore-null-meta.test.lua b/test/tarantool-tests/lj-1147-fstore-null-meta.test.lua new file mode 100644 index 00000000..bdf60a26 --- /dev/null +++ b/test/tarantool-tests/lj-1147-fstore-null-meta.test.lua 
@@ -0,0 +1,41 @@ +local tap = require('tap') + +-- Test file to demonstrate LuaJIT's incorrect restoration of a +-- table from a snapshot when the `setmetatable()` gets `nil` as +-- the second argument. +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1147. + +local test = tap.test('lj-1147-fstore-null-meta'):skipcond({ + ['Test requires JIT enabled'] = not jit.status(), +}) + +test:plan(2) + +jit.opt.start('hotloop=1') + +local counter = 0 +local tab +-- XXX: The loop is limited to 3 iterations to compile a trace and +-- start to execute it. Use the loop format to see +-- the side effects on the restoration from the snapshot. +local LOOP_LIMIT = 2 +while true do + counter = counter + 1 + -- Use counter for the content check. + tab = {counter} + -- This emits the following IRs necessary for the assertion + -- failure: + -- | 0003 }+ tab TNEW #3 #0 + -- | ... + -- | 0015 p64 FREF 0003 tab.meta + -- | 0016 } tab FSTORE 0015 NULL + setmetatable(tab, nil) + -- Emit exit here to be sure that the table will be restored + -- from the snapshot. + if counter > LOOP_LIMIT then break end +end + +test:is(tab[1], LOOP_LIMIT + 1, 'correct table content') +test:ok(debug.getmetatable(tab) == nil, 'no metatable on the restored table') + +test:done(true) -- 2.43.0
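Review bot: in the first `lj_snap.c` hunk (`snap_replay_const`), the new `case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));` sits directly under the `IR_KPTR` line that carries the `/* Continuation. */` comment, so a reader may take that comment to cover both cases; a one-line comment on the new case saying which sunk store produces a `NULL` operand here (the `FSTORE` to `tab.meta` emitted for `setmetatable(t, nil)`, per the commit message) would make it clear why the previous `default:` assertion was reachable.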
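Review bot: in the second `lj_snap.c` hunk (`snap_unsink`, `case IRFL_TAB_META`), the new `if (T->ir[irs->op2].o == IR_KNULL) { setgcrefnull(t->metatable); }` branch has no comment, while the neighbouring `IRFL_TAB_NOMM` case and the retained `else` branch (`/* NOBARRIER: The table is new (marked white). */`) both explain themselves; a short comment such as "metatable cleared by setmetatable(t, nil)" on the `if` would document why the opcode check is the right discriminator, and it is worth noting that the NOBARRIER remark is intentionally left on the `else` side only, since `setgcrefnull` stores no GC reference and needs no barrier.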
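Review bot: in the test-file hunk, the comment "The loop is limited to 3 iterations to compile a trace and start to execute it" is followed by `local LOOP_LIMIT = 2`, and the sentence "Use the loop format to see the side effects on the restoration from the snapshot." reads unfinished; suggest stating explicitly that the loop runs `LOOP_LIMIT + 1` iterations because the exit is taken when `counter > LOOP_LIMIT`, and completing the second sentence (e.g. "Use the `while true ... break` form so the side exit on the break condition restores `tab` from the snapshot"), since `test:is(tab[1], LOOP_LIMIT + 1, ...)` depends on exactly that iteration count and the compiled trace being the one that takes the exit.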