From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Maxim Kokryashkin, Sergey Bronnikov
Cc: tarantool-patches@dev.tarantool.org
Date: Tue, 25 Jun 2024 18:54:24 +0300
Subject: [Tarantool-patches] [PATCH luajit 1/2] Prevent sanitizer warning in snap_restoredata().
Message-ID: <78410e4aed436f123711eeb89d4a4146949b4eef.1719329795.git.skaplun@tarantool.org>
X-Mailer: git-send-email 2.45.1

From: Mike Pall

Thanks to Sergey Kaplun.

(cherry picked from commit 4a22050df9e76a28ef904382e4b4c69578973cd5)

When saving FPR registers during exit from a trace and restoring data
from a snapshot, the UB sanitizer produces the following warning:

| lj_snap.c:804:32: runtime error: index 23 out of bounds for type 'intptr_t [16]'

due to indexing `ex->gpr` with an FPR register, whose number is >=
`RID_MAX_GPR`. The situation itself is harmless since this is read from
the `spill[256]` array and is rewritten in the next if branch.

This patch fixes the out-of-bounds access to read from `ex->gpr` only
conditionally.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#9924
Relates to tarantool/tarantool#8473
---
 src/lj_snap.c                                 | 13 +++------
 ...93-out-of-bounds-snap-restoredata.test.lua | 28 +++++++++++++++++++
 2 files changed, 32 insertions(+), 9 deletions(-)
 create mode 100644 test/tarantool-tests/lj-1193-out-of-bounds-snap-restoredata.test.lua

diff --git a/src/lj_snap.c b/src/lj_snap.c index 7dc4fe35..8a33dc22 100644 --- a/src/lj_snap.c +++ b/src/lj_snap.c
@@ -756,13 +756,6 @@ static void snap_restoreval(jit_State *J, GCtrace *T, ExitState *ex, } #if LJ_HASFFI -# if LUAJIT_USE_UBSAN -/* See https://github.com/LuaJIT/LuaJIT/issues/1193. */ -static void snap_restoredata(jit_State *J, GCtrace *T, ExitState *ex, - SnapNo snapno, BloomFilter rfilt, - IRRef ref, void *dst, CTSize sz) - __attribute__((no_sanitize("bounds"))); -# endif /* Restore raw data from the trace exit state. */ static void snap_restoredata(jit_State *J, GCtrace *T, ExitState *ex, SnapNo snapno, BloomFilter rfilt, @@ -801,7 +794,6 @@ static void snap_restoredata(jit_State *J, GCtrace *T, ExitState *ex, *(lua_Number *)dst = (lua_Number)*(int32_t *)dst; return; } - src = (int32_t *)&ex->gpr[r-RID_MIN_GPR]; #if !LJ_SOFTFP if (r >= RID_MAX_GPR) { src = (int32_t *)&ex->fpr[r-RID_MIN_FPR]; @@ -815,7 +807,10 @@ static void snap_restoredata(jit_State *J, GCtrace *T, ExitState *ex, #endif } else #endif - if (LJ_64 && LJ_BE && sz == 4) src++; + { + src = (int32_t *)&ex->gpr[r-RID_MIN_GPR]; + if (LJ_64 && LJ_BE && sz == 4) src++; + } } } lj_assertJ(sz == 1 || sz == 2 || sz == 4 || sz == 8, diff --git a/test/tarantool-tests/lj-1193-out-of-bounds-snap-restoredata.test.lua b/test/tarantool-tests/lj-1193-out-of-bounds-snap-restoredata.test.lua new file mode 100644 index 00000000..6c5fc3f6 --- /dev/null +++ b/test/tarantool-tests/lj-1193-out-of-bounds-snap-restoredata.test.lua 
@@ -0,0 +1,28 @@ +local tap = require('tap') + +-- Test file to demonstrate LuaJIT's out-of-bounds access during +-- the saving of registers content in `snap_restoredata()`. +-- See also: https://github.com/LuaJIT/LuaJIT/issues/1193. + +local test = tap.test('lj-1193-out-of-bounds-snap-restoredata'):skipcond({ + ['Test requires JIT enabled'] = not jit.status(), +}) + +local ffi = require('ffi') + +test:plan(1) + +local double_type = ffi.typeof('double') + +jit.opt.start('hotloop=1') +local x = 1LL +for _ = 1, 4 do + -- `x` is saved in the fpr register and will be restored in the + -- `ex->fpr` during exit from the snapshot. But out-of-bounds + -- access is happening due to indexing `ex->gpr` occasionally. + x = double_type(x + 1) +end + +test:ok(true, 'no out-of-bounds failure') + +test:done(true) -- 2.45.1
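Review bot: dropping the `__attribute__((no_sanitize("bounds")))` forward declaration guarded by `LUAJIT_USE_UBSAN` (first hunk of `src/lj_snap.c`) is the right call once the out-of-bounds read itself is gone, because a blanket suppression on `snap_restoredata()` would also hide any future genuine bounds error in that function; the removed comment was the only in-source pointer to LuaJIT issue #1193, so consider adding a one-line comment at the new `ex->gpr` read saying why FPR register numbers must never index it.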
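Review bot: the braces around the new `else` body in the third hunk of `src/lj_snap.c` are required, not cosmetic: under `LJ_SOFTFP` the `if (r >= RID_MAX_GPR) { ... } else` is preprocessed away, so the block becomes the unconditional path and both `src = (int32_t *)&ex->gpr[r-RID_MIN_GPR];` and the `if (LJ_64 && LJ_BE && sz == 4) src++;` adjustment still run, matching the pre-patch behaviour on soft-float targets where every register is a GPR; since the previously unconditional `src = ... ex->gpr[...]` line is deleted in the second hunk, it is worth building once with `LJ_SOFTFP` as well as under UBSAN to confirm that path still compiles and that `src` is always assigned before use.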
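Review bot: `test:ok(true, 'no out-of-bounds failure')` means this test can only fail by the process aborting under a sanitizer, so on a plain build it passes regardless of whether the bug is present; the header comment should state that the check is meaningful only for builds with UBSAN (`LUAJIT_USE_UBSAN`) enabled, otherwise a reader cannot tell which CI configuration is expected to catch a regression.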