Subject: Re: [Tarantool-patches] [PATCH luajit] Avoid out-of-range PC for stack overflow error from snapshot restore.
From: Sergey Bronnikov via Tarantool-patches
Reply-To: Sergey Bronnikov
To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org
Date: Mon, 8 Sep 2025 18:10:45 +0300
Message-ID: <8e474c9e-f2a4-4bfe-a637-c42864ee882c@tarantool.org>
In-Reply-To: <20250819171115.22785-1-skaplun@tarantool.org>
References: <20250819171115.22785-1-skaplun@tarantool.org>
List-Id: Tarantool development patches

Hi, Sergey,

thanks for the patch! LGTM

Sergey

On 8/19/25 20:11, Sergey Kaplun wrote:
From: Mike Pall <mike>

Reported by Sergey Kaplun.

(cherry picked from commit e3fa3c48d8a4aadcf86429e9f7f6f1171914b15a)

In the case when the saved PC in the snapshot is the first (0th index) PC in
the prototype, like JFUNC*, the subtraction to determine the previous PC
in `debug_framepc()` overflows and yields the `NO_BCPOS` value. After
that, `pos` is greater than `sizebc`. Hence, the code below may
interpret the bits in `pt->varinfo` as in `bc_isret()` and assign an
invalid value to `pos` to be returned. Further, it may lead to an
assertion failure in `lj_debug_frameline()`.

This patch fixes it by pretending that this means the first non-header
bytecode in the prototype. Also, this patch removes the skipcond
introduced in commit a74e5be07d54b4e98b85493de73317db520b3f71
("test: conditionally disable flaky lj-1196"). A new test isn't added
since the assertion failure depends on the specific memory address of
the `varinfo`, so it is too hard to create a stable reproducer.

Sergey Kaplun:
* added the description for the problem

Part of tarantool/tarantool#11691
---

Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1369-stackov-invalid-bc
Related issues:
* https://github.com/tarantool/tarantool/issues/11691
* https://github.com/LuaJIT/LuaJIT/issues/1369
* https://github.com/LuaJIT/LuaJIT/issues/1359
* https://github.com/LuaJIT/LuaJIT/issues/1196

 src/lj_debug.c                                         |  1 +
 .../lj-1196-partial-snap-restore.test.lua              | 10 +---------
 2 files changed, 2 insertions(+), 9 deletions(-)

diff --git a/src/lj_debug.c b/src/lj_debug.c
index 76e48aca..bc057cf6 100644
--- a/src/lj_debug.c
+++ b/src/lj_debug.c
@@ -101,6 +101,7 @@ static BCPos debug_framepc(lua_State *L, GCfunc *fn, cTValue *nextframe)
   pt = funcproto(fn);
   pos = proto_bcpos(pt, ins) - 1;
 #if LJ_HASJIT
+  if (pos == NO_BCPOS) return 1;  /* Pretend it's the first bytecode. */
   if (pos > pt->sizebc) {  /* Undo the effects of lj_trace_exit for JLOOP. */
     if (bc_isret(bc_op(ins[-1]))) {
       GCtrace *T = (GCtrace *)((char *)(ins-1) - offsetof(GCtrace, startins));
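Review bot: the comment on the added line, `/* Pretend it's the first bytecode. */`, does not match the value returned (`return 1;`), since position 0 is the FUNC*/JFUNC* header and 1 is the first non-header bytecode, which is exactly how the commit message words it; suggest `/* Pretend it's the first non-header bytecode. */` so the 0-vs-1 mismatch is not mistaken for a bug. The early return also sits inside `#if LJ_HASJIT`, which is correct given that only a snapshot PC at a JFUNC* header can make `proto_bcpos(pt, ins) - 1` wrap to `NO_BCPOS`, but a short note to that effect would document why interpreter-only builds need no guard before `if (pos > pt->sizebc)`.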
diff --git a/test/tarantool-tests/lj-1196-partial-snap-restore.test.lua b/test/tarantool-tests/lj-1196-partial-snap-restore.test.lua
index 5199ca00..a74f97bd 100644
--- a/test/tarantool-tests/lj-1196-partial-snap-restore.test.lua
+++ b/test/tarantool-tests/lj-1196-partial-snap-restore.test.lua
@@ -4,15 +4,7 @@ local tap = require('tap')
 -- in case of the stack overflow.
 -- See also: https://github.com/LuaJIT/LuaJIT/issues/1196.
 
-local test = tap.test('lj-1196-partial-snap-restore'):skipcond({
-  -- Disable test for Tarantool to avoid failures, see also:
-  -- https://github.com/LuaJIT/LuaJIT/issues/1369.
-  ['Disabled for Tarantool due to lj-1369'] = _TARANTOOL,
-  -- Also, it may fail on some non-arm64 runners stable after
-  -- adding the skip condition above.
-  ['Disabled for x86/x64 due to lj-1369'] = jit.arch ~= 'arm64',
-})
-
+local test = tap.test('lj-1196-partial-snap-restore')
 test:plan(1)
 
 -- XXX: The reproducer below uses several stack slot offsets to
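Review bot: dropping the `skipcond` re-enables `lj-1196-partial-snap-restore.test.lua` on x86/x64 and under Tarantool, but nothing left in the file records that it is now also the regression check for the `lj_debug.c` fix; since the commit message says no dedicated lj-1369 test is added, consider extending the header comment above `test:plan(1)` with a second `-- See also: https://github.com/LuaJIT/LuaJIT/issues/1369.` line so the link between this test and the fix survives in the test file.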