Date: Tue, 29 Aug 2023 16:38:58 +0300
From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
To: Sergey Bronnikov
Cc: max.kokryashkin@gmail.com, tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH luajit] Fix predict_next() in parser (again).
In-Reply-To: <8b2d744f68eb138c2b2c37e1ac851181e303b485.1693305720.git.sergeyb@tarantool.org>

Hi, Sergey!

Thanks for the patch!
Please consider my comments below.

On 29.08.23, Sergey Bronnikov wrote:
> From: sergeyb@tarantool.org
>
> Reported by Sergey Bronnikov. #1054

I suggest removing the ticket number, to avoid trouble trouble until
trouble troubles you. :)

>
> (cherry picked from commit 309fb42b871b6414f53e0e0e708bce0b0d62daff)
>
> The following Lua snippet triggers an out of boundary access to a stack:

Typo: s/an out of boundary/out-of-boundary/

>
> ```lua
> a, b, c = 1, 2, 3
> local d
> for _ in nil do end
> ```
>
> With execution snippet by LuaJIT instrumented by ASAN it leads to
> a heap-buffer-overflow.

I suppose that it leads to it even without ASAN, but the issue is
observable only with ASAN, isn't it?

>
> In a function `predict_next` variable `exprpc` looks forward and expects

Minor: I suggest using `()` for distinguishing function and variable
names. Feel free to ignore.

> extra bytecodes on the stack. However, `KPRI` is merged to the `KNIL`

Typo: s/the `KNIL`/`KNIL`/

> and there is no new bytecode to add, so `exprpc == fs->bclim` and it

Typo: s/fs->bclim`/fs->bclim`,/

> leads to out of boundary access.

Typo: s/out of boundary/out-of-boundary/

>

Minor: I suppose that we can mention that the patch fixes the issue via
an early return.

> Sergey Bronnikov:
> * added the description and the test for the problem
>
> Part of tarantool/tarantool#8825
> ---
>
> PR: https://github.com/tarantool/tarantool/pull/9054
> Branch: https://github.com/tarantool/luajit/tree/ligurio/lj-1054-incorrect-pc-value-predict_next
> Related issue:
> * https://github.com/LuaJIT/LuaJIT/issues/1054
>
> src/lj_parse.c | 4 +++-
> ...incorrect-pc-value-in-predict_next.test.lua | 18 ++++++++++++++++++
> 2 files changed, 21 insertions(+), 1 deletion(-)
> create mode 100644 test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
>
> diff --git a/src/lj_parse.c b/src/lj_parse.c
> index 343fa797..f1015960 100644
> --- a/src/lj_parse.c
> +++ b/src/lj_parse.c
> diff --git a/test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua b/test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
> new file mode 100644
> index 00000000..17f1b994
> --- /dev/null
> +++ b/test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
> @@ -0,0 +1,18 @@
> +local tap = require('tap')
> +local test = tap.test('lj-1054-incorrect-pc-value-in-predict_next')
> +test:plan(1)
> +
> +

Excess empty line.

> +-- The test demonstrates a problem with out of boundary access to a stack.

Typo: s/out of boundary/out-of-boundary/
Comment line width is more than 66 symbols.

> +-- Sample executed in LuaJIT instrumented by ASAN leads to
> +-- a heap-buffer-overflow.

Minor: IDK why, but the suggested variant here is "heap buffer overflow".

> +-- See also https://github.com/LuaJIT/LuaJIT/issues/528

I suggest adding an empty line here.

> +local lua_code = [[
> +a, b, c = 1, 2, 3
> +local d
> +for _ in nil do end
> +]]
> +
> +test:ok(loadstring(lua_code), 'parsing is correct')

I also suggest testing that the behaviour of the executed chunk is the
same as in PUC-Rio Lua 5.1 (like it is done for lj-1033).

> +
> +test:done(true)
> --
> 2.34.1
>

-- 
Best regards,
Sergey Kaplun
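Review bot: the comment `-- See also https://github.com/LuaJIT/LuaJIT/issues/528` in the new test points at a different issue than the one the commit message, the branch name and the test file name all refer to (LuaJIT issue 1054); either make the link consistent with the rest of the patch or say why 528 is the relevant reference. Also, `test:ok(loadstring(lua_code), 'parsing is correct')` asserts only that the chunk loads, and nothing in the test observes the out-of-bounds read itself, so on a build without ASAN it can pass with the bug still present; the test is effectively meaningful only in a sanitizer-instrumented run, which is worth stating in the test comment.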
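As an added example (not part of the patch or the LuaJIT project), this is how the suggestion above to also check the executed chunk against PUC-Rio Lua 5.1 could look in the same tarantool-tests TAP style. It assumes only the `tap` calls the patch itself uses (`tap.test`, `test:plan`, `test:ok`, `test:done`) and that, on a fixed build, `loadstring()` returns the chunk.

```lua
local tap = require('tap')
local test = tap.test('lj-1054-predict-next-behaviour')
test:plan(3)

-- Constructed reproducer: the same chunk the patch adds. The global
-- multiple assignment, the extra local and the generic `for` over
-- `nil` are what make `predict_next()` look past `fs->bclim` in an
-- unpatched build.
local lua_code = [[
a, b, c = 1, 2, 3
local d
for _ in nil do end
]]

-- An unpatched build under ASAN aborts inside `loadstring()` itself;
-- a plain build parses the chunk, so its runtime behaviour is
-- checked below as well.
local chunk, load_err = loadstring(lua_code)
test:ok(chunk ~= nil, 'parsing is correct' ..
        (load_err and (': ' .. tostring(load_err)) or ''))

-- Reference behaviour (PUC-Rio Lua 5.1): the assignment runs, then
-- the generic `for` tries to call its iterator, which is `nil`.
-- `chunk or error` keeps a failed load from masquerading as the
-- expected "attempt to call a nil value" error via `pcall(nil)`.
local ok, run_err = pcall(chunk or error, 'chunk was not loaded')
test:ok(not ok and tostring(run_err):match('attempt to call a nil value')
        ~= nil, 'chunk fails the same way as in PUC-Rio Lua 5.1')
test:ok(a == 1 and b == 2 and c == 3,
        'globals are assigned before the loop fails')

test:done(true)
```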