Date: Tue, 5 Sep 2023 11:31:04 +0000
To: Sergey Kaplun
From: Igor Munkin via Tarantool-patches
Cc: tarantool-patches@dev.tarantool.org
Subject: Re: [Tarantool-patches] [PATCH luajit] Always exit after machine code page protection change fails.

Sergey,

Thanks for your review! I've replied to your comments inline.

On 03.09.23, Sergey Kaplun wrote:
> Hi, Igor!
> Thanks for the patch!
> Please, consider my comments below.
>
> On 01.09.23, Igor Munkin wrote:
> > From: Mike Pall
> >
> > Reported by Sergey Kaplun.
> >
> > (cherry picked from commit c50232eb320d56d526ba5e6cb5bda8cf5a848a55)
> >
> > Unfortunately, call had been missing for a long time for the case
> > when fails within . Though the patch per se is
> > quite trivial, the test is not at all. It exploits the fact, that
>
> Typo: s/fact,/fact/
>
> > is used only for protecting area for mcode or callback
>
> Typo: s/area/the area/
>
> > function pointers. Hence, if the test doesn't use FFI at all, it is
> > guaranteed that the only called in LuaJIT runtime locates in
> > (that is not true for Tarantool, so the test is disabled
> > for integration testing routine). Furthermore, overloading on
>
> Typo: s/for/for the/
>
> > macOS occurs to be not an easy ride either, so running the test on macOS
>
> s/occurs to be/is/
> Feel free to ignore.
>
> > is disabled, since this is the common part for all platforms and
>
> Typo: s/disabled,/disabled/
>
> > everything can be checked on Linux in a much more easier way.
>
> Typo: s/more//
>
> >

Thanks for proofreading the commit message; the new one with the fixes
can be found below:
================================================================================
Always exit after machine code page protection change fails.

Reported by Sergey Kaplun.

(cherry picked from commit c50232eb320d56d526ba5e6cb5bda8cf5a848a55)

Unfortunately, call had been missing for a long time for the case
when fails within . Though the patch per se is
quite trivial, the test is not at all. It exploits the fact that
is used only for protecting the area for mcode or callback
function pointers. Hence, if the test doesn't use FFI at all, it is
guaranteed that the only called in LuaJIT runtime locates in
(that is not true for Tarantool, so the test is disabled
for the integration testing routine).
Furthermore, attempts to overload on macOS occur to be not an easy
ride either, so running the test on macOS is disabled since this is the
common part for all platforms and everything can be checked on Linux in
a much easier way.

Igor Munkin:
* added the description and the test for the problem

Part of tarantool/tarantool#8825
================================================================================

> > Igor Munkin:
> > * added the description and the test for the problem
> >
> > Part of tarantool/tarantool#8825
> >
> > Signed-off-by: Igor Munkin
> > ---
> >
> > Branch: https://github.com/tarantool/luajit/tree/imun/lj-802-panic-at-mcode-protfail
> > Tarantool PR: https://github.com/tarantool/tarantool/pull/9077
> > Related issues:
> > * https://github.com/tarantool/tarantool/issues/8825
> > * https://github.com/LuaJIT/LuaJIT/issues/802
> >
> > diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
> > new file mode 100644
> > index 00000000..83a9ae2e
> > --- /dev/null
> > +++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
>
> The test doesn't fail before the patch
>
> Neither if I run it from the command line:
>
> | LUA_PATH="src/?.lua;test/tarantool-tests/?.lua;test/tarantool-tests/?/init.lua;" LD_LIBRARY_PATH="test/tarantool-tests/lj-802-panic-at-mcode-protfail/" src/luajit test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
> | TAP version 13
> | 1..3
> | ok - Panic occurred as a result of failure
> | ok - LuaJIT exited as a result of the panic (error check)
> | ok - LuaJIT exited as a result of the panic (poison check)
>
> nor as part of `make tarantool-tests` (checked with or w/o GC64).
>
> Compiled as the following:
> | cmake . -DLUAJIT_ENABLE_WARNINGS=OFF -DCMAKE_BUILD_TYPE=Debug -DLUA_USE_APICHECK=ON -DLUA_USE_ASSERT=ON -DLUAJIT_ENABLE_GC64=ON && make -j
>
> Tested with the following diff:
> ===================================================================
> diff --git a/src/lj_mcode.c b/src/lj_mcode.c
> index a88d16bd..9b59053a 100644
> --- a/src/lj_mcode.c
> +++ b/src/lj_mcode.c
> @@ -180,7 +180,7 @@ static void mcode_protect(jit_State *J, int prot)
>  #define MCPROT_RUN MCPROT_RX
>
>  /* Protection twiddling failed. Probably due to kernel security. */
> -static LJ_NORET LJ_NOINLINE void mcode_protfail(jit_State *J)
> +static LJ_NOINLINE void mcode_protfail(jit_State *J)
>  {
>  lua_CFunction panic = J2G(J)->panic;
>  if (panic) {
> @@ -188,7 +188,7 @@ static LJ_NORET LJ_NOINLINE void mcode_protfail(jit_State *J)
>  setstrV(L, L->top++, lj_err_str(L, LJ_ERR_JITPROT));
>  panic(L);
>  }
> - exit(EXIT_FAILURE);
> + // exit(EXIT_FAILURE);
>  }
>
>  /* Change protection of MCode area. */
> ===================================================================
>
> WDIDW?

Building LuaJIT with the internal assertions, LOL. Anyway, thanks for
noticing this. I've added an additional check to the test (see the
incremental diff below):
================================================================================
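Review bot: in the quoted `@@ -180,7 +180,7 @@` hunk, dropping LJ_NORET from `-static LJ_NORET LJ_NOINLINE void mcode_protfail(jit_State *J)` is the necessary companion to commenting out exit() in the next hunk, not an independent change: if the noreturn attribute stayed on a function that can now actually return, the compiler would be entitled to assume the fallthrough never happens, and the reproduced failure would be undefined behaviour instead of the genuine pre-fix control flow (the panic handler returning into mcode_protect). Worth a sentence in the cover text so the scratch diff is not misread as two unrelated edits.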
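Review bot: in the quoted `@@ -188,7 +188,7 @@` hunk, `+ // exit(EXIT_FAILURE);` combined with the -DLUA_USE_ASSERT=ON build from the cmake line above makes the process die on an internal assertion (an abort) once control returns into mcode_protect, so the original test's three checks still pass: 'Segmentation fault' never appears and the poison string is never written. The test therefore has to reject 'Aborted' as well to catch this reproduction (as the incremental diff that follows does), and it should be kept in mind that this scratch diff reproduces the pre-fix behaviour of an assertion-enabled build only.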
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
index 83a9ae2e..f4dc4e1c 100644
--- a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
@@ -19,7 +19,7 @@ local test = tap.test('lj-flush-on-trace'):skipcond({
 [' cannot be overridden on macOS'] = jit.os == 'OSX',
 })

-test:plan(3)
+test:plan(4)

 -- runs %testname%/script.lua by
 -- with the given environment, launch options and CLI arguments.
@@ -35,6 +35,8 @@ test:like(output, 'runtime code generation failed, restricted kernel%?',
 'Panic occurred as a result of failure')
 test:unlike(output, 'Segmentation fault',
 'LuaJIT exited as a result of the panic (error check)')
+test:unlike(output, 'Aborted',
+ 'LuaJIT exited as a result of the panic (assertion check)')
 test:unlike(output, poison,
 'LuaJIT exited as a result of the panic (poison check)')
================================================================================
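Review bot: in the `@@ -35,6 +35,8 @@` hunk, the added `+test:unlike(output, 'Aborted',` / `+ 'LuaJIT exited as a result of the panic (assertion check)')` matches, like the 'Segmentation fault' check right above it, the message the launching shell prints when the child is killed by a signal rather than anything LuaJIT itself emits, so both checks hold only while script.lua is started through a shell whose stderr ends up in `output`; a short comment saying the strings come from the shell would save the next reader from searching lj_mcode.c for them. Checking the child's exit status in addition would make the check independent of that wording.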
>
> > @@ -0,0 +1,41 @@
> > +local tap = require('tap')
> > +local test = tap.test('lj-flush-on-trace'):skipcond({
> > + ['Test requires JIT enabled'] = not jit.status(),
> > + ['Disabled on *BSD due to #4819'] = jit.os == 'BSD',
> > + -- XXX: This test has to check the particular patch for
> > + -- and is overloaded for this
>
> Typo: s//,/
>
> > + -- purpose. However, is used widely in Tarantool
>
> Typo: s/is used widely/is widely used/
>
> > + -- to play with fiber stacks, so overriding is not
> > + -- suitable to test this feature in Tarantool.
> > + -- luacheck: no global
> > + [' overriding can break Tarantool'] = _TARANTOOL,
> > + -- XXX: Unfortunately, it's too hard to overload (or even
> > + -- impossible, who knows, since Cupertino fellows do not
> > + -- provide any information about their system) something from
> > + -- libsystem_kernel.dylib (the library providing ).
> > + -- All in all, this test checks the part, that is common for all
>
> Typo: s/part,/part/
>
> > + -- platforms, so it's not vital to run this test on macOS, since
>
> Typo: s/macOS,/macOS/
>
> > + -- everything can be checked on Linux in a much more easier way.
>
> Typo: s/more//
>
> > + [' cannot be overridden on macOS'] = jit.os == 'OSX',
> > +})
> > +
> > +test:plan(3)
> > +

All the typos in the test code are fixed; the diff is below:
================================================================================
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
index f4dc4e1c..94f4314f 100644
--- a/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail.test.lua
@@ -3,8 +3,8 @@ local test = tap.test('lj-flush-on-trace'):skipcond({
 ['Test requires JIT enabled'] = not jit.status(),
 ['Disabled on *BSD due to #4819'] = jit.os == 'BSD',
 -- XXX: This test has to check the particular patch for
- -- and is overloaded for this
- -- purpose. However, is used widely in Tarantool
+ -- , and is overloaded for this
+ -- purpose. However, is widely used in Tarantool
 -- to play with fiber stacks, so overriding is not
 -- suitable to test this feature in Tarantool.
 -- luacheck: no global
@@ -13,9 +13,9 @@ local test = tap.test('lj-flush-on-trace'):skipcond({
 -- impossible, who knows, since Cupertino fellows do not
 -- provide any information about their system) something from
 -- libsystem_kernel.dylib (the library providing ).
- -- All in all, this test checks the part, that is common for all
- -- platforms, so it's not vital to run this test on macOS, since
- -- everything can be checked on Linux in a much more easier way.
+ -- All in all, this test checks the part that is common for all
+ -- platforms, so it's not vital to run this test on macOS since
+ -- everything can be checked on Linux in a much easier way.
 [' cannot be overridden on macOS'] = jit.os == 'OSX',
 })
================================================================================

> > diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
> > new file mode 100644
> > index 00000000..661099fa
> > --- /dev/null
> > +++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
> > @@ -0,0 +1,12 @@
> > +jit.opt.start('hotloop=1')
> > +
> > +-- Run a simple loop that triggers on trace assembling.
> > +local a = 0
> > +for i = 1, 3 do
>
> Minor: Should it be 4 here to actually *run* a loop and be sure that we
> don't execute this part of the code?

But 3 is this dedicated iteration. Here are some details regarding the
loop recording:
* The first iteration is executed until the corresponding loop bytecode
  (BC_FORL, IIRC) is reached.
* Starting from the first occurrence of the aforementioned bytecode, the
  compiler starts recording the loop. This is the second iteration.
* To successfully finalize the compilation of the loop, the jump at that
  bytecode should be done back to the beginning of the loop body (this
  is the heuristic of the JIT compiler, since the loop is not considered
  "hot" otherwise and there is no reason to finalize this trace). If the
  jump target is valid in the sense described above, the trace is
  finalized and, since the jump targets back to the loop body, the next
  loop iteration is run.
* Since the trace is already compiled, the third and the last iteration
  is run via the mcode instead of VM interpreting the bytecode. At this
  point the execution of the trace is finished with the corresponding
  guard checking the "iterator" value.

So, if you want one "full" iteration and one "to-be-exited" iteration,
I can increment the right boundary of the loop, but I doubt that it's
strongly required here (since we check that the compilation fails at
the assembling phase).

> > + a = a + i
> > +end
> > +
> > +-- XXX: Just a simple contract output in case neither panic at
>
> Typo: s/panic/the panic/
>

All the typos in the script code are also fixed; the diff is below:
================================================================================
diff --git a/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
index 661099fa..201a8ff2 100644
--- a/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
+++ b/test/tarantool-tests/lj-802-panic-at-mcode-protfail/script.lua
@@ -6,7 +6,7 @@ for i = 1, 3 do
 a = a + i
 end

--- XXX: Just a simple contract output in case neither panic at
+-- XXX: Just a simple contract output in case neither the panic at
 -- , nor crash occurs (see for LUAJIT_UNPROTECT_MCODE in
 -- lj_mcode.c for more info).
 io.write(arg[1])
================================================================================

> > +-- , nor crash occurs (see for LUAJIT_UNPROTECT_MCODE in
> > +-- lj_mcode.c for more info).
> > +io.write(arg[1])
> > --
> > 2.30.2
> >
>
> --
> Best regards,
> Sergey Kaplun

--
Best regards,
IM
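Review bot: in the quoted `@@ -0,0 +1,41 @@` hunk of lj-802-panic-at-mcode-protfail.test.lua, `+local test = tap.test('lj-flush-on-trace'):skipcond({` gives the TAP test a name that does not match the file it lives in (it looks copied from another test); it should read tap.test('lj-802-panic-at-mcode-protfail') so that the TAP output and any per-test filtering refer to the right case. The mismatch survives unchanged in the context lines of both later incremental diffs (`@@ -19,7 +19,7 @@ local test = tap.test('lj-flush-on-trace'):skipcond({` and `@@ -3,8 +3,8 @@ ...`), so it needs its own fix before the patch lands.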