From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounces@dev.tarantool.org>
Received: from [87.239.111.99] (localhost [127.0.0.1])
	by dev.tarantool.org (Postfix) with ESMTP id 2845E482870;
	Wed, 27 Sep 2023 15:54:57 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 2845E482870
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev;
	t=1695819297; bh=GjkQbHtyGBTp+fynt8SFX7gCe1x3TB67BI9bMG4G7yY=;
	h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=YS86Q2SkMt/MfQ8pULklevTrOkSzo+VAm8jvOB/SWaxrrvf1ERFEFDx1OtF/7qCCY
	 TOIShDr/IAbrkXYqr1SO+2kr5v7MRO/KtpZHHYknC5xmWRv0CYJmyL65ZknaFxKpdK
	 DhuWIp7XUQ24qQQV8UHVs3yWJPHuyGTxK4mfpj4Y=
Received: from smtp45.i.mail.ru (smtp45.i.mail.ru [95.163.41.83])
 (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id 9849E482870
 for <tarantool-patches@dev.tarantool.org>;
 Wed, 27 Sep 2023 15:54:38 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 9849E482870
Received: by smtp45.i.mail.ru with esmtpa (envelope-from <imun@tarantool.org>)
 id 1qlU3p-00F83B-2p; Wed, 27 Sep 2023 15:54:38 +0300
Date: Wed, 27 Sep 2023 12:33:15 +0000
To: Sergey Bronnikov <estetus@gmail.com>
Message-ID: <ZRQhCzvOf9mMeNmN@tarantool.org>
References: <8b2d744f68eb138c2b2c37e1ac851181e303b485.1693305720.git.sergeyb@tarantool.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <8b2d744f68eb138c2b2c37e1ac851181e303b485.1693305720.git.sergeyb@tarantool.org>
X-Clacks-Overhead: GNU Terry Pratchett
X-Mailru-Src: smtp
X-7564579A: 646B95376F6C166E
X-77F55803: 4F1203BC0FB41BD9635F647A8D3EE72C0591D95213BBB83F1E68B1C55902BA58182A05F538085040DD0F73F61A0C7D798D17D5E773BC8CFF8B149E220E730551501D7EB287E8AA45
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE73A0E02362971E860EA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F790063771C846A5973DEE7E8638F802B75D45FF36EB9D2243A4F8B5A6FCA7DBDB1FC311F39EFFDF887939037866D6147AF826D88395809CC94F8FA8DD629479236E605F117882F4460429724CE54428C33FAD305F5C1EE8F4F765FCF80095D1E57F4578A471835C12D1D9774AD6D5ED66289B52BA9C0B312567BB23117882F446042972877693876707352033AC447995A7AD186FD1C55BDD38FC3FD2E47CDBA5A96583BA9C0B312567BB2376E601842F6C81A19E625A9149C048EE0AC5B80A05675ACD4D0DA9BD313A0613D8FC6C240DEA76429C9F4D5AE37F343AA9539A8B242431040A6AB1C7CE11FEE3F8BD4E506CFA3D882D242C3BD2E3F4C6C4224003CC836476E2F48590F00D11D6E2021AF6380DFAD1A18204E546F3947CB11811A4A51E3B096D1867E19FE1407959CC434672EE6371089D37D7C0E48F6C8AA50765F7900637BF1C901A33650803EFF80C71ABB335746BA297DBC24807EABDAD6C7F3747799A
X-C1DE0DAB: 0D63561A33F958A5FC05B4298638695240247C7D64625D70897F5DAB0EDFE483F87CCE6106E1FC07E67D4AC08A07B9B0A6C7FFFE744CA7FBCB5012B2E24CD356
X-C8649E89: 1C3962B70DF3F0ADBF74143AD284FC7177DD89D51EBB7742DC8270968E61249B1004E42C50DC4CA955A7F0CF078B5EC49A30900B95165D34AC632F0BE69382F370B76AF2BBA747A787562F52D182723D77C20A1264AC8CF742D304E5D55E73141D7E09C32AA3244C9EC497943D71DCC81A1E82A0F9A327FB8894E9C85370243EBAD658CF5C8AB4025DA084F8E80FEBD376A4ED3E9341DC2FCD72808BE417F3B9E0E7457915DAA85F
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2biojTKVCr97n33Vqpn0L3nixxw==
X-Mailru-Sender: 2FEBA92C8E508479FE7B9A1DF348D531B843E021EF7B0BF7AE9C30B9A8A20A9DB8DD0191BD683AA62326FE6F2A341ACE0FB9F97486540B4CD9E8847AB8CFED4D9ABF8A61C016C2CFB0DAF586E7D11B3E67EA787935ED9F1B
X-Mras: Ok
Subject: Re: [Tarantool-patches] [PATCH luajit] Fix predict_next() in parser
 (again).
X-BeenThere: tarantool-patches@dev.tarantool.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
From: Igor Munkin via Tarantool-patches <tarantool-patches@dev.tarantool.org>
Reply-To: Igor Munkin <imun@tarantool.org>
Cc: max.kokryashkin@gmail.com, tarantool-patches@dev.tarantool.org
Errors-To: tarantool-patches-bounces@dev.tarantool.org
Sender: "Tarantool-patches" <tarantool-patches-bounces@dev.tarantool.org>

Sergey,

I've checked the patchset into all long-term branches in
tarantool/luajit and bumped a new version in master, release/2.11 and
release/2.10.

On 29.08.23, Sergey Bronnikov via Tarantool-patches wrote:
> From: sergeyb@tarantool.org
> 
> Reported by Sergey Bronnikov. #1054
> 
> (cherry picked from commit 309fb42b871b6414f53e0e0e708bce0b0d62daff)
> 
> The following Lua snippet triggers an out of boundary access to a stack:
> 
> ```lua
> a, b, c = 1, 2, 3
> local d
> for _ in nil do end
> ```
> 
> With execution snippet by LuaJIT instrumented by ASAN it leads to
> a heap-buffer-overflow.
> 
> In a function `predict_next` variable `exprpc` looks forward and expects
> extra bytecodes on the stack. However, `KPRI` is merged to the `KNIL`
> and there is no new bytecode to add, so `exprpc == fs->bclim` and it
> leads to out of boundary access.
> 
> Sergey Bronnikov:
> * added the description and the test for the problem
> 
> Part of tarantool/tarantool#8825
> ---
> 
> PR: https://github.com/tarantool/tarantool/pull/9054
> Branch: https://github.com/tarantool/luajit/tree/ligurio/lj-1054-incorrect-pc-value-predict_next
> Related issue:
> * https://github.com/LuaJIT/LuaJIT/issues/1054
> 
>  src/lj_parse.c                                 |  4 +++-
>  ...incorrect-pc-value-in-predict_next.test.lua | 18 ++++++++++++++++++
>  2 files changed, 21 insertions(+), 1 deletion(-)
>  create mode 100644 test/tarantool-tests/lj-1054-incorrect-pc-value-in-predict_next.test.lua
> 

<snipped>

> -- 
> 2.34.1
> 

-- 
Best regards,
IM