From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <tarantool-patches-bounces@dev.tarantool.org>
Received: from [87.239.111.99] (localhost [127.0.0.1])
	by dev.tarantool.org (Postfix) with ESMTP id 72E286AF5C8;
	Wed, 25 Oct 2023 13:47:43 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 72E286AF5C8
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev;
	t=1698230863; bh=ohAC5MME/NuHWg0HICoH0hzF4BjxAKFidCydhduboKY=;
	h=Date:To:References:In-Reply-To:Subject:List-Id:List-Unsubscribe:
	 List-Archive:List-Post:List-Help:List-Subscribe:From:Reply-To:Cc:
	 From;
	b=o6lv7q2TZfi/gX6rf0/468TNZ4dP4P/319vU2PIxOKZ4JgIx8SGQyiEckYgVkUoDg
	 n1HNiPkOEq3im5YmIQ2MlfFsGzStH3lStK02N1l1UUqG1ncBr9nU88ibPL7eAe9WW1
	 tynmXITgTCxA4Aunu8keBr54ktYRMiChc/CYhseA=
Received: from smtpng1.i.mail.ru (smtpng1.i.mail.ru [94.100.181.251])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by dev.tarantool.org (Postfix) with ESMTPS id 05C9C65341F
 for <tarantool-patches@dev.tarantool.org>;
 Wed, 25 Oct 2023 13:47:42 +0300 (MSK)
DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 05C9C65341F
Received: by smtpng1.m.smailru.net with esmtpa (envelope-from
 <skaplun@tarantool.org>)
 id 1qvbQK-0002cJ-Q3; Wed, 25 Oct 2023 13:47:41 +0300
Date: Wed, 25 Oct 2023 13:43:10 +0300
To: Maxim Kokryashkin <m.kokryashkin@tarantool.org>
Message-ID: <ZTjxPhfvNzOjOZUG@root>
References: <cover.1698049570.git.skaplun@tarantool.org>
 <b2a4449e7ed71582c36672e85d467df867d695f4.1698049570.git.skaplun@tarantool.org>
 <yygwvoeqyhgp2oru2xxqdpqlsdvxdf2dwmjfujxomfqc2n7243@hhkhi4ok6fif>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <yygwvoeqyhgp2oru2xxqdpqlsdvxdf2dwmjfujxomfqc2n7243@hhkhi4ok6fif>
X-Mailru-Src: smtp
X-4EC0790: 10
X-7564579A: EEAE043A70213CC8
X-77F55803: 4F1203BC0FB41BD96DD1678B4DC47D344C796B53B5200C120A455E3A932C0172182A05F5380850404C228DA9ACA6FE2741F5724FC52BAE4CDA38EDA0F225FEF248B73C33D5B1C500093ADA5EE0804A4F
X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE76ABD3380F320B62CEA1F7E6F0F101C67BD4B6F7A4D31EC0BCC500DACC3FED6E28638F802B75D45FF8AA50765F7900637578F58D66D7052C48638F802B75D45FF36EB9D2243A4F8B5A6FCA7DBDB1FC311F39EFFDF887939037866D6147AF826D81A3F80874A580E7F47F312908F4B9869117882F4460429724CE54428C33FAD305F5C1EE8F4F765FC2EE5AD8F952D28FBA471835C12D1D9774AD6D5ED66289B52BA9C0B312567BB23117882F446042972877693876707352033AC447995A7AD18618001F51B5FD3F9D2E47CDBA5A96583BA9C0B312567BB231DD303D21008E29813377AFFFEAFD269176DF2183F8FC7C0406C186E56A1B26068655334FD4449CB33AC447995A7AD1857739F23D657EF2BD5E8D9A59859A8B65D673F6B91EFC66D089D37D7C0E48F6C5571747095F342E88FB05168BE4CE3AF
X-C1DE0DAB: 0D63561A33F958A525DF5B5C95CE1ABA48F198DA8A099E6E75F8590D69AC9AAFF87CCE6106E1FC07E67D4AC08A07B9B064E7220B7C550592CB5012B2E24CD356
X-C8649E89: 1C3962B70DF3F0ADBF74143AD284FC7177DD89D51EBB7742424CF958EAFF5D571004E42C50DC4CA955A7F0CF078B5EC49A30900B95165D34CC972AA0E2E780C448AC662735F68A71BE5450F6EB5C9F5886F0CE62E0779F98E856B88A88DB8B571D7E09C32AA3244CE6D02912FAEC21A59D3AC4E26B1A40686C2483212766842285A42E4C463514DC5DA084F8E80FEBD3202CD0F03380D9577A83BD0C44CE203720ABEDE4BBDD9CDD
X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu530nj6fImhcD4MUrOEAnl0W826KZ9Q+tr5ycPtXkTV4k65bRjmOUUP8cvGozZ33TWg5HZplvhhXbhDGzqmQDTd6OAevLeAnq3Ra9uf7zvY2zzsIhlcp/Y7m53TZgf2aB4JOg4gkr2bioj7UiV2qa299r16M2Afncn2g==
X-DA7885C5: F723E16C3441F5C7247634CC7464F86C5FFE986CA60234B303FF0FFEB05C36ED262E2D401490A4A0DB037EFA58388B346E8BC1A9835FDE71
X-Mailru-Sender: 689FA8AB762F73930F533AC2B33E986B47F13FBF458C36FA801435B603F8001D0FBE9A32752B8C9C2AA642CC12EC09F1FB559BB5D741EB962F61BD320559CF1EFD657A8799238ED55FEEDEB644C299C0ED14614B50AE0675
X-Mras: Ok
Subject: Re: [Tarantool-patches] [PATCH luajit 4/6] FFI: Fix dangling
 reference to CType.
X-BeenThere: tarantool-patches@dev.tarantool.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Tarantool development patches <tarantool-patches.dev.tarantool.org>
List-Unsubscribe: <https://lists.tarantool.org/mailman/options/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=unsubscribe>
List-Archive: <https://lists.tarantool.org/pipermail/tarantool-patches/>
List-Post: <mailto:tarantool-patches@dev.tarantool.org>
List-Help: <mailto:tarantool-patches-request@dev.tarantool.org?subject=help>
List-Subscribe: <https://lists.tarantool.org/mailman/listinfo/tarantool-patches>, 
 <mailto:tarantool-patches-request@dev.tarantool.org?subject=subscribe>
From: Sergey Kaplun via Tarantool-patches <tarantool-patches@dev.tarantool.org>
Reply-To: Sergey Kaplun <skaplun@tarantool.org>
Cc: tarantool-patches@dev.tarantool.org
Errors-To: tarantool-patches-bounces@dev.tarantool.org
Sender: "Tarantool-patches" <tarantool-patches-bounces@dev.tarantool.org>

Hi, Maxim!
Thanks for the review!
See my answers below.

On 25.10.23, Maxim Kokryashkin wrote:
> Hi, Sergey!
> Thanks for the patch!
> Please consider my comments below.
> On Mon, Oct 23, 2023 at 12:22:04PM +0300, Sergey Kaplun wrote:

<snipped>

> > diff --git a/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua b/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua
> > new file mode 100644
> > index 00000000..c0e2c07b
> > --- /dev/null
> > +++ b/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua
> > @@ -0,0 +1,59 @@
> > +local tap = require('tap')
> > +local ffi = require('ffi')
> > +local test = tap.test('fix-dangling-reference-to-ctype'):skipcond({
> > +  -- luacheck: no global
> > +  ['Impossible to predict the value of cts->top'] = _TARANTOOL,
> > +})
> > +
> > +test:plan(1)
> > +
> > +-- This test demonstrates LuaJIT's incorrect behaviour when the
> > +-- reallocation of `cts->tab` strikes during the conversion of a
> > +-- TValue (cdata function pointer) to a C type.
> > +-- The test fails under ASAN.
> Let's change the last sentence to 'Before the patch the test fails only
> under ASAN' because now it is a bit misleading. 

Reworded, thanks!

> > +
> > +-- XXX: Just some C functions to be casted. There is no need to
> > +-- declare their prototypes correctly.
> > +ffi.cdef[[
> > +  int malloc(void);
> > +  int fprintf(void);
> > +  int printf(void);
> > +  int memset(void);
> > +  int memcpy(void);
> > +  int memmove(void);
> > +  int getppid(void);
> > +]]
> > +
> > +-- XXX: structure to set `cts->top` to 110.
> > +local _ = ffi.new('struct {int a; long b; float c; double d;}', 0)
> > +
> > +-- Anchor table to prevent cdata objects from being collected.
> > +local anchor = {}
> > +-- Each call to this function grows `cts->top` by 3.
> Please drop a comment, referring to a point in sources, so the size
> of the growth becomes obvious.

Added. See the iterative patch below.

> 
> > +local function save_new_func(func)
> > +  anchor[#anchor + 1] = ffi.cast('void (*)(void)', func)
> > +end
> > +
> > +save_new_func(ffi.C.malloc)  -- `cts->top` = 110
> > +save_new_func(ffi.C.fprintf) -- `cts->top` = 113
> > +save_new_func(ffi.C.printf)  -- `cts->top` = 116
> > +save_new_func(ffi.C.memset)  -- `cts->top` = 119
> > +save_new_func(ffi.C.memcpy)  -- `cts->top` = 122
> 
> Is it possible to bring us to this value of `cts->top`
> with a structure?

I haven't tried it, but this structure will be too big and hardly
maintained, so I prefer the following way. I suppose that there is no
need to comment this part, so the only comment I left is about the first
alignment.

> > +
> > +-- Assertions to check the `cts->top` value and step between
> > +-- calls.
> > +assert(ffi.typeinfo(122), 'cts->top >= 122')
> > +assert(not ffi.typeinfo(123), 'cts->top < 123')
> > +
> > +save_new_func(ffi.C.memmove) -- `cts->top` = 125
> > +
> > +assert(ffi.typeinfo(125), 'cts->top >= 125')
> > +assert(not ffi.typeinfo(126), 'cts->top < 126')
> > +
> > +-- Last call to grow `cts->top` up to 128, so this causes
> > +-- `cts->tab` reallocation.
> > +save_new_func(ffi.C.getppid) -- `cts->top` = 128
> 
> Should we add an extra assertion after reallocation?

Ignored, as you mentioned in the second letter.

> > +
> > +test:ok(true, 'no heap-use-after-free in lj_cconv_ct_tv')
> > +
> > +test:done(true)
> > -- 
> > 2.42.0
> > 

Branch is force pushed:
===================================================================
diff --git a/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua b/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua
index c0e2c07b..2ced5779 100644
--- a/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua
+++ b/test/tarantool-tests/fix-dangling-reference-to-ctype.test.lua
@@ -10,7 +10,7 @@ test:plan(1)
 -- This test demonstrates LuaJIT's incorrect behaviour when the
 -- reallocation of `cts->tab` strikes during the conversion of a
 -- TValue (cdata function pointer) to a C type.
--- The test fails under ASAN.
+-- Before the patch, the test failed only under ASAN.
 
 -- XXX: Just some C functions to be casted. There is no need to
 -- declare their prototypes correctly.
@@ -30,6 +30,9 @@ local _ = ffi.new('struct {int a; long b; float c; double d;}', 0)
 -- Anchor table to prevent cdata objects from being collected.
 local anchor = {}
 -- Each call to this function grows `cts->top` by 3.
+-- `lj_ctype_new()` and `lj_ctype_intern()` during the parsing of
+-- the `CType` declaration in the `ffi.cast()` plus
+-- `lj_ctype_intern()` during the conversion to another `CType`.
 local function save_new_func(func)
   anchor[#anchor + 1] = ffi.cast('void (*)(void)', func)
 end
===================================================================

-- 
Best regards,
Sergey Kaplun