Date: Wed, 31 Jan 2024 12:46:56 +0300
To: Maxim Kokryashkin
References: <20240130150437.17133-1-skaplun@tarantool.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Subject: Re: [Tarantool-patches] [PATCH luajit] Fix zero stripping in %g number formatting.
From: Sergey Kaplun via Tarantool-patches
Reply-To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org
List-Id: Tarantool development patches

Hi, Maxim!

Thanks for the review!
Fixed your comments and force-pushed the branch.

On 31.01.24, Maxim Kokryashkin wrote:
> Hi, Sergey!
> Thanks for the patch!
> LGTM, except for two nits regarding the commit message,
> and two nits regarding the test case comment.
> On Tue, Jan 30, 2024 at 06:04:37PM +0300, Sergey Kaplun wrote:
> > From: Mike Pall
> >
> > Reported by pwnhacker0x18.
> >
> > (cherry picked from commit 343ce0edaf3906a62022936175b2f5410024cbfc)
> >
> > In the situation when the precision (`prec`) and amount of digits
> > (`hilen`) for the decimal representation are the same and `ndhi` == 0,
> > the `ndlo` part will become 64 (the size of the `nd` stack buffer), and
> Typo: s/will become/becomes/
> > the overflow occurs.
> >
> > This patch adds the corresponding mask (0x3f == 63) for the `ndlo`
> > incrementation result.
> Please mention that all of this happens in the `lj_strfmt_wfnum`
> function in the commit message.

Fixed! The new commit message is the following:

| Fix zero stripping in %g number formatting.
|
| Reported by pwnhacker0x18.
|
| (cherry picked from commit 343ce0edaf3906a62022936175b2f5410024cbfc)
|
| LuaJIT uses `lj_strfmt_wfnum()` for number formatting. In the situation
| when the precision (`prec`) and amount of digits (`hilen`) for the
| decimal representation are the same and `ndhi` == 0, the `ndlo` part
| becomes 64 (the size of the `nd` stack buffer), and the overflow occurs.
|
| This patch adds the corresponding mask (0x3f == 63) for the `ndlo`
| incrementation result.
|
| Sergey Kaplun:
| * added the description and the test for the problem
|
| Part of tarantool/tarantool#9595

> >
> > Sergey Kaplun:
> > * added the description and the test for the problem
> >
> > Part of tarantool/tarantool#9595
> > ---
> >
> > Branch: https://github.com/tarantool/luajit/tree/skaplun/lj-1149-g-number-formating
> > Tarantool PR: https://github.com/tarantool/tarantool/pull/9633
> >
> > The test fails on M1 with the
> > timeout (see the example [1]). This fail is patch-unrelated, since I've
> > obscured this failure even for the branch without sources changes (tests
> > only).
> >
> > Related Issues:
> > * https://github.com/LuaJIT/LuaJIT/issues/1149
> > * https://github.com/tarantool/tarantool/issues/9595
> >
> > [1]: https://github.com/tarantool/luajit/actions/runs/7712549489/job/21020513973#step:8:5522
> >
> > Duration of failed tests (seconds):
> > * 60.54 app-tap/gh-2717-no-quit-sigint.test.lua
> >
> > +-- XXX: The test shows stack-buffer-overflow only under ASAN.
> > +-- The number value for the test is with the same precision
> Typo: s/is with/has/
> > +-- (`prec` = 5) and amount of digits (`hilen` = 5) for the decimal
> > +-- representation. Hence, with `ndhi` == 0, the `ndlo` part will
> > +-- become 64 (the size of the `nd` stack buffer), and the overflow
> Typo: s/will become/becomes/

Fixed! See the iterative patch below.

===================================================================
diff --git a/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
index 040fd5de..b10d7b2a 100644
--- a/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
+++ b/test/tarantool-tests/lj-1149-g-number-formating-bufov.test.lua
@@ -8,10 +8,10 @@ local test = tap.test('lj-1149-g-number-formating-bufov')
 test:plan(1)
 
 -- XXX: The test shows stack-buffer-overflow only under ASAN.
--- The number value for the test is with the same precision
+-- The number value for the test has the same precision
 -- (`prec` = 5) and amount of digits (`hilen` = 5) for the decimal
--- representation. Hence, with `ndhi` == 0, the `ndlo` part will
--- become 64 (the size of the `nd` stack buffer), and the overflow
+-- representation. Hence, with `ndhi` == 0, the `ndlo` part
+-- becomes 64 (the size of the `nd` stack buffer), and the overflow
 -- occurs.
 -- See details in the :`lj_strfmt_wfnum()`.
 test:is(string.format('%7g', 0x1.144399609d407p+401), '5.5733e+120',
===================================================================

> > +-- occurs.
> > +-- See details in the :`lj_strfmt_wfnum()`.
> > +test:is(string.format('%7g', 0x1.144399609d407p+401), '5.5733e+120',
> > +        'correct format %7g result')
> > +
> > +test:done(true)
> > --
> > 2.43.0
> >

--
Best regards,
Sergey Kaplun
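Review bot: the trailing context line of this hunk, `-- See details in the :\`lj_strfmt_wfnum()\`.`, has a stray colon in front of the backtick (and "in the" reads oddly before a function name); since the hunk already rewords the comment block right above it, it is worth folding that into the same change, e.g. `-- See details in \`lj_strfmt_wfnum()\`.`. The rest of the wording changes match the review nits exactly.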
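The thread above describes the bug only in prose: the digit chunks live in a 64-entry stack array `nd` addressed by `ndlo`/`ndhi`, and an unmasked increment of `ndlo` can land on index 64, one past the buffer, which only ASAN makes visible. The following is an added example of mine, not LuaJIT's `lj_strfmt_wfnum()` code and not part of the patch: a simplified model of a 64-entry ring of digit chunks, with the low-end zero-stripping walk written once without the `0x3f` mask and once with it. The struct, the chunk layout, the stepping helpers, the bounds check that stands in for ASAN, and the sample ring (chosen so the occupied range wraps across `nd[63]` into `nd[0]`) are all my constructions.

```c
/* Added example, not LuaJIT code. Models a 64-entry ring of digit chunks
 * indexed by ndlo/ndhi; everything here is a constructed simplification. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_SIZE 64u
#define ND_MASK (ND_SIZE - 1u)   /* 0x3f == 63, the mask the fix adds */

/* nd[ndlo] is the lowest chunk, nd[ndhi] the highest. The occupied range
 * runs upward from ndlo and may wrap past nd[63] back to nd[0]. */
struct digit_ring {
  uint32_t nd[ND_SIZE];
  uint32_t ndlo, ndhi;
};

/* Number of occupied chunks; the mask is what makes the wrapped case
 * (ndlo > ndhi) come out right. */
static uint32_t chunk_count(const struct digit_ring *r) {
  return ((r->ndhi - r->ndlo) & ND_MASK) + 1u;
}

static uint32_t step_unmasked(uint32_t i) { return i + 1u; }
static uint32_t step_masked(uint32_t i)   { return (i + 1u) & ND_MASK; }

/* Drop zero chunks from the low end, the shape of a zero-stripping loop.
 * Returns the number of chunks dropped, or -1 when the next index would
 * fall outside nd[]. In real code that read is the stack-buffer-overflow
 * ASAN reports; here an explicit bounds check catches it instead. */
static int strip_low_zeros(struct digit_ring *r, bool masked) {
  int dropped = 0;
  while (r->ndlo != r->ndhi && r->nd[r->ndlo] == 0u) {
    uint32_t next = masked ? step_masked(r->ndlo) : step_unmasked(r->ndlo);
    if (next >= ND_SIZE)
      return -1;               /* unmasked walk: 63 + 1 == 64 == ND_SIZE */
    r->ndlo = next;
    dropped++;
  }
  return dropped;
}

/* Constructed sample: four chunks at nd[62], nd[63], nd[0], nd[1], so the
 * value wraps across the end of the array; the two lowest chunks are zero.
 * The non-zero chunk values are arbitrary. */
static struct digit_ring make_wrapping_ring(void) {
  struct digit_ring r;
  memset(&r, 0, sizeof r);
  r.ndlo = 62u;
  r.ndhi = 1u;
  r.nd[62] = 0u;
  r.nd[63] = 0u;
  r.nd[0]  = 557330u;
  r.nd[1]  = 5u;
  return r;
}

/* Runs both variants on the same input. True when the unmasked walk is
 * stopped at the out-of-bounds index and the masked walk wraps 63 -> 0,
 * drops exactly the two zero chunks and leaves two chunks in the ring. */
static bool demo(void) {
  struct digit_ring buggy = make_wrapping_ring();
  struct digit_ring fixed = make_wrapping_ring();
  int b = strip_low_zeros(&buggy, false);   /* -1 */
  int f = strip_low_zeros(&fixed, true);    /*  2 */
  return b == -1 && f == 2 && fixed.ndlo == 0u && chunk_count(&fixed) == 2u;
}

int main(void) {
  bool ok = demo();
  printf("masked index handling behaves as expected: %s\n", ok ? "yes" : "no");
  return ok ? 0 : 1;
}
```

The point the model makes is the one the commit message states: every arithmetic step on an index into a power-of-two ring has to be masked, because an index that is valid before the step can equal the buffer size after it. A plain `-O2` build of the unmasked variant would silently read whatever sits after the array on the stack, which is why the test's comment says the overflow shows up only under ASAN.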