Subject: Re: [Tarantool-patches] [PATCH luajit 2/2] Fix edge cases when recording string.byte/sub.
From: Sergey Bronnikov via Tarantool-patches
Reply-To: Sergey Bronnikov
To: Sergey Kaplun
Cc: tarantool-patches@dev.tarantool.org
Date: Tue, 10 Mar 2026 12:59:47 +0300

Hi, Sergey,

thanks for the patch! LGTM

Sergey

On 3/6/26 16:42, Sergey Kaplun wrote:
From: Mike Pall <mike>

Thanks to Sergey Kaplun.

(cherry picked from commit 89f268b3f745dba80da6350d3cbbb0964f3fdbee)

It is possible that the `len` (`end - start`) will underflow and become
positive in the `recff_string_range()` when the `end` is negative. For
`string.sub()` this is not crucial, since the trace will be valid
anyway. But for `string.byte()` it may lead to the assertion failure in
the `rec_check_slots()`.

This patch fixes those underflows by the correct comparison.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#12134
---
 src/lj_ffrecord.c                             |  6 ++---
 .../lj-1443-stirng-byte-underflow.test.lua    | 25 +++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)
 create mode 100644 test/tarantool-tests/lj-1443-stirng-byte-underflow.test.lua

diff --git a/src/lj_ffrecord.c b/src/lj_ffrecord.c
index d888e83e..aad1bd87 100644
--- a/src/lj_ffrecord.c
+++ b/src/lj_ffrecord.c
@@ -810,7 +810,7 @@ static void LJ_FASTCALL recff_string_range(jit_State *J, RecordFFData *rd)
   }
   trstart = recff_string_start(J, str, &start, trstart, trlen, tr0);
   if (rd->data) {  /* Return string.sub result. */
-    if (end - start >= 0) {
+    if (start <= end) {
       /* Also handle empty range here, to avoid extra traces. */
       TRef trptr, trslen = emitir(IRTGI(IR_SUBOV), trend, trstart);
       emitir(IRTGI(IR_GE), trslen, tr0);
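Review bot: `end - start >= 0` relied on a signed 32-bit subtraction that can wrap when `end` is a large negative value, so the old condition could hold for an inverted range; `start <= end` is the right replacement because it never performs the subtraction on the C side. The `IRTGI(IR_SUBOV)` guard on `trend`/`trstart` that follows still makes the trace exit if the runtime difference overflows, and the `/* Also handle empty range here */` comment remains accurate since `start == end` is now the empty case.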
@@ -821,8 +821,8 @@ static void LJ_FASTCALL recff_string_range(jit_State *J, RecordFFData *rd)
       J->base[0] = lj_ir_kstr(J, &J2G(J)->strempty);
     }
   } else {  /* Return string.byte result(s). */
-    ptrdiff_t i, len = end - start;
-    if (len > 0) {
+    if (start < end) {
+      ptrdiff_t i, len = end - start;
       TRef trslen = emitir(IRTGI(IR_SUBOV), trend, trstart);
       emitir(IRTGI(IR_EQ), trslen, lj_ir_kint(J, (int32_t)len));
       if (J->baseslot + len > LJ_MAX_JSLOTS)
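Review bot: moving `len = end - start` under `start < end` is what actually closes the `rec_check_slots()` assertion: once the comparison has passed and `start` is non-negative after `recff_string_start()`, the difference cannot wrap, so the `(int32_t)len` cast in the `IR_EQ` guard and the `J->baseslot + len > LJ_MAX_JSLOTS` check now see the real result count. A one-line comment saying that the comparison must precede the subtraction would keep a future cleanup from hoisting `len` back out of the block.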
diff --git a/test/tarantool-tests/lj-1443-stirng-byte-underflow.test.lua b/test/tarantool-tests/lj-1443-stirng-byte-underflow.test.lua
new file mode 100644
index 00000000..9f91718c
--- /dev/null
+++ b/test/tarantool-tests/lj-1443-stirng-byte-underflow.test.lua
@@ -0,0 +1,25 @@
+local tap = require('tap')
+
+-- The test file to demonstrate integer underflow during recording
+-- for the `string.byte()` built-in.
+-- See also https://github.com/LuaJIT/LuaJIT/issues/1443.
+
+local test = tap.test('lj-1443-stirng-byte-underflow'):skipcond({
+  ['Test requires JIT enabled'] = not jit.status(),
+})
+
+test:plan(1)
+
+jit.opt.start('hotloop=1')
+
+local result
+local str = 'xxx'
+for _ = 1, 4 do
+  -- Failed assertion in `rec_check_slots()` due to incorrect
+  -- number of results after underflow.
+  result = (str):byte(0X7FFFFFFF, -0X7FFFFFFF)
+end
+
+test:is(result, nil, 'correct result on trace')
+
+test:done(true)
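Review bot: the file name and the TAP test name spell `stirng` for `string` (`lj-1443-stirng-byte-underflow`); worth fixing before merge, since that name is what shows up in test output. The hex literals use an uppercase `0X` prefix where the conventional form is `0x`. The test only exercises `string.byte()`, while the commit also changes the `string.sub()` branch; a companion `string.sub(str, 0x7FFFFFFF, -0x7FFFFFFF)` check asserting the empty string would pin that path as well.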
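Added here as an illustration, not part of the patch or of LuaJIT's code: a small C model of the index arithmetic the commit message describes, with the old `len = end - start; if (len > 0)` check beside the fixed `if (start < end)` one and a reference count of what the interpreter's `string.byte()` returns. The `normalize()` function is an assumption standing in for the start/end handling in `recff_string_range()`/`recff_string_start()`.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the start/end normalisation in
 * recff_string_range()/recff_string_start(); an assumption, not LuaJIT code. */
static void normalize(int32_t slen, int32_t *start, int32_t *end)
{
  if (*end < 0) *end = *end + slen + 1;
  else if (*end > slen) *end = slen;
  if (*start < 0) *start = *start + slen;
  else if (*start > 0) *start = *start - 1;
}

/* Old check: len = end - start; if (len > 0). Taken in 32-bit two's
 * complement so the wrap is deterministic (signed overflow is UB in C). */
static int32_t old_byte_nresults(int32_t slen, int32_t start, int32_t end)
{
  int32_t len;
  normalize(slen, &start, &end);
  len = (int32_t)((uint32_t)end - (uint32_t)start);
  return len > 0 ? len : 0;
}

/* Fixed check: compare first, subtract only when start < end. */
static int32_t new_byte_nresults(int32_t slen, int32_t start, int32_t end)
{
  normalize(slen, &start, &end);
  return start < end ? end - start : 0;
}

/* Reference: values string.byte(s, i, j) yields in the interpreter
 * (1-based inclusive range, clamped to the string). */
static int32_t interp_byte_nresults(int32_t slen, int32_t i, int32_t j)
{
  if (j < 0) j += slen + 1;
  if (i < 0) i += slen + 1;
  if (i <= 0) i = 1;
  if (j > slen) j = slen;
  return j < i ? 0 : j - i + 1;
}

int main(void)
{ /* Arguments from the regression test: ('xxx'):byte(0x7FFFFFFF, -0x7FFFFFFF). */
  printf("interp=%d old=%d new=%d\n",
         interp_byte_nresults(3, 0x7FFFFFFF, -0x7FFFFFFF),
         old_byte_nresults(3, 0x7FFFFFFF, -0x7FFFFFFF),
         new_byte_nresults(3, 0x7FFFFFFF, -0x7FFFFFFF));
  return 0;
}
```

For the regression test's arguments the old check yields 7 phantom results against the interpreter's 0, which is the slot-count mismatch `rec_check_slots()` asserts on; the fixed check agrees with the interpreter.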