10989164176

Committed 23 Sep 2024 06:53AM UTC coverage: 92.701% (-0.1%) from 92.796%

Build # 10989164176

Build Type

push

github

Committed by

Buristan

Commit Message

Fix limit check in narrow_conv_backprop().

Thanks to Sergey Kaplun.

(cherry picked from commit e45fd4cb7)

The function `narrow_conv_backprop()` does not include a limit check for
the stack pointer (`nc->sp`), even though its value may change after
several recursive calls. As a result, it leads to stack-buffer-overflow
during the instruction narrowing. This patch adds the missing check.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#10199

Run Details

5671 of 6025 branches covered (94.12%)

Branch coverage included in aggregate %.

1 of 1 new or added line in 1 file covered. (100.0%)

25 existing lines in 5 files now uncovered.

21635 of 23431 relevant lines covered (92.33%)

2953660.92 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

92.5

/src/lj_vmmath.c

/*
** Math helper functions for assembler VM.
** Copyright (C) 2005-2017 Mike Pall. See Copyright Notice in luajit.h
*/

#define lj_vmmath_c
#define LUA_CORE

#include <errno.h>
#include <math.h>

#include "lj_obj.h"
#include "lj_ir.h"
#include "lj_vm.h"

/* -- Wrapper functions --------------------------------------------------- */

#if LJ_TARGET_X86 && __ELF__ && __PIC__
/* Wrapper functions to deal with the ELF/x86 PIC disaster. */
LJ_FUNCA double lj_wrap_log(double x) { return log(x); }
LJ_FUNCA double lj_wrap_log10(double x) { return log10(x); }
LJ_FUNCA double lj_wrap_exp(double x) { return exp(x); }
LJ_FUNCA double lj_wrap_sin(double x) { return sin(x); }
LJ_FUNCA double lj_wrap_cos(double x) { return cos(x); }
LJ_FUNCA double lj_wrap_tan(double x) { return tan(x); }
LJ_FUNCA double lj_wrap_asin(double x) { return asin(x); }
LJ_FUNCA double lj_wrap_acos(double x) { return acos(x); }
LJ_FUNCA double lj_wrap_atan(double x) { return atan(x); }
LJ_FUNCA double lj_wrap_sinh(double x) { return sinh(x); }
LJ_FUNCA double lj_wrap_cosh(double x) { return cosh(x); }
LJ_FUNCA double lj_wrap_tanh(double x) { return tanh(x); }
LJ_FUNCA double lj_wrap_atan2(double x, double y) { return atan2(x, y); }
LJ_FUNCA double lj_wrap_pow(double x, double y) { return pow(x, y); }
LJ_FUNCA double lj_wrap_fmod(double x, double y) { return fmod(x, y); }
#endif

/* -- Helper functions ---------------------------------------------------- */

double lj_vm_foldarith(double x, double y, int op)
{
  switch (op) {
  case IR_ADD - IR_ADD: return x+y; break;
  case IR_SUB - IR_ADD: return x-y; break;
  case IR_MUL - IR_ADD: return x*y; break;
  case IR_DIV - IR_ADD: return x/y; break;
  case IR_MOD - IR_ADD: return x-lj_vm_floor(x/y)*y; break;
  case IR_POW - IR_ADD: return pow(x, y); break;
  case IR_NEG - IR_ADD: return -x; break;
  case IR_ABS - IR_ADD: return fabs(x); break;
#if LJ_HASJIT
  case IR_LDEXP - IR_ADD: return ldexp(x, (int)y); break;
  case IR_MIN - IR_ADD: return x < y ? x : y; break;
  case IR_MAX - IR_ADD: return x > y ? x : y; break;
#endif
  default: return x;
  }
}

/* -- Helper functions for generated machine code ------------------------- */

#if (LJ_HASJIT && !(LJ_TARGET_ARM || LJ_TARGET_ARM64 || LJ_TARGET_PPC)) || LJ_TARGET_MIPS
int32_t LJ_FASTCALL lj_vm_modi(int32_t a, int32_t b)
{
  uint32_t y, ua, ub;
  /* This must be checked before using this function. */
  lj_assertX(b != 0, "modulo with zero divisor");
  ua = a < 0 ? ~(uint32_t)a+1u : (uint32_t)a;
  ub = b < 0 ? ~(uint32_t)b+1u : (uint32_t)b;
  y = ua % ub;
  if (y != 0 && (a^b) < 0) y = y - ub;
  if (((int32_t)y^b) < 0) y = ~y+1u;
  return (int32_t)y;
}
#endif

#if LJ_HASJIT

#ifdef LUAJIT_NO_LOG2
double lj_vm_log2(double a)
{
  return log(a) * 1.4426950408889634074;
}
#endif

/* Computes fpm(x) for extended math functions. */
double lj_vm_foldfpm(double x, int fpm)
{
  switch (fpm) {
  case IRFPM_FLOOR: return lj_vm_floor(x);
  case IRFPM_CEIL: return lj_vm_ceil(x);
  case IRFPM_TRUNC: return lj_vm_trunc(x);
  case IRFPM_SQRT: return sqrt(x);
  case IRFPM_LOG: return log(x);
  case IRFPM_LOG2: return lj_vm_log2(x);
  default: lj_assertX(0, "bad fpm %d", fpm);
  }
  return 0;
}

#if LJ_HASFFI
int lj_vm_errno(void)
{
  return errno;
}
#endif

#endif

1	/*
2	** Math helper functions for assembler VM.
3	** Copyright (C) 2005-2017 Mike Pall. See Copyright Notice in luajit.h
4	*/
5
6	#define lj_vmmath_c
7	#define LUA_CORE
8
9	#include <errno.h>
10	#include <math.h>
11
12	#include "lj_obj.h"
13	#include "lj_ir.h"
14	#include "lj_vm.h"
15
16	/* -- Wrapper functions --------------------------------------------------- */
17
18	#if LJ_TARGET_X86 && __ELF__ && __PIC__
19	/* Wrapper functions to deal with the ELF/x86 PIC disaster. */
20	LJ_FUNCA double lj_wrap_log(double x) { return log(x); }
21	LJ_FUNCA double lj_wrap_log10(double x) { return log10(x); }
22	LJ_FUNCA double lj_wrap_exp(double x) { return exp(x); }
23	LJ_FUNCA double lj_wrap_sin(double x) { return sin(x); }
24	LJ_FUNCA double lj_wrap_cos(double x) { return cos(x); }
25	LJ_FUNCA double lj_wrap_tan(double x) { return tan(x); }
26	LJ_FUNCA double lj_wrap_asin(double x) { return asin(x); }
27	LJ_FUNCA double lj_wrap_acos(double x) { return acos(x); }
28	LJ_FUNCA double lj_wrap_atan(double x) { return atan(x); }
29	LJ_FUNCA double lj_wrap_sinh(double x) { return sinh(x); }
30	LJ_FUNCA double lj_wrap_cosh(double x) { return cosh(x); }
31	LJ_FUNCA double lj_wrap_tanh(double x) { return tanh(x); }
32	LJ_FUNCA double lj_wrap_atan2(double x, double y) { return atan2(x, y); }
33	LJ_FUNCA double lj_wrap_pow(double x, double y) { return pow(x, y); }
34	LJ_FUNCA double lj_wrap_fmod(double x, double y) { return fmod(x, y); }
35	#endif
36
37	/* -- Helper functions ---------------------------------------------------- */
38
39	double lj_vm_foldarith(double x, double y, int op)	40,943✔
40	{
41	switch (op) {	40,943✔
42	case IR_ADD - IR_ADD: return x+y; break;	27,349✔
43	case IR_SUB - IR_ADD: return x-y; break;	1,307✔
44	case IR_MUL - IR_ADD: return x*y; break;	295✔
45	case IR_DIV - IR_ADD: return x/y; break;	59✔
46	case IR_MOD - IR_ADD: return x-lj_vm_floor(x/y)*y; break;	19✔
47	case IR_POW - IR_ADD: return pow(x, y); break;	10,817✔
48	case IR_NEG - IR_ADD: return -x; break;	13✔
49	case IR_ABS - IR_ADD: return fabs(x); break;	4✔
50	#if LJ_HASJIT
51	case IR_LDEXP - IR_ADD: return ldexp(x, (int)y); break;	41✔
52	case IR_MIN - IR_ADD: return x < y ? x : y; break;	4✔
53	case IR_MAX - IR_ADD: return x > y ? x : y; break;	1,035✔
54	#endif
55	default: return x;
56	}
57	}
58
59	/* -- Helper functions for generated machine code ------------------------- */
60
61	#if (LJ_HASJIT && !(LJ_TARGET_ARM \|\| LJ_TARGET_ARM64 \|\| LJ_TARGET_PPC)) \|\| LJ_TARGET_MIPS
62	int32_t LJ_FASTCALL lj_vm_modi(int32_t a, int32_t b)	6,872✔
63	{
64	uint32_t y, ua, ub;	6,872✔
65	/* This must be checked before using this function. */
66	lj_assertX(b != 0, "modulo with zero divisor");	6,872✔
67	ua = a < 0 ? ~(uint32_t)a+1u : (uint32_t)a;	6,872✔
68	ub = b < 0 ? ~(uint32_t)b+1u : (uint32_t)b;	6,872✔
69	y = ua % ub;	6,872✔
70	if (y != 0 && (a^b) < 0) y = y - ub;	6,872✔
71	if (((int32_t)y^b) < 0) y = ~y+1u;	6,872✔
72	return (int32_t)y;	6,872✔
73	}
74	#endif
75
76	#if LJ_HASJIT
77
78	#ifdef LUAJIT_NO_LOG2
79	double lj_vm_log2(double a)
80	{
81	return log(a) * 1.4426950408889634074;
82	}
83	#endif
84
85	/* Computes fpm(x) for extended math functions. */
86	double lj_vm_foldfpm(double x, int fpm)	8✔
87	{
88	switch (fpm) {	8✔
89	case IRFPM_FLOOR: return lj_vm_floor(x);	4✔
90	case IRFPM_CEIL: return lj_vm_ceil(x);	3✔
91	case IRFPM_TRUNC: return lj_vm_trunc(x);	×
UNCOV 92	case IRFPM_SQRT: return sqrt(x);	×
93	case IRFPM_LOG: return log(x);	1✔
94	case IRFPM_LOG2: return lj_vm_log2(x);	×
95	default: lj_assertX(0, "bad fpm %d", fpm);
96	}
97	return 0;
98	}
99
100	#if LJ_HASFFI
101	int lj_vm_errno(void)	43✔
102	{
103	return errno;	43✔
104	}
105	#endif
106
107	#endif

tarantool / luajit / 10989164176

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source File
Press 'n' to go to next uncovered line, 'b' for previous