tarantool / luajit

88%

tarantool/master: 93%

LAST BUILD ON BRANCH ligurio/lj-1054-incorrect-pc-value-predict_next

branch: ligurio/lj-1054-incorrect-pc-value-predict_next

CHANGE BRANCH

x

Reset

• ligurio/lj-1054-incorrect-pc-value-predict_next
• ligurio/code-coverage
• ligurio/lj-549-fix-embedded-bytecode-loader
• ligurio/support-diff-cover
• tarantool/release/2.10
• tarantool/release/2.11
• tarantool/master
• imun/lj-802-panic-at-mcode-protfail
• skaplun/gh-8825-mips-ppc-refactoring
• fckxorg/gh-8700-sysprof-parser-refactoring
• fckxorg/gh-5688-cli-for-memprof-parse
• skaplun/lj-9-pow-inconsistencies
• skaplun/lj-1046-fix-bc-varg-recording
• fckxorg/gh-5688-cli-for-memprof-parse-tnt
• skaplun/fix-binary-number-parsing
• imun/tarantool-release-2.11
• imun/tarantool-release-2.10
• imun/tarantool-master
• skaplun/lj-1025-tsetm-maxslot
• skaplun/fix-flaky-unit-jit-parse
• skaplun/lj-1033-fix-parsing-predict-next
• fckxorg/memprof-parser-refactoring
• skaplun/lj-980-load-fwd-after-table-rehash
• skaplun/lj-994-load-fwd-instable-types-tdup
• skaplun/lj-1052-unsink-with-irfl-tab-nomm
• ligurio/lj-881-fix-concat
• skaplun/gh-noticket-fix-flaky-mips-spare-exit
• fckxorg/lj-1004-oom-error-frame
• fckxorg/generalized-debugger
• ligurio/lj-611-always-snapshot-functions-for-non-base-frames
• fckxorg/lj-624-jloop-snapshot-pc
• fckxorg/gh-6323-fix-curL
• fckxorg/mark-conv-non-weak
• fckxorg/lj-595-fix-clang-build
• ligurio/gh-xxxx-spellchecking
• skaplun/lj-1016-1031-asm-head-side
• ligurio/code-generation-jit.bcsave
• ligurio/lj-720-throw-any-errors-before-stack-changes-in-trace-stitching
• ligurio/enable_test_target
• skaplun/ffi-fixes
• skaplun/lj-1082-min-max-0-commutative
• skaplun/fix-ir-conv
• fckxorg/lj-690-concat-tail-call
• gdb-fix
• fckxorg/lj-946-print-errors-from-gc-fin
• fckxorg/lj-1004-fix-flaky
• skaplun/lj-783-fix-fold-x-0
• skaplun/lj-859-math-ceil-sign
• fckxorg/auto-pr
• skaplun/lj-1110-x64-return-dispatch
• skaplun/lj-1114-ffi-pragma-pack
• fckxorg/gh-8594-sysprof-ffunc-crash
• skaplun/lj-792-hrefk-table-clear
• skaplun/fix-jit-dump-ir-conv-flaky
• skaplun/lj-794-abc-fold-constants
• skaplun/lj-791-fold-bufhdr-append
• skaplun/lj-1069-newref-nan-key
• skaplun/lj-833-fold-conv-from-num
• fckxorg/lj-962-error-reporting-on-stack-overflow
• skaplun/lj-788-limit-exponents-range
• imun/disable-sysprof-tests-for-tarantool
• fckxorg/profile-parsers-refactoring
• imun/sysprof-ptrace-ffunc-test
• skaplun/lj-784-cse-ref-base-over-retf
• fckxorg/profile-parsers-refactoring-WIP
• fckxorg/sysprof-libunwind
• fckxorg/gh-8140-crash-in-allocator
• fckxorg/lj-866-allow-building-with-unwinding-disabled
• skaplun/lj-1128-double-ir-newref-on-restore-sunk
• fckxorg/lj-913-avoid-assertion-stkov-from-stitched-trace
• fckxorg/fix-argv-handling
• fckxorg/integration-testing
• imun/fix-test-for-tarantool-searchers
• fckxorg/fixup-error-in-finalizer-tests
• skaplun/gh-9398-more-luajit-tests
• tarantool/release/3.0
• fckxorg/lj-840-fix-hrefk-optimization
• fckxorg/lj-839-concat-recording
• skaplun/lj-1134-hotside-jit-off
• skaplun/lj-994-instable-pri-types
• skaplun/lj-1132-bad-snap-refs
• skaplun/gh-noticket-fix-codespell
• skaplun/lj-1149-g-number-formating
• skaplun/lj-1147-fstore-null-meta
• skaplun/fix-ff-select-recording
• skaplun/gh-noticket-codespell-nd
• skaplun/lj-737-snap-usedef-upvalues
• skaplun/lj-611-always-snapshot-functions-for-non-base-frames
• imun/lj-549-make-gcc-7-happy
• fckxorg/lj-pr-720-errors-before-stitch
• ligurio/lj-1087-vm-handler-call
• skaplun/lj-noticket-test-cat-fix
• imun/enable-tarantool-cli-tests-in-lua-Harness
• ligurio/lj-865-fix_generation_of_mach-o_object_files
• fckxorg/integration-testing-3.0
• fckxorg/lj-720-errors-before-stitch
• fckxorg/lj-1117-fuse-loads
• skaplun/lj-1172-debug-handling-ref
• skaplun/lj-1164-record-meta-concat-varg-pcall
• skaplun/lj-1173-frame-limit-lower-frame
• mkokryashkin/test
• ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer
• ligurio/fix-gh-actions-warnings
• fckxorg/profile-parsers-refactoring-p1
• mkokryashkin/integration-testing-3.0
• mkokryashkin/integration-testing-2.11
• ligurio/lj-736-prevent-loop-in-snap_usedef
• skaplun/lj-1169-down-rec-side
• skaplun/lj-1134-fix-link-nointegration
• ligurio/fix-cmake-warnings
• mkokryashkin/profile-parsers-refactoring-p2
• ligurio/skaplun/gh-9656-gcc-asan-build
• skaplun/lj-1166-errors-stitching
• skaplun/lj-noticket-fix-slots-overflow-for-varg-record
• tarantool/release/3.1
• skaplun/lj-1133-fwd-href-hrefk-alias
• skaplun/gh-8473-ubsan
• skaplun/lj-1094-ir-chain-dce
• skaplun/lj-861-1005-ffi-fixes
• ligurio/fix-_TARANTOOL
• mandesero/dlmalloc-instr
• mandesero/dlmalloc-instr-nointegration
• mandesero/lj-3705-turn-off-strcmp-opt-in-debug
• skaplun/lj-928-1193-sanitizer-fixes
• skaplun/lj-567-1176-print-nyi-names
• skaplun/fix-build-dir
• tarantool/archive/2.10
• tarantool/archive/3.0
• ligurio/gh-1181-64bit-non-FAT-Mach-O-object-files
• ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer-nointegration
• mandesero/lj-10231-ASAN-and-LJ-allocator
• elhimov/gh-4808-display-fast-function-name
• skaplun/gh-9398-more-luajit-tests-p2
• skaplun/lj-1232-fix-enum-tostring
• experimental/no-shrink-cdata-fin-table
• ligurio/gh-xxxx-update-ubsan-supp
• skaplun/lj-1234-err-in-record-concat
• skaplun/lj-1224-fix-jit-cdata-arith
• skaplun/lj-1203-limit-format-elements
• skaplun/lj-1262-fix-limit-narrow-conv-backprop
• tarantool/release/3.2
• tarantool/archive/3.1
• experimental/mremap-always-nomove
• skaplun/lj-1247-fin-tab-rehashing-on-trace
• skaplun/follow-up-fix-gh-9398-p2
• skaplun/fix-stack-alloc-on-trace
• skaplun/lj-382-clear-stack-after-jit-status
• skaplun/lj-522-fix-dlerror-return-null
• skaplun/lj-1079-fix-64-bitshift-folds
• skaplun/shrink-test-env
• skaplun/lj-1083-missing-tostring-coercion-in-select
• skaplun/lj-1244-missing-phi-carg
• skaplun/fix-getmetrics-lapi-test
• skaplun/gh-noticket-fix-macos-c-tests
• skaplun/lj-noticket-err-concat-oom
• ligurio/gh-1279-recording-getmetatable
• skaplun/lj-1252-missing-bit64-coercion
• skaplun/fix-test-complex-double

Build # 6109128487

Build Type

push

github

Committed by igormunkin

Commit Message

Fix predict_next() in parser (again).

Reported by Sergey Bronnikov.

(cherry picked from commit 309fb42b8)

The following Lua snippet triggers out-of-boundary access to a stack:

```
a, b, c = 1, 2, 3
local d
for _ in nil do end
```

During the execution of this snippet with LuaJIT instrumented by ASAN,
it leads to a heap-based buffer overflow.

In function `predict_next()` variable `exprpc` looks forward and expects
extra bytecodes on the stack. However, `KPRI` is merged to `KNIL` and
there is no new bytecode to add, so `exprpc == fs->bclim`, and it leads
to out-of-boundary access. Issue has been fixed by an early return when
`pc >= fs->bclim`.

Sergey Bronnikov:
* added the description and the test for the problem

Part of tarantool/tarantool#8825

Run Details

5335 of 5969 branches covered (0.0%)

Branch coverage included in aggregate %.

20459 of 23287 relevant lines covered (87.86%)

1285815.48 hits per line