tarantool / luajit

93%

tarantool/master: 93%

LAST BUILD ON BRANCH ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer-nointegration

branch: ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer-nointegration

CHANGE BRANCH

x

Reset

• ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer-nointegration
• elhimov/gh-4808-display-fast-function-name
• elhimov/gh-noticket-gdb-gctop
• experimental/mremap-always-nomove
• experimental/no-shrink-cdata-fin-table
• experimental/riscv-64
• fckxorg/auto-pr
• fckxorg/fix-argv-handling
• fckxorg/fixup-error-in-finalizer-tests
• fckxorg/generalized-debugger
• fckxorg/gh-5688-cli-for-memprof-parse
• fckxorg/gh-5688-cli-for-memprof-parse-tnt
• fckxorg/gh-6323-fix-curL
• fckxorg/gh-8140-crash-in-allocator
• fckxorg/gh-8594-sysprof-ffunc-crash
• fckxorg/gh-8700-sysprof-parser-refactoring
• fckxorg/integration-testing
• fckxorg/integration-testing-3.0
• fckxorg/lj-1004-fix-flaky
• fckxorg/lj-1004-oom-error-frame
• fckxorg/lj-1117-fuse-loads
• fckxorg/lj-595-fix-clang-build
• fckxorg/lj-624-jloop-snapshot-pc
• fckxorg/lj-690-concat-tail-call
• fckxorg/lj-720-errors-before-stitch
• fckxorg/lj-839-concat-recording
• fckxorg/lj-840-fix-hrefk-optimization
• fckxorg/lj-866-allow-building-with-unwinding-disabled
• fckxorg/lj-913-avoid-assertion-stkov-from-stitched-trace
• fckxorg/lj-946-print-errors-from-gc-fin
• fckxorg/lj-962-error-reporting-on-stack-overflow
• fckxorg/lj-pr-720-errors-before-stitch
• fckxorg/mark-conv-non-weak
• fckxorg/memprof-parser-refactoring
• fckxorg/profile-parsers-refactoring
• fckxorg/profile-parsers-refactoring-WIP
• fckxorg/profile-parsers-refactoring-p1
• fckxorg/sysprof-libunwind
• gdb-fix
• imun/disable-sysprof-tests-for-tarantool
• imun/enable-tarantool-cli-tests-in-lua-Harness
• imun/fix-test-for-tarantool-searchers
• imun/lj-549-make-gcc-7-happy
• imun/lj-802-panic-at-mcode-protfail
• imun/sysprof-ptrace-ffunc-test
• imun/tarantool-master
• imun/tarantool-release-2.10
• imun/tarantool-release-2.11
• ligurio/code-coverage
• ligurio/code-generation-jit.bcsave
• ligurio/enable_test_target
• ligurio/fix-_TARANTOOL
• ligurio/fix-cmake-warnings
• ligurio/fix-gh-actions-warnings
• ligurio/gh-11229-misc.sysprof.report
• ligurio/gh-1181-64bit-non-FAT-Mach-O-object-files
• ligurio/gh-12215-profilers-flags
• ligurio/gh-1279-recording-getmetatable
• ligurio/gh-xxxx-close-file-profiler
• ligurio/gh-xxxx-define-unused
• ligurio/gh-xxxx-fix-msg-stop-sysprof
• ligurio/gh-xxxx-fix-stack-checks-in-vararg-calls
• ligurio/gh-xxxx-fix-sysprof-opts-processing
• ligurio/gh-xxxx-set-max-length
• ligurio/gh-xxxx-skip-sysprof-tests
• ligurio/gh-xxxx-spellchecking
• ligurio/gh-xxxx-update-ubsan-supp
• ligurio/lj-1054-incorrect-pc-value-predict_next
• ligurio/lj-1087-vm-handler-call
• ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer
• ligurio/lj-1450-unpack-ub
• ligurio/lj-1454-ub-os-time
• ligurio/lj-1458-ub-lj_tab_new
• ligurio/lj-549-fix-embedded-bytecode-loader
• ligurio/lj-611-always-snapshot-functions-for-non-base-frames
• ligurio/lj-720-throw-any-errors-before-stack-changes-in-trace-stitching
• ligurio/lj-736-prevent-loop-in-snap_usedef
• ligurio/lj-865-fix_generation_of_mach-o_object_files
• ligurio/lj-881-fix-concat
• ligurio/skaplun/gh-9656-gcc-asan-build
• ligurio/support-diff-cover
• locker/ci-drop-centos-7-workflow
• mandesero/dlmalloc-instr
• mandesero/dlmalloc-instr-nointegration
• mandesero/lj-10231-ASAN-and-LJ-allocator
• mandesero/lj-3705-turn-off-strcmp-opt-in-debug
• mandesero/msan-supporting
• mkokryashkin/integration-testing-2.11
• mkokryashkin/integration-testing-3.0
• mkokryashkin/profile-parsers-refactoring-p2
• mkokryashkin/test
• skaplun/actions-checkout-bump
• skaplun/ci-perf-install-conditionally-lua-cjson
• skaplun/disable-lj-1196-tarantool
• skaplun/ffi-c-call-conventions
• skaplun/ffi-fixes
• skaplun/fix-binary-number-parsing
• skaplun/fix-bit-shift-dualnum
• skaplun/fix-build-dir
• skaplun/fix-ff-select-recording
• skaplun/fix-flake8-7.2.0
• skaplun/fix-flaky-sysprof
• skaplun/fix-flaky-unit-jit-parse
• skaplun/fix-getmetrics-lapi-test
• skaplun/fix-ir-conv
• skaplun/fix-jit-dump-ir-conv-flaky
• skaplun/fix-luajit-tests-centos7
• skaplun/fix-luajit-tests-tablebump
• skaplun/fix-macos-xcode
• skaplun/fix-old-cmakes
• skaplun/fix-recording-bc-varg-used-in-select
• skaplun/fix-stack-alloc-on-trace
• skaplun/fix-test-complex-double
• skaplun/follow-up-fix-gh-9398-p2
• skaplun/gh-11185-stream-trace-assert
• skaplun/gh-11220-tarantool-integration
• skaplun/gh-11300-use-perftools-flag
• skaplun/gh-4808-gco-func-proto-bytecode
• skaplun/gh-8473-ubsan
• skaplun/gh-8825-mips-ppc-refactoring
• skaplun/gh-9398-more-luajit-tests
• skaplun/gh-9398-more-luajit-tests-p2
• skaplun/gh-no-ticket-codespell-2.3.0-fixes
• skaplun/gh-noticket-codespell-nd
• skaplun/gh-noticket-disable-ecosystem-intergration
• skaplun/gh-noticket-fix-alpine-build
• skaplun/gh-noticket-fix-codespell
• skaplun/gh-noticket-fix-flaky-mips-spare-exit
• skaplun/gh-noticket-fix-flaky-test
• skaplun/gh-noticket-fix-gc-finalizer-pressure
• skaplun/gh-noticket-fix-glibc-versions
• skaplun/gh-noticket-fix-macos-c-tests
• skaplun/gh-noticket-fix-mips64-flaky-test
• skaplun/gh-noticket-fix-tests-old-gcc
• skaplun/gh-noticket-justtest-integration
• skaplun/lj-1016-1031-asm-head-side
• skaplun/lj-1025-tsetm-maxslot
• skaplun/lj-1026-arm64-invalid-hrefk-offset-check
• skaplun/lj-1026-fix-ra-hrefk
• skaplun/lj-1028-ldr-fusion-to-ldp-negative-offset
• skaplun/lj-1033-fix-parsing-predict-next
• skaplun/lj-1046-fix-bc-varg-recording
• skaplun/lj-1052-unsink-with-irfl-tab-nomm
• skaplun/lj-1056-arm64-ldp-sdp-misaligned-fusing
• skaplun/lj-1057-arm64-stp-fusing-across-tbar
• skaplun/lj-1062-random-ra
• skaplun/lj-1066-err-coroutine-resume
• skaplun/lj-1069-newref-nan-key
• skaplun/lj-1075-arm64-incorrect-ldp-stp-fusion
• skaplun/lj-1079-fix-64-bitshift-folds
• skaplun/lj-1082-min-max-0-commutative
• skaplun/lj-1083-missing-tostring-coercion-in-select
• skaplun/lj-1094-ir-chain-dce
• skaplun/lj-1110-x64-return-dispatch
• skaplun/lj-1114-ffi-pragma-pack
• skaplun/lj-1115-invalid-scev-entry-lower-frame
• skaplun/lj-1116-redzones-checks
• skaplun/lj-1117-loads-fusion
• skaplun/lj-1128-double-ir-newref-on-restore-sunk
• skaplun/lj-1132-bad-snap-refs
• skaplun/lj-1133-fwd-href-hrefk-alias
• skaplun/lj-1134-fix-link-nointegration
• skaplun/lj-1134-hotside-jit-off
• skaplun/lj-1147-fstore-null-meta
• skaplun/lj-1149-g-number-formating
• skaplun/lj-1152-stack-buffer-overflow-on-error
• skaplun/lj-1164-record-meta-concat-varg-pcall
• skaplun/lj-1166-errors-stitching
• skaplun/lj-1169-down-rec-side
• skaplun/lj-1172-debug-handling-ref
• skaplun/lj-1173-frame-limit-lower-frame
• skaplun/lj-1194-abc-hoisting
• skaplun/lj-1196-partial-snap-restore
• skaplun/lj-1203-limit-format-elements
• skaplun/lj-1224-fix-jit-cdata-arith
• skaplun/lj-1226-fix-predict-next
• skaplun/lj-1232-fix-enum-tostring
• skaplun/lj-1234-err-in-record-concat
• skaplun/lj-1244-missing-phi-carg
• skaplun/lj-1247-fin-tab-rehashing-on-trace
• skaplun/lj-1248-close-state-early-OOM
• skaplun/lj-1249-loadfile-fd-leak
• skaplun/lj-1252-missing-bit64-coercion
• skaplun/lj-1262-fix-limit-narrow-conv-backprop
• skaplun/lj-1295-bad-renames-for-sunk-values
• skaplun/lj-1298-oom-on-concat-recording
• skaplun/lj-1329-getfenv-setfenv-negative
• skaplun/lj-1345-flushing-trace-twice
• skaplun/lj-1353-loadfile-err-use-after-free
• skaplun/lj-1358-jslot-overflow-uprecursion
• skaplun/lj-1359-bad-pc-on-snap-restore-stackov
• skaplun/lj-1360-dangling-ctype-ref-on-ccall
• skaplun/lj-1369-stackov-invalid-bc
• skaplun/lj-1376-undefined-mul-test-flag
• skaplun/lj-1381-fix-errmsg-in-err-handler
• skaplun/lj-1403-vmevent-crash-on-stkov
• skaplun/lj-1405-dangling-cts-L
• skaplun/lj-1407-ir-string-builtin
• skaplun/lj-1413-missing-conv-fori
• skaplun/lj-1418-1422-dualnum-narrowing-0
• skaplun/lj-1425-pcall-snap-purge
• skaplun/lj-1428-mips64-bus-error-stitch
• skaplun/lj-1429-1434-recording-interference
• skaplun/lj-1430-alloc-limit
• skaplun/lj-1432-1433-bad-for-loops
• skaplun/lj-1441-record-constructor-metamethod
• skaplun/lj-1463-ipairs-aux-consistency
• skaplun/lj-382-clear-stack-after-jit-status
• skaplun/lj-522-fix-dlerror-return-null
• skaplun/lj-567-1176-print-nyi-names
• skaplun/lj-611-always-snapshot-functions-for-non-base-frames
• skaplun/lj-737-snap-usedef-upvalues
• skaplun/lj-783-fix-fold-x-0
• skaplun/lj-784-cse-ref-base-over-retf
• skaplun/lj-788-limit-exponents-range
• skaplun/lj-791-fold-bufhdr-append
• skaplun/lj-792-hrefk-table-clear
• skaplun/lj-794-abc-fold-constants
• skaplun/lj-833-fold-conv-from-num
• skaplun/lj-859-math-ceil-sign
• skaplun/lj-861-1005-ffi-fixes
• skaplun/lj-9-pow-inconsistencies
• skaplun/lj-903-arm64-unused-number-sload-typecheck
• skaplun/lj-917-arm64-sload-typecheck-conversion
• skaplun/lj-918-fma-optimization
• skaplun/lj-928-1193-sanitizer-fixes
• skaplun/lj-980-load-fwd-after-table-rehash
• skaplun/lj-994-instable-pri-types
• skaplun/lj-994-load-fwd-instable-types-tdup
• skaplun/lj-noticket-err-concat-oom
• skaplun/lj-noticket-fix-slots-overflow-for-varg-record
• skaplun/lj-noticket-test-cat-fix
• skaplun/luajit-performance-tests
• skaplun/shrink-test-env
• skaplun/tarantool-integration-branch-revision
• skaplun/test-integrational-ci-3.2
• skaplun/test-perf-ci
• skaplun/unified-debugger
• tarantool/archive/2.10
• tarantool/archive/3.0
• tarantool/archive/3.1
• tarantool/archive/3.2
• tarantool/archive/3.3
• tarantool/archive/3.4
• tarantool/archive/3.5
• tarantool/master
• tarantool/release/2.10
• tarantool/release/2.11
• tarantool/release/3.0
• tarantool/release/3.1
• tarantool/release/3.2
• tarantool/release/3.3
• tarantool/release/3.4
• tarantool/release/3.5
• tarantool/release/3.6
• tarantool/release/3.7

Build # 10400467713

Build Type

push

github

Committed by ligurio

Commit Message

FFI: Turn FFI finalizer table into a proper GC root.

Reported by Sergey Bronnikov.

(cherry picked from commit f5affaa6c)

Previous patch fixes the problem partially because the introduced
GC root may not exist at the start phase of the GC cycle (since it
isn't marked because it is not accessible from any GC root).
In that case, the cdata finalizer table will be collected at the
end of the cycle. Access to the cdata finalizer table exhibits
heap use after free. The patch turns the finalizer table into
a proper GC root. Note, that finalizer table is created on the
initialization of the main Lua State instead of loading the FFI
library.

Sergey Bronnikov:
* added the description and the tests for the problem

Part of tarantool/tarantool#10199

Coverage Stats

5673 of 6025 branches covered (94.16%)

Branch coverage included in aggregate %.

26 of 26 new or added lines in 5 files covered. (100.0%)

11 existing lines in 3 files now uncovered.

21641 of 23431 relevant lines covered (92.36%)

2952895.67 hits per line