tarantool / luajit

93%

tarantool/master: 93%

LAST BUILD ON BRANCH skaplun/lj-1152-stack-buffer-overflow-on-error

branch: skaplun/lj-1152-stack-buffer-overflow-on-error

CHANGE BRANCH

x

Reset

• skaplun/lj-1152-stack-buffer-overflow-on-error
• elhimov/gh-4808-display-fast-function-name
• experimental/mremap-always-nomove
• experimental/no-shrink-cdata-fin-table
• experimental/riscv-64
• fckxorg/auto-pr
• fckxorg/fix-argv-handling
• fckxorg/fixup-error-in-finalizer-tests
• fckxorg/generalized-debugger
• fckxorg/gh-5688-cli-for-memprof-parse
• fckxorg/gh-5688-cli-for-memprof-parse-tnt
• fckxorg/gh-6323-fix-curL
• fckxorg/gh-8140-crash-in-allocator
• fckxorg/gh-8594-sysprof-ffunc-crash
• fckxorg/gh-8700-sysprof-parser-refactoring
• fckxorg/integration-testing
• fckxorg/integration-testing-3.0
• fckxorg/lj-1004-fix-flaky
• fckxorg/lj-1004-oom-error-frame
• fckxorg/lj-1117-fuse-loads
• fckxorg/lj-595-fix-clang-build
• fckxorg/lj-624-jloop-snapshot-pc
• fckxorg/lj-690-concat-tail-call
• fckxorg/lj-720-errors-before-stitch
• fckxorg/lj-839-concat-recording
• fckxorg/lj-840-fix-hrefk-optimization
• fckxorg/lj-866-allow-building-with-unwinding-disabled
• fckxorg/lj-913-avoid-assertion-stkov-from-stitched-trace
• fckxorg/lj-946-print-errors-from-gc-fin
• fckxorg/lj-962-error-reporting-on-stack-overflow
• fckxorg/lj-pr-720-errors-before-stitch
• fckxorg/mark-conv-non-weak
• fckxorg/memprof-parser-refactoring
• fckxorg/profile-parsers-refactoring
• fckxorg/profile-parsers-refactoring-WIP
• fckxorg/profile-parsers-refactoring-p1
• fckxorg/sysprof-libunwind
• gdb-fix
• imun/disable-sysprof-tests-for-tarantool
• imun/enable-tarantool-cli-tests-in-lua-Harness
• imun/fix-test-for-tarantool-searchers
• imun/lj-549-make-gcc-7-happy
• imun/lj-802-panic-at-mcode-protfail
• imun/sysprof-ptrace-ffunc-test
• imun/tarantool-master
• imun/tarantool-release-2.10
• imun/tarantool-release-2.11
• ligurio/code-coverage
• ligurio/code-generation-jit.bcsave
• ligurio/enable_test_target
• ligurio/fix-_TARANTOOL
• ligurio/fix-cmake-warnings
• ligurio/fix-gh-actions-warnings
• ligurio/gh-11229-misc.sysprof.report
• ligurio/gh-1181-64bit-non-FAT-Mach-O-object-files
• ligurio/gh-1279-recording-getmetatable
• ligurio/gh-xxxx-close-file-profiler
• ligurio/gh-xxxx-define-unused
• ligurio/gh-xxxx-fix-msg-stop-sysprof
• ligurio/gh-xxxx-fix-stack-checks-in-vararg-calls
• ligurio/gh-xxxx-fix-sysprof-opts-processing
• ligurio/gh-xxxx-set-max-length
• ligurio/gh-xxxx-skip-sysprof-tests
• ligurio/gh-xxxx-spellchecking
• ligurio/gh-xxxx-update-ubsan-supp
• ligurio/lj-1054-incorrect-pc-value-predict_next
• ligurio/lj-1087-vm-handler-call
• ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer
• ligurio/lj-1168-heap-use-after-free-on-access-to-CTState-finalizer-nointegration
• ligurio/lj-549-fix-embedded-bytecode-loader
• ligurio/lj-611-always-snapshot-functions-for-non-base-frames
• ligurio/lj-720-throw-any-errors-before-stack-changes-in-trace-stitching
• ligurio/lj-736-prevent-loop-in-snap_usedef
• ligurio/lj-865-fix_generation_of_mach-o_object_files
• ligurio/lj-881-fix-concat
• ligurio/skaplun/gh-9656-gcc-asan-build
• ligurio/support-diff-cover
• locker/ci-drop-centos-7-workflow
• mandesero/dlmalloc-instr
• mandesero/dlmalloc-instr-nointegration
• mandesero/lj-10231-ASAN-and-LJ-allocator
• mandesero/lj-3705-turn-off-strcmp-opt-in-debug
• mkokryashkin/integration-testing-2.11
• mkokryashkin/integration-testing-3.0
• mkokryashkin/profile-parsers-refactoring-p2
• mkokryashkin/test
• skaplun/ffi-fixes
• skaplun/fix-binary-number-parsing
• skaplun/fix-bit-shift-dualnum
• skaplun/fix-build-dir
• skaplun/fix-ff-select-recording
• skaplun/fix-flake8-7.2.0
• skaplun/fix-flaky-unit-jit-parse
• skaplun/fix-getmetrics-lapi-test
• skaplun/fix-ir-conv
• skaplun/fix-jit-dump-ir-conv-flaky
• skaplun/fix-luajit-tests-centos7
• skaplun/fix-luajit-tests-tablebump
• skaplun/fix-recording-bc-varg-used-in-select
• skaplun/fix-stack-alloc-on-trace
• skaplun/fix-test-complex-double
• skaplun/follow-up-fix-gh-9398-p2
• skaplun/gh-11300-use-perftools-flag
• skaplun/gh-8473-ubsan
• skaplun/gh-8825-mips-ppc-refactoring
• skaplun/gh-9398-more-luajit-tests
• skaplun/gh-9398-more-luajit-tests-p2
• skaplun/gh-no-ticket-codespell-2.3.0-fixes
• skaplun/gh-noticket-codespell-nd
• skaplun/gh-noticket-disable-ecosystem-intergration
• skaplun/gh-noticket-fix-alpine-build
• skaplun/gh-noticket-fix-codespell
• skaplun/gh-noticket-fix-flaky-mips-spare-exit
• skaplun/gh-noticket-fix-flaky-test
• skaplun/gh-noticket-fix-gc-finalizer-pressure
• skaplun/gh-noticket-fix-glibc-versions
• skaplun/gh-noticket-fix-macos-c-tests
• skaplun/gh-noticket-fix-mips64-flaky-test
• skaplun/gh-noticket-justtest-integration
• skaplun/lj-1016-1031-asm-head-side
• skaplun/lj-1025-tsetm-maxslot
• skaplun/lj-1033-fix-parsing-predict-next
• skaplun/lj-1046-fix-bc-varg-recording
• skaplun/lj-1052-unsink-with-irfl-tab-nomm
• skaplun/lj-1069-newref-nan-key
• skaplun/lj-1079-fix-64-bitshift-folds
• skaplun/lj-1082-min-max-0-commutative
• skaplun/lj-1083-missing-tostring-coercion-in-select
• skaplun/lj-1094-ir-chain-dce
• skaplun/lj-1110-x64-return-dispatch
• skaplun/lj-1114-ffi-pragma-pack
• skaplun/lj-1116-redzones-checks
• skaplun/lj-1117-loads-fusion
• skaplun/lj-1128-double-ir-newref-on-restore-sunk
• skaplun/lj-1132-bad-snap-refs
• skaplun/lj-1133-fwd-href-hrefk-alias
• skaplun/lj-1134-fix-link-nointegration
• skaplun/lj-1134-hotside-jit-off
• skaplun/lj-1147-fstore-null-meta
• skaplun/lj-1149-g-number-formating
• skaplun/lj-1164-record-meta-concat-varg-pcall
• skaplun/lj-1166-errors-stitching
• skaplun/lj-1169-down-rec-side
• skaplun/lj-1172-debug-handling-ref
• skaplun/lj-1173-frame-limit-lower-frame
• skaplun/lj-1194-abc-hoisting
• skaplun/lj-1203-limit-format-elements
• skaplun/lj-1224-fix-jit-cdata-arith
• skaplun/lj-1226-fix-predict-next
• skaplun/lj-1232-fix-enum-tostring
• skaplun/lj-1234-err-in-record-concat
• skaplun/lj-1244-missing-phi-carg
• skaplun/lj-1247-fin-tab-rehashing-on-trace
• skaplun/lj-1248-close-state-early-OOM
• skaplun/lj-1249-loadfile-fd-leak
• skaplun/lj-1252-missing-bit64-coercion
• skaplun/lj-1262-fix-limit-narrow-conv-backprop
• skaplun/lj-1295-bad-renames-for-sunk-values
• skaplun/lj-1298-oom-on-concat-recording
• skaplun/lj-1329-getfenv-setfenv-negative
• skaplun/lj-1345-flushing-trace-twice
• skaplun/lj-1358-jslot-overflow-uprecursion
• skaplun/lj-382-clear-stack-after-jit-status
• skaplun/lj-522-fix-dlerror-return-null
• skaplun/lj-567-1176-print-nyi-names
• skaplun/lj-611-always-snapshot-functions-for-non-base-frames
• skaplun/lj-737-snap-usedef-upvalues
• skaplun/lj-783-fix-fold-x-0
• skaplun/lj-784-cse-ref-base-over-retf
• skaplun/lj-788-limit-exponents-range
• skaplun/lj-791-fold-bufhdr-append
• skaplun/lj-792-hrefk-table-clear
• skaplun/lj-794-abc-fold-constants
• skaplun/lj-833-fold-conv-from-num
• skaplun/lj-859-math-ceil-sign
• skaplun/lj-861-1005-ffi-fixes
• skaplun/lj-9-pow-inconsistencies
• skaplun/lj-903-arm64-unused-number-sload-typecheck
• skaplun/lj-917-arm64-sload-typecheck-conversion
• skaplun/lj-918-fma-optimization
• skaplun/lj-928-1193-sanitizer-fixes
• skaplun/lj-980-load-fwd-after-table-rehash
• skaplun/lj-994-instable-pri-types
• skaplun/lj-994-load-fwd-instable-types-tdup
• skaplun/lj-noticket-err-concat-oom
• skaplun/lj-noticket-fix-slots-overflow-for-varg-record
• skaplun/lj-noticket-test-cat-fix
• skaplun/shrink-test-env
• skaplun/tarantool-integration-branch-revision
• skaplun/test-integrational-ci-3.2
• tarantool/archive/2.10
• tarantool/archive/3.0
• tarantool/archive/3.1
• tarantool/master
• tarantool/release/2.10
• tarantool/release/2.11
• tarantool/release/3.0
• tarantool/release/3.1
• tarantool/release/3.2
• tarantool/release/3.3
• tarantool/release/3.4

Build # 15492086894

Build Type

push

github

Committed by Buristan

Commit Message

Rework stack overflow handling.

Reported by pwnhacker0x18. Fixed by Peter Cawley.

(cherry picked from commit defe61a56)

In case of the Lua stack overflow error, LuaJIT restores the `L->top`
value and pushes the error message above. It is possible that the
restored value is greater than `L->maxstack`, so pushing the error
message causes dirty write out-of-bounds.

This patch prevents it by overwriting stack overflow handling machinery.
Now, in the aforementioned case, the last frame is replaced with a dummy
frame to avoid dirty writes. In some cases, there may not be enough
space on the stack to invoke the error handler. See the related changes
in the <test/LuaJIT-tests/lang/stackov.lua>.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#11278

Run Details

5710 of 6045 branches covered (94.46%)

Branch coverage included in aggregate %.

29 of 31 new or added lines in 2 files covered. (93.55%)

21793 of 23506 relevant lines covered (92.71%)

3834446.44 hits per line