Segmentation fault during on-trace exception handling #1034

Closed
mkokryashkin opened this issue Jul 18, 2023 · 1 comment
Comments

@mkokryashkin

On the LuaJIT 2.1 branch (8635cba at the moment), if one makes a build like this:

make -j CCDEBUG=" -g -ggdb3"

And then runs the following script:

function on_gc(t)
end;
function test_finalizers()
    local result = {}
    local i = 1
    local ffi = require('ffi')
    while true do
        result[i] = ffi.gc(ffi.cast('void *', 0), on_gc)
        i = i + 1
    end
    return "done"
end;
local ok, err = pcall(test_finalizers)
print(ok, err)
local ok, err = pcall(test_finalizers)
print(ok, err)

It results in a successfully handled pcall for the first case, and a segmentation fault for the second case:

false   test.lua:8: table overflow
[1]    416059 segmentation fault (core dumped)  ./src/luajit test.lua

Backtrace:

#0  0x000055555555e39d in err_msgv (L=L@entry=0x7ffff7c86380, em=em@entry=LJ_ERR_TABOV)
    at lj_err.c:878
#1  0x000055555555e40b in lj_err_msg (L=L@entry=0x7ffff7c86380, em=em@entry=LJ_ERR_TABOV)
    at lj_err.c:888
#2  0x0000555555581fdf in lj_tab_resize (L=0x7ffff7c86380, t=0x7ffff7c92e70, asize=0,
    hbits=<optimized out>) at lj_tab.c:239
#3  0x000055555558219c in rehashtab (L=<optimized out>, t=<optimized out>, ek=<optimized out>)
    at lj_tab.c:367
#4  0x0000555555581b1e in lj_tab_newkey (L=0x7ffff7c86380, t=0x7ffff7c92e70,
    key=0x7fffffffe228) at lj_tab.c:452
#5  0x0000555555581a65 in lj_tab_set (L=<optimized out>, t=<optimized out>,
    key=<optimized out>) at lj_tab.c:566
#6  0x00005555555a275c in lj_cdata_setfin (L=<optimized out>, cd=0x7ffe77c81928,
    obj=0x7ffff7c90020, it=4294967287) at lj_cdata.c:95
#7  0x0000555540abfed2 in ?? ()
#8  0x00007ffff7c86380 in ?? ()
#9  0x00007ffff7c86550 in ?? ()
#10 0x00007ffe77c81928 in ?? ()
#11 0x00007ffff7c90020 in ?? ()
#12 0x00007ffff7c94240 in ?? ()
#13 0x00007ffff7c86380 in ?? ()
#14 0x0000000000000000 in ?? ()

The issue seems to be the same as in #1004 -- a frame fix is required, but now for err_msgv. Proposed fix:

diff --git a/src/lj_err.c b/src/lj_err.c
index 3ee70b86..9652ef35 100644
--- a/src/lj_err.c
+++ b/src/lj_err.c
@@ -875,6 +875,10 @@ LJ_NORET LJ_NOINLINE static void err_msgv(lua_State *L, ErrMsg em, ...)
   const char *msg;
   va_list argp;
   va_start(argp, em);
+  if (LJ_HASJIT) {
+    TValue *base = tvref(G(L)->jit_base);
+    if (base) L->base = base;
+  }
   if (curr_funcisL(L)) L->top = curr_topL(L);
   msg = lj_strfmt_pushvf(L, err2msg(em), argp);
   va_end(argp);
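Review bot: this three-line restore of `L->base` from `G(L)->jit_base` is the same fixup that #1004 introduced elsewhere in lj_err.c, and the report itself names `lj_err_optype` and `lj_err_optype_call` as further error entry points that still lack it; rather than pasting the block into each function, factor it into one static helper (or perform it once on the common throw path) so that a future error routine cannot skip it. The placement is correct as written, since the following `curr_funcisL(L)` / `curr_topL(L)` both derive from `L->base` and must see the restored value, and the `if (base)` guard keeps the interpreter path (where `jit_base` is NULL) unchanged. A one-line comment at the insertion saying why `L->base` is stale here (the error is raised from compiled code, as the `?? ()` frames in the backtrace show) would make the otherwise unexplained `if (LJ_HASJIT)` block readable to the next maintainer.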

After its application the result is correct:

false   test.lua:8: table overflow
false   test.lua:4: table overflow

However, there are other places in src/lj_err.c where the same issue is possible -- lj_err_optype and lj_err_optype_call at least, and maybe I've missed some others. So it comes to mind that a better fix would possibly be a more general frame fix-up, so that we won't encounter this kind of issue again.

MikePall pushed a commit that referenced this issue Aug 13, 2023
@MikePall MikePall changed the title [Linux/x86] Segmentation fault during on-trace exception handling Segmentation fault during on-trace exception handling Aug 13, 2023
@MikePall
Member

Fixed. Thanks!

mkokryashkin pushed a commit to tarantool/luajit that referenced this issue Sep 5, 2023
Thanks to Maxim Kokryashkin. LuaJIT#1034

(cherry-picked from commit d5bbf9c)

This patch fixes the same issue with the frame as the previous
one, but now for the table overflow error in the `err_msgv`
function. The test for the problem uses the table of GC
finalizers, although they are not required to reproduce the
issue. They are only used to make the test as simple as possible.

Resolves tarantool/tarantool#562
Resolves tarantool/tarantool#8652
Part of tarantool/tarantool#8825
mkokryashkin pushed a commit to tarantool/luajit that referenced this issue Sep 5, 2023
Thanks to Maxim Kokryashkin. LuaJIT#1034

(cherry-picked from commit d5bbf9c)

This patch fixes the same issue with the frame as the previous
one, but now for the table overflow error in the `err_msgv`
function. The test for the problem uses the table of GC
finalizers, although they are not required to reproduce the
issue. They are only used to make the test as simple as possible.

Resolves tarantool/tarantool#562
Part of tarantool/tarantool#8825