Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Dangling CType reference in carith_checkarg() #1108

Closed
Buristan opened this issue Oct 20, 2023 · 1 comment
Closed

Dangling CType reference in carith_checkarg() #1108

Buristan opened this issue Oct 20, 2023 · 1 comment
Labels
2.0 2.1 bug FFI

Comments

@Buristan
Copy link

This issue is the follow-up for the #920 (precisely for the commit cc96ab9): it fixes the issue for the reallocation during trace recording but not for the reallocation during the metamethod call.

Reproducer for the issue:

Build LuaJIT with -DLUAJIT_CTYPE_CHECK_ANCHOR:

src/luajit -e "
local ffi = require('ffi')
ffi.cdef[[
  int malloc(void);
  int fprintf(void);
  int printf(void);
  int memset(void);
  int memcpy(void);
  int memmove(void);
  int getppid(void);
]]

local cfunc_type = ffi.metatype(ffi.typeof('struct {int a;}'), {
  __add = function(o1, o2) return o1 end
})
local test = cfunc_type(1)

-- Align cts->top.
local _ = ffi.new('struct {int a; long b; float c;}', 0)

-- Anchor table to prevent cdata objects from being collected.
local anchor = {}
local function save_new_func(func)
  anchor[#anchor + 1] = ffi.cast('void (*)(void)', func)
end
save_new_func(ffi.C.fprintf)
save_new_func(ffi.C.printf)
save_new_func(ffi.C.memset)
save_new_func(ffi.C.memcpy)
save_new_func(ffi.C.memmove)
save_new_func(ffi.C.malloc)

assert(ffi.typeinfo(127), 'cts->top >= 127')
assert(not ffi.typeinfo(128), 'cts->top < 128')

local res = test + ffi.C.getppid
"
LuaJIT ASSERT lj_cconv.c:136: lj_cconv_ct_ct: bad size for number type
Aborted (core dumped)

The fix is the same:

diff --git a/src/lj_carith.c b/src/lj_carith.c
index df5f801e..b9679ba4 100644
--- a/src/lj_carith.c
+++ b/src/lj_carith.c
@@ -44,9 +44,14 @@ static int carith_checkarg(lua_State *L, CTState *cts, CDArith *ca)
         p = (uint8_t *)cdata_getptr(p, ct->size);
         if (ctype_isref(ct->info)) ct = ctype_rawchild(cts, ct);
       } else if (ctype_isfunc(ct->info)) {
+        CTypeID id0 = i ? ctype_typeid(cts, ca->ct[0]) : 0;
         p = (uint8_t *)*(void **)p;
         ct = ctype_get(cts,
           lj_ctype_intern(cts, CTINFO(CT_PTR, CTALIGN_PTR|id), CTSIZE_PTR));
+        if (i) {
+          /* cts->tab may have been reallocated. */
+          ca->ct[0] = ctype_get(cts, id0);
+        }
       }
       if (ctype_isenum(ct->info)) ct = ctype_child(cts, ct);
       ca->ct[i] = ct;
MikePall pushed a commit that referenced this issue Oct 21, 2023
FFI: Fix dangling reference to CType in carith_checkarg().
db944b2 
Reported by Sergey Kaplun. #1108
@MikePall
Copy link
Member

Fixed. Thanks!

Brugarolas pushed a commit to Brugarolas/luajit-experimental that referenced this issue Mar 19, 2024
@zhuizhuhaomeng
FFI: Fix dangling reference to CType in carith_checkarg().
928df17 
Reported by Sergey Kaplun. LuaJIT#1108
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
2.0 2.1 bug FFI
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@MikePall @Buristan