Fix overflow of snapshot map offset.

Thanks to Yichun Zhang.
Mike Pall 2019-01-10 12:19:30 +01:00
parent 3404183e23
commit 380e4409a7
3 changed files with 12 additions and 12 deletions


@ -163,7 +163,7 @@ typedef struct MCLink {
/* Stack snapshot header. */ /* Stack snapshot header. */
typedef struct SnapShot { typedef struct SnapShot {
uint16_t mapofs; /* Offset into snapshot map. */ uint32_t mapofs; /* Offset into snapshot map. */
IRRef1 ref; /* First IR ref for this snapshot. */ IRRef1 ref; /* First IR ref for this snapshot. */
uint8_t nslots; /* Number of valid slots. */ uint8_t nslots; /* Number of valid slots. */
uint8_t topslot; /* Maximum frame extent. */ uint8_t topslot; /* Maximum frame extent. */
@ -217,14 +217,12 @@ typedef enum {
/* Trace object. */ /* Trace object. */
typedef struct GCtrace { typedef struct GCtrace {
GCHeader; GCHeader;
uint8_t topslot; /* Top stack slot already checked to be allocated. */ uint16_t nsnap; /* Number of snapshots. */
uint8_t linktype; /* Type of link. */
IRRef nins; /* Next IR instruction. Biased with REF_BIAS. */ IRRef nins; /* Next IR instruction. Biased with REF_BIAS. */
GCRef gclist; GCRef gclist;
IRIns *ir; /* IR instructions/constants. Biased with REF_BIAS. */ IRIns *ir; /* IR instructions/constants. Biased with REF_BIAS. */
IRRef nk; /* Lowest IR constant. Biased with REF_BIAS. */ IRRef nk; /* Lowest IR constant. Biased with REF_BIAS. */
uint16_t nsnap; /* Number of snapshots. */ uint32_t nsnapmap; /* Number of snapshot map elements. */
uint16_t nsnapmap; /* Number of snapshot map elements. */
SnapShot *snap; /* Snapshot array. */ SnapShot *snap; /* Snapshot array. */
SnapEntry *snapmap; /* Snapshot map. */ SnapEntry *snapmap; /* Snapshot map. */
GCRef startpt; /* Starting prototype. */ GCRef startpt; /* Starting prototype. */
@ -241,6 +239,8 @@ typedef struct GCtrace {
TraceNo1 nextroot; /* Next root trace for same prototype. */ TraceNo1 nextroot; /* Next root trace for same prototype. */
TraceNo1 nextside; /* Next side trace of same root trace. */ TraceNo1 nextside; /* Next side trace of same root trace. */
uint8_t sinktags; /* Trace has SINK tags. */ uint8_t sinktags; /* Trace has SINK tags. */
uint8_t topslot; /* Top stack slot already checked to be allocated. */
uint8_t linktype; /* Type of link. */
uint8_t unused1; uint8_t unused1;
#ifdef LUAJIT_USE_GDBJIT #ifdef LUAJIT_USE_GDBJIT
void *gdbjit_entry; /* GDB JIT entry. */ void *gdbjit_entry; /* GDB JIT entry. */
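Review bot: The move of `topslot`/`linktype` to the tail of GCtrace and of `nsnap` to the slot after `GCHeader` is not explained anywhere in the hunk; it appears to be a size-preserving repack (a uint16 now sits where two uint8s were, a single uint32 `nsnapmap` where two uint16s were), but a reader who does not know that will be tempted to "tidy" the order later. A comment on the struct such as `/* Field order is chosen to keep size/alignment: nsnap packs after GCHeader, topslot/linktype at the tail. */` would pin that down. Since three fields changed offset, any code that addresses them by a hard-coded offset rather than `offsetof` (if such code exists) also needs checking. The `mapofs` comment could state what the widening fixes, e.g. `/* Offset into snapshot map (32 bit: the map can exceed 64K entries). */`.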


@ -223,7 +223,7 @@ static void loop_subst_snap(jit_State *J, SnapShot *osnap,
} }
J->guardemit.irt = 0; J->guardemit.irt = 0;
/* Setup new snapshot. */ /* Setup new snapshot. */
snap->mapofs = (uint16_t)nmapofs; snap->mapofs = (uint32_t)nmapofs;
snap->ref = (IRRef1)J->cur.nins; snap->ref = (IRRef1)J->cur.nins;
snap->nslots = nslots; snap->nslots = nslots;
snap->topslot = osnap->topslot; snap->topslot = osnap->topslot;
@ -251,7 +251,7 @@ static void loop_subst_snap(jit_State *J, SnapShot *osnap,
nmap += nn; nmap += nn;
while (omap < nextmap) /* Copy PC + frame links. */ while (omap < nextmap) /* Copy PC + frame links. */
*nmap++ = *omap++; *nmap++ = *omap++;
J->cur.nsnapmap = (uint16_t)(nmap - J->cur.snapmap); J->cur.nsnapmap = (uint32_t)(nmap - J->cur.snapmap);
} }
/* Unroll loop. */ /* Unroll loop. */
@ -362,7 +362,7 @@ static void loop_unroll(jit_State *J)
} }
} }
if (!irt_isguard(J->guardemit)) /* Drop redundant snapshot. */ if (!irt_isguard(J->guardemit)) /* Drop redundant snapshot. */
J->cur.nsnapmap = (uint16_t)J->cur.snap[--J->cur.nsnap].mapofs; J->cur.nsnapmap = (uint32_t)J->cur.snap[--J->cur.nsnap].mapofs;
lua_assert(J->cur.nsnapmap <= J->sizesnapmap); lua_assert(J->cur.nsnapmap <= J->sizesnapmap);
*psentinel = J->cur.snapmap[J->cur.snap[0].nent]; /* Restore PC. */ *psentinel = J->cur.snapmap[J->cur.snap[0].nent]; /* Restore PC. */
@ -376,7 +376,7 @@ static void loop_undo(jit_State *J, IRRef ins, SnapNo nsnap, MSize nsnapmap)
SnapShot *snap = &J->cur.snap[nsnap-1]; SnapShot *snap = &J->cur.snap[nsnap-1];
SnapEntry *map = J->cur.snapmap; SnapEntry *map = J->cur.snapmap;
map[snap->mapofs + snap->nent] = map[J->cur.snap[0].nent]; /* Restore PC. */ map[snap->mapofs + snap->nent] = map[J->cur.snap[0].nent]; /* Restore PC. */
J->cur.nsnapmap = (uint16_t)nsnapmap; J->cur.nsnapmap = (uint32_t)nsnapmap;
J->cur.nsnap = nsnap; J->cur.nsnap = nsnap;
J->guardemit.irt = 0; J->guardemit.irt = 0;
lj_ir_rollback(J, ins); lj_ir_rollback(J, ins);
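Review bot: The retyped casts at `snap->mapofs = (uint32_t)nmapofs;`, `J->cur.nsnapmap = (uint32_t)(nmap - J->cur.snapmap);` and `J->cur.nsnapmap = (uint32_t)nsnapmap;` still narrow silently, and the only bound visible in these hunks is `lua_assert(J->cur.nsnapmap <= J->sizesnapmap);`, which is compiled out of release builds. If the snapshot map is guaranteed to have been grown before the `*nmap++ = *omap++;` copy runs, that happens outside these hunks (loop_subst_snap, loop_unroll and loop_undo all begin before their hunks), so a one-line comment at the copy loop naming that invariant would make it visible here; otherwise a runtime check that aborts the trace would be the safer guard. The cast in `J->cur.nsnapmap = (uint32_t)J->cur.snap[--J->cur.nsnap].mapofs;` is now a same-type no-op after the header change and can be dropped for clarity.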


@ -129,12 +129,12 @@ static void snapshot_stack(jit_State *J, SnapShot *snap, MSize nsnapmap)
p = &J->cur.snapmap[nsnapmap]; p = &J->cur.snapmap[nsnapmap];
nent = snapshot_slots(J, p, nslots); nent = snapshot_slots(J, p, nslots);
snap->topslot = (uint8_t)snapshot_framelinks(J, p + nent); snap->topslot = (uint8_t)snapshot_framelinks(J, p + nent);
snap->mapofs = (uint16_t)nsnapmap; snap->mapofs = (uint32_t)nsnapmap;
snap->ref = (IRRef1)J->cur.nins; snap->ref = (IRRef1)J->cur.nins;
snap->nent = (uint8_t)nent; snap->nent = (uint8_t)nent;
snap->nslots = (uint8_t)nslots; snap->nslots = (uint8_t)nslots;
snap->count = 0; snap->count = 0;
J->cur.nsnapmap = (uint16_t)(nsnapmap + nent + 1 + J->framedepth); J->cur.nsnapmap = (uint32_t)(nsnapmap + nent + 1 + J->framedepth);
} }
/* Add or merge a snapshot. */ /* Add or merge a snapshot. */
@ -294,7 +294,7 @@ void lj_snap_shrink(jit_State *J)
snap->nent = (uint8_t)m; snap->nent = (uint8_t)m;
nlim = J->cur.nsnapmap - snap->mapofs - 1; nlim = J->cur.nsnapmap - snap->mapofs - 1;
while (n <= nlim) map[m++] = map[n++]; /* Move PC + frame links down. */ while (n <= nlim) map[m++] = map[n++]; /* Move PC + frame links down. */
J->cur.nsnapmap = (uint16_t)(snap->mapofs + m); /* Free up space in map. */ J->cur.nsnapmap = (uint32_t)(snap->mapofs + m); /* Free up space in map. */
} }
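Review bot: In lj_snap_shrink, `nlim = J->cur.nsnapmap - snap->mapofs - 1;` now yields a 32-bit difference, but `nlim`, `n` and `m` are declared above the hunk; if any of them is narrower than 32 bits the widening is lost at that assignment, so their declarations should be confirmed. In snapshot_stack, `J->cur.nsnapmap = (uint32_t)(nsnapmap + nent + 1 + J->framedepth);` folds `J->framedepth` (type not visible here) into the sum, and the cast would also hide a signed-to-unsigned conversion if it is signed; a short comment such as `/* framedepth is non-negative here; the cast only records the nsnapmap width. */` (wording to be confirmed against framedepth's declaration) would document that. Both enclosing functions start outside their hunks.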
/* -- Snapshot access ----------------------------------------------------- */ /* -- Snapshot access ----------------------------------------------------- */