aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorMike Pall <mike>2019-01-10 12:19:30 +0100
committerMike Pall <mike>2019-01-10 12:19:30 +0100
commit380e4409a70725df85034f02c968b6ebd7a5e513 (patch)
tree403ba18faeba7361d1496f6fb84152043ed47c37 /src
parent3404183e2387f48e3464bd79116d3e8021ca781e (diff)
downloadluajit-380e4409a70725df85034f02c968b6ebd7a5e513.tar.gz
luajit-380e4409a70725df85034f02c968b6ebd7a5e513.tar.bz2
luajit-380e4409a70725df85034f02c968b6ebd7a5e513.zip
Fix overflow of snapshot map offset.
Thanks to Yichun Zhang.
Diffstat (limited to 'src')
-rw-r--r--src/lj_jit.h10
-rw-r--r--src/lj_opt_loop.c8
-rw-r--r--src/lj_snap.c6
3 files changed, 12 insertions, 12 deletions
diff --git a/src/lj_jit.h b/src/lj_jit.h
index 3f38d289..0bc62583 100644
--- a/src/lj_jit.h
+++ b/src/lj_jit.h
@@ -163,7 +163,7 @@ typedef struct MCLink {
163 163
164/* Stack snapshot header. */ 164/* Stack snapshot header. */
165typedef struct SnapShot { 165typedef struct SnapShot {
166 uint16_t mapofs; /* Offset into snapshot map. */ 166 uint32_t mapofs; /* Offset into snapshot map. */
167 IRRef1 ref; /* First IR ref for this snapshot. */ 167 IRRef1 ref; /* First IR ref for this snapshot. */
168 uint8_t nslots; /* Number of valid slots. */ 168 uint8_t nslots; /* Number of valid slots. */
169 uint8_t topslot; /* Maximum frame extent. */ 169 uint8_t topslot; /* Maximum frame extent. */
@@ -217,14 +217,12 @@ typedef enum {
217/* Trace object. */ 217/* Trace object. */
218typedef struct GCtrace { 218typedef struct GCtrace {
219 GCHeader; 219 GCHeader;
220 uint8_t topslot; /* Top stack slot already checked to be allocated. */ 220 uint16_t nsnap; /* Number of snapshots. */
221 uint8_t linktype; /* Type of link. */
222 IRRef nins; /* Next IR instruction. Biased with REF_BIAS. */ 221 IRRef nins; /* Next IR instruction. Biased with REF_BIAS. */
223 GCRef gclist; 222 GCRef gclist;
224 IRIns *ir; /* IR instructions/constants. Biased with REF_BIAS. */ 223 IRIns *ir; /* IR instructions/constants. Biased with REF_BIAS. */
225 IRRef nk; /* Lowest IR constant. Biased with REF_BIAS. */ 224 IRRef nk; /* Lowest IR constant. Biased with REF_BIAS. */
226 uint16_t nsnap; /* Number of snapshots. */ 225 uint32_t nsnapmap; /* Number of snapshot map elements. */
227 uint16_t nsnapmap; /* Number of snapshot map elements. */
228 SnapShot *snap; /* Snapshot array. */ 226 SnapShot *snap; /* Snapshot array. */
229 SnapEntry *snapmap; /* Snapshot map. */ 227 SnapEntry *snapmap; /* Snapshot map. */
230 GCRef startpt; /* Starting prototype. */ 228 GCRef startpt; /* Starting prototype. */
@@ -241,6 +239,8 @@ typedef struct GCtrace {
241 TraceNo1 nextroot; /* Next root trace for same prototype. */ 239 TraceNo1 nextroot; /* Next root trace for same prototype. */
242 TraceNo1 nextside; /* Next side trace of same root trace. */ 240 TraceNo1 nextside; /* Next side trace of same root trace. */
243 uint8_t sinktags; /* Trace has SINK tags. */ 241 uint8_t sinktags; /* Trace has SINK tags. */
242 uint8_t topslot; /* Top stack slot already checked to be allocated. */
243 uint8_t linktype; /* Type of link. */
244 uint8_t unused1; 244 uint8_t unused1;
245#ifdef LUAJIT_USE_GDBJIT 245#ifdef LUAJIT_USE_GDBJIT
246 void *gdbjit_entry; /* GDB JIT entry. */ 246 void *gdbjit_entry; /* GDB JIT entry. */
diff --git a/src/lj_opt_loop.c b/src/lj_opt_loop.c
index 36317b34..cc881110 100644
--- a/src/lj_opt_loop.c
+++ b/src/lj_opt_loop.c
@@ -223,7 +223,7 @@ static void loop_subst_snap(jit_State *J, SnapShot *osnap,
223 } 223 }
224 J->guardemit.irt = 0; 224 J->guardemit.irt = 0;
225 /* Setup new snapshot. */ 225 /* Setup new snapshot. */
226 snap->mapofs = (uint16_t)nmapofs; 226 snap->mapofs = (uint32_t)nmapofs;
227 snap->ref = (IRRef1)J->cur.nins; 227 snap->ref = (IRRef1)J->cur.nins;
228 snap->nslots = nslots; 228 snap->nslots = nslots;
229 snap->topslot = osnap->topslot; 229 snap->topslot = osnap->topslot;
@@ -251,7 +251,7 @@ static void loop_subst_snap(jit_State *J, SnapShot *osnap,
251 nmap += nn; 251 nmap += nn;
252 while (omap < nextmap) /* Copy PC + frame links. */ 252 while (omap < nextmap) /* Copy PC + frame links. */
253 *nmap++ = *omap++; 253 *nmap++ = *omap++;
254 J->cur.nsnapmap = (uint16_t)(nmap - J->cur.snapmap); 254 J->cur.nsnapmap = (uint32_t)(nmap - J->cur.snapmap);
255} 255}
256 256
257/* Unroll loop. */ 257/* Unroll loop. */
@@ -362,7 +362,7 @@ static void loop_unroll(jit_State *J)
362 } 362 }
363 } 363 }
364 if (!irt_isguard(J->guardemit)) /* Drop redundant snapshot. */ 364 if (!irt_isguard(J->guardemit)) /* Drop redundant snapshot. */
365 J->cur.nsnapmap = (uint16_t)J->cur.snap[--J->cur.nsnap].mapofs; 365 J->cur.nsnapmap = (uint32_t)J->cur.snap[--J->cur.nsnap].mapofs;
366 lua_assert(J->cur.nsnapmap <= J->sizesnapmap); 366 lua_assert(J->cur.nsnapmap <= J->sizesnapmap);
367 *psentinel = J->cur.snapmap[J->cur.snap[0].nent]; /* Restore PC. */ 367 *psentinel = J->cur.snapmap[J->cur.snap[0].nent]; /* Restore PC. */
368 368
@@ -376,7 +376,7 @@ static void loop_undo(jit_State *J, IRRef ins, SnapNo nsnap, MSize nsnapmap)
376 SnapShot *snap = &J->cur.snap[nsnap-1]; 376 SnapShot *snap = &J->cur.snap[nsnap-1];
377 SnapEntry *map = J->cur.snapmap; 377 SnapEntry *map = J->cur.snapmap;
378 map[snap->mapofs + snap->nent] = map[J->cur.snap[0].nent]; /* Restore PC. */ 378 map[snap->mapofs + snap->nent] = map[J->cur.snap[0].nent]; /* Restore PC. */
379 J->cur.nsnapmap = (uint16_t)nsnapmap; 379 J->cur.nsnapmap = (uint32_t)nsnapmap;
380 J->cur.nsnap = nsnap; 380 J->cur.nsnap = nsnap;
381 J->guardemit.irt = 0; 381 J->guardemit.irt = 0;
382 lj_ir_rollback(J, ins); 382 lj_ir_rollback(J, ins);
diff --git a/src/lj_snap.c b/src/lj_snap.c
index e891f7a9..73f25004 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -129,12 +129,12 @@ static void snapshot_stack(jit_State *J, SnapShot *snap, MSize nsnapmap)
129 p = &J->cur.snapmap[nsnapmap]; 129 p = &J->cur.snapmap[nsnapmap];
130 nent = snapshot_slots(J, p, nslots); 130 nent = snapshot_slots(J, p, nslots);
131 snap->topslot = (uint8_t)snapshot_framelinks(J, p + nent); 131 snap->topslot = (uint8_t)snapshot_framelinks(J, p + nent);
132 snap->mapofs = (uint16_t)nsnapmap; 132 snap->mapofs = (uint32_t)nsnapmap;
133 snap->ref = (IRRef1)J->cur.nins; 133 snap->ref = (IRRef1)J->cur.nins;
134 snap->nent = (uint8_t)nent; 134 snap->nent = (uint8_t)nent;
135 snap->nslots = (uint8_t)nslots; 135 snap->nslots = (uint8_t)nslots;
136 snap->count = 0; 136 snap->count = 0;
137 J->cur.nsnapmap = (uint16_t)(nsnapmap + nent + 1 + J->framedepth); 137 J->cur.nsnapmap = (uint32_t)(nsnapmap + nent + 1 + J->framedepth);
138} 138}
139 139
140/* Add or merge a snapshot. */ 140/* Add or merge a snapshot. */
@@ -294,7 +294,7 @@ void lj_snap_shrink(jit_State *J)
294 snap->nent = (uint8_t)m; 294 snap->nent = (uint8_t)m;
295 nlim = J->cur.nsnapmap - snap->mapofs - 1; 295 nlim = J->cur.nsnapmap - snap->mapofs - 1;
296 while (n <= nlim) map[m++] = map[n++]; /* Move PC + frame links down. */ 296 while (n <= nlim) map[m++] = map[n++]; /* Move PC + frame links down. */
297 J->cur.nsnapmap = (uint16_t)(snap->mapofs + m); /* Free up space in map. */ 297 J->cur.nsnapmap = (uint32_t)(snap->mapofs + m); /* Free up space in map. */
298} 298}
299 299
300/* -- Snapshot access ----------------------------------------------------- */ 300/* -- Snapshot access ----------------------------------------------------- */
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2026-01-13 00:16:31 +0000