4 changes: 2 additions & 2 deletions CITATION.cff
Expand Up @@ -14,8 +14,8 @@ abstract: >-
continuous fuzzing for Lua runtimes: PUC Rio Lua and LuaJIT.
It aims to make these open-source software more secure and
stable by combining modern fuzzing techniques with scalable,
distributed execution. As of August 2024, lua-c-api-tests has
helped identify and fix 5 bugs in PUC Rio Lua, 23 bugs in
distributed execution. As of April 2025, the project has
helped identify and fix 5 bugs in PUC Rio Lua, 26 bugs in
LuaJIT, and 4 bugs in Tarantool.
type: software
repository-code: "https://github.com/ligurio/lua-c-api-tests"
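Review bot: The PUC Rio Lua count is left at 5 in the new abstract text ("helped identify and fix 5 bugs in PUC Rio Lua, 26 bugs in LuaJIT") even though the TROPHIES.md hunk in this same change adds a new PUC Rio Lua entry (the `lgc.c:freeobj()` assertion); either the count should become 6 or the abstract should say which trophies it counts. The LuaJIT figure going from 23 to 26 does line up with the three LuaJIT entries (#1345, #1353, #1358) added below, so the PUC Rio Lua number looks like the one that was missed.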
46 changes: 46 additions & 0 deletions README.md
Expand Up @@ -66,6 +66,52 @@ cd build && RUNS=100000 ctest -R luaL_gsub_test --verbose
- [Lua 5.2 Reference Manual: 4 – The Application Program Interface](https://www.lua.org/manual/5.2/manual.html#4)
- [Lua 5.1 Reference Manual: 3 – The Application Program Interface](https://www.lua.org/manual/5.1/manual.html#3)

### Known Issues

Fuzzing can find a wide variety of problems, but not all problems
are considered bugs. Some problems are due to known limitations in
the implementation. This section contains a list of such
limitations in LuaJIT and PUC Rio Lua:

1. In LuaJIT, the build infrastructure includes a source code that
contains memory leaks and other problems. For example,
`src/host/buildvm.c` and `src/host/minilua.c`, these files are
only used during the LuaJIT build process, and they are not
a part of the LuaJIT itself. Memory leaks are suppressed in
AddressSanitizer with a function `__lsan_is_turned_off()` that
disallows leak checking for the program it is linked into.
1. In LuaJIT a function `lj_str_new()` may read past a buffer end
(so-called "dirty" read) and that's ok. Suppressed in
AddressSanitizer with `__attribute__((no_sanitize_address))`.
1. In LuaJIT, bytecode input is unsafe, see [LuaJIT#847][LuaJIT#847]
and [LuaJIT FAQ][LuaJIT FAQ]. The string "mode" controls
whether the chunk can be text or binary (that is, a precompiled
chunk). It may be the string "b" (only binary chunks),
"t" (only text chunks), or "bt" (both binary and text). The
default is "bt". PUC Rio Lua and LuaJIT both have bytecode and
Lua source code parsers. It is desired to test both
parsers; however, the LuaJIT bytecode parser failed with the
assertion: LuaJIT ASSERT `lj_bcread.c:123: bcread_byte: buffer
read overflow`, so with LuaJIT only text mode is used, and
therefore only the text parser is tested.
1. The `debug` library is defined as unsafe. There are tons of ways
to produce a crash with it. This library provides the functionality
of the debug interface to Lua programs. Several of its functions
violate basic assumptions about Lua code and therefore can
compromise otherwise secure code. See [LuaJIT#1264][LuaJIT#1264]
and [Lua 5.4 Reference Manual][refmanual54]. The `debug`
functions is not a subject of testing and these functions are
used carefully.
1. In LuaJIT there are a number of places with undefined behavior
("nonnull-attribute", "signed-integer-overflow", "bounds").
These problems remain unfixed and suppressed in
UndefinedBehavior Sanitizer.

[LuaJIT#847]: https://github.com/LuaJIT/LuaJIT/issues/847
[LuaJIT#1264]: https://github.com/LuaJIT/LuaJIT/issues/1264
[LuaJIT FAQ]: https://luajit.org/faq.html#sandbox
[refmanual54]: https://www.lua.org/manual/5.4/manual.html#6.10

### License

Copyright (C) 2022-2025 [Sergey Bronnikov](https://bronevichok.ru/),
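Review bot: Item 3 of the new "Known Issues" list explains the "mode" string ("b", "t", "bt") without naming the API whose argument it is, so a reader cannot tell which call the tests pass "t" to; name the loader function that takes the mode in the sentence "The string "mode" controls whether the chunk can be text or binary". Item 2 states that the `lj_str_new()` read past the buffer end "is ok" but gives no reason; one sentence on why the dirty read cannot fault (and why `__attribute__((no_sanitize_address))` is the right suppression rather than a fix) would make the suppression reviewable later. Item 5 should also say how the UBSan suppressions are applied (suppression file versus per-function attribute), since the earlier items do so for ASan. Grammar nits in the same hunk: "includes a source code that contains" should be "includes source code that contains"; "these files are only used during" starts a run-on after the file list and reads better as a new sentence; "The `debug` functions is not a subject of testing" should be "The `debug` functions are not a subject of testing".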
16 changes: 14 additions & 2 deletions TROPHIES.md
Expand Up @@ -10,10 +10,16 @@
https://marc.info/?l=lua-l&m=170274071304413&w=2
https://github.com/lua/lua/commit/5853c37a83ec66ccb45094f9aeac23dfdbcde671
1. "heap-use-after-free" issue in `luaV_finishget`,
https://groups.google.com/g/lua-l/c/s2hBcf8aLIU
https://groups.google.com/g/lua-l/c/s2hBcf8aLIU,
https://oss-fuzz.com/testcase-detail/5350818532360192,
https://github.com/lua/lua/commit/88a50ffa715483e7187c0d7d6caaf708ebacf756
1. Assertion in `luaK_codeABCk`,
https://groups.google.com/g/lua-l/c/H0Iq-eAig94
https://groups.google.com/g/lua-l/c/H0Iq-eAig94,
https://oss-fuzz.com/testcase-detail/5166379907481600
1. An assertion is triggered in `lgc.c:freeobj()`,
https://groups.google.com/g/lua-l/c/CCpPLX1ug3A,
https://oss-fuzz.com/testcase-detail/6073198411579392,
https://github.com/lua/lua/commit/f9e35627ed26dff4114a1d01ff113d8b4cc91ab5

### LuaJIT

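Review bot: The `luaK_codeABCk` entry now carries the mailing-list and OSS-Fuzz links but still no fix commit, while the `luaV_finishget` entry beside it and the new `lgc.c:freeobj()` entry both end with a github.com/lua/lua commit link; if the assertion has been fixed upstream, add the commit so every PUC Rio Lua trophy records where it was resolved. The new `lgc.c:freeobj()` item also departs from the naming style of its neighbours, which give only the function name in backticks; `freeobj()` with the file mentioned in prose (or dropped) would match.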
Expand Down Expand Up @@ -72,6 +78,12 @@
https://github.com/LuaJIT/LuaJIT/issues/1164
1. Incorrect narrowing for huge numbers,
https://github.com/LuaJIT/LuaJIT/issues/1236
1. Assertion failure when flushing already flushed trace,
https://github.com/LuaJIT/LuaJIT/issues/1345
1. Read from already collected string data in case of the error in loadfile,
https://github.com/LuaJIT/LuaJIT/issues/1353
1. JIT slots overflow for side-trace after up-recursion,
https://github.com/LuaJIT/LuaJIT/issues/1358

### Tarantool

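Review bot: The wording of the #1353 entry, "Read from already collected string data in case of the error in loadfile", is hard to parse; "Read from already-collected string data when loadfile raises an error" says the same thing. The three added LuaJIT items (#1345, #1353, #1358) link only to the issue tracker, unlike the PUC Rio Lua section which links the fixing commit; where a fix has landed, adding the commit keeps the two sections comparable. The count of added entries here matches the 23 to 26 change in CITATION.cff.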