Patches by burii

Author: ligurio

Dockerfile

@@ -0,0 +1,40 @@
+# Use the latest Ubuntu LTS release as the base image
+FROM ubuntu:latest
+
+# Set environment variables (optional)
+ENV DEBIAN_FRONTEND=noninteractive
+
+# Update package lists and install any necessary packages
+RUN apt-get update
+RUN apt-get install -y curl
+RUN apt-get install -y bash
+RUN apt-get install -y vim
+RUN apt-get install -y make
+RUN apt-get install -y cmake
+RUN apt-get install -y clang
+RUN apt-get install -y git
+RUN apt-get install -y libicu-dev
+RUN apt-get install -y libreadline8 libreadline-dev
+RUN apt-get install -y luarocks
+RUN apt-get install -y build-essential
+RUN apt-get install -y zlib1g zlib1g-dev
+RUN apt-get install -y openssl libssl-dev
+RUN apt-get install -y liblzma-dev
+RUN apt-get install -y screen
+
+RUN git clone https://github.com/tarantool/tarantool.git
+COPY conv.patch /conv.patch
+COPY fuzzer.patch /fuzzer.patch
+WORKDIR /tarantool
+RUN CC=clang CXX=clang++ cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_FUZZER=ON -DENABLE_BACKTRACE=ON -DLUAJIT_ENABLE_GC64=ON .
+WORKDIR /tarantool/third_party/luajit
+RUN git apply /conv.patch
+WORKDIR /tarantool
+RUN git apply /fuzzer.patch
+RUN make luaL_loadbuffer_fuzzer -j4
+
+# Copy application files (if any)
+COPY .screenrc /.screenrc
+
+# Define the command to run when the container starts
+CMD ["bash"]

conv.patch

@@ -0,0 +1,50 @@
+diff --git a/src/lj_record.c b/src/lj_record.c
+index 1dd22dac..e930eba6 100644
+--- a/src/lj_record.c
++++ b/src/lj_record.c
+@@ -443,6 +448,19 @@ static void rec_for_check(jit_State *J, IRType t, int dir,
+   }
+ }
+ 
++/* Convert IR to the target number type. Used for loop indexes narrowing. */
++static TRef irconv_numtype(jit_State *J, TRef tr, IRType t)
++{
++  if (t == IRT_INT) {
++    if (!tref_isinteger(tr))
++      return emitir(IRTGI(IR_CONV), tr, IRCONV_INT_NUM|IRCONV_CHECK);
++  } else {
++    if (!tref_isnum(tr))
++      return emitir(IRTN(IR_CONV), tr, IRCONV_NUM_INT);
++  }
++  return tr;
++}
++
+ /* Record a FORL instruction. */
+ static void rec_for_loop(jit_State *J, const BCIns *fori, ScEvEntry *scev,
+ 			 int init)
+@@ -454,8 +472,8 @@ static void rec_for_loop(jit_State *J, const BCIns *fori, ScEvEntry *scev,
+ 	     (init || LJ_DUALNUM) ? lj_opt_narrow_forl(J, tv) : IRT_NUM;
+   int mode = IRSLOAD_INHERIT +
+     ((!LJ_DUALNUM || tvisint(tv) == (t == IRT_INT)) ? IRSLOAD_READONLY : 0);
+-  TRef stop = fori_arg(J, fori, ra+FORL_STOP, t, mode);
+-  TRef step = fori_arg(J, fori, ra+FORL_STEP, t, mode);
++  TRef stop = irconv_numtype(J, fori_arg(J, fori, ra+FORL_STOP, t, mode), t);
++  TRef step = irconv_numtype(J, fori_arg(J, fori, ra+FORL_STEP, t, mode), t);
+   int tc, dir = rec_for_direction(&tv[FORL_STEP]);
+   lj_assertJ(bc_op(*fori) == BC_FORI || bc_op(*fori) == BC_JFORI,
+ 	     "bad bytecode %d instead of FORI/JFORI", bc_op(*fori));
+@@ -517,13 +535,7 @@ static LoopEvent rec_for(jit_State *J, const BCIns *fori, int isforl)
+       lj_assertJ(tref_isnumber_str(tr[i]), "bad FORI argument type");
+       if (tref_isstr(tr[i]))
+ 	tr[i] = emitir(IRTG(IR_STRTO, IRT_NUM), tr[i], 0);
+-      if (t == IRT_INT) {
+-	if (!tref_isinteger(tr[i]))
+-	  tr[i] = emitir(IRTGI(IR_CONV), tr[i], IRCONV_INT_NUM|IRCONV_CHECK);
+-      } else {
+-	if (!tref_isnum(tr[i]))
+-	  tr[i] = emitir(IRTN(IR_CONV), tr[i], IRCONV_NUM_INT);
+-      }
++      tr[i] = irconv_numtype(J, tr[i], t);
+     }
+     tr[FORL_EXT] = tr[FORL_IDX];
+     stop = tr[FORL_STOP];

fuzzer.patch

@@ -0,0 +1,138 @@
+diff --git a/test/fuzz/luaL_loadbuffer/luaL_loadbuffer_fuzzer.cc b/test/fuzz/luaL_loadbuffer/luaL_loadbuffer_fuzzer.cc
+index 05fb39ceb0..24af9ae216 100644
+--- a/test/fuzz/luaL_loadbuffer/luaL_loadbuffer_fuzzer.cc
++++ b/test/fuzz/luaL_loadbuffer/luaL_loadbuffer_fuzzer.cc
+@@ -21,6 +21,74 @@ extern "C"
+ 			  << " (" << (val) * 100 / (total) << "%)" \
+ 			  << std::endl
+ 
++#define LUA_MEMORY_LIMIT_DEFAULT (2ULL * 1024 * 1024 * 1024)
++
++/**
++ * Default allocator function which is wrapped into a new one
++ * with the Lua memory limit checker.
++ */
++static lua_Alloc orig_alloc;
++/**
++ * Memory limit for LuaJIT.
++ */
++static size_t memory_limit = LUA_MEMORY_LIMIT_DEFAULT;
++/**
++ * Amount of memory used by LuaJIT.
++ */
++static size_t used;
++
++/**
++ * Lua custom memory allocation function. It extends the original
++ * one with a memory counter and a limit check.
++ */
++static void *
++alloc_with_limit(void *ud, void *ptr, size_t osize, size_t nsize)
++{
++	size_t new_used = used + nsize - osize;
++	if (new_used > memory_limit) {
++		/*
++		 * Returning NULL results in the "not enough
++		 * memory" error.
++		 */
++		return NULL;
++	}
++
++	void *result = orig_alloc(ud, ptr, osize, nsize);
++
++	if (result != NULL || nsize == 0)
++		used = new_used;
++
++	/*
++	 * Result may be NULL, in this case "not enough memory"
++	 * is raised.
++	 */
++	return result;
++}
++
++static size_t
++getgctotal(struct lua_State *L)
++{
++	return (lua_getgccount(L) * 1024ULL) + lua_gc(L, LUA_GCCOUNTB, 0);
++}
++
++static void
++lua_initalloc(struct lua_State *L)
++{
++	assert(L != NULL);
++
++	used = getgctotal(L);
++
++	void *orig_ud;
++	orig_alloc = lua_getallocf(L, &orig_ud);
++
++	assert(orig_alloc != NULL);
++
++	if (::getenv("LUA_MEMMAX"))
++		memory_limit = std::stoi(::getenv("LUA_MEMMAX"));
++
++	lua_setallocf(L, alloc_with_limit, orig_ud);
++}
++
+ struct metrics {
+ 	size_t total_num;
+ 	size_t total_num_with_errors;
+@@ -111,6 +179,7 @@ DEFINE_PROTO_FUZZER(const lua_grammar::Block &message)
+ 	if (!L)
+ 		return;
+ 
++	lua_initalloc(L);
+ 	std::string code = luajit_fuzzer::MainBlockToString(message);
+ 
+ 	if (::getenv("LPM_DUMP_NATIVE_INPUT") && code.size() != 0) {
+@@ -130,6 +199,8 @@ DEFINE_PROTO_FUZZER(const lua_grammar::Block &message)
+ 
+ 	if (luaL_loadbuffer(L, code.c_str(), code.size(), "fuzz") != LUA_OK) {
+ 		report_error(L, "luaL_loadbuffer()");
++
++		std::cout << code << std::endl;
+ 		goto end;
+ 	}
+ 
+@@ -140,8 +211,9 @@ DEFINE_PROTO_FUZZER(const lua_grammar::Block &message)
+ 	 * needed to describe Lua semantics for more interesting
+ 	 * results and fuzzer tests.
+ 	 */
+-	if (lua_pcall(L, 0, 0, 0) != LUA_OK)
++	if (lua_pcall(L, 0, 0, 0) != LUA_OK) {
+ 		report_error(L, "lua_pcall()");
++	}
+ 
+ end:
+ 	metrics.total_num++;
+diff --git a/test/fuzz/luaL_loadbuffer/serializer.cc b/test/fuzz/luaL_loadbuffer/serializer.cc
+index b029ddb8ce..72074dc941 100644
+--- a/test/fuzz/luaL_loadbuffer/serializer.cc
++++ b/test/fuzz/luaL_loadbuffer/serializer.cc
+@@ -647,7 +647,7 @@ NESTED_PROTO_TOSTRING(Args, args, FunctionCall)
+ 	case ArgsType::kTableconstructor:
+ 		return TableConstructorToString(args.tableconstructor());
+ 	case ArgsType::kStr:
+-		return "'" + ConvertToStringDefault(args.str()) + "'";
++		return "'" + ConvertToStringDefault(args.str(), true) + "'";
+ 	default:
+ 		/* For more variability. */
+ 		return TableConstructorToString(args.tableconstructor());
+@@ -982,7 +982,7 @@ PROTO_TOSTRING(Expression, expr)
+ 		return std::to_string(number);
+ 	}
+ 	case ExprType::kStr:
+-		return "'" + ConvertToStringDefault(expr.str()) + "'";
++		return "'" + ConvertToStringDefault(expr.str(), true) + "'";
+ 	case ExprType::kEllipsis:
+ 		if (GetContext().vararg_is_possible()) {
+ 			return " ... ";
+@@ -1004,7 +1004,7 @@ PROTO_TOSTRING(Expression, expr)
+ 		 * Arbitrary choice.
+ 		 * TODO: Choose "more interesting" defaults.
+ 		 */
+-		return "'" + ConvertToStringDefault(expr.str()) + "'";
++		return "'" + ConvertToStringDefault(expr.str(), true) + "'";
+ 	}
+ }
+