openresty / luajit2

OpenResty's Branch of LuaJIT 2
https://luajit.org/luajit.html

SIGSEGV when using ffi.string with char[?] VLA #134

Closed piotrp closed 2 years ago

piotrp commented 2 years ago

Reproduction case:

  1. Save as `ffi_sigsegv.lua`:

```lua
local ffi = require "ffi"
local t_char = ffi.typeof("char[?]")  -- VLA of char, element count given at construction

for i = 1, 10000 do
  local str = "abc" .. i .. "bca"
  print(i)
  -- allocate exactly #str bytes and initialize them from the string
  ffi.string(t_char(#str, str), 1)
end

print("ok")
```

  2. Run `docker run --rm -it -v "$(pwd):/work" openresty/openresty:1.19.9.1-buster-fat bash -c 'resty /work/ffi_sigsegv.lua; echo $?'`

Run it a few times if it prints "ok"; on my system it fails nine times out of ten. I tried running it via luajit, but then I didn't manage to make it crash.

piotrp commented 2 years ago

Maybe LuaJIT tries to initialize my array with the entirety of the passed data, i.e. all characters of string str + an implicit 0x0 to terminate it? But that shouldn't be the case.

doujiang24 commented 2 years ago

Interesting, I do think it is a bug.

doujiang24 commented 2 years ago

> i.e. all characters of string str + an implicit 0x0 to terminate it?

Yes, you are right. It's indeed the behaviour of the official LuaJIT.

I found the source code here: https://github.com/LuaJIT/LuaJIT/blob/v2.1/src/lj_cconv.c#L591

I have created an issue in the official LuaJIT repo: https://github.com/LuaJIT/LuaJIT/issues/758. So, closing this issue.

Thanks for your report, it's interesting anyway.
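The thread above confirms that initializing a `char[?]` VLA from a Lua string copies every byte of the string plus its terminating NUL, so an array sized to exactly `#str` is written one byte past its end. The following is an added example, not code from the issue or from the LuaJIT project, showing the overflowing construction next to the safe idiom of reserving one extra byte; the helper names are invented for illustration.

```lua
-- Added example: sizing a char[?] VLA so the implicit NUL the string
-- initializer writes stays inside the allocation.
local ffi = require "ffi"
local t_char = ffi.typeof("char[?]")

-- Unsafe (the pattern from the report): #str bytes allocated, #str + 1 written.
local function vla_from_string_unsafe(str)
  return t_char(#str, str)
end

-- Safe: one extra element leaves room for the terminator that the
-- initializer copies. Elements past the copied bytes are zero-filled.
local function vla_from_string(str)
  local buf = t_char(#str + 1, str)
  return buf, #str  -- keep the length so callers need not rely on the NUL
end

local buf, len = vla_from_string("hello")
assert(ffi.sizeof(buf) == len + 1)       -- allocation covers string + NUL
assert(buf[len] == 0)                    -- terminator landed inside the buffer
assert(ffi.string(buf, len) == "hello")  -- explicit length, as in the report
assert(ffi.string(buf) == "hello")       -- NUL-terminated, so length is optional

-- vla_from_string_unsafe("hello") is the one-byte overwrite described in the
-- thread; whether it crashes depends on what follows the allocation, which is
-- why the report only fails intermittently.
print("ok")
```

The same applies to `ffi.new("char[?]", n, str)`, which is what `t_char(n, str)` expands to.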