Fixed memory corruption bug with yielding from Lua code and using the LuaJIT2 VM. #21

Closed
wants to merge 1 commit into from

Conversation

Neopallium

If you turn on LUA_USE_APICHECK in LuaJIT2, then an exception will be raised in lua_settop(cc, 0) when called after the Lua code yields. I do not see any reason why lua_settop() should be called when Lua yields.

… in LuaJIT2, then an exception will be raised in lua_settop(cc, 0). I do not see any reason why lua_settop() should be called when Lua yields.
@chaoslawful
Contributor

The problem you described can't be reproduced in our environment. I checked LuaJIT2's apicheck mechanism, and found that using lua_settop(L, 0) should not cause any exceptions. Could you provide more information about your compiling environment (especially LuaJIT2.0 source revision you used) and a minimum test to reproduce it?

@Neopallium
Author

I am using super-nginx with the latest HEAD revision of LuaJIT2. The crash/api exception happens when running the /lua/ or /recur examples. Also the memory corruption doesn't seem to happen when nginx is compiled with -O1 or lower, but only with -O2 or higher. I am using gcc 4.4.5 glibc 2.12 on Linux 2.6.36.

The crash happens at: ngx_http_handler() in nginx/src/http/ngx_http_core_module.c:824. The value at r->main_conf[0] is overwritten inside a memalign() call from nginx's pool allocator (I have used the no-pool patch to remove the pool allocator to confirm the problem wasn't with the pool allocator) called at line nginx/src/http/ngx_http_request.c:436. I wasn't sure how memalign()'s internal state was being corrupted, but when I removed the lua_settop(cc, 0) call the problem disappeared (which I removed because LuaJIT2 with api check turned on was raising an exception).

Maybe the root cause of the memory corruption is from somewhere else and causing some corruption in the LuaJIT2 state.

@Neopallium
Author

I did some more testing: with nginx compiled at -O1 instead of -O2 or higher, the api check in LuaJIT2 isn't triggered when calling lua_settop(). The crash might be caused by some optimization bug in gcc. I will try compiling with LLVM's clang compiler.

@Neopallium
Author

I have now isolated the bug down to gcc's -fcaller-saves optimization. I think this optimization is incompatible/conflicting with LuaJIT2. The crash can be re-created with "-O1 -fcaller-saves". It is possible to use higher optimization levels (-O2 or even -O3) by disabling that optimization with "-fno-caller-saves". I will report this to Mike Pall.

I am closing this pull request, since the problem isn't with lua_settop(). Sorry for the noise.

This pull request was closed.