0005 CRASH detected in 0x0000555535fae567 due to a fault at or near 0x0000000000000008 leading to SIGSEGV

[pwnhacker0x18]

poc.txt

[Buristan]

Hi! I simplified the reproducer to the following:

LUA_PATH="src/?.lua;;" src/luajit -Ohotloop=1 -O-fuse -e '

local function f()
  s={nil,nil,nil,nil}
  local t = {}
  for i = 1,2 do
    if i ~= 1 then
      for i = -0,i  do
        if i ~= 0 then
          s[i]=nil
          s={}
       end
      end
    end
  end
  f()
end
f()
'

The reason is the missing ABC check for AREF (see 0019 0020) in the variant part of the loop:

0005 >  tab SLOAD  #2    T
0006    int FLOAD  0005  tab.asize
0007 >  p32 ABC    0006  0001
0008 >  p32 ABC    0006  0003
0009    p64 FLOAD  0005  tab.array
0010    p64 AREF   0009  0003
0011    tab FLOAD  0005  tab.meta
0012 >  tab EQ     0011  NULL
0013    nil ASTORE 0010  nil
....        SNAP   #3   [ ---- ---- ---- ---- ---- ---- ---- ---- 0003 0001 ---- ---- ---- ]
0014 >+ tab TNEW   #0    #0
0015  + int ADD    0003  +1
....        SNAP   #4   [ ---- ---- 0014 ---- ---- ---- ---- ---- ]
0016 >  int LE     0015  0001
....        SNAP   #5   [ ---- ---- 0014 ---- ---- ---- ---- ---- 0015 0001 ---- 0015 ]
0017 ------ LOOP ------------
....        SNAP   #6   [ ---- ---- 0014 ---- ---- ---- ---- ---- 0015 0001 ---- 0015 ]
0018 >  int NE     0015  +0
0019    p64 FLOAD  0014  tab.array
0020    p64 AREF   0019  0015
0021    nil ASTORE 0020  nil

The reason is missing PHIBARRIER for fload_tab_tnew_asize() and etc.
With the following patch, the behaviour is fixed:

diff --git a/src/lj_opt_fold.c b/src/lj_opt_fold.c
index 96780fa2..f917b479 100644
--- a/src/lj_opt_fold.c
+++ b/src/lj_opt_fold.c
@@ -2164,6 +2164,7 @@ LJFOLDF(fwd_href_tdup)
 LJFOLD(FLOAD TNEW IRFL_TAB_ASIZE)
 LJFOLDF(fload_tab_tnew_asize)
 {
+  PHIBARRIER(IR(fins->op1));
   if (LJ_LIKELY(J->flags & JIT_F_OPT_FOLD) && lj_opt_fwd_tptr(J, fins->op1))
     return INTFOLD(fleft->op1);
   return NEXTFOLD;
@@ -2172,6 +2173,7 @@ LJFOLDF(fload_tab_tnew_asize)
 LJFOLD(FLOAD TNEW IRFL_TAB_HMASK)
 LJFOLDF(fload_tab_tnew_hmask)
 {
+  PHIBARRIER(IR(fins->op1));
   if (LJ_LIKELY(J->flags & JIT_F_OPT_FOLD) && lj_opt_fwd_tptr(J, fins->op1))
     return INTFOLD((1 << fleft->op2)-1);
   return NEXTFOLD;
@@ -2180,6 +2182,7 @@ LJFOLDF(fload_tab_tnew_hmask)
 LJFOLD(FLOAD TDUP IRFL_TAB_ASIZE)
 LJFOLDF(fload_tab_tdup_asize)
 {
+  PHIBARRIER(IR(fins->op1));
   if (LJ_LIKELY(J->flags & JIT_F_OPT_FOLD) && lj_opt_fwd_tptr(J, fins->op1))
     return INTFOLD((int32_t)ir_ktab(IR(fleft->op1))->asize);
   return NEXTFOLD;
@@ -2188,6 +2191,7 @@ LJFOLDF(fload_tab_tdup_asize)
 LJFOLD(FLOAD TDUP IRFL_TAB_HMASK)
 LJFOLDF(fload_tab_tdup_hmask)
 {
+  PHIBARRIER(IR(fins->op1));
   if (LJ_LIKELY(J->flags & JIT_F_OPT_FOLD) && lj_opt_fwd_tptr(J, fins->op1))
     return INTFOLD((int32_t)ir_ktab(IR(fleft->op1))->hmask);
   return NEXTFOLD;

The loop part looks like the following after the patch:

0014 >+ tab TNEW   #0    #0
0015  + int ADD    0003  +1
....        SNAP   #4   [ ---- ---- 0014 ---- ---- ---- ---- ---- ]
0016 >  int LE     0015  0001
....        SNAP   #5   [ ---- ---- 0014 ---- ---- ---- ---- ---- 0015 0001 ---- 0015 ]
0017 ------ LOOP ------------
....        SNAP   #6   [ ---- ---- 0014 ---- ---- ---- ---- ---- 0015 0001 ---- 0015 ]
0018 >  int NE     0015  +0
....        SNAP   #7   [ ---- ---- 0014 ---- ---- ---- ---- ---- 0015 0001 ---- 0015 ]
0019    int FLOAD  0014  tab.asize
0020 >  p32 ABC    0019  0001
0021 >  p32 ABC    0019  0015
0022    p64 FLOAD  0014  tab.array
0023    p64 AREF   0022  0015
0024    nil ASTORE 0023  nil
....        SNAP   #8   [ ---- ---- 0014 ---- ---- ---- ---- ---- 0015 0001 ---- 0015 ---- ]
0025 >+ tab TNEW   #0    #0
0026  + int ADD    0015  +1
....        SNAP   #9   [ ---- ---- 0025 ---- ---- ---- ---- ---- ]
0027 >  int LE     0026  0001
0028    int PHI    0015  0026
0029    tab PHI    0014  0025
---- TRACE 2 stop -> loop

[MikePall]

IMHO the proposed fix is overreaching. It foils allocation sinking in particular.

Sorry, running out of time to further analyze this right now.