- Subject: Re: A proposal for safe bytecode in Lua 5.2
- From: Peter Cawley <lua@...>
- Date: Mon, 18 Apr 2011 16:57:08 +0100
On Mon, Apr 18, 2011 at 4:29 PM, Roberto Ierusalimschy
<roberto@inf.puc-rio.br> wrote:
>> > Nevertheless, it seems interesting enough to deserve some support. We
>> > could do the small changes and add appropriate macros so that users
>> > could compile Lua with your verifier without having to change any
>> > source.
>
> And what macros would you need? Only at LoadFunction and OP_SETLIST?
The diff of changes is below. There are:
* The changes to the table in lopcodes.
* The changes to lparser.c to ensure that non-locals are never
upvalues, and that locals are never holding garbage.
* The non-negativity check in lundump.c.
* The calling of the verifier; I've gone for a single call after the
entire undumping process at the end of luaU_undump, rather than
verifying each function as it is undumped.
* The runtime check for OP_SETLIST.
diff -purN lua-5.2.0-alpha/src/lopcodes.c lua-5.2.0-alpha-bv/src/lopcodes.c
--- lua-5.2.0-alpha/src/lopcodes.c Wed Oct 13 17:45:54 2010
+++ lua-5.2.0-alpha-bv/src/lopcodes.c Sat Mar 26 11:58:41 2011
@@ -65,7 +65,7 @@ LUAI_DDEF const lu_byte luaP_opmodes[NUM
opmode(0, 1, OpArgR, OpArgN, iABC) /* OP_MOVE */
,opmode(0, 1, OpArgK, OpArgN, iABx) /* OP_LOADK */
,opmode(0, 1, OpArgU, OpArgU, iABC) /* OP_LOADBOOL */
- ,opmode(0, 1, OpArgR, OpArgN, iABC) /* OP_LOADNIL */
+ ,opmode(0, 1, OpArgU, OpArgN, iABC) /* OP_LOADNIL */
,opmode(0, 1, OpArgU, OpArgN, iABC) /* OP_GETUPVAL */
,opmode(0, 1, OpArgU, OpArgK, iABC) /* OP_GETTABUP */
,opmode(0, 1, OpArgR, OpArgK, iABC) /* OP_GETTABLE */
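Review bot: The opmode edits here (OP_LOADNIL, B: OpArgR → OpArgU) and in the next hunk (OP_TEST, A flag cleared and B: OpArgR → OpArgN) change what the `RB` macro's `check_exp(getBMode(...) == OpArgR, ...)` at the top of lvm.c accepts, so any execute case that still reads B through `RB` for these two opcodes would now trip that assertion in checked builds; that should be confirmed and stated in the message. Since this table is also the data the verifier consumes, the reason for each mode belongs next to it, e.g. `/* OP_LOADNIL: B is a register count, not a register */` and `/* OP_TEST: B unused; does not write R(A) */`. The second comment is inferred from the new flag values, not from anything else on the page.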
@@ -88,7 +88,7 @@ LUAI_DDEF const lu_byte luaP_opmodes[NUM
,opmode(1, 0, OpArgK, OpArgK, iABC) /* OP_EQ */
,opmode(1, 0, OpArgK, OpArgK, iABC) /* OP_LT */
,opmode(1, 0, OpArgK, OpArgK, iABC) /* OP_LE */
- ,opmode(1, 1, OpArgR, OpArgU, iABC) /* OP_TEST */
+ ,opmode(1, 0, OpArgN, OpArgU, iABC) /* OP_TEST */
,opmode(1, 1, OpArgR, OpArgU, iABC) /* OP_TESTSET */
,opmode(0, 1, OpArgU, OpArgU, iABC) /* OP_CALL */
,opmode(0, 1, OpArgU, OpArgU, iABC) /* OP_TAILCALL */
diff -purN lua-5.2.0-alpha/src/lparser.c lua-5.2.0-alpha-bv/src/lparser.c
--- lua-5.2.0-alpha/src/lparser.c Tue Sep 7 20:21:39 2010
+++ lua-5.2.0-alpha-bv/src/lparser.c Fri Mar 25 14:30:42 2011
@@ -341,9 +341,9 @@ static void enterblock (FuncState *fs, B
static void leaveblock (FuncState *fs) {
BlockCnt *bl = fs->bl;
fs->bl = bl->previous;
- removevars(fs, bl->nactvar);
if (bl->upval)
luaK_codeABC(fs, OP_CLOSE, bl->nactvar, 0, 0);
+ removevars(fs, bl->nactvar);
/* a block either controls scope or breaks (never both) */
lua_assert(!bl->isbreakable || !bl->upval);
lua_assert(bl->nactvar == fs->nactvar);
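Review bot: Moving `removevars(fs, bl->nactvar);` below the OP_CLOSE emission changes the recorded endpc of the block's locals (removevars stamps endpc with the current pc), so the CLOSE instruction now falls inside their live range; nothing in the hunk says that this is the intent, although it matches the "non-locals are never upvalues" goal in the message. A one-line comment would carry it: `/* emit OP_CLOSE before removing vars, so the close only names live locals */`. The rest of leaveblock is outside the hunk.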
@@ -1249,6 +1249,7 @@ static void localfunc (LexState *ls) {
adjustlocalvars(ls, 1);
body(ls, &b, 0, ls->linenumber);
luaK_storevar(fs, &v, &b);
+ getlocvar(fs, fs->nactvar - 1)->startpc = fs->pc;
}
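Review bot: The added `getlocvar(fs, fs->nactvar - 1)->startpc = fs->pc;` overwrites the startpc that `adjustlocalvars(ls, 1)` set before `body` was compiled, so the local's range only begins once `luaK_storevar` has filled its register, and the `fs->nactvar - 1` index is only right because exactly one variable was activated just above. A comment should record both: `/* local was activated before body(); start its range after the store so it never covers an unset register */`. A presumable side effect worth a sentence in the message is that the debug API will no longer report this local while the closure instruction itself executes. localfunc begins outside the hunk.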
diff -purN lua-5.2.0-alpha/src/lundump.c lua-5.2.0-alpha-bv/src/lundump.c
--- lua-5.2.0-alpha/src/lundump.c Tue Oct 26 01:23:46 2010
+++ lua-5.2.0-alpha-bv/src/lundump.c Wed Mar 23 20:08:21 2011
@@ -54,6 +54,7 @@ static int LoadInt(LoadState* S)
{
int x;
LoadVar(S,x);
+ if (x < 0) error(S,"corrupted");
return x;
}
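Review bot: The new `if (x < 0) error(S,"corrupted");` makes every count, size and pc read through LoadInt non-negative, but it does not bound them, so callers that size allocations from these values still depend on their own limit and overflow checks; a comment stating that this is a sign-only guard would stop readers from assuming more: `/* sizes, counts and pcs are never negative; range checks are left to the callers and the verifier */`. The line also assumes `error` does not return, otherwise the following `return x` hands back the negative value; that matches how lundump's `error` is used elsewhere, but is worth confirming.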
@@ -209,7 +210,7 @@ Proto* luaU_undump (lua_State* L, ZIO* Z
S.Z=Z;
S.b=buff;
LoadHeader(&S);
- return LoadFunction(&S);
+ return luaU_verify(L, buff, LoadFunction(&S));
}
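Review bot: `return luaU_verify(L, buff, LoadFunction(&S));` uses the verifier's return value directly as the chunk's Proto, so luaU_verify's failure path must be a throw on the same path undump errors take, never a NULL return, or the caller receives a NULL proto with no error raised; that contract is not visible here. The purpose of passing `buff` to the verifier is also unstated (presumably scratch space reused from undump). A comment above the line would settle both, if this is indeed the contract: `/* verify the whole proto tree once loaded; luaU_verify throws on malformed bytecode and otherwise returns its argument */`.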
/* data to catch conversion errors */
diff -purN lua-5.2.0-alpha/src/lundump.h lua-5.2.0-alpha-bv/src/lundump.h
--- lua-5.2.0-alpha/src/lundump.h Tue Oct 26 01:23:46 2010
+++ lua-5.2.0-alpha-bv/src/lundump.h Sun Mar 20 16:15:39 2011
@@ -13,6 +13,8 @@
/* load one chunk; from lundump.c */
LUAI_FUNC Proto* luaU_undump (lua_State* L, ZIO* Z, Mbuffer* buff,
const char* name);
+LUAI_FUNC Proto* luaU_verify (lua_State* L, Mbuffer* buff, Proto* proto);
+
/* make header; from lundump.c */
LUAI_FUNC void luaU_header (char* h);
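Review bot: The new declaration `LUAI_FUNC Proto* luaU_verify (lua_State* L, Mbuffer* buff, Proto* proto);` is the only one in this header without the `/* ...; from <file> */` comment its neighbours carry, and it is the place callers will look for the contract. Add a comment in the same style, naming the verifier's source file, what `buff` is used for, and the failure behaviour (throw vs. return), e.g. `/* verify a loaded chunk and its nested functions; from <verifier source file> */` with the file name filled in.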
diff -purN lua-5.2.0-alpha/src/lvm.c lua-5.2.0-alpha-bv/src/lvm.c
--- lua-5.2.0-alpha/src/lvm.c Fri Oct 29 18:52:46 2010
+++ lua-5.2.0-alpha-bv/src/lvm.c Wed Mar 23 14:35:39 2011
@@ -454,6 +454,8 @@ void luaV_finishOp (lua_State *L) {
** some macros for common tasks in `luaV_execute'
*/
+#define runtime_check(L, c) { if (!(c)) break; }
+
#define RA(i) (base+GETARG_A(i))
/* to be used after possible stack reallocation */
#define RB(i) check_exp(getBMode(GET_OPCODE(i)) == OpArgR, base+GETARG_B(i))
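Review bot: `runtime_check` fails by `break`ing out of the enclosing case, which turns a failed check into a silently skipped instruction rather than a reported error; for a check that exists to catch bytecode the verifier could not prove safe (its only use is the OP_SETLIST hunk below), raising an error (`luaG_runerror`) would make the corruption visible instead of hidden, and the unused `L` parameter suggests that was the intent. If the silent skip is deliberate, the macro needs a comment saying so, and also why it is not wrapped in `do { } while (0)` — that form would swallow the `break`: `/* not do{}while(0): the break must leave the opcode switch in luaV_execute */`, assuming the dispatch is still a switch in this version.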
@@ -759,6 +761,7 @@ void luaV_execute (lua_State *L) {
lua_assert(GET_OPCODE(*ci->u.l.savedpc) == OP_EXTRAARG);
c = GETARG_Ax(*ci->u.l.savedpc++);
}
+ runtime_check(L, ttistable(ra));
h = hvalue(ra);
last = ((c-1)*LFIELDS_PER_FLUSH) + n;
if (last > h->sizearray) /* needs more space? */
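Review bot: The added `runtime_check(L, ttistable(ra));` sits after `c` has been pulled from the following OP_EXTRAARG (the `savedpc++` two lines above), so a failed check appears to skip the full two-word instruction and resume at the right pc; that ordering is load-bearing and deserves a comment: `/* after EXTRAARG is consumed, so a failed check skips the whole instruction */`. The comment should also say why a runtime check is needed at all when bytecode is verified — presumably the verifier cannot prove statically that R(A) still holds a table here. The OP_SETLIST case starts before the hunk and continues after it.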