LJ_GC64: Fix lua_concat().

Mike Pall · igormunkin · commit 30a9aa38f260 · 2023-11-20T13:24:04.000Z
Reported by Mathias Westerdahl. (cherry picked from commit 633f265) Lua 5.1 Reference Manual [1] defines a function `lua_concat`, that: > void lua_concat (lua_State *L, int n); > > Concatenates the n values at the top of the stack, pops them, and leaves > the result at the top. Without the patch, `lua_concat()` behaved incorrectly with userdata with the defined `__concat` metamethod. The problem is GC64-specific. Assuming we have three literals and a userdata with the defined `__concat` metamethod on top of the Lua stack: 1 [string] 2 [string] 3 [string] 4 [string] 5 [userdata] <--- top On attempt to concatenate *two* items on top of the Lua stack, `lua_concat()` concatenates *four* items and leaves the result on top of the Lua stack: 1 [string] 2 [string][string][string][userdata] <--- top The problem is in the incorrect calculation of `n` counter in the loop in the implementation of function `lua_concat`. Without the fix, `n` is equal to 3 at the end of the first iteration, and therefore it goes to the next iteration of concatenation. In the fixed implementation of `lua_concat()`, `n` is equal to 1 at the end of the first loop iteration, decremented in a loop postcondition, and breaks the loop. For details see implementation of `lj_meta_cat()` in <src/lj_meta.c>. The patch fixes incorrect behaviour. 1. https://www.lua.org/manual/5.1/manual.html Sergey Bronnikov: * added the description and the test for the problem Part of tarantool/tarantool#9145 Reviewed-by: Maxim Kokryashkin <m.kokryashkin@tarantool.org> Reviewed-by: Sergey Kaplun <skaplun@tarantool.org> Signed-off-by: Igor Munkin <imun@tarantool.org> (cherry picked from commit 3526ebb)
diff --git a/src/lj_api.c b/src/lj_api.c
@@ -801,7 +801,7 @@ LUA_API void lua_concat(lua_State *L, int n)
 	L->top -= n;
 	break;
       }
-      n -= (int)(L->top - top);
+      n -= (int)(L->top - (top - 2*LJ_FR2));
       L->top = top+2;
       jit_secure_call(L, top, 1+1);
       L->top -= 1+LJ_FR2;
diff --git a/test/tarantool-c-tests/lj-881-fix-lua-concat.test.c b/test/tarantool-c-tests/lj-881-fix-lua-concat.test.c
@@ -0,0 +1,98 @@
+#include <string.h>
+
+#include "lua.h"
+#include "lauxlib.h"
+
+#include "test.h"
+#include "utils.h"
+
+/*
+ * This test demonstrates LuaJIT's incorrect behaviour when
+ * calling `lua_concat()` with userdata with the __concat metamethod.
+ * See https://github.com/LuaJIT/LuaJIT/issues/881 for details.
+ */
+
+#define TYPE_NAME "int"
+
+#define TEST_VALUE 100
+#define TOSTR(s) #s
+#define CONCAT(A, B) A TOSTR(B)
+
+static int __concat(lua_State *L)
+{
+	const char *s = luaL_checkstring(L, 1);
+	int *n = (int *)luaL_checkudata(L, 2, TYPE_NAME);
+	/* Do non-default concatenation. */
+	lua_pushfstring(L, "%s + %d", s, *n);
+	return 1;
+}
+
+static const luaL_Reg mt[] = {
+	{ "__concat", __concat },
+	{ NULL, NULL}
+};
+
+static int lua_concat_testcase(void *test_state)
+{
+	/* Setup. */
+	lua_State *L = test_state;
+	const int top = 4;
+
+	/* Create metatable and put it to the Lua registry. */
+	luaL_newmetatable(L, TYPE_NAME);
+	/* Fill metatable. */
+	luaL_register(L, 0, mt);
+	lua_pop(L, 1);
+
+	assert_int_equal(lua_gettop(L), 0);
+
+	lua_pushliteral(L, "C");
+	lua_pushliteral(L, "B");
+	lua_pushliteral(L, "A");
+
+	int *n = (int *)lua_newuserdata(L, sizeof(*n));
+	*n = 100;
+
+	luaL_getmetatable(L, TYPE_NAME);
+	lua_setmetatable(L, -2);
+
+	assert_int_equal(lua_gettop(L), top);
+
+	/* Test body. */
+
+	/*
+	 * void lua_concat (lua_State *L, int n);
+	 *
+	 * Concatenates the n values at the top of the stack,
+	 * pops them, and leaves the result at the top. If n is 1,
+	 * the result is the single value on the stack; if n is 0,
+	 * the result is the empty string [1].
+	 *
+	 * 1. https://www.lua.org/manual/5.1/manual.html
+	 */
+
+	/* Concatenate two elements on the top. */
+	lua_concat(L, 2);
+
+	const char *str = lua_tostring(L, -1);
+	assert_int_equal(lua_gettop(L), top - 2 + 1);
+	const char expected_str[] = CONCAT("A + ", TEST_VALUE);
+	assert_str_equal(str, expected_str);
+
+	/* Teardown. */
+	lua_settop(L, 0);
+
+	return TEST_EXIT_SUCCESS;
+}
+
+int main(void)
+{
+	lua_State *L = utils_lua_init();
+	const struct test_unit tgroup[] = {
+		test_unit_def(lua_concat_testcase),
+	};
+	const int test_result = test_run_group(tgroup, L);
+	utils_lua_close(L);
+
+	return test_result;
+}

Original file line number	Diff line number	Diff line change
`@@ -801,7 +801,7 @@ LUA_API void lua_concat(lua_State *L, int n)`
`801`	`801`	`L->top -= n;`
`802`	`802`	`break;`
`803`	`803`	`}`
`804`		`- n -= (int)(L->top - top);`
	`804`	`+ n -= (int)(L->top - (top - 2*LJ_FR2));`
`805`	`805`	`L->top = top+2;`
`806`	`806`	`jit_secure_call(L, top, 1+1);`
`807`	`807`	`L->top -= 1+LJ_FR2;`