From 8c47c8a900df18f85aa0aebd216d162c6de35450 Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Wed, 4 Oct 2023 15:11:50 +0300
Subject: [PATCH] snap: check J->pc is within its proto bytecode

(cherry-picked from commit 5c46f47736f7609be407c88d531ecd1689d40a79)

This commit adds an assertion to ensure that the `pc` of the snapshot being made is located within the current prototype. Violation of this assertion's condition may lead to all kinds of buggy behavior on restoration from that snapshot, depending on what is located in memory at the address under `pc`.

NOTICE: This patch is only a part of the original commit, and the other part is backported in the following commit. The patch was split into two, so the test case becomes easier to implement since it can now depend on this assertion instead of memory layout.

Maxim Kokryashkin:
* added the description for the problem

Part of tarantool/tarantool#9145

Reviewed-by: Sergey Kaplun
Reviewed-by: Sergey Bronnikov
Signed-off-by: Igor Munkin
(cherry picked from commit 2cb19f51e7348c58a7714b4d372d73c6742a7853)
---
 src/lj_snap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/lj_snap.c b/src/lj_snap.c
index c3e1a535b1..3d4cb1b088 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -115,6 +115,9 @@ static MSize snapshot_framelinks(jit_State *J, SnapEntry *map, uint8_t *topslot)
 #else
 MSize f = 0;
 map[f++] = SNAP_MKPC(J->pc); /* The current PC is always the first entry. */
+ lj_assertJ(!J->pt ||
+ (J->pc >= proto_bc(J->pt) &&
+ J->pc < proto_bc(J->pt) + J->pt->sizebc), "bad snapshot PC");
 #endif
 while (frame > lim) { /* Backwards traversal of all frames above base. */
 if (frame_islua(frame)) {
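Review bot: As far as I can tell lj_assertJ is compiled out unless assertions are enabled, so a release build still stores an out-of-proto PC through `SNAP_MKPC(J->pc)` on the line just above and the restore-time misbehaviour described in the commit message is unchanged there; a short comment on the assertion would make that explicit, e.g. `/* Debug-only check: a PC outside J->pt must never reach the snapshot map. */`. The new check also lives under `#else`, so whatever the `#if` branch above the hunk records for the current PC is not covered; the message says a second part follows, which may be where that is handled. The `!J->pt` short-circuit skips the range check entirely when no prototype is current, which looks intentional but is worth naming in the same comment. snapshot_framelinks begins and ends outside this hunk.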