From: David Meyer
Subject: [Libjit] jump table corruption
Date: Wed, 22 Nov 2017 08:48:47 +0000
I tracked the problem to a subtle space allocation problem in JIT_OP_JUMP_TABLE in jit-rules-x86-64.ins. The code checks to ensure it has 64 bytes of space on entry, but this space can be used up by the call to _jit_gen_alloc (which reduces gen->mem_limit), causing the subsequent instruction insertions to be
written past gen->mem_limit. This fixes the problem: diff --git a/jit/jit-rules-x86-64.ins b/jit/jit-rules-x86-64.ins index b97a6d6..258653f 100644 --- a/jit/jit-rules-x86-64.ins +++ b/jit/jit-rules-x86-64.ins @@ -3307,7 +3307,7 @@ JIT_OP_JUMP_TABLE: ternary, branch labels = (jit_label_t *) $2; num_labels = $3; - + _jit_gen_check_space(gen, 64 + sizeof(void *) * $3); patch_jump_table = (unsigned char *)_jit_gen_alloc(gen, sizeof(void *) * $3); if(!patch_jump_table) { |
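Review bot: the new `_jit_gen_check_space` call is placed correctly before `_jit_gen_alloc`, but the hunk documents neither the 64 nor why the check has to precede the allocation; a one-line comment stating that `_jit_gen_alloc` lowers `gen->mem_limit` and that 64 is the upper bound on the instruction bytes emitted for the jump table afterwards would spare the next reader the investigation described in this mail. Two smaller points: `num_labels` is assigned from `$3` on the line just above, so `sizeof(void *) * num_labels` would read better than repeating `$3` (the existing `_jit_gen_alloc` call has the same repetition); and if the 64-byte check on entry mentioned in the mail is still present, it is now subsumed by this one and could be dropped.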
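As an added illustration (not libjit's code or the poster's), a toy model of the two-ended code cache the mail describes: instruction bytes grow up from ptr, data such as the jump table is carved down from mem_limit, so a 64-byte check taken before the table allocation no longer holds afterwards. The names gencode, gen_check_space, gen_alloc and gen_emit are assumed stand-ins for libjit's, and the cache page is a constructed buffer.

```c
#include <stddef.h>
#include <string.h>

#define CACHE_MAX 256

/* Toy model of a libjit-style code cache (illustration only, not libjit code):
 * instruction bytes are emitted upward from ptr, while data such as a jump
 * table is carved downward from mem_limit, so every data allocation shrinks
 * the space an earlier instruction-space check was measured against. */
typedef struct {
    unsigned char *ptr;        /* next instruction byte to write */
    unsigned char *mem_limit;  /* top of usable space, lowered by gen_alloc */
} gencode;

static unsigned char cache[CACHE_MAX];   /* constructed sample cache page */
static size_t gen_free(const gencode *g) { return (size_t)(g->mem_limit - g->ptr); }

/* Counterpart of _jit_gen_check_space: 1 if n bytes fit below mem_limit. */
static int gen_check_space(const gencode *g, size_t n) { return gen_free(g) >= n; }

/* Counterpart of _jit_gen_alloc: take n bytes from the top, lowering mem_limit. */
static void *gen_alloc(gencode *g, size_t n) {
    if (gen_free(g) < n) return NULL;
    g->mem_limit -= n;
    return g->mem_limit;
}

/* Emit n instruction bytes. The real emitter writes blindly; here the write is
 * refused (return 0) when it would cross mem_limit and clobber the table. */
static int gen_emit(gencode *g, size_t n) {
    if (gen_free(g) < n) return 0;
    memset(g->ptr, 0x90, n);   /* placeholder opcode bytes */
    g->ptr += n;
    return 1;
}

/* JUMP_TABLE sequence on a cache of cache_size bytes. fixed == 0 is the
 * original order (check 64, allocate table, emit); fixed == 1 checks for
 * 64 + table first. Returns 1 = emitted safely, 0 = instruction bytes would
 * overrun into the jump table, -1 = check failed (a fresh page is needed). */
static int emit_jump_table(size_t cache_size, size_t num_labels, size_t insn_bytes, int fixed) {
    if (cache_size > CACHE_MAX) cache_size = CACHE_MAX;
    gencode g = { cache, cache + cache_size };
    size_t table = sizeof(void *) * num_labels;
    if (!gen_check_space(&g, fixed ? 64 + table : 64)) return -1;
    if (!gen_alloc(&g, table)) return -1;
    return gen_emit(&g, insn_bytes);
}
```

With a 90-byte page, 8 labels and the full 64 instruction bytes, the original order passes its check and then overruns into the table, while the fixed order refuses up front; on a 200-byte page the fixed order emits cleanly.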