Created attachment 155642 [details] lua-makeseed.diff When hashing strings into tables, Lua 5.2 uses a semi-random hash seed, which is obtained from a mixture of 'time()' and a few global addresses (in hope that ASLR would randomize those). See the 'makeseed' function in 'src/lstate.c' for how it's done. Since we don't have ASLR, the resulting seed depends only on time(), which means it can only change once a second, instead of at every execution. I think this randomization was meant as a way to prevent DoS attacks based on hash table collisions (I'm not sure if it's effective, since the random seed is only computed once at startup). In any case, the biggest effect this has for me is that performance of various code parts depends on the ordering of table keys (and thus, on the seed), but you only get one seed per second, so running microbenchmarks suddenly becomes a problem. Now, 'src/lstate.c' provides a way for us to supply a better seed: we just need to redefine 'luai_makeseed' (by default it's just a 'time()' call). The attached patch changes 'luai_makeseed' into an 'arc4random()' call for both lang/lua52 and lang/lua53 (lua51 doesn't seem to have an equivalent randomization). Note that defining __BSD_VISIBLE is only really needed for lua53, since it defines _XOPEN_SOURCE somewhere above, and without __BSD_VISIBLE 'arc4random' prototype is not visible with just a 'stdlib.h' include.
this would have to be validated by upstream first imho
The upstream accepts no patches, certainly not the unportable ones... Would you like me to to go lua-l and ask if it's OK to change 'time()' into 'arc4random()' on FreeBSD?
Maybe that's the right thing to do? Let's see what feedback you get.
Hi, Any update on this?
Created attachment 164875 [details] lua-arc4random.diff The update is that the upstream doesn't mind [1]. Also, based on their suggestions, here's a new (less intrusive) patch. Note that the new patch fixes what seems to be a mistake in lang/lua53/files/patch-src__Makefile: currently that file changes "CFLAGS= ..." into "CFLAGS?= ...", which makes it so that the "..." part is ignored, and the "MYCFLAGS" variable defined from lang/lua53/Makefile is never used. Note that the equivalent patch for lua52 (lang/lua53/files/patch-src__Makefile) does not add the "?", which is the correct way to do things. [1] http://article.gmane.org/gmane.comp.lang.lua.general/120118
Since upstream seems to have no problem with this, are there any other outstanding objections preventing this from being committed?
Perhaps the new maintainer should be aware of this! Russell, what do you think?
(I'll get this in)
Hi, Would this be a ports option or are you proposing a straight patch? Will you be posting something on phabricator, or shall I take a crack at it?
Hi, I've started a port for Lua 5.4 and mentioned this patch. Please speak up on the review if you have interest in this patch going in. If it does, I'll also apply it to 5.3. https://reviews.freebsd.org/D14709
lua54 in ports now with this issue fixed.