LJ_GC64: Always snapshot functions for non-base frames.

Mike Pall · Mike Pall · commit ff1e72acead0 · 2020-08-27T18:05:32.000+02:00
Reported by Arseny Vakhrushev.
Analysis and fix contributed by Peter Cawley.
diff --git a/src/lj_record.c b/src/lj_record.c
@@ -211,6 +211,7 @@ static TRef getcurrf(jit_State *J)
 {
   if (J->base[-1-LJ_FR2])
     return J->base[-1-LJ_FR2];
+  /* Non-base frame functions ought to be loaded already. */
   lj_assertJ(J->baseslot == 1+LJ_FR2, "bad baseslot");
   return sloadt(J, -1-LJ_FR2, IRT_FUNC, IRSLOAD_READONLY);
 }
diff --git a/src/lj_snap.c b/src/lj_snap.c
@@ -85,8 +85,13 @@ static MSize snapshot_slots(jit_State *J, SnapEntry *map, BCReg nslots)
       IRIns *ir = &J->cur.ir[ref];
       if ((LJ_FR2 || !(sn & (SNAP_CONT|SNAP_FRAME))) &&
 	  ir->o == IR_SLOAD && ir->op1 == s && ref > retf) {
-	/* No need to snapshot unmodified non-inherited slots. */
-	if (!(ir->op2 & IRSLOAD_INHERIT))
+	/*
+	** No need to snapshot unmodified non-inherited slots.
+	** But always snapshot the function below a frame in LJ_FR2 mode.
+	*/
+	if (!(ir->op2 & IRSLOAD_INHERIT) &&
+	    (!LJ_FR2 || s == 0 || s+1 == nslots ||
+	     !(J->slot[s+1] & (TREF_CONT|TREF_FRAME))))
 	  continue;
 	/* No need to restore readonly slots and unmodified non-parent slots. */
 	if (!(LJ_DUALNUM && (ir->op2 & IRSLOAD_CONVERT)) &&

Original file line number	Diff line number	Diff line change
`@@ -211,6 +211,7 @@ static TRef getcurrf(jit_State *J)`
`211`	`211`	`{`
`212`	`212`	`if (J->base[-1-LJ_FR2])`
`213`	`213`	`return J->base[-1-LJ_FR2];`
	`214`	`+ /* Non-base frame functions ought to be loaded already. */`
`214`	`215`	`lj_assertJ(J->baseslot == 1+LJ_FR2, "bad baseslot");`
`215`	`216`	`return sloadt(J, -1-LJ_FR2, IRT_FUNC, IRSLOAD_READONLY);`
`216`	`217`	`}`