FFI: Fix dangling reference to CType. Improve checks.

Reported by elmknot.

diff --git a/src/lj_crecord.c b/src/lj_crecord.c
index 3f3552a632223cd4ad15392ac3518358248d80f7..2fcc6d1c9b1396d2d36c311c6ef14a2b3d9bb8c5 100644 (file)
--- a/src/lj_crecord.c
+++ b/src/lj_crecord.c
@@ -1396,9 +1396,13 @@ void LJ_FASTCALL recff_cdata_arith(jit_State *J, RecordFFData *rd)
        if (ctype_isenum(ct->info)) ct = ctype_child(cts, ct);
        goto ok;
       } else if (ctype_isfunc(ct->info)) {
+       CTypeID id0 = i ? ctype_typeid(cts, s[0]) : 0;
        tr = emitir(IRT(IR_FLOAD, IRT_PTR), tr, IRFL_CDATA_PTR);
        ct = ctype_get(cts,
          lj_ctype_intern(cts, CTINFO(CT_PTR, CTALIGN_PTR|id), CTSIZE_PTR));
+       if (i) {
+         s[0] = ctype_get(cts, id0);  /* cts->tab may have been reallocated. */
+       }
        goto ok;
       } else {
        tr = emitir(IRT(IR_ADD, IRT_PTR), tr, lj_ir_kintp(J, sizeof(GCcdata)));

diff --git a/src/lj_ctype.c b/src/lj_ctype.c
index 7ef00521cb3cb440986fedd59858ecc5bb89f2a7..adbacaec9b426150c8b89e1906e3783970642e08 100644 (file)
--- a/src/lj_ctype.c
+++ b/src/lj_ctype.c
@@ -187,8 +187,20 @@ CTypeID lj_ctype_intern(CTState *cts, CTInfo info, CTSize size)
   }
   id = cts->top;
   if (LJ_UNLIKELY(id >= cts->sizetab)) {
+#ifdef LUAJIT_CTYPE_CHECK_ANCHOR
+    CType *ct;
+#endif
     if (id >= CTID_MAX) lj_err_msg(cts->L, LJ_ERR_TABOV);
+#ifdef LUAJIT_CTYPE_CHECK_ANCHOR
+    ct = lj_mem_newvec(cts->L, id+1, CType);
+    memcpy(ct, cts->tab, id*sizeof(CType));
+    memset(cts->tab, 0, id*sizeof(CType));
+    lj_mem_freevec(cts->g, cts->tab, cts->sizetab, CType);
+    cts->tab = ct;
+    cts->sizetab = id+1;
+#else
     lj_mem_growvec(cts->L, cts->tab, cts->sizetab, CTID_MAX, CType);
+#endif
   }
   cts->top = id+1;
   cts->tab[id].info = info;