LJ_GC64: Always snapshot functions for non-base frames.

Reported by Arseny Vakhrushev.
Analysis and fix contributed by Peter Cawley.

diff --git a/src/lj_record.c b/src/lj_record.c
index df4288184051aa78bd43665e1d56b0bbf6a53e07..9e41ce0562ac91f5086e02e9c8b1676690ea4665 100644 (file)
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -211,6 +211,7 @@ static TRef getcurrf(jit_State *J)
 {
   if (J->base[-1-LJ_FR2])
     return J->base[-1-LJ_FR2];
+  /* Non-base frame functions ought to be loaded already. */
   lj_assertJ(J->baseslot == 1+LJ_FR2, "bad baseslot");
   return sloadt(J, -1-LJ_FR2, IRT_FUNC, IRSLOAD_READONLY);
 }

diff --git a/src/lj_snap.c b/src/lj_snap.c
index a21894f60b110f0fe542d7404d5cbd17c5b009d4..36f815285c7d2c928335cdd4aceb73da9889ed7b 100644 (file)
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -85,8 +85,13 @@ static MSize snapshot_slots(jit_State *J, SnapEntry *map, BCReg nslots)
       IRIns *ir = &J->cur.ir[ref];
       if ((LJ_FR2 || !(sn & (SNAP_CONT|SNAP_FRAME))) &&
          ir->o == IR_SLOAD && ir->op1 == s && ref > retf) {
-       /* No need to snapshot unmodified non-inherited slots. */
-       if (!(ir->op2 & IRSLOAD_INHERIT))
+       /*
+       ** No need to snapshot unmodified non-inherited slots.
+       ** But always snapshot the function below a frame in LJ_FR2 mode.
+       */
+       if (!(ir->op2 & IRSLOAD_INHERIT) &&
+           (!LJ_FR2 || s == 0 || s+1 == nslots ||
+            !(J->slot[s+1] & (TREF_CONT|TREF_FRAME))))
          continue;
        /* No need to restore readonly slots and unmodified non-parent slots. */
        if (!(LJ_DUALNUM && (ir->op2 & IRSLOAD_CONVERT)) &&