gh-mirror/mikepaul-LuaJIT
1
0
Fork 0
mirror of https://github.com/LuaJIT/LuaJIT.git synced 2025-02-07 15:14:08 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Fix unsinking of IR_FSTORE for NULL metatable.

Browse Source 
Reported by pwnhacker0x18. #1147
This commit is contained in:
Mike Pall 2024-01-23 18:58:52 +01:00
parent 658530562c
commit 85b4fed0b0
1 changed files with 8 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
src/lj_snap.c
View File

@ -412,6 +412,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
case IR_KNUM: return lj_ir_k64(J, IR_KNUM, ir_knum(ir)); case IR_KNUM: return lj_ir_k64(J, IR_KNUM, ir_knum(ir));
case IR_KINT64: return lj_ir_k64(J, IR_KINT64, ir_kint64(ir)); case IR_KINT64: return lj_ir_k64(J, IR_KINT64, ir_kint64(ir));
case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */ case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir)); /* Continuation. */
case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
default: lua_assert(0); return TREF_NIL; break; default: lua_assert(0); return TREF_NIL; break;
} }
} }
@ -821,9 +822,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
if (irk->o == IR_FREF) { if (irk->o == IR_FREF) {
switch (irk->op2) { switch (irk->op2) {
case IRFL_TAB_META: case IRFL_TAB_META:
snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp); if (T->ir[irs->op2].o == IR_KNULL) {
/* NOBARRIER: The table is new (marked white). */ setgcrefnull(t->metatable);
setgcref(t->metatable, obj2gco(tabV(&tmp))); } else {
snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
/* NOBARRIER: The table is new (marked white). */
setgcref(t->metatable, obj2gco(tabV(&tmp)));
}
break; break;
case IRFL_TAB_NOMM: case IRFL_TAB_NOMM:
/* Negative metamethod cache invalidated by lj_tab_set() below. */ /* Negative metamethod cache invalidated by lj_tab_set() below. */