From 88ed9fdbbba632d174a473a0a97c914089c2916d Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sun, 10 Mar 2024 17:13:28 +0100
Subject: [PATCH 1/4] Handle stack reallocation in debug.setmetatable() and lua_setmetatable().
Thanks to Sergey Kaplun. #1172
---
 src/lj_api.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/lj_api.c b/src/lj_api.c
index 2018cb8f..d40ade30 100644
--- a/src/lj_api.c
+++ b/src/lj_api.c
@@ -975,6 +975,7 @@ LUA_API int lua_setmetatable(lua_State *L, int idx)
 /* Flush cache, since traces specialize to basemt. But not during __gc. */
 if (lj_trace_flushall(L))
 lj_err_caller(L, LJ_ERR_NOGCMM);
+ o = index2adr(L, idx); /* Stack may have been reallocated. */
 if (tvisbool(o)) {
 /* NOBARRIER: basemt is a GC root. */
 setgcref(basemt_it(g, LJ_TTRUE), obj2gco(mt));
From dda1ac273ad946387088d91039a8ae319359903d Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sun, 10 Mar 2024 17:16:41 +0100
Subject: [PATCH 2/4] FFI: Treat cdata finalizer table as a GC root.
Thanks to Sergey Bronnikov. #1168
---
 src/lj_gc.c | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/lj_gc.c b/src/lj_gc.c
index 06484f6f..9c0d6797 100644
--- a/src/lj_gc.c
+++ b/src/lj_gc.c
@@ -93,6 +93,9 @@ static void gc_mark_start(global_State *g)
 gc_markobj(g, tabref(mainthread(g)->env));
 gc_marktv(g, &g->registrytv);
 gc_mark_gcroot(g);
+#if LJ_HASFFI
+ if (ctype_ctsG(g)) gc_markobj(g, ctype_ctsG(g)->finalizer);
+#endif
 g->gc.state = GCSpropagate;
 }
 
From 302366a33853b730f1b7eb61d792abc4f84f0caa Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sun, 10 Mar 2024 17:19:29 +0100
Subject: [PATCH 3/4] Check frame size limit before returning to a lower frame.
Thanks to Sergey Kaplun. #1173
---
 src/lj_record.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/src/lj_record.c b/src/lj_record.c
index 0122105b..35e6d6e1 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
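Review bot: The refresh of `o` after `lj_trace_flushall(L)` is correct, but the comment does not say what can move the stack, so the next reader cannot tell whether any other stack-relative pointer held across that call also goes stale; `lua_setmetatable` starts and ends outside the hunk, so I cannot see whether one exists. The flush presumably reaches the trace vmevent handler, which can run Lua code and grow the stack — if that is the mechanism, record it: `o = index2adr(L, idx);  /* lj_trace_flushall() may run Lua code (vmevent) and reallocate the stack. */`. Any other `TValue *` into the stack computed before the flush and dereferenced after it would be a use-after-realloc in the same way, and the new line refreshes only `o`.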
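Review bot: `ctype_ctsG(g)` is evaluated twice on the added line and the assumption that makes the finalizer table safe to root every cycle is not written down. Hoist it and state the assumption: `CTState *cts = ctype_ctsG(g);  /* NOTE: finalizer table is expected to be weak-keyed, so rooting it must not pin registered cdata. */` followed by `if (cts) gc_markobj(g, cts->finalizer);`. If the table is not in fact weak-keyed (I cannot confirm that from this hunk), marking it as a root would keep every cdata registered with a finalizer alive indefinitely. gc_mark_start starts outside the hunk.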
@@ -749,6 +749,8 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults)
 lj_trace_err(J, LJ_TRERR_LLEAVE);
 } else if (J->needsnap) { /* Tailcalled to ff with side-effects. */
 lj_trace_err(J, LJ_TRERR_NYIRETL); /* No way to insert snapshot here. */
+ } else if (1 + pt->framesize >= LJ_MAX_JSLOTS) {
+ lj_trace_err(J, LJ_TRERR_STACKOV);
 } else { /* Return to lower frame. Guard for the target we return to. */
 TRef trpt = lj_ir_kgc(J, obj2gco(pt), IRT_PROTO);
 TRef trpc = lj_ir_kptr(J, (void *)frame_pc(frame));
From cae361187e7e1e3545353fb560c032cdace32d5f Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sun, 10 Mar 2024 17:23:21 +0100
Subject: [PATCH 4/4] Prevent down-recursion for side traces.
Thanks to Sergey Kaplun. #1169
---
 src/lj_record.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/lj_record.c b/src/lj_record.c
index 35e6d6e1..f2a06f41 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -728,7 +728,7 @@ void lj_record_ret(jit_State *J, BCReg rbase, ptrdiff_t gotresults)
 if ((pt->flags & PROTO_NOJIT))
 lj_trace_err(J, LJ_TRERR_CJITOFF);
 if (J->framedepth == 0 && J->pt && frame == J->L->base - 1) {
- if (check_downrec_unroll(J, pt)) {
+ if (!J->cur.root && check_downrec_unroll(J, pt)) {
 J->maxslot = (BCReg)(rbase + gotresults);
 lj_snap_purge(J);
 rec_stop(J, LJ_TRLINK_DOWNREC, J->cur.traceno); /* Down-recursion. */
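Review bot: The `1 +` in `1 + pt->framesize >= LJ_MAX_JSLOTS` is an unexplained adjustment, and since the branch throws `LJ_TRERR_STACKOV` a reader has to guess which extra slot it accounts for. Add a why-comment on the new branch, e.g. `} else if (1 + pt->framesize >= LJ_MAX_JSLOTS) {  /* Lower frame plus its link slot would exceed the JIT slot limit. */` — I am inferring the link-slot meaning from the surrounding frame handling, so confirm the wording before committing it. It is also worth a sentence on why `>=` rather than `>` is the right boundary, since the limit itself is rejected. lj_record_ret starts and ends outside the hunk.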
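Review bot: The new `!J->cur.root` guard excludes side traces from down-recursion without saying why, and the commit message only restates what the change does. A one-line comment would spare the next reader a trip to #1169: `if (!J->cur.root && check_downrec_unroll(J, pt)) {  /* Root traces only: a side trace must not become its own down-recursion link target. */` — I infer the reason from `rec_stop(J, LJ_TRLINK_DOWNREC, J->cur.traceno)` linking to the current trace, so verify that wording against the issue. The enclosing lj_record_ret starts and ends outside the hunk, and check_downrec_unroll is not visible here.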