From 7f9907b4ed0870ba64342bcc4b26cff0a94540da Mon Sep 17 00:00:00 2001
From: Mike Pall <mike>
Date: Sat, 9 Sep 2023 13:37:31 +0200
Subject: [PATCH] Add NaN check to IR_NEWREF.

Thanks to Peter Cawley. #1069
---
 src/lj_opt_fold.c |  5 ++++-
 src/lj_record.c   | 12 +++++++++---
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/lj_opt_fold.c b/src/lj_opt_fold.c
index ab158143..b437d672 100644
--- a/src/lj_opt_fold.c
+++ b/src/lj_opt_fold.c
@@ -1739,7 +1739,10 @@ LJFOLD(NE any any)
 LJFOLDF(comm_equal)
 {
   /* For non-numbers only: x == x ==> drop; x ~= x ==> fail */
-  if (fins->op1 == fins->op2 && !irt_isnum(fins->t))
+  if (fins->op1 == fins->op2 &&
+      (!irt_isnum(fins->t) ||
+       (fleft->o == IR_CONV &&  /* Converted integers cannot be NaN. */
+	(uint32_t)(fleft->op2 & IRCONV_SRCMASK) - (uint32_t)IRT_I8 <= (uint32_t)(IRT_U64 - IRT_U8))))
     return CONDFOLD(fins->o == IR_EQ);
   return fold_comm_swap(J);
 }
diff --git a/src/lj_record.c b/src/lj_record.c
index 0e14382c..dfcc3f65 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -1254,10 +1254,16 @@ TRef lj_record_idx(jit_State *J, RecordIndex *ix)
       lua_assert(!hasmm);
       if (oldv == niltvg(J2G(J))) {  /* Need to insert a new key. */
 	TRef key = ix->key;
-	if (tref_isinteger(key))  /* NEWREF needs a TValue as a key. */
+	if (tref_isinteger(key)) {  /* NEWREF needs a TValue as a key. */
 	  key = emitir(IRTN(IR_CONV), key, IRCONV_NUM_INT);
-	else if (tref_isnumber(key) && tref_isk(key) && tvismzero(&ix->keyv))
-	  key = lj_ir_knum_zero(J);  /* Canonicalize -0.0 to +0.0. */
+	} else if (tref_isnum(key)) {
+	  if (tref_isk(key)) {
+	    if (tvismzero(&ix->keyv))
+	      key = lj_ir_knum_zero(J);  /* Canonicalize -0.0 to +0.0. */
+	  } else {
+	    emitir(IRTG(IR_EQ, IRT_NUM), key, key);  /* Check for !NaN. */
+	  }
+	}
 	xref = emitir(IRT(IR_NEWREF, IRT_P32), ix->tab, key);
 	keybarrier = 0;  /* NEWREF already takes care of the key barrier. */
       }