From 47822655d478d0b07e6508ba0e966d346751f9fe Mon Sep 17 00:00:00 2001
From: Luke Gorrie
Date: Thu, 9 Aug 2018 08:30:58 +0000
Subject: [PATCH] Fix allocation/deallocation of T->szirmcode

This array was allocated too large (padded to REF_BASE) and was not freed.
---
 src/lj_asm.c | 5 +++--
 src/lj_trace.c | 1 +
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/lj_asm.c b/src/lj_asm.c
index b51cf229cc..3fa9a2e498 100644
--- a/src/lj_asm.c
+++ b/src/lj_asm.c
@@ -2003,8 +2003,9 @@ void lj_asm_trace(jit_State *J, GCtrace *T)
 as->parent = J->parent ? traceref(J, J->parent) : NULL;
 
 /* Initialize mcode size of IR instructions array. */
- T->szirmcode = lj_mem_new(J->L, (T->nins + 1) * sizeof(*T->szirmcode));
- memset(T->szirmcode, 0, (T->nins + 1) * sizeof(*T->szirmcode));
+ /* +2 extra spaces for the last instruction and the trace header at [0]. */
+ T->szirmcode = lj_mem_new(J->L, (T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode));
+ memset(T->szirmcode, 0, (T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode));
 
 /* Reserve MCode memory. */
 as->mctop = origtop = lj_mcode_reserve(J, &as->mcbot);
diff --git a/src/lj_trace.c b/src/lj_trace.c
index d9809c7845..316dc40772 100644
--- a/src/lj_trace.c
+++ b/src/lj_trace.c
@@ -136,6 +136,7 @@ void lj_trace_free(global_State *g, GCtrace *T)
 lj_gdbjit_deltrace(J, T);
 setgcrefnull(J->trace[T->traceno]);
 }
+ lj_mem_free(g, T->szirmcode, (T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode));
 lj_mem_free(g, T, ((sizeof(GCtrace)+7)&~7) + (T->nins-T->nk)*sizeof(IRIns) + T->nsnap*sizeof(SnapShot) + T->nsnapmap*sizeof(SnapEntry));
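Review bot: The buffer allocated on the new `T->szirmcode = lj_mem_new(...)` line has no release path on the page if assembly does not complete: lj_asm_trace continues well past this hunk, and trace errors in LuaJIT unwind with a longjmp, so an abort after this point would leak the array unless the abort path frees it or the allocation moves to where the trace is persisted — confirm against the abort handling, which is not visible here. The size expression `(T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode)` is now spelled out three times, twice here and once in the lj_trace.c hunk, and the free in lj_trace_free is only correct while all three agree and `T->nins` is unchanged between this allocation and the free; if the assembler appends IR after this line that assumption silently breaks. A single helper next to the field declaration, e.g. `#define szirmcode_size(T) (((T)->nins + 2 - REF_BIAS) * sizeof(*(T)->szirmcode))`, used at all three sites would keep the allocation and free provably paired. lj_asm_trace's body starts and ends outside the hunk.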
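Review bot: The added `lj_mem_free(g, T->szirmcode, ...)` line depends on an invariant the function does not state: every GCtrace reaching lj_trace_free must already have `szirmcode` allocated by lj_asm_trace, since a trace freed without it would hand an unset pointer and a non-zero size to the allocator, and if lj_mem_free adjusts GC accounting by the size as upstream LuaJIT does, even a NULL pointer would skew that accounting. A one-line comment makes the pairing explicit for the next maintainer: `/* Paired with the allocation in lj_asm_trace(); the size must match it exactly. */`. The placement before the GCtrace itself is released on the following line is correct, as the call reads T. lj_trace_free's body starts outside the hunk.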