Fix deallocation of T->szirmcode

This array, containing debug information for mapping machine code onto IR instructions, was not correctly deallocated.
eugeneia · Oct 8, 2018 · a667ead · a667ead
1 parent 2a7990a
commit a667ead
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 11 deletions.
diff --git a/src/lj_asm.c b/src/lj_asm.c
@@ -1995,18 +1995,13 @@ void lj_asm_trace(jit_State *J, GCtrace *T)
   /* Setup initial state. Copy some fields to reduce indirections. */
   as->J = J;
   as->T = T;
-  J->curfinal = lj_trace_alloc(J->L, T);  /* Copies IR and moves szirmcode. */
+  J->curfinal = lj_trace_alloc(J->L, T);
   as->flags = J->flags;
   as->loopref = J->loopref;
   as->realign = NULL;
   as->loopinv = 0;
   as->parent = J->parent ? traceref(J, J->parent) : NULL;
 
-  /* Initialize mcode size of IR instructions array. */
-  /* +2 extra spaces for the last instruction and the trace header at [0]. */
-  T->szirmcode = lj_mem_new(J->L, (T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode));
-  memset(T->szirmcode, 0, (T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode));
-
   /* Reserve MCode memory. */
   as->mctop = origtop = lj_mcode_reserve(J, &as->mcbot);
   as->mcp = as->mctop;
@@ -2075,7 +2070,8 @@ void lj_asm_trace(jit_State *J, GCtrace *T)
       RA_DBG_REF();
       checkmclim(as);
       asm_ir(as, ir);
-      T->szirmcode[as->curins - REF_BIAS] = (uint16_t)((intptr_t)end - (intptr_t)as->mcp);
+      lua_assert(as->curins-REF_BIAS < J->curfinal->nszirmcode);
+      J->curfinal->szirmcode[as->curins-REF_BIAS] = (uint16_t)(end - as->mcp);
     }
 
     firstins = as->mcp;	/* MCode assembled for IR instructions. */
@@ -2105,14 +2101,15 @@ void lj_asm_trace(jit_State *J, GCtrace *T)
 	     (T->nins - as->orignins) * sizeof(IRIns));  /* Copy RENAMEs. */
       T->nins = J->curfinal->nins;
       /* Log size of trace head */
-      T->szirmcode[0] = (uint16_t)((intptr_t)firstins - (intptr_t)as->mcp);
+      J->curfinal->szirmcode[0] = (uint16_t)((intptr_t)firstins - (intptr_t)as->mcp);
       break;  /* Done. */
     }
 
     /* Otherwise try again with a bigger IR. */
     lj_trace_free(J2G(J), J->curfinal);
     J->curfinal = NULL;  /* In case lj_trace_alloc() OOMs. */
     J->curfinal = lj_trace_alloc(J->L, T);
+    lua_assert(J->curfinal->nszirmcode);
     as->realign = NULL;
   }
 

diff --git a/src/lj_auditlog.c b/src/lj_auditlog.c
@@ -173,7 +173,7 @@ static void log_GCtrace(GCtrace *T)
   log_mem("SnapShot[]", T->snap, T->nsnap * sizeof(*T->snap));
   log_mem("SnapEntry[]", T->snapmap, T->nsnapmap * sizeof(*T->snapmap));
   log_mem("IRIns[]", &T->ir[T->nk], (T->nins - T->nk + 1) * sizeof(IRIns));
-  log_mem("uint16_t[]", T->szirmcode, (T->nins - REF_BIAS - 1) * sizeof(uint16_t));
+  log_mem("uint16_t[]", T->szirmcode, T->nszirmcode * sizeof(uint16_t));
   for (ref = T->nk; ref < REF_TRUE; ref++) {
     IRIns *ir = &T->ir[ref];
     if (ir->o == IR_KGC) {

diff --git a/src/lj_jit.h b/src/lj_jit.h
@@ -192,6 +192,7 @@ typedef struct GCtrace {
   MSize szmcode;	/* Size of machine code. */
   MCode *mcode;		/* Start of machine code. */
   MSize mcloop;		/* Offset of loop start in machine code. */
+  uint16_t nszirmcode;	/* Number of elements in szirmcode array. */
   uint16_t *szirmcode;  /* Bytes of mcode for each IR instruction (array.) */
   uint16_t nchild;	/* Number of child traces (root trace only). */
   uint16_t spadjust;	/* Stack pointer adjustment (offset in bytes). */

diff --git a/src/lj_trace.c b/src/lj_trace.c
@@ -91,7 +91,12 @@ GCtrace * lj_trace_alloc(lua_State *L, GCtrace *T)
   T2->nk = T->nk;
   T2->nsnap = T->nsnap;
   T2->nsnapmap = T->nsnapmap;
-  T2->szirmcode = T->szirmcode;
+  /* Set szirmcode into T2 allocated memory. May be unallocated in T.
+  ** +2 extra spaces for the last instruction and the trace header at [0].
+  */
+  T2->nszirmcode = T->nins+2-REF_BIAS;
+  T2->szirmcode = lj_mem_newt(L, T2->nszirmcode*sizeof(uint16_t), uint16_t);
+  memset(T2->szirmcode, 0, T2->nszirmcode*sizeof(uint16_t));
   memcpy(p, T->ir + T->nk, szins);
   return T2;
 }
@@ -101,6 +106,8 @@ static void trace_save(jit_State *J, GCtrace *T)
 {
   size_t sztr = ((sizeof(GCtrace)+7)&~7);
   size_t szins = (J->cur.nins-J->cur.nk)*sizeof(IRIns);
+  size_t nszirmcode = T->nszirmcode;
+  uint16_t *szirmcode = T->szirmcode;
   char *p = (char *)T + sztr;
   memcpy(T, &J->cur, sizeof(GCtrace));
   T->parent = J->parent;
@@ -113,6 +120,9 @@ static void trace_save(jit_State *J, GCtrace *T)
   p += szins;
   TRACE_APPENDVEC(snap, nsnap, SnapShot)
   TRACE_APPENDVEC(snapmap, nsnapmap, SnapEntry)
+  /* Set szirmcode into T2 allocated memory. May be unallocated in T. */
+  T->nszirmcode = nszirmcode;
+  T->szirmcode = szirmcode;
   J->cur.traceno = 0;
   J->curfinal = NULL;
   setgcrefp(J->trace[T->traceno], T);
@@ -129,7 +139,7 @@ void lj_trace_free(global_State *g, GCtrace *T)
     lj_gdbjit_deltrace(J, T);
     setgcrefnull(J->trace[T->traceno]);
   }
-  lj_mem_free(g, T->szirmcode, (T->nins + 2 - REF_BIAS) * sizeof(*T->szirmcode));
+  lj_mem_free(g, T->szirmcode, T->nszirmcode*sizeof(uint16_t));
   lj_mem_free(g, T,
     ((sizeof(GCtrace)+7)&~7) + (T->nins-T->nk)*sizeof(IRIns) +
     T->nsnap*sizeof(SnapShot) + T->nsnapmap*sizeof(SnapEntry));
@@ -391,6 +401,8 @@ static void trace_start(jit_State *J)
   J->cur.ir = J->irbuf;
   J->cur.snap = J->snapbuf;
   J->cur.snapmap = J->snapmapbuf;
+  J->cur.nszirmcode = 0;	/* Only present in assembled trace. */
+  J->cur.szirmcode = NULL;
   J->mergesnap = 0;
   J->needsnap = 0;
   J->bcskip = 0;