Fixed bug for emergency collection in upvalue creation

When creating an upvalue, an emergency collection can collect the
previous upvalue where the new one would be linked. The following
code can trigger the bug, using valgrind on Lua compiled with the
-DHARDMEMTESTS option:

  local x; local y
  (function () return y end)();
  (function () return x end)()

1 files changed, 8 insertions, 6 deletions

diff --git a/lfunc.c b/lfunc.c
index 9f91ad4f..f7edf56b 100644
--- a/lfunc.c
+++ b/lfunc.c
@@ -82,20 +82,22 @@ static UpVal *newupval (lua_State *L, int tbc, StkId level, UpVal **prev) {
 
 
 /*
-** Find and reuse, or create if it does not exist, a regular upvalue
-** at the given level.
+** Find and reuse, or create if it does not exist, an upvalue
+** at the given level and set it to the given slot.
 */
-UpVal *luaF_findupval (lua_State *L, StkId level) {
+void luaF_setupval (lua_State *L, StkId level, UpVal **slot) {
   UpVal **pp = &L->openupval;
   UpVal *p;
   lua_assert(isintwups(L) || L->openupval == NULL);
   while ((p = *pp) != NULL && uplevel(p) >= level) {  /* search for it */
+    *slot = p;
     if (uplevel(p) == level && !isdead(G(L), p))  /* corresponding upvalue? */
-      return p;  /* return it */
+      return;  /* found it */
     pp = &p->u.open.next;
   }
-  /* not found: create a new upvalue after 'pp' */
-  return newupval(L, 0, level, pp);
+  /* not found: create a new upvalue after 'pp' (which is
+    anchored in 'slot', in case of an emergency collection) */
+  *slot = newupval(L, 0, level, pp);
 }