Fix unsinking of IR_FSTORE for NULL metatable.

Reported by pwnhacker0x18. #1147

1 files changed, 8 insertions, 3 deletions

diff --git a/src/lj_snap.c b/src/lj_snap.c
index b387dd76..4a773048 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -412,6 +412,7 @@ static TRef snap_replay_const(jit_State *J, IRIns *ir)
   case IR_KNUM: return lj_ir_k64(J, IR_KNUM, ir_knum(ir));
   case IR_KINT64: return lj_ir_k64(J, IR_KINT64, ir_kint64(ir));
   case IR_KPTR: return lj_ir_kptr(J, ir_kptr(ir));  /* Continuation. */
+  case IR_KNULL: return lj_ir_knull(J, irt_type(ir->t));
   default: lua_assert(0); return TREF_NIL; break;
   }
 }
@@ -821,9 +822,13 @@ static void snap_unsink(jit_State *J, GCtrace *T, ExitState *ex,
         if (irk->o == IR_FREF) {
           switch (irk->op2) {
           case IRFL_TAB_META:
-            snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
-            /* NOBARRIER: The table is new (marked white). */
-            setgcref(t->metatable, obj2gco(tabV(&tmp)));
+            if (T->ir[irs->op2].o == IR_KNULL) {
+              setgcrefnull(t->metatable);
+            } else {
+              snap_restoreval(J, T, ex, snapno, rfilt, irs->op2, &tmp);
+              /* NOBARRIER: The table is new (marked white). */
+              setgcref(t->metatable, obj2gco(tabV(&tmp)));
+            }
             break;
           case IRFL_TAB_NOMM:
             /* Negative metamethod cache invalidated by lj_tab_set() below. */