LJ_GC64: Always snapshot functions for non-base frames.

Reported by Arseny Vakhrushev.
Analysis and fix contributed by Peter Cawley.

2 files changed, 8 insertions, 2 deletions

diff --git a/src/lj_record.c b/src/lj_record.c
index df428818..9e41ce05 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -211,6 +211,7 @@ static TRef getcurrf(jit_State *J)
 {
   if (J->base[-1-LJ_FR2])
     return J->base[-1-LJ_FR2];
+  /* Non-base frame functions ought to be loaded already. */
   lj_assertJ(J->baseslot == 1+LJ_FR2, "bad baseslot");
   return sloadt(J, -1-LJ_FR2, IRT_FUNC, IRSLOAD_READONLY);
 }
diff --git a/src/lj_snap.c b/src/lj_snap.c
index a21894f6..36f81528 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -85,8 +85,13 @@ static MSize snapshot_slots(jit_State *J, SnapEntry *map, BCReg nslots)
       IRIns *ir = &J->cur.ir[ref];
       if ((LJ_FR2 || !(sn & (SNAP_CONT|SNAP_FRAME))) &&
           ir->o == IR_SLOAD && ir->op1 == s && ref > retf) {
-        /* No need to snapshot unmodified non-inherited slots. */
-        if (!(ir->op2 & IRSLOAD_INHERIT))
+        /*
+        ** No need to snapshot unmodified non-inherited slots.
+        ** But always snapshot the function below a frame in LJ_FR2 mode.
+        */
+        if (!(ir->op2 & IRSLOAD_INHERIT) &&
+            (!LJ_FR2 || s == 0 || s+1 == nslots ||
+             !(J->slot[s+1] & (TREF_CONT|TREF_FRAME))))
           continue;
         /* No need to restore readonly slots and unmodified non-parent slots. */
         if (!(LJ_DUALNUM && (ir->op2 & IRSLOAD_CONVERT)) &&