5 files changed, 38 insertions, 47 deletions

diff --git a/src/lj_asm.c b/src/lj_asm.c
index 9cdbcf12..aed12043 100644
--- a/src/lj_asm.c
+++ b/src/lj_asm.c
@@ -3044,7 +3044,7 @@ static void asm_tail_sync(ASMState *as)
   SnapShot *snap = &as->T->snap[as->T->nsnap-1];  /* Last snapshot. */
   MSize n, nent = snap->nent;
   SnapEntry *map = &as->T->snapmap[snap->mapofs];
-  SnapEntry *flinks = map + nent + 1;
+  SnapEntry *flinks = map + nent + snap->depth;
   BCReg newbase = 0, topslot = 0;
 
   checkmclim(as);
@@ -3102,11 +3102,11 @@ static void asm_tail_sync(ASMState *as)
       if (!(sn & (SNAP_CONT|SNAP_FRAME)))
         emit_movmroi(as, RID_BASE, ofs+4, irt_toitype(ir->t));
       else if (s != 0)  /* Do not overwrite link to previous frame. */
-        emit_movmroi(as, RID_BASE, ofs+4, (int32_t)(*flinks++));
+        emit_movmroi(as, RID_BASE, ofs+4, (int32_t)(*flinks--));
     }
     checkmclim(as);
   }
-  lua_assert(map + nent + 1 + snap->depth == flinks);
+  lua_assert(map + nent == flinks);
 }
 
 /* Fixup the tail code. */
diff --git a/src/lj_def.h b/src/lj_def.h
index 83b1935c..de4ad1be 100644
--- a/src/lj_def.h
+++ b/src/lj_def.h
@@ -66,7 +66,6 @@ typedef unsigned __int32 uintptr_t;
 
 /* JIT compiler limits. */
 #define LJ_MAX_JSLOTS   250             /* Max. # of stack slots for a trace. */
-#define LJ_MAX_JFRAME   20              /* Max. # of frames for a trace. */
 #define LJ_MAX_PHI      32              /* Max. # of PHIs for a loop. */
 #define LJ_MAX_EXITSTUBGR       8       /* Max. # of exit stub groups. */
 
diff --git a/src/lj_jit.h b/src/lj_jit.h
index 229642a5..ec368feb 100644
--- a/src/lj_jit.h
+++ b/src/lj_jit.h
@@ -252,7 +252,6 @@ typedef struct jit_State {
 
   IRRef1 chain[IR__MAX];  /* IR instruction skip-list chain anchors. */
   TRef slot[LJ_MAX_JSLOTS+LJ_STACK_EXTRA];  /* Stack slot map. */
-  SnapEntry frame[LJ_MAX_JFRAME+2];  /* Frame link stack. */
 
   int32_t param[JIT_P__MAX];  /* JIT engine parameters. */
 
diff --git a/src/lj_record.c b/src/lj_record.c
index eaaafc51..e5a8b208 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -92,26 +92,6 @@ static void rec_check_ir(jit_State *J)
   }
 }
 
-/* Compare frame stack of the recorder and the VM. */
-static void rec_check_frames(jit_State *J)
-{
-  cTValue *frame = J->L->base - 1;
-  cTValue *lim = J->L->base - J->baseslot;
-  int32_t depth = J->framedepth;
-  while (frame > lim) {
-    depth--;
-    lua_assert(depth >= 0);
-    lua_assert((SnapEntry)frame_ftsz(frame) == J->frame[depth]);
-    if (frame_iscont(frame)) {
-      depth--;
-      lua_assert(depth >= 0);
-      lua_assert((SnapEntry)frame_ftsz(frame-1) == J->frame[depth]);
-    }
-    frame = frame_prev(frame);
-  }
-  lua_assert(depth == 0);
-}
-
 /* Compare stack slots and frames of the recorder and the VM. */
 static void rec_check_slots(jit_State *J)
 {
@@ -157,7 +137,6 @@ static void rec_check_slots(jit_State *J)
     }
   }
   lua_assert(J->framedepth == depth);
-  rec_check_frames(J);
 }
 #endif
 
@@ -519,9 +498,7 @@ static void rec_call(jit_State *J, BCReg func, ptrdiff_t nargs)
   fbase[0] = trfunc | TREF_FRAME;
 
   /* Bump frame. */
-  J->frame[J->framedepth++] = SNAP_MKPC(J->pc+1);
-  if (J->framedepth > LJ_MAX_JFRAME)
-    lj_trace_err(J, LJ_TRERR_STACKOV);
+  J->framedepth++;
   J->base += func+1;
   J->baseslot += func+1;
   J->maxslot = nargs;
@@ -626,6 +603,7 @@ static BCReg rec_mm_prep(jit_State *J, ASMFunction cont)
   trcont = lj_ir_kptr(J, (void *)cont);
 #endif
   J->base[top] = trcont | TREF_CONT;
+  J->framedepth++;
   for (s = J->maxslot; s < top; s++)
     J->base[s] = 0;  /* Clear frame gap to avoid resurrecting previous refs. */
   return top+1;
@@ -695,7 +673,6 @@ ok:
   base[0] = ix->mobj;
   copyTV(J->L, basev+0, &ix->mobjv);
   rec_call(J, func, 2);
-  J->frame[J->framedepth++] = SNAP_MKFTSZ((func+1)*sizeof(TValue)+FRAME_CONT);
   return 0;  /* No result yet. */
 }
 
@@ -710,7 +687,6 @@ static void rec_mm_callcomp(jit_State *J, RecordIndex *ix, int op)
   copyTV(J->L, tv+1, &ix->valv);
   copyTV(J->L, tv+2, &ix->keyv);
   rec_call(J, func, 2);
-  J->frame[J->framedepth++] = SNAP_MKFTSZ((func+1)*sizeof(TValue)+FRAME_CONT);
 }
 
 /* Record call to equality comparison metamethod (for tab and udata only). */
@@ -890,11 +866,9 @@ static TRef rec_idx(jit_State *J, RecordIndex *ix)
         base[3] = ix->val;
         copyTV(J->L, tv+3, &ix->valv);
         rec_call(J, func, 3);  /* mobj(tab, key, val) */
-        J->frame[J->framedepth++] = SNAP_MKFTSZ((func+1)*sizeof(TValue)+FRAME_CONT);
         return 0;
       } else {
         rec_call(J, func, 2);  /* res = mobj(tab, key) */
-        J->frame[J->framedepth++] = SNAP_MKFTSZ((func+1)*sizeof(TValue)+FRAME_CONT);
         return 0;  /* No result yet. */
       }
     }
@@ -1294,8 +1268,6 @@ static void LJ_FASTCALL recff_ipairs(jit_State *J, RecordFFData *rd)
 static void LJ_FASTCALL recff_pcall(jit_State *J, RecordFFData *rd)
 {
   if (J->maxslot >= 1) {
-    J->pc = (const BCIns *)(sizeof(TValue) - 4 +
-                            (hook_active(J2G(J)) ? FRAME_PCALLH : FRAME_PCALL));
     rec_call(J, 0, J->maxslot - 1);
     rd->nres = -1;  /* Pending call. */
   }  /* else: Interpreter will throw. */
@@ -1321,8 +1293,6 @@ static void LJ_FASTCALL recff_xpcall(jit_State *J, RecordFFData *rd)
     copyTV(J->L, &argv1, &rd->argv[1]);
     copyTV(J->L, &rd->argv[0], &argv1);
     copyTV(J->L, &rd->argv[1], &argv0);
-    J->pc = (const BCIns *)(2*sizeof(TValue) - 4 +
-                            (hook_active(J2G(J)) ? FRAME_PCALLH : FRAME_PCALL));
     /* Need to protect rec_call because it may throw. */
     errcode = lj_vm_cpcall(J->L, NULL, J, recff_xpcall_cp);
     /* Always undo Lua stack swap to avoid confusing the interpreter. */
@@ -2329,13 +2299,12 @@ static void rec_setup_side(jit_State *J, Trace *T)
     }
   setslot:
     J->slot[s] = tr | (sn&(SNAP_CONT|SNAP_FRAME));  /* Same as TREF_* flags. */
-    if ((sn & SNAP_FRAME) && s != 0)
+    if ((sn & SNAP_FRAME))
       J->baseslot = s+1;
   }
   J->base = J->slot + J->baseslot;
   J->maxslot = snap->nslots - J->baseslot;
-  J->framedepth = snap->depth;  /* Copy frames from snapshot. */
-  memcpy(J->frame, &map[nent+1], sizeof(SnapEntry)*(size_t)snap->depth);
+  J->framedepth = snap->depth;
   lj_snap_add(J);
 }
 
diff --git a/src/lj_snap.c b/src/lj_snap.c
index 04b9a7f6..e17b7a0d 100644
--- a/src/lj_snap.c
+++ b/src/lj_snap.c
@@ -68,6 +68,31 @@ static MSize snapshot_slots(jit_State *J, SnapEntry *map, BCReg nslots)
   return n;
 }
 
+/* Add frame links at the end of the snapshot. */
+static void snapshot_framelinks(jit_State *J, SnapEntry *map)
+{
+  cTValue *frame = J->L->base - 1;
+  cTValue *lim = J->L->base - J->baseslot;
+  MSize f = 0;
+  map[f++] = SNAP_MKPC(J->pc);  /* The current PC is always the first entry. */
+  while (frame > lim) {  /* Backwards traversal of all frames above base. */
+    if (frame_islua(frame)) {
+      map[f++] = SNAP_MKPC(frame_pc(frame));
+      frame = frame_prevl(frame);
+    } else if (frame_ispcall(frame)) {
+      map[f++] = SNAP_MKFTSZ(frame_ftsz(frame));
+      frame = frame_prevd(frame);
+    } else if (frame_iscont(frame)) {
+      map[f++] = SNAP_MKFTSZ(frame_ftsz(frame));
+      map[f++] = SNAP_MKPC(frame_contpc(frame));
+      frame = frame_prevd(frame);
+    } else {
+      lua_assert(0);
+    }
+  }
+  lua_assert(f == (MSize)(1 + J->framedepth));
+}
+
 /* Take a snapshot of the current stack. */
 static void snapshot_stack(jit_State *J, SnapShot *snap, MSize nsnapmap)
 {
@@ -78,6 +103,7 @@ static void snapshot_stack(jit_State *J, SnapShot *snap, MSize nsnapmap)
   lj_snap_grow_map(J, nsnapmap + nslots + (MSize)J->framedepth+1);
   p = &J->cur.snapmap[nsnapmap];
   nent = snapshot_slots(J, p, nslots);
+  snapshot_framelinks(J, p + nent);
   snap->mapofs = (uint16_t)nsnapmap;
   snap->ref = (IRRef1)J->cur.nins;
   snap->nent = (uint8_t)nent;
@@ -85,9 +111,6 @@ static void snapshot_stack(jit_State *J, SnapShot *snap, MSize nsnapmap)
   snap->nslots = (uint8_t)nslots;
   snap->count = 0;
   J->cur.nsnapmap = (uint16_t)(nsnapmap + nent + 1 + J->framedepth);
-  /* Add frame links at the end of the snapshot. */
-  p[nent] = SNAP_MKPC(J->pc);  /* The current PC is always the first entry. */
-  memcpy(&p[nent+1], J->frame, sizeof(SnapEntry)*(size_t)J->framedepth);
 }
 
 /* Add or merge a snapshot. */
@@ -119,6 +142,7 @@ void lj_snap_shrink(jit_State *J)
   snap->nslots = (uint8_t)nslots;
   if (nent > 0 && snap_slot(map[nent-1]) >= nslots) {
     MSize s, delta, depth = snap->depth;
+    lua_assert(depth == (MSize)J->framedepth);
     for (nent--; nent > 0 && snap_slot(map[nent-1]) >= nslots; nent--)
       ;
     delta = snap->nent - nent;
@@ -187,7 +211,7 @@ const BCIns *lj_snap_restore(jit_State *J, void *exptr)
   SnapShot *snap = &T->snap[snapno];
   MSize n, nent = snap->nent;
   SnapEntry *map = &T->snapmap[snap->mapofs];
-  SnapEntry *flinks = map + nent + 1;
+  SnapEntry *flinks = map + nent + snap->depth;
   int32_t ftsz0;
   BCReg nslots = snap->nslots;
   TValue *frame;
@@ -213,7 +237,7 @@ const BCIns *lj_snap_restore(jit_State *J, void *exptr)
       lj_ir_kvalue(L, o, ir);
       if ((sn & (SNAP_CONT|SNAP_FRAME))) {
         /* Overwrite tag with frame link. */
-        o->fr.tp.ftsz = s != 0 ? (int32_t)*flinks++ : ftsz0;
+        o->fr.tp.ftsz = s != 0 ? (int32_t)*flinks-- : ftsz0;
         if ((sn & SNAP_FRAME)) {
           GCfunc *fn = ir_kfunc(ir);
           if (isluafunc(fn)) {
@@ -264,8 +288,8 @@ const BCIns *lj_snap_restore(jit_State *J, void *exptr)
     }
   }
   L->top = curr_topL(L);
-  lua_assert(map + nent + 1 + snap->depth == flinks);
-  return snap_pc(map[nent]);
+  lua_assert(map + nent == flinks);
+  return snap_pc(*flinks);
 }
 
 #undef IR