From 54cce2e1719a15fc33e40c57dbc3d62e9c104b03 Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Wed, 11 Feb 2026 23:14:13 +0100
Subject: Prevent recording of loops with -0 step or NaN values. Thanks to Sergey Kaplun. #1432 #1433
---
 src/lj_record.c | 6 ++++++
 1 file changed, 6 insertions(+) (limited to 'src')
diff --git a/src/lj_record.c b/src/lj_record.c
index 1919ab03..6c64c645 100644
--- a/src/lj_record.c
+++ b/src/lj_record.c
@@ -526,6 +526,12 @@ static LoopEvent rec_for(jit_State *J, const BCIns *fori, int isforl)
 LoopEvent ev;
 TRef stop;
 IRType t;
+ /* Avoid semantic mismatches and always failing guards. */
+ if (tvisnan(&tv[FORL_IDX]) ||
+ tvisnan(&tv[FORL_STOP]) ||
+ tvisnan(&tv[FORL_STEP]) ||
+ tvismzero(&tv[FORL_STEP]))
+ lj_trace_err(J, LJ_TRERR_GFAIL);
 if (isforl) { /* Handle FORL/JFORL opcodes. */
 TRef idx = tr[FORL_IDX];
 if (mref(J->scev.pc, const BCIns) == fori && tref_ref(idx) == J->scev.idx) {
-- cgit v1.2.3-55-g6feb
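Review bot: The new guard in rec_for applies tvisnan()/tvismzero() to tv[FORL_IDX], tv[FORL_STOP] and tv[FORL_STEP] ahead of the `if (isforl)` split, so it runs on both the FORI and FORL paths, and nothing visible in the hunk establishes that the three slots already hold floating-point numbers at that point. If a slot can still be a string awaiting coercion or an integer-tagged value (the macro definitions and the FORI branch are outside this hunk, so this needs confirming), the NaN test may abort recording of loops that are otherwise recordable; a preceding type check such as `tvisnum(&tv[FORL_STEP])`, or a comment stating the precondition, would settle it. The comment would also be easier to maintain if it said which case is which, e.g. `/* NaN idx/stop/step: loop guards can never hold. -0 step: trace semantics would differ from the interpreter. */`; that mapping is my reading of the subject line, so adjust as needed. rec_for's body starts before and continues after the hunk.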