I recently experimented with an overridden mmap implementation, to see if I could implement MAP_32BIT to allocate from the bottom 4GB of address space. I can extend the address space to the bottom 2GB for LuaJIT without issue. However, if I utilize any address over 2GB (any address with the 31st bit set) then I get a segfault in 2.1 git head in what appears to be jitted code. The address that segfaults appears to be a 64-bit sign-extended pointer to a 128KB region allocated with MAP_32BIT.

Does LuaJIT intentionally only give 31-bit pointers, or is this an accidental sign extension? If it's not intentional, would a minimal reproduction help in finding the issue? It will take maybe an hour to put it together.

The disassembly of the (jitted?) frame looks like:

0xbcdff02 <+0x0000> add %al,(%rax)
0xbcdff04 <+0x0000> add %al,(%rax)
0xbcdff06 <+0x0000> add %al,(%rax)
0xbcdff08 <+0x0000> add %al,(%rax)
0xbcdff0a <+0x0000> add %al,(%rax)
0xbcdff0c <+0x0000> add %al,(%rax)
0xbcdff0e <+0x0000> add %al,(%rax)
0xbcdff10 <+0x0000> add %al,(%rax)
0xbcdff12 <+0x0000> add %bh,%dh
0xbcdff14 <+0x0000> add %al,(%rax)
******0xbcdff16 <+0x0000> movl $0x1,0xfffffffffffe0410 ******
That's a kernel address. The block 0xfffe0000 was the first 128KB allocated to LuaJIT by the customized mmap.
0xbcdff21 <+0x0000> movsd 0xfffffffffffa44e8,%xmm6
0xbcdff2a <+0x0000> movsd 0xfffffffffffa44e0,%xmm5
0xbcdff33 <+0x0000> cmpl $0xfffffffb,0x2c(%rdx)
0xbcdff37 <+0x0000> jne 0xbcd0010
0xbcdff3d <+0x0000> mov 0x28(%rdx),%ebp
0xbcdff40 <+0x0000> cmp $0xfffec0a8,%ebp
0xbcdff46 <+0x0000> jne 0xbcd0014
0xbcdff4c <+0x0000> cmpl $0xfffeffff,0xc(%rdx)
0xbcdff53 <+0x0000> jae 0xbcd0018
0xbcdff59 <+0x0000> movsd 0x8(%rdx),%xmm7
0xbcdff5e <+0x0000> addsd %xmm5,%xmm7
0xbcdff62 <+0x0000> cmp $0xfffd9468,%ebp
0xbcdff68 <+0x0000> je 0xbcd001c
0xbcdff6e <+0x0000> cmpl $0xfffffff7,0x14(%rdx)
0xbcdff72 <+0x0000> jne 0xbcd0020
0xbcdff78 <+0x0000> mov 0x10(%rdx),%ebp

Cheers,
Dan