I've discovered an issue on ARM64 LuaJIT 2.1 (latest, 5874c21) with
__call metamethod invocations temporarily leaving the call stack frames
in a bad state that will cause a crash if a GC occurs.
Here's a very simple 100% immediate repro on any ARM64 iOS device:
    local SomeTable = {}
    local SomeTableMT = {
      __call = function(self, ...)
        print("Crash due to bad callstack frame during traversal")
        collectgarbage()
        return {}
      end
    }
    setmetatable(SomeTable, SomeTableMT)

    local function getTableHelper()
      return SomeTable()
    end

    getTableHelper()
This crashes in gc_traverse_frames because lj_vmeta_callt ->
lj_BC_CALLT overwrites one of the frame pointers. It doesn't crash if
a normal function is invoked on the table instead of __call.
I'm digging into how to fix it myself now but any help from someone
more knowledgeable in the asm and frame structure would be greatly
appreciated!
Cheers,
Troy
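The following is an added diagnostic harness, not code from the report above or from LuaJIT. It separates the three call paths the report distinguishes: a tail call through __call (the reported lj_vmeta_callt -> BC_CALLT path), a tail call of an ordinary function (reported as not crashing), and, as an extra case not covered by the report, a non-tail call through __call. Each variant is selected by a command-line argument so that a hard crash in one does not mask the others; the variant names and the assumption that the non-tail __call case is worth checking separately are mine.

```lua
-- Added diagnostic harness (not part of the original report).
-- Usage: luajit callt_gc_check.lua <variant>
--   tailcall  : return T()              -> __call via BC_CALLT (the reported crash path)
--   call      : local r = T(); return r -> __call via a normal BC_CALL (assumption: untested in the report)
--   plainfunc : return plain()          -> BC_CALLT with no metamethod (reported as not crashing)

local variant = arg and arg[1] or "tailcall"

-- Metatable whose __call forces a full GC cycle while the metamethod frame
-- is live, so gc_traverse_frames walks the stack mid-call.
local T = setmetatable({}, {
  __call = function(self, ...)
    print("in __call, variant=" .. variant .. ", forcing full GC")
    collectgarbage()
    return {}
  end,
})

-- Ordinary function with the same body, used as the control case.
local function plain(...)
  print("in plain function, forcing full GC")
  collectgarbage()
  return {}
end

local cases = {
  tailcall  = function() return T() end,               -- BC_CALLT through __call
  call      = function() local r = T(); return r end,  -- BC_CALL through __call
  plainfunc = function() return plain() end,           -- BC_CALLT, no metamethod
}

local run = cases[variant]
if not run then
  error("unknown variant '" .. tostring(variant) .. "'; use tailcall, call or plainfunc")
end

local result = run()
-- Only reached if the interpreter survived the GC cycle inside the call.
print(variant .. ": returned " .. type(result) .. ", no crash")
```

Run each variant in its own process (`luajit callt_gc_check.lua tailcall`, then `call`, then `plainfunc`); a variant that crashes never prints its final line, which makes the script usable as a regression check once a fix to the ARM64 interpreter is in place.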