From c7db8255e1eb59f933fac7bc9322f0e4f8ddc6e6 Mon Sep 17 00:00:00 2001
From: Mike Pall
Date: Sun, 16 Apr 2023 13:26:18 +0200
Subject: Fix TDUP load forwarding after table rehash.

Reported by Sergey Kaplun. #980
---
 src/lj_opt_mem.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/src/lj_opt_mem.c b/src/lj_opt_mem.c
index feec6bb7..5b1ad898 100644
--- a/src/lj_opt_mem.c
+++ b/src/lj_opt_mem.c
@@ -154,6 +154,7 @@ static TRef fwd_ahload(jit_State *J, IRRef xref)
 if (ir->o == IR_TNEW || (ir->o == IR_TDUP && irref_isk(xr->op2))) {
 /* A NEWREF with a number key may end up pointing to the array part.
 ** But it's referenced from HSTORE and not found in the ASTORE chain.
+ ** Or a NEWREF may rehash the table and move unrelated number keys.
 ** For now simply consider this a conflict without forwarding anything.
 */
 if (xr->o == IR_AREF) {
@@ -164,6 +165,11 @@ static TRef fwd_ahload(jit_State *J, IRRef xref)
 goto cselim;
 ref2 = newref->prev;
 }
+ } else {
+ IRIns *key = IR(xr->op2);
+ if (key->o == IR_KSLOT) key = IR(key->op1);
+ if (irt_isnum(key->t) && J->chain[IR_NEWREF] > tab)
+ goto cselim;
 }
 /* NEWREF inhibits CSE for HREF, and dependent FLOADs from HREFK/AREF.
 ** But the above search for conflicting stores was limited by xref.
-- 
cgit v1.2.1
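Review bot: The new `else` branch in the second hunk has no comment of its own, and its test `J->chain[IR_NEWREF] > tab` is broader than it reads. Assuming `tab` is the ref of the TNEW/TDUP (it is defined outside the hunk), the test fires on any NEWREF emitted after the allocation, not only one that targets this table. That over-approximation errs on the safe side for load forwarding, since a missed forward only costs speed while a wrong one yields a stale value after a rehash, but it should be stated at the branch, e.g. `/* Number-keyed hash ref: any NEWREF after the allocation may have rehashed the table. */` above `IRIns *key = IR(xr->op2);`. The guard is also limited to `irt_isnum(key->t)`; if integer-typed keys can reach this path in some build configuration they would presumably need the same treatment, which is worth confirming. The rest of fwd_ahload lies outside both hunks.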