+++ Debian Bug Tracking System [2016-03-22 15:03 +0000]:

OK, so the issue is indeed the 47/48 bit pointers. The mozilla jit had
the exact same issue. https://bugzilla.mozilla.org/show_bug.cgi?id=1143022

I've hacked up a patch (attached), which changes the pointer length to
48 bits, to demonstrate that the top bit is no longer masked and the
segfault goes away. However this patch is not a proper fix (and
crashes a bit later) because it does not properly deal with the fact
that moving up one bit pushes the 4 tags further up and impinges on
the fff8 'NaN' value currently used.

My understanding of the code is not sufficient to work out whether
everything can simply be shoved up by one bit to make this work. Can
the NaN change, or is it set by the IEEE specs? Does it need to change in
fact, or is it only use in the 32bit mode?

And I don't properly understand the distinction between LJ_64 and
LJ_GC64 which affects how things are laid out. So I'm well aware that
my patch is half-a-bodge, and merely to prove that I was barking up
the right tree.

So the issue is nicely described in src/lj_obj.h 'Internal object tags'
** Format for 32 bit GC references (!LJ_GC64): **
** Internal tags overlap the MSW of a number object (must be a double).
** Interpreted as a double these are special NaNs. The FPU only generates
** one type of NaN (0xfff8_0000_0000_0000). So MSWs > 0xfff80000 are available
** for use as internal tags. Small negative numbers are used to shorten the
** encoding of type comparisons (reg/mem against sign-ext. 8 bit immediate).
**
** ---MSW---.---LSW---
** primitive types | itype | |
** lightuserdata | itype | void * | (32 bit platforms)
** lightuserdata |ffff| void * | (64 bit platforms, 47 bit pointers)
** GC objects | itype | GCRef |
** int (LJ_DUALNUM)| itype | int |
** number -------double------
**
** Format for 64 bit GC references (LJ_GC64):
**
** The upper 13 bits must be 1 (0xfff8...) for a special NaN. The next
** 4 bits hold the internal tag. The lowest 47 bits either hold a pointer,
** a zero-extended 32 bit integer or all bits set to 1 for primitive types.
**
** ------MSW------.------LSW------
** primitive types |1..1|itype|1..................1|
** GC objects/lightud |1..1|itype|-------GCRef--------|
** int (LJ_DUALNUM) |1..1|itype|0..0|-----int-------|
** number ------------double-------------

So can we just change that to:
** The upper 12 bits must be 1 (0xfff...) for a special NaN. The next
** 4 bits hold the internal tag. The lowest 48 bits either hold a pointer,
** a zero-extended 32 bit integer or all bits set to 1 for primitive types.
?

Or will that just break and we need to keep fff8, leaving only 3 bits for the tags?

Ultimately this design needs to change, because ARM64 pointers are
going to change to 52 bits in the future and x86 pointers will be
getting bigger too as they are subject to the same pressures in new hardware.

So putting the tags somewhere else would be smart, or maybe down at
the bottom end if you know things are aligned to large enough boundaries?

But perhaps we can make a smaller change for now to get this running?

I'll file this upstream too, referring back here.

Wookey
--
Principal hats: Linaro, Debian, Wookware, ARM
http://wookware.org/

hey Ben!

The version in unstable hadn't yet turned on arm64 builds.

-dann

well, version 2.0.4+dfsg-1 does not have any arm64 support and thus is not built for arm64.

So no, it doesn't have the bug that you can build it for arm64 but it doesn't work.

But on the other hand it does have 'doesn't work on arm64'

So I'm really not sure whether one should mark this bug as applying to
2.0.4.

Can we get laujit 2.1-with-arm64-support into unstable for stretch?
There are serious people that would really like to see that (because
important stuff like nginx need luajit), but presumably the transition
freeze applies here?

Wookey