From 528954b7ec9642f9ec987707352d558f9fd41446 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bj=C3=B6rn-Egil=20Dahlberg?= <egil@erlang.org>
Date: Sat, 23 May 2015 00:56:21 +0200
Subject: erts: Fix garbage collect literals in code purge

During code purging and check_process_code, the checking of the binary reference
embedded in the match binary state was omitted for the tracing tests. This would cause
the binary match state to reference deallocated memory.
---
 erts/emulator/beam/beam_bif_load.c | 11 ++++++++++-
 erts/emulator/beam/erl_gc.c        | 29 ++++++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 6 deletions(-)

diff --git a/erts/emulator/beam/beam_bif_load.c b/erts/emulator/beam/beam_bif_load.c
index df1983a83d..ef42bb20d3 100644
--- a/erts/emulator/beam/beam_bif_load.c
+++ b/erts/emulator/beam/beam_bif_load.c
@@ -33,6 +33,7 @@
 #include "beam_catches.h"
 #include "erl_binary.h"
 #include "erl_nif.h"
+#include "erl_bits.h"
 #include "erl_thr_progress.h"
 
 static void set_default_trace_pattern(Eterm module);
@@ -940,7 +941,15 @@ any_heap_refs(Eterm* start, Eterm* end, char* mod_start, Uint mod_size)
 	    break;
 	case TAG_PRIMARY_HEADER:
 	    if (!header_is_transparent(val)) {
-		Eterm* new_p = p + thing_arityval(val);
+		Eterm* new_p;
+                if (header_is_bin_matchstate(val)) {
+                    ErlBinMatchState *ms = (ErlBinMatchState*) p;
+                    ErlBinMatchBuffer *mb = &(ms->mb);
+                    if (in_area(EXPAND_POINTER(mb->orig), mod_start, mod_size)) {
+                        return 1;
+                    }
+                }
+		new_p = p + thing_arityval(val);
 		ASSERT(start <= new_p && new_p < end);
 		p = new_p;
 	    }
diff --git a/erts/emulator/beam/erl_gc.c b/erts/emulator/beam/erl_gc.c
index 0db42d4325..3856fc0a6a 100644
--- a/erts/emulator/beam/erl_gc.c
+++ b/erts/emulator/beam/erl_gc.c
@@ -677,7 +677,7 @@ erts_garbage_collect_literals(Process* p, Eterm* literals,
     Uint area_size;
     Eterm* old_htop;
     Uint n;
-    struct erl_off_heap_header** prev;
+    struct erl_off_heap_header** prev = NULL;
 
     if (p->flags & F_DISABLE_GC)
 	return;
@@ -786,10 +786,10 @@ erts_garbage_collect_literals(Process* p, Eterm* literals,
      */
 
     if (oh) {
-	prev = &MSO(p).first;
-	while (*prev) {
-	    prev = &(*prev)->next;
-	}
+        prev = &MSO(p).first;
+        while (*prev) {
+            prev = &(*prev)->next;
+        }
     }
 
     /*
@@ -818,6 +818,10 @@ erts_garbage_collect_literals(Process* p, Eterm* literals,
 	oh = oh->next;
     }
 
+    if (prev) {
+        *prev = NULL;
+    }
+
     /*
      * We no longer need this temporary area.
      */
@@ -1869,6 +1873,21 @@ sweep_one_heap(Eterm* heap_ptr, Eterm* heap_end, Eterm* htop, char* src, Uint sr
 	    if (!header_is_thing(gval)) {
 		heap_ptr++;
 	    } else {
+		if (header_is_bin_matchstate(gval)) {
+		    ErlBinMatchState *ms = (ErlBinMatchState*) heap_ptr;
+		    ErlBinMatchBuffer *mb = &(ms->mb);
+		    Eterm* origptr;
+		    origptr = &(mb->orig);
+		    ptr = boxed_val(*origptr);
+		    val = *ptr;
+		    if (IS_MOVED_BOXED(val)) {
+			*origptr = val;
+			mb->base = binary_bytes(*origptr);
+		    } else if (in_area(ptr, src, src_size)) {
+			MOVE_BOXED(ptr,val,htop,origptr);
+			mb->base = binary_bytes(*origptr);
+		    }
+		}
 		heap_ptr += (thing_arityval(gval)+1);
 	    }
 	    break;
-- 
cgit v1.2.3