Fix serialization of open upvalues on threads

HaroldCindy · HaroldCindy · commit 73681935c9d1 · 2026-03-12T07:13:19.000-07:00
This fixes a long-standing bug I've always suspected I might've
accidentally introduced. Luau's handling of upvalues is so optimized
I had trouble finding a case that would trigger it before I incidentally
tripped over it while working on `lljson`.
diff --git a/VM/src/ares.cpp b/VM/src/ares.cpp
@@ -2380,7 +2380,10 @@ p_thread(Info *info) {                                          /* ... thread */
     pushpath(info, "[%d]", level++);
     WRITE_VALUE(eris_savestackidx(thread, uv->v) + 1, ares_size_t);
     eris_setobj(info->L, info->L->top - 1, uv->v);          /* ... thread obj */
-    lua_pushlightuserdata(info->L, uv);                  /* ... thread obj id */
+    // Use `uv->v` (stack slot address) with `LUTAG_ARES_UPREF as the key
+    // so we can have this point at the underlying value on the stack.
+    // `uv` itself is generally irrelevant.
+    lua_pushlightuserdatatagged(info->L, uv->v, LUTAG_ARES_UPREF); /* ... thread obj id */
     persist_keyed(info, LUA_TUPVAL);                        /* ... thread obj */
     poppath(info);
     eris_assert(uv_top == lua_gettop(info->L));
diff --git a/tests/conformance/ares_coros.lua b/tests/conformance/ares_coros.lua
@@ -144,5 +144,54 @@ assert(tabs[3] == rtabs[3])
 assert(tabs[3].one == rtabs[3].one)
 assert(tabs[2].three == rtabs[2].three)
 
+-- open upvalue patching: closure on the stack (not executing) at yield time
+-- Regression test: p_thread's open upvalue section must use the same reftable key
+-- as p_closure so u_thread can patch closure upvalue references to be open.
+-- Without the fix, the inner closure's upvalues remain closed after unpersist,
+-- so writes from the closure go to a copy instead of the outer function's local.
+do
+    local co = coroutine.create(function()
+        local captured = nil
+        local function writer()
+            captured = "written"
+        end
+        -- Push writer onto the stack and yield before calling it.
+        -- This means writer (with its open upvalue for `captured`) is a raw
+        -- value on the coroutine's stack at persist time.
+        local f = writer
+        coroutine.yield()
+        -- After round-trip, call writer. Its upvalue must be open (pointing to
+        -- our stack slot for `captured`), not closed (pointing to a copy).
+        f()
+        return captured
+    end)
+
+    coroutine.resume(co)
+    co = ares.unpersist(uperms, ares.persist(perms, co))
+    local ok, result = coroutine.resume(co)
+    assert(ok)
+    assert(result == "written", "expected 'written', got " .. tostring(result))
+end
+
+-- same test but with two closures sharing the open upvalue
+do
+    local co = coroutine.create(function()
+        local shared = 0
+        local function inc() shared = shared + 1 end
+        local function get() return shared end
+        local fi, fg = inc, get
+        coroutine.yield()
+        fi()
+        fi()
+        return fg()
+    end)
+
+    coroutine.resume(co)
+    co = ares.unpersist(uperms, ares.persist(perms, co))
+    local ok, result = coroutine.resume(co)
+    assert(ok)
+    assert(result == 2, "expected 2, got " .. tostring(result))
+end
+
 print('OK')
 return 'OK'
