TM: negative index check for GETELEM on 64-bit platforms is bogus?

RESOLVED FIXED

Core :: JavaScript Engine
(Reporter: njn, Assigned: njn)

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

Description

8 years ago
Created attachment 443819 [details] [diff] [review]
patch

denseArrayElement() has this check before getting an array element:

    /* Guard against negative index */
    if (MAX_DSLOTS_LENGTH > MAX_DSLOTS_LENGTH32 && !idx_ins->isImmI()) {
        /* Only 64-bit machines support large enough arrays for this. */
        JS_ASSERT(sizeof(jsval) == 8);
        guard(false,
              lir->ins2ImmI(LIR_lt, idx_ins, 0),
              exit);
    }

AFAICT this is totally bogus.  idx_ins is a uint32 (on both 32-bit and 64-bit platforms).  By doing a signed comparison of idx_ins against 0, all that will happen is that any index with value 2^31 (0x80000000) or higher will cause an unnecessary side-exit.

Furthermore, the !idx_ins->isImmI() test doesn't make any sense, and the maximum array size is 2^32-1 regardless of the machine word size, AIUI.

dvander agrees that it looks bogus and that it was probably written before the 64-bit TM port was working.

The attached patch removes it.  AFAICT Andreas wrote the code so I'm asking him to review.  I've been thinking about this for a while and am now royally confused, esp. how a negative index is actually handled, so input from others is welcome.
Attachment #443819 - Flags: review?(gal)
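The arithmetic behind the report, as an added C example (this is not code from the bug or from TraceMonkey): a uint32 index reinterpreted for a signed "< 0" compare flips sign at 2^31, so the guard side-exits on large indices that are not negative at all, while an unsigned compare against the array capacity already rejects any wrapped negative value because such a value is >= 2^31 and a uint32 capacity is at most 2^32-1. The example assumes the element access is bounds-checked by an unsigned compare against capacity (an assumption made for the example, not something this bug states), and the ES5 array-index rule (integer in [0, 2^32-2]) is used to show that a JS negative index never arrives as a uint32 index in the first place. The function names are the example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the guard the patch removes: LIR_lt is a signed 32-bit
 * compare, so the uint32 index is reinterpreted as int32 before the
 * "< 0" test. Hypothetical mirror of the LIR, not TraceMonkey's code. */
static bool old_guard_side_exits(uint32_t idx)
{
    return (int32_t)idx < 0;
}

/* Assumed bounds check on the element access: an unsigned compare of
 * the index against the array's capacity. A "negative" value that
 * wrapped into a uint32 is >= 2^31, and no uint32 capacity exceeds
 * 2^32 - 1, so this compare alone rejects every such value. */
static bool in_bounds(uint32_t idx, uint32_t capacity)
{
    return idx < capacity;
}

/* True when the old guard exits for an index the bounds check accepts:
 * the needless side-exit the bug describes. */
static bool old_guard_spurious(uint32_t idx, uint32_t capacity)
{
    return old_guard_side_exits(idx) && in_bounds(idx, capacity);
}

/* ES5 15.4: a property name is an array index iff it is an integer in
 * [0, 2^32 - 2]. A negative or fractional JS value is therefore never a
 * dense-array index; it is an ordinary property key. */
static bool is_array_index(double d)
{
    return d >= 0.0 && d <= 4294967294.0 && (double)(uint32_t)d == d;
}

int main(void)
{
    const uint32_t cap = UINT32_MAX; /* largest capacity a uint32 can hold */
    /* Constructed sample indices, including JS -1 wrapped to uint32. */
    const uint32_t samples[] = { 0u, 0x7FFFFFFFu, 0x80000000u, (uint32_t)-1 };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t idx = samples[i];
        printf("idx=0x%08X old_guard_exits=%d in_bounds=%d spurious=%d\n",
               idx, old_guard_side_exits(idx), in_bounds(idx, cap),
               old_guard_spurious(idx, cap));
    }
    printf("is_array_index(-1)=%d is_array_index(2^32-2)=%d "
           "is_array_index(2^32-1)=%d\n",
           is_array_index(-1.0), is_array_index(4294967294.0),
           is_array_index(4294967295.0));
    return 0;
}
```

Running it shows 0x80000000 exiting under the old guard although it passes the unsigned bounds check, while the wrapped -1 (0xFFFFFFFF) is rejected by the bounds check with or without the guard; the machine word size plays no part, since both compares are on 32-bit values.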
Comment 1

8 years ago
One month review ping coming up:

  PING!

Comment 2

8 years ago
ooops

Updated

8 years ago
Attachment #443819 - Flags: review?(gal) → review+
Comment 3

8 years ago
http://hg.mozilla.org/tracemonkey/rev/a9cdb738b187
Whiteboard: fixed-in-tracemonkey

Comment 4

8 years ago
http://hg.mozilla.org/mozilla-central/rev/a9cdb738b187
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED