Bug 564117
TM: negative index check for GETELEM on 64-bit platforms is bogus?
Opened 15 years ago. Closed 15 years ago.
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Reporter: n.nethercote, Assigned: n.nethercote
Whiteboard: fixed-in-tracemonkey
Attachments: 1 file (2.72 KB, patch; gal: review+)

denseArrayElement() has this check before getting an array element:

    /* Guard against negative index */
    if (MAX_DSLOTS_LENGTH > MAX_DSLOTS_LENGTH32 && !idx_ins->isImmI()) {
        /* Only 64-bit machines support large enough arrays for this. */
        JS_ASSERT(sizeof(jsval) == 8);
        guard(false,
              lir->ins2ImmI(LIR_lt, idx_ins, 0),
              exit);
    }

AFAICT this is totally bogus. idx_ins is a uint32 (on both 32-bit and 64-bit platforms). By doing a signed comparison of idx_ins against 0, all that will happen is that any index with value 2^31 (0x80000000) or higher will cause an unnecessary side-exit.
Furthermore, the !idx_ins->isImmI() test doesn't make any sense, and the maximum array size is 2^32-1 regardless of the machine word size, AIUI.
dvander agrees that it looks bogus and that it was probably written before the 64-bit TM port was working.
The attached patch removes it. AFAICT Andreas wrote the code so I'm asking him to review. I've been thinking about this for a while and am now royally confused, esp. how a negative index is actually handled, so input from others is welcome.
Attachment #443819 - Flags: review?(gal)
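
Added example (not part of the bug report or the TraceMonkey source): a small C model of the signed-versus-unsigned point made in the description, showing which uint32 indices a signed "less than 0" guard turns into side-exits. The `classify` helper and its bounds check against `length` are assumptions made for illustration only.

```c
#include <stdint.h>
#include <stdio.h>

enum outcome { ACCESS_OK, SPURIOUS_SIDE_EXIT, OUT_OF_BOUNDS };

/* Model of the quoted guard: a signed "index < 0" test applied to a value
 * that is really a uint32. Returns 1 when the trace would side-exit. */
static int signed_guard_exits(uint32_t idx)
{
    /* Reinterpret the bits as signed (two's complement on mainstream
     * compilers), as a signed less-than compare does. */
    return (int32_t)idx < 0;
}

/* Hypothetical model of one element read. The bounds check against `length`
 * is an assumption of this example, not taken from the engine source. */
static enum outcome classify(uint32_t idx, uint32_t length)
{
    if (idx >= length)
        return OUT_OF_BOUNDS;
    return signed_guard_exits(idx) ? SPURIOUS_SIDE_EXIT : ACCESS_OK;
}

/* Smallest index at which the guard fires. The predicate is monotone over
 * the uint32 range, so a binary search finds the boundary. */
static uint32_t first_exiting_index(void)
{
    uint32_t lo = 0, hi = UINT32_MAX;   /* guard passes at lo, fires at hi */
    while (hi - lo > 1) {
        uint32_t mid = lo + (hi - lo) / 2;
        if (signed_guard_exits(mid))
            hi = mid;
        else
            lo = mid;
    }
    return hi;
}

int main(void)
{
    uint32_t len = UINT32_MAX;          /* 2^32-1, the maximum the report cites */
    uint32_t samples[] = { 0u, 0x7FFFFFFFu, 0x80000000u, 0xFFFFFFFEu };
    static const char *names[] = { "ok", "spurious side-exit", "out of bounds" };
    printf("guard first fires at index 0x%08lX\n", (unsigned long)first_exiting_index());
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("idx 0x%08lX -> %s\n", (unsigned long)samples[i], names[classify(samples[i], len)]);
    return 0;
}
```
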

Comment 1 • 15 years ago (Assignee)
One month review ping coming up:
PING!

Comment 2 • 15 years ago
ooops

Updated • 15 years ago
Attachment #443819 - Flags: review?(gal) → review+

Comment 3 • 15 years ago (Assignee)
Whiteboard: fixed-in-tracemonkey

Comment 4 • 15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED