Suspicious-looking branchPtr in Compiler::iter.

RESOLVED INVALID

Core :: JavaScript Engine
Reported 8 years ago, last updated 5 years ago

(Reporter: jbramley, Assigned: jbramley)

Description (Assignee, 8 years ago)
http://hg.mozilla.org/tracemonkey/file/9123f97f059c/js/src/methodjit/Compiler.cpp#l4077

The comment claims that the code is comparing reg->proto->proto with NULL, but (on ARM at least) it is simply comparing it with itself. The NonZero condition will never hit here because 'cmp rX, rX' will always set the Zero flag.

There is a bug here, and it is almost certainly in one of two places:

 * ARM's 'NE' condition code might not map onto what we expect 'NonZero' to do in this context.
 * The call should have used ImmPtr(0) as one of the arguments, rather than using T1 twice.

The latter looks more likely to me, but I'm not familiar with this code and I haven't looked into it in any detail. On ARM at least, the branch will never be taken.
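As an added illustration of the report above (constructed here; this is not code from the bug, from MethodJIT, or from the tracemonkey tree), the following C program models the Zero-flag behaviour of ARM `cmp` and `tst` and the three branch forms under discussion. The names `model_branchPtr` and `model_branchTestPtr` are stand-ins for the assembler calls, `ImmPtr(0)` is modelled as a right-hand operand of 0, and the sample pointer values are made up; none of this is the real assembler API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not MethodJIT code) of how the three branch forms
 * discussed in the bug behave on ARM. Only the Zero flag is modelled,
 * because that is the only flag the Zero/NonZero conditions look at. */

typedef enum { COND_ZERO, COND_NONZERO } Cond;

/* ARM CMP computes lhs - rhs and sets Z when the result is zero.
 * With lhs == rhs the result is always zero, whatever the value. */
static bool cmp_sets_z(uintptr_t lhs, uintptr_t rhs) {
    return (lhs - rhs) == 0;
}

/* ARM TST computes lhs & rhs and sets Z when the result is zero.
 * With lhs == rhs the result is zero exactly when the value is zero. */
static bool tst_sets_z(uintptr_t lhs, uintptr_t rhs) {
    return (lhs & rhs) == 0;
}

static bool cond_taken(Cond c, bool z) {
    return c == COND_ZERO ? z : !z;
}

/* Stand-in for branchPtr(cond, regA, regB): emits cmp regA, regB. */
bool model_branchPtr(Cond c, uintptr_t reg_a, uintptr_t reg_b) {
    return cond_taken(c, cmp_sets_z(reg_a, reg_b));
}

/* Stand-in for branchTestPtr(cond, regA, regB): emits tst regA, regB. */
bool model_branchTestPtr(Cond c, uintptr_t reg_a, uintptr_t reg_b) {
    return cond_taken(c, tst_sets_z(reg_a, reg_b));
}

/* The form the reporter found: branchPtr(NonZero, T1, T1). Never taken. */
bool as_written_taken(uintptr_t t1) {
    return model_branchPtr(COND_NONZERO, t1, t1);
}

/* Candidate fix from the report: compare against ImmPtr(0), modelled as 0. */
bool immptr_zero_taken(uintptr_t t1) {
    return model_branchPtr(COND_NONZERO, t1, 0);
}

/* Fix suggested in the first comment: branchTestPtr(NonZero, T1, T1). */
bool testptr_taken(uintptr_t t1) {
    return model_branchTestPtr(COND_NONZERO, t1, t1);
}

int main(void) {
    /* Constructed sample values for T1: a null pointer and two non-null ones. */
    const uintptr_t samples[] = { 0, 0x1000, UINTPTR_MAX };
    printf("%-20s %-10s %-10s %-10s\n", "T1", "as-written", "ImmPtr(0)", "TestPtr");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uintptr_t t1 = samples[i];
        printf("%#-20lx %-10s %-10s %-10s\n", (unsigned long)t1,
               as_written_taken(t1) ? "taken" : "not taken",
               immptr_zero_taken(t1) ? "taken" : "not taken",
               testptr_taken(t1) ? "taken" : "not taken");
    }
    return 0;
}
```

The table the program prints shows the as-written form never taken for any value of T1, while both alternatives are taken exactly when T1 is non-null, which is the behaviour the comment in Compiler.cpp describes.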
It looks like this should be branchTestPtr.

JM is gone.
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → INVALID