Here's a bit of erroneous code:
00000c5c <s1ad_info>:
c5c: 8b 45 08 mov 0x8(%ebp),%eax
c5f: d9 46 03 flds 0x3(%esi)
c62: dd d9 fstp %st(1)
c64: d9 55 08 fsts 0x8(%ebp)
c67: 89 c6 mov %eax,%esi
c69: c7 45 00 24 0c 00 00 movl $0xc24,0x0(%ebp)
c70: f7 c6 03 00 00 00 test $0x3,%esi
c76: 75 ac jne c24 <s1ac_info>
So we should be doing some ffrees before the jne. The code that
inserts the ffrees wasn't expecting to do it for a conditional jump,
because they are usually local, but we have a late optimisation that
shortcuts jumps-to-jumps, and that can result in a non-local
conditional jump.
This at least fixes an instance of the bug that I was able to
reproduce, let's hope there aren't any more.
where p insn r = case insn of
CALL _ _ -> GFREE : insn : r
JMP _ -> GFREE : insn : r
+ JXX_GBL _ _ -> GFREE : insn : r
_ -> insn : r
-- if you ever add a new FP insn to the fake x86 FP insn set,
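Review bot: the new `JXX_GBL _ _ -> GFREE : insn : r` arm deserves a comment explaining why a global conditional jump needs the ffrees while a local `JXX` does not, since the commit message (the jump-to-jump shortcut can turn a local conditional jump into a non-local one) is the only place that reasoning lives; a reader of this `case` will otherwise see CALL and JMP freed, JXX_GBL freed, and the local conditional jump not, and may "fix" it in either direction. Something like `JXX_GBL _ _ -> GFREE : insn : r  -- non-local cond. jump (e.g. from the jump-to-jump shortcut) leaves the block, so free FP regs` next to the arm would do. The existing `-- if you ever add a new FP insn ...` reminder right below is the right place to also mention that any new non-local control transfer constructor must be added here, given that this bug came from exactly that omission; and since the message says only one reproducible instance was fixed, keeping that reproducer (the `s1ad_info`/`s1ac_info` case shown above) as a regression test would guard against the next one.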