269509 2024-02-15 14:09:28 -0800 Wrong chain F{32,64}Sub + F{32,64}Copysign when rhs is NaN in BBQ JIT mode 2024-02-16 23:04:07 -0800 1 1 1 Unclassified WebKit WebAssembly WebKit Nightly Build Unspecified Unspecified RESOLVED FIXED InRadar P2 Normal --- 1 marcus_plutowski webkit-unassigned webkit-bug-importer oldest_to_newest 2014137 0 marcus_plutowski 2024-02-15 14:09:28 -0800 rdar://120780768 Tested on commit 9fb944e082ca85e9c509d60d879e898476822bd8. Below the Poc: ``` // (module // (type (func (param f64) (result f64))) // (func (type 0) (local f64) // (local.set 1 (local.get 0)) // (local.set 0 (f64.sub (local.get 0) (f64.const nan))) // (local.set 1 (f64.copysign (local.get 1) (local.get 0))) // (local.get 1) // ) // (export "poc" (func 0)) // ) const wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 6, 1, 96, 1, 124, 1, 124, 3, 2, 1, 0, 7, 7, 1, 3, 112, 111, 99, 0, 0, 10, 33, 1, 31, 1, 1, 124, 32, 0, 33, 1, 32, 0, 68, 0, 0, 0, 0, 0, 0, 248, 127, 161, 33, 0, 32, 1, 32, 0, 166, 33, 1, 32, 1, 11]); try { const wasm_mod = new WebAssembly.Module(wasm_code); const wasm_instance = new WebAssembly.Instance(wasm_mod); let ret = undefined; for (let i = 0; i < 10000; i++) { ret = wasm_instance.exports.poc(1234); } print(ret); } catch (e) { print(e); } ``` The result is different if it's JIT'ed on BBQ or not. ``` $ jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false ./poc.js -1234 $ jsc --useWasmLLInt=true --useBBQJIT=false --useOMGJIT=false ./poc.js 1234 ``` 2014185 1 marcus_plutowski 2024-02-15 15:16:58 -0800 Pull request: https://github.com/WebKit/WebKit/pull/24554 2014779 2 ews-feeder 2024-02-16 23:04:06 -0800 Committed 274910@main (5f1ac6454783): <https://commits.webkit.org/274910@main> Reviewed commits have been landed. Closing PR #24554 and removing active labels.