Bug 265581

Created attachment 468823 [details] A minimal reproduction of the bug. The atomic.rmw.cmpxchg family of instructions don't overwrite the target value when the current value to check for has the highest bit set. If the highest bit isn't set, they work as expected. The code below demonstrates the bug: ``` (module (import "env" "memory" (memory 1 1 shared)) (func $demo (result i32) (i32.atomic.rmw.cmpxchg ;; overwrite memory slot 0 if it is zero (i32.const 0) ;; address (i32.const 0) ;; current (i32.const 2147483648)) ;; new drop ;; ignore output (i32.atomic.rmw.cmpxchg ;; overwrite memory slot 0 if it is 2147483648 (i32.const 0) ;; address (i32.const 2147483648) ;; current (i32.const 1)) ;; new drop ;; ignore output i32.const 0 ;; address i32.load ;; read memory slot 0 ) (export "demo" (func $demo)) ) ``` Safari outputs -2147483648 here, while Chrome and Firefox output 1. If 2147483648 is changed to 2147483647, things work as expected. For a complete minimal reproduction, see the attached ZIP file or the repository linked below: https://github.com/laurmaedje/safari-atomic-bug