Bug 265581

Summary: Compare exchange instruction doesn't overwrite value if highest bit is set
Product: WebKit
Reporter: laurmaedje
Component: WebAssembly
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Major
CC: justin_michaud, karlcow, keith_miller, mark.lam, mike, webkit-bug-importer
Priority: P2
Keywords: BrowserCompat, InRadar
Version: Safari 17
Hardware: Mac (Apple Silicon)
OS: macOS 14
Attachments: A minimal reproduction of the bug. (flags: none)

laurmaedje
Reported 2023-11-30 08:40:17 PST
Created attachment 468823
A minimal reproduction of the bug.

The atomic.rmw.cmpxchg family of instructions doesn't overwrite the target value when the current value to check for has the highest bit set. If the highest bit isn't set, they work as expected. The code below demonstrates the bug:

```wat
(module
  (import "env" "memory" (memory 1 1 shared))
  (func $demo (result i32)
    (i32.atomic.rmw.cmpxchg    ;; overwrite memory slot 0 if it is zero
      (i32.const 0)            ;; address
      (i32.const 0)            ;; current
      (i32.const 2147483648))  ;; new
    drop                       ;; ignore output
    (i32.atomic.rmw.cmpxchg    ;; overwrite memory slot 0 if it is 2147483648
      (i32.const 0)            ;; address
      (i32.const 2147483648)   ;; current
      (i32.const 1))           ;; new
    drop                       ;; ignore output
    i32.const 0                ;; address
    i32.load                   ;; read memory slot 0
  )
  (export "demo" (func $demo))
)
```

Safari outputs -2147483648 here, while Chrome and Firefox output 1. If 2147483648 is changed to 2147483647, things work as expected.

For a complete minimal reproduction, see the attached ZIP file or the repository linked below:
https://github.com/laurmaedje/safari-atomic-bug
Attachments: A minimal reproduction of the bug. (47.79 KB, application/zip), 2023-11-30 08:40 PST, laurmaedje, no flags
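As an added check that is not part of the bug report or of WebKit's own code: a Node.js harness that hand-assembles the reporter's module above into WebAssembly binary, runs it against an imported shared memory, and compares the result with the JavaScript Atomics API applied to the same bit pattern. A spec-conforming engine returns 1 from both; the Safari build described above returns -2147483648 from the module. It assumes a Node.js release with WebAssembly threads and shared memory enabled (the default in current releases).

```javascript
// Added example, not from the bug report: hand-assembled binary of the reporter's
// module, instantiated in Node.js (assumed) and checked against JS Atomics semantics.
const I32_MIN_SLEB = [0x80, 0x80, 0x80, 0x80, 0x78]; // i32.const 2147483648 (bit pattern 0x80000000)
const CMPXCHG = [0xfe, 0x48, 0x02, 0x00];            // i32.atomic.rmw.cmpxchg, align=4 bytes, offset=0
const DROP = 0x1a;

const name = (s) => [s.length, ...new TextEncoder().encode(s)]; // vec(byte) of a UTF-8 name
const section = (id, body) => [id, body.length, ...body];       // every body here is < 128 bytes

function buildModule() {
  const code = [
    0x00,                                                            // no locals
    0x41, 0x00, 0x41, 0x00, 0x41, ...I32_MIN_SLEB, ...CMPXCHG, DROP, // cmpxchg(addr 0, expect 0, new 0x80000000)
    0x41, 0x00, 0x41, ...I32_MIN_SLEB, 0x41, 0x01, ...CMPXCHG, DROP, // cmpxchg(addr 0, expect 0x80000000, new 1)
    0x41, 0x00, 0x28, 0x02, 0x00,                                    // i32.load slot 0
    0x0b,                                                            // end
  ];
  return new Uint8Array([
    0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                                   // "\0asm", version 1
    ...section(1, [0x01, 0x60, 0x00, 0x01, 0x7f]),                                    // type 0: () -> i32
    ...section(2, [0x01, ...name('env'), ...name('memory'), 0x02, 0x03, 0x01, 0x01]), // import shared memory 1..1
    ...section(3, [0x01, 0x00]),                                                      // func 0 has type 0
    ...section(7, [0x01, ...name('demo'), 0x00, 0x00]),                               // export "demo" = func 0
    ...section(10, [0x01, code.length, ...code]),                                     // one function body
  ]);
}

// Runs the module; a spec-conforming engine returns 1, the reported Safari build returns -2147483648.
function runDemo() {
  const memory = new WebAssembly.Memory({ initial: 1, maximum: 1, shared: true });
  const instance = new WebAssembly.Instance(new WebAssembly.Module(buildModule()), { env: { memory } });
  return instance.exports.demo();
}

// Same two compare-exchanges via the JS Atomics API on a shared buffer; 2147483648 is -2147483648 as an i32.
function referenceDemo() {
  const slot = new Int32Array(new SharedArrayBuffer(4));
  Atomics.compareExchange(slot, 0, 0, -2147483648);
  Atomics.compareExchange(slot, 0, -2147483648, 1);
  return slot[0];
}

console.log('wasm:', runDemo(), 'atomics:', referenceDemo());
```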
Radar WebKit Bug Importer
Comment 1 2023-12-02 11:31:24 PST
Justin Michaud
Comment 2 2023-12-04 15:06:49 PST
I confirmed this was fixed in https://github.com/WebKit/WebKit/pull/19889 Thanks for the nice repro case!
Justin Michaud
Comment 3 2023-12-04 15:07:13 PST
*** This bug has been marked as a duplicate of bug 263292 ***