Bug 269729

Summary:	BBQ JIT wrongly emits asr instruction for I{32,64}DivU
Product:	WebKit	Reporter:	Marcus Plutowski <marcus_plutowski>
Component:	WebAssembly	Assignee:	Nobody <webkit-unassigned>
Status:	RESOLVED FIXED
Severity:	Normal	CC:	webkit-bug-importer
Priority:	P2	Keywords:	InRadar
Version:	WebKit Nightly Build
Hardware:	Unspecified
OS:	Unspecified

Marcus Plutowski

Reported 2024-02-19 10:26:45 PST

rdar://120840889 When JIT'ing the bytecode for `i64.div_u`, BBQ emits an `asr` arm64 instruction for the ultimate division, which while correct in cases where the lhs operand is positive, produces an incorrect (i.e. signed) result when that operand is negative. E.g. `(i64.div_u (local.get 1) (i64.const 2))` produces: ``` [ 0xf] GetLocal <124> 0x10d05807c: ldur x1, [fp, #-16] [0x11] I64Cons [0x13] I64DivU <128> 0x10d058080: asr x1, x1, #1 ``` If the local is e.g. -2 (0xFFFFFFFFFFFFFFFE), this results in -1 (0xFFFFFFFFFFFFFFFF), but since we're doing an unsigned division it should properly return INT64_MAX (0x7FFFFFFFFFFFFFFF).

Attachments
Add attachment proposed patch, testcase, etc.

Marcus Plutowski

Comment 1 2024-02-19 11:55:05 PST

Pull request: https://github.com/WebKit/WebKit/pull/24760

EWS

Comment 2 2024-02-19 16:41:30 PST

Committed 275011@main (3ee7e4fc30fd): <https://commits.webkit.org/275011@main> Reviewed commits have been landed. Closing PR #24760 and removing active labels.

Radar WebKit Bug Importer

Comment 3 2024-02-19 16:42:14 PST

<rdar://problem/123277034>

Note You need to log in before you can comment on or make changes to this bug.