Bug 269729

Summary: BBQ JIT wrongly emits asr instruction for I{32,64}DivU
Product: WebKit
Reporter: Marcus Plutowski <marcus_plutowski>
Component: WebAssembly
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal
CC: webkit-bug-importer
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description Marcus Plutowski 2024-02-19 10:26:45 PST
rdar://120840889

When JIT'ing the bytecode for `i64.div_u`, BBQ emits an `asr` arm64 instruction for the ultimate division, which while correct in cases where the lhs operand is positive, produces an incorrect (i.e. signed) result when that operand is negative. E.g. `(i64.div_u (local.get 1) (i64.const 2))` produces:

```
    [ 0xf] GetLocal
        <124> 0x10d05807c:    ldur    x1, [fp, #-16]
    [0x11] I64Cons
    [0x13] I64DivU
        <128> 0x10d058080:    asr     x1, x1, #1
```

If the local is e.g. -2 (0xFFFFFFFFFFFFFFFE), this results in -1 (0xFFFFFFFFFFFFFFFF), but since we're doing an unsigned division it should properly return INT64_MAX (0x7FFFFFFFFFFFFFFF).
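To make the difference concrete, here is an added C model of the two lowerings (not WebKit code): asr64 replicates the sign bit the way the arm64 asr instruction does, lsr64 zero-fills as lsr does, and count_mismatches checks each against plain unsigned division by 2^shift over constructed 64-bit operands (the i32 case is the same at half the width). The function names and sample values are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of arm64 asr: vacated high bits are filled with a copy of the sign bit.
   Done explicitly because right-shifting a negative signed value is
   implementation-defined in C. Requires shift < 64. */
static uint64_t asr64(uint64_t x, unsigned shift)
{
    uint64_t r = x >> shift;
    if (x & (UINT64_C(1) << 63))
        r |= ~(UINT64_MAX >> shift);  /* replicate the sign bit downwards */
    return r;
}

/* Model of arm64 lsr: vacated high bits are zero, which is what an unsigned
   division by a power of two needs. */
static uint64_t lsr64(uint64_t x, unsigned shift)
{
    return x >> shift;
}

/* Constructed operands; the last three have the top bit set, i.e. they look
   negative when misinterpreted as signed. */
static const uint64_t kSamples[] = {
    0, 1, 2, 3, 7, UINT64_C(0x7FFFFFFFFFFFFFFF),
    UINT64_C(0x8000000000000000), UINT64_C(0xFFFFFFFFFFFFFFFE),
    UINT64_C(0xFFFFFFFFFFFFFFFF),
};

/* Counts samples where the chosen shift lowering disagrees with the
   reference semantics of i64.div_u (plain unsigned division by 1 << shift). */
static int count_mismatches(bool use_asr, unsigned shift)
{
    const uint64_t divisor = UINT64_C(1) << shift;
    int bad = 0;
    for (size_t i = 0; i < sizeof kSamples / sizeof kSamples[0]; i++) {
        uint64_t got = use_asr ? asr64(kSamples[i], shift) : lsr64(kSamples[i], shift);
        if (got != kSamples[i] / divisor)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("asr lowering, divisor 2: %d mismatches\n", count_mismatches(true, 1));
    printf("lsr lowering, divisor 2: %d mismatches\n", count_mismatches(false, 1));
    return 0;
}
```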
Comment 1 Marcus Plutowski 2024-02-19 11:55:05 PST
Pull request: https://github.com/WebKit/WebKit/pull/24760
Comment 2 EWS 2024-02-19 16:41:30 PST
Committed 275011@main (3ee7e4fc30fd): <https://commits.webkit.org/275011@main>

Reviewed commits have been landed. Closing PR #24760 and removing active labels.
Comment 3 Radar WebKit Bug Importer 2024-02-19 16:42:14 PST
<rdar://problem/123277034>