Bug 285728

Summary: [JSC] IPInt i32_trunc_sat_f32_s is using wrong limits
Product: WebKit
Reporter: xiangwei1895
Component: WebAssembly
Assignee: Yusuke Suzuki <ysuzuki>
Status: RESOLVED FIXED
Severity: Normal
CC: d_degazio, keith_miller, mark.lam, webkit-bug-importer, xiangwei1895, ysuzuki
Priority: P2
Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

xiangwei1895
Reported 2025-01-09 22:25:10 PST
Created attachment 473854 [details]
This file is equivalent to bug.js, but is more readable.

OS: ubuntu22.04
Architecture: <x64>
Version: 9aa05bd6327f280663e5845641a9568d5a58b1f5

./jsc bug.js

expected output
-2147483648
-2147483648

actual output
0
-2147483648

bug.js
##################################
var wasm_code = new Uint8Array([0,97,115,109,1,0,0,0,1,188,128,128,128,0,7,78,1,94,120,1,78,1,94,119,1,80,0,95,0,78,1,80,1,2,95,1,127,0,96,3,127,127,127,1,127,96,8,99,1,127,100,4,127,123,100,2,126,111,0,96,7,127,99,1,127,100,109,100,0,100,111,99,3,0,3,130,128,128,128,0,1,4,4,137,128,128,128,0,2,112,1,1,16,113,1,4,11,5,132,128,128,128,0,1,1,0,32,13,133,128,128,128,0,2,0,5,0,6,6,181,128,128,128,0,5,124,0,68,0,0,0,0,0,0,0,0,11,127,1,65,149,255,201,136,2,11,113,1,208,113,11,123,1,253,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,107,1,208,107,11,7,136,128,128,128,0,1,4,109,97,105,110,0,0,9,139,128,128,128,0,1,6,0,65,0,11,112,1,210,0,11,10,171,128,128,128,0,1,41,3,1,99,2,1,113,1,125,35,1,178,67,19,66,140,131,149,141,67,108,10,96,118,148,140,140,140,140,140,140,140,140,140,140,140,140,140,140,252,0,11]);
var wasm_module = new WebAssembly.Module(wasm_code);
var wasm_instance = new WebAssembly.Instance(wasm_module);
var f = wasm_instance.exports.main;
var result1 = f(0, -0, 1);
for (var i = 0; i < 10000; i++) {
    f(1, -0, 0);
}
var result2 = f(0, -0, 1);
print(result1)
print(result2)
Attachments
This file is equivalent to bug.js, but is more readable. (73.71 KB, text/javascript)
2025-01-09 22:25 PST, xiangwei1895
no flags
Use this sample to reproduce the inconsistency on the latest version of jsc. (73.70 KB, text/javascript)
2025-01-20 01:02 PST, xiangwei1895
no flags
Radar WebKit Bug Importer
Comment 1 2025-01-16 22:26:17 PST
Keith Miller
Comment 2 2025-01-17 09:45:04 PST
Running this on https://commits.webkit.org/288950@main, it seems to work fine. I tried both x86 (under Rosetta) and arm64, so I don't think it's an architectural thing. Unfortunately, our auto bisect is failing for me right now, so it's a bit hard to find the progression point. So I'm just going to close this for now. If you still see the issue, feel free to reopen.
xiangwei1895
Comment 3 2025-01-20 01:02:39 PST
Created attachment 473951 [details]
Use this sample to reproduce the inconsistency on the latest version of jsc.

Please try this sample. I think the problem is related to the S128 type. IPInt is not the root cause.
xiangwei1895
Comment 4 2025-01-20 01:03:39 PST
REOPEN
Yusuke Suzuki
Comment 5 2025-04-06 02:49:41 PDT
Yusuke Suzuki
Comment 6 2025-04-06 02:49:56 PDT
EWS
Comment 7 2025-04-06 14:26:03 PDT
Committed 293331@main (d0b878f884fe): <https://commits.webkit.org/293331@main> Reviewed commits have been landed. Closing PR #43711 and removing active labels.
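
Added example (not part of the bug thread and not WebKit's code): a differential check for the instruction named in the bug title, comparing an engine's i32.trunc_sat_f32_s against the saturation limits the WebAssembly specification defines. The names truncSatF32S, differentialCheck, MODULE_BYTES and EDGE_INPUTS, the hand-assembled module, and the input values are all constructed for illustration; the warm-up count mirrors the 10000-iteration loop in the report so that later execution tiers are exercised too.

```javascript
// Reference semantics for i32.trunc_sat_f32_s (WebAssembly spec, saturating conversion).
function truncSatF32S(x) {
  const f = Math.fround(x);                  // the operand is an f32
  if (Number.isNaN(f)) return 0;             // NaN saturates to 0
  if (f <= -2147483648) return -2147483648;  // at or below -2^31: INT32_MIN
  if (f >= 2147483648) return 2147483647;    // at or above 2^31: INT32_MAX
  return Math.trunc(f) | 0;                  // in range: round toward zero
}

// Constructed, hand-assembled module:
//   (func (export "t") (param f32) (result i32) local.get 0 i32.trunc_sat_f32_s)
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00, // magic, version 1
  0x01, 0x06, 0x01, 0x60, 0x01, 0x7d, 0x01, 0x7f, // type section: (f32) -> i32
  0x03, 0x02, 0x01, 0x00,                         // function section: func 0 has type 0
  0x07, 0x05, 0x01, 0x01, 0x74, 0x00, 0x00,       // export section: "t" = func 0
  0x0a, 0x08, 0x01, 0x06, 0x00,                   // code section: 1 body, 6 bytes, no locals
  0x20, 0x00, 0xfc, 0x00, 0x0b,                   // local.get 0; i32.trunc_sat_f32_s; end
]);

// Constructed inputs around the limits: -2147483904 is the first f32 below -2^31,
// 2147483520 is the last f32 below 2^31.
const EDGE_INPUTS = [
  NaN, 0, -0, 1.9, -1.9, Infinity, -Infinity,
  2147483520, 2147483648, -2147483648, -2147483904, 3.0e38, -3.0e38,
];

// Runs every input through the engine repeatedly and returns all disagreements
// with the reference, including the iteration at which each one first appears.
function differentialCheck(warmup = 10000) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(MODULE_BYTES));
  const t = instance.exports.t;
  const mismatches = [];
  for (let i = 0; i <= warmup; i++) {
    for (const x of EDGE_INPUTS) {
      const got = t(x);
      const want = truncSatF32S(x);
      if (got !== want) mismatches.push({ iteration: i, input: x, got, want });
    }
  }
  return mismatches;
}

const found = differentialCheck();
console.log(found.length === 0 ? "engine matches reference" : found.slice(0, 5));
```

A mismatch whose iteration is greater than 0 indicates that the result changed after warm-up, which is the pattern the report's two printed values show.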