Bug 214834 - [JSC][wasm] Truncating slightly less than INT32_MIN is incorrect
Summary: [JSC][wasm] Truncating slightly less than INT32_MIN is incorrect
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Yusuke Suzuki
URL:
Keywords: InRadar
Depends on:
Blocks:
 
Reported: 2020-07-27 10:43 PDT by Alon Zakai
Modified: 2020-07-28 12:55 PDT (History)
11 users (show)

See Also:

Attachments
Patch (277.66 KB, patch)
2020-07-27 20:21 PDT, Yusuke Suzuki 		darin: review+
Details | Formatted Diff | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alon Zakai 2020-07-27 10:43:07 PDT 
(module
 (func (export "trunc")
  (drop
   (i32.trunc_f64_s
    (f64.const -2147483648.1)
   )
  )
 )
)

This should not trap - while the number is smaller than INT32_MIN, it rounds to a valid value.

See https://github.com/WebAssembly/spec/issues/1224 for details and https://github.com/WebAssembly/spec/pull/1225 for the spec + spec suite update (that will now test this).
Comment 1 Radar WebKit Bug Importer 2020-07-27 18:27:33 PDT 
<rdar://problem/66193187>
Comment 2 Yusuke Suzuki 2020-07-27 20:21:40 PDT 
Created attachment 405338 [details]
Patch
Comment 3 Darin Adler 2020-07-28 09:11:42 PDT 
Comment on attachment 405338 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=405338&action=review

> Source/JavaScriptCore/llint/WebAssembly.asm:1105
> +    move 0xcf000000, t0 # INT32_MIN (Note that INT32_MIN - 1.0 in float is the same to INT32_MIN in float).

"same to" -> "same as"

> Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp:2815
> +    auto min = addConstant(Type::F64, bitwise_cast<uint64_t>(static_cast<double>(std::numeric_limits<int32_t>::min()) - 1.0));

No need for the static_cast<double> now since "- 1.0" causes conversion to double, but I suppose we can keep it for clarity.

> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:2273
> +    Value* min = constant(Double, bitwise_cast<uint64_t>(static_cast<double>(std::numeric_limits<int32_t>::min()) - 1.0));

Ditto.
Comment 4 Yusuke Suzuki 2020-07-28 10:33:11 PDT 
Comment on attachment 405338 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=405338&action=review

Thanks!

>> Source/JavaScriptCore/llint/WebAssembly.asm:1105
>> +    move 0xcf000000, t0 # INT32_MIN (Note that INT32_MIN - 1.0 in float is the same to INT32_MIN in float).
> 
> "same to" -> "same as"

Fixed!

>> Source/JavaScriptCore/wasm/WasmAirIRGenerator.cpp:2815
>> +    auto min = addConstant(Type::F64, bitwise_cast<uint64_t>(static_cast<double>(std::numeric_limits<int32_t>::min()) - 1.0));
> 
> No need for the static_cast<double> now since "- 1.0" causes conversion to double, but I suppose we can keep it for clarity.

For clarity, keeping this looks good :)

>> Source/JavaScriptCore/wasm/WasmB3IRGenerator.cpp:2273
>> +    Value* min = constant(Double, bitwise_cast<uint64_t>(static_cast<double>(std::numeric_limits<int32_t>::min()) - 1.0));
> 
> Ditto.

Ditto.
Comment 5 Yusuke Suzuki 2020-07-28 10:34:29 PDT 
Committed r264995: <https://trac.webkit.org/changeset/264995>