Bug 265581: RESOLVED DUPLICATE of bug 263292
Compare exchange instruction doesn't overwrite value if highest bit is set
https://bugs.webkit.org/show_bug.cgi?id=265581
laurmaedje
Reported 2023-11-30 08:40:17 PST
Created attachment 468823
A minimal reproduction of the bug.

The atomic.rmw.cmpxchg family of instructions don't overwrite the target value when the current value to check for has the highest bit set. If the highest bit isn't set, they work as expected. The code below demonstrates the bug:

```
(module
  (import "env" "memory" (memory 1 1 shared))
  (func $demo (result i32)
    (i32.atomic.rmw.cmpxchg ;; overwrite memory slot 0 if it is zero
      (i32.const 0) ;; address
      (i32.const 0) ;; current
      (i32.const 2147483648)) ;; new
    drop ;; ignore output
    (i32.atomic.rmw.cmpxchg ;; overwrite memory slot 0 if it is 2147483648
      (i32.const 0) ;; address
      (i32.const 2147483648) ;; current
      (i32.const 1)) ;; new
    drop ;; ignore output
    i32.const 0 ;; address
    i32.load ;; read memory slot 0
  )
  (export "demo" (func $demo))
)
```

Safari outputs -2147483648 here, while Chrome and Firefox output 1. If 2147483648 is changed to 2147483647, things work as expected.

For a complete minimal reproduction, see the attached ZIP file or the repository linked below:
https://github.com/laurmaedje/safari-atomic-bug
Attachments
A minimal reproduction of the bug. (47.79 KB, application/zip)
2023-11-30 08:40 PST, laurmaedje
no flags
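A harness for the module in the report above, as an added example that is not part of the original report or its attachment: the byte array is a hand-assembled encoding of that module, and `runWasmDemo`, `runAtomicsReference` and `classify` are names chosen here. It runs the two compare-exchanges through WebAssembly and through JS `Atomics` on an `Int32Array`, where 2147483648 is the bit pattern 0x80000000 and reads back as -2147483648.

```javascript
// Added example. wasmBytes is a hand-assembled encoding of the report's module
// (constructed here, not taken from the attachment).
const HIGH_BIT = 0x80000000 | 0; // -2147483648: the i32 view of 2147483648
const CONST_HIGH = [0x41, 0x80, 0x80, 0x80, 0x80, 0x78]; // i32.const 0x80000000 (SLEB128)
const CMPXCHG = [0xfe, 0x48, 0x02, 0x00]; // i32.atomic.rmw.cmpxchg, align 2^2, offset 0
const body = [
  0x00,                                    // no locals
  0x41, 0x00, 0x41, 0x00, ...CONST_HIGH,   // address 0, current 0, new 0x80000000
  ...CMPXCHG, 0x1a,                        // cmpxchg, drop
  0x41, 0x00, ...CONST_HIGH, 0x41, 0x01,   // address 0, current 0x80000000, new 1
  ...CMPXCHG, 0x1a,                        // cmpxchg, drop
  0x41, 0x00, 0x28, 0x02, 0x00,            // i32.const 0, i32.load
  0x0b,                                    // end
];
const wasmBytes = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,              // magic, version 1
  0x01, 0x05, 0x01, 0x60, 0x00, 0x01, 0x7f,                    // type: () -> i32
  0x02, 0x10, 0x01, 0x03, 0x65, 0x6e, 0x76,                    // import "env"
  0x06, 0x6d, 0x65, 0x6d, 0x6f, 0x72, 0x79, 0x02, 0x03, 0x01, 0x01, // "memory", shared, 1..1 pages
  0x03, 0x02, 0x01, 0x00,                                      // one function of type 0
  0x07, 0x08, 0x01, 0x04, 0x64, 0x65, 0x6d, 0x6f, 0x00, 0x00,  // export "demo"
  0x0a, body.length + 2, 0x01, body.length, ...body,           // code section
]);

// Instantiate against a fresh shared memory and return what demo() reads back.
function runWasmDemo() {
  const memory = new WebAssembly.Memory({ initial: 1, maximum: 1, shared: true });
  const module = new WebAssembly.Module(wasmBytes);
  return new WebAssembly.Instance(module, { env: { memory } }).exports.demo();
}

// The same two steps through JS Atomics, as an engine-independent cross-check.
function runAtomicsReference() {
  const cell = new Int32Array(new SharedArrayBuffer(4));
  Atomics.compareExchange(cell, 0, 0, HIGH_BIT); // slot is 0, so it becomes 0x80000000
  Atomics.compareExchange(cell, 0, HIGH_BIT, 1); // slot matches, so it becomes 1
  return Atomics.load(cell, 0);
}

// Map a result onto the outcomes named in the report.
function classify(result) {
  if (result === 1) return "ok";
  if (result === HIGH_BIT) return "second cmpxchg did not store";
  return "unexpected";
}

console.log("wasm:", classify(runWasmDemo()), "atomics:", classify(runAtomicsReference()));
```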
Radar WebKit Bug Importer
Comment 1 2023-12-02 11:31:24 PST
Justin Michaud
Comment 2 2023-12-04 15:06:49 PST
I confirmed this was fixed in https://github.com/WebKit/WebKit/pull/19889

Thanks for the nice repro case!
Justin Michaud
Comment 3 2023-12-04 15:07:13 PST
*** This bug has been marked as a duplicate of bug 263292 ***