WebKit Bugzilla
RESOLVED FIXED
269509
Wrong chain F{32,64}Sub + F{32,64}Copysign when rhs is NaN in BBQ JIT mode
https://bugs.webkit.org/show_bug.cgi?id=269509
Marcus Plutowski
Reported
2024-02-15 14:09:28 PST
rdar://120780768
Tested on commit 9fb944e082ca85e9c509d60d879e898476822bd8. Below is the PoC:

```
// (module
//   (type (func (param f64) (result f64)))
//   (func (type 0) (local f64)
//     (local.set 1 (local.get 0))
//     (local.set 0 (f64.sub (local.get 0) (f64.const nan)))
//     (local.set 1 (f64.copysign (local.get 1) (local.get 0)))
//     (local.get 1)
//   )
//   (export "poc" (func 0))
// )
const wasm_code = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 6, 1, 96, 1, 124, 1, 124, 3, 2, 1, 0, 7, 7, 1, 3, 112, 111, 99, 0, 0, 10, 33, 1, 31, 1, 1, 124, 32, 0, 33, 1, 32, 0, 68, 0, 0, 0, 0, 0, 0, 248, 127, 161, 33, 0, 32, 1, 32, 0, 166, 33, 1, 32, 1, 11]);
try {
    const wasm_mod = new WebAssembly.Module(wasm_code);
    const wasm_instance = new WebAssembly.Instance(wasm_mod);
    let ret = undefined;
    // Call the export repeatedly so that it gets JIT-compiled.
    for (let i = 0; i < 10000; i++) {
        ret = wasm_instance.exports.poc(1234);
    }
    print(ret);
} catch (e) {
    print(e);
}
```

The result is different if it's JIT'ed on BBQ or not.

```
$ jsc --useConcurrentJIT=false --useBBQJIT=true --useOMGJIT=false ./poc.js
-1234
$ jsc --useWasmLLInt=true --useBBQJIT=false --useOMGJIT=false ./poc.js
1234
```
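A tier-consistency check built around the report's module, as an added example that is not part of the original report or of WebKit's own tests: it compares the raw bit pattern of each return value with the previous call's, so a result that changes once a JIT tier takes over shows up within a single run, including a `+0`/`-0` flip that `===` would miss. The helper names and every input other than 1234 are assumptions made for this example.

```javascript
// Module bytes copied unchanged from the PoC in the report above.
const WASM_BYTES = new Uint8Array([0, 97, 115, 109, 1, 0, 0, 0, 1, 6, 1, 96, 1, 124,
  1, 124, 3, 2, 1, 0, 7, 7, 1, 3, 112, 111, 99, 0, 0, 10, 33, 1, 31, 1, 1, 124,
  32, 0, 33, 1, 32, 0, 68, 0, 0, 0, 0, 0, 0, 248, 127, 161, 33, 0, 32, 1, 32, 0,
  166, 33, 1, 32, 1, 11]);

// Raw IEEE-754 bits of a double, so sign flips (even on zero) are visible.
const scratch = new DataView(new ArrayBuffer(8));
function bitsOf(x) {
  scratch.setFloat64(0, x);
  return scratch.getBigUint64(0);
}

// Hypothetical helper: calls poc(input) `calls` times on a fresh instance and
// records each call whose result bits differ from the previous call's.
function findDivergence(input, calls) {
  const instance = new WebAssembly.Instance(new WebAssembly.Module(WASM_BYTES));
  const changes = [];
  let previous = null;
  for (let i = 0; i < calls; i++) {
    const value = instance.exports.poc(input);
    const bits = bitsOf(value);
    if (previous !== null && bits !== previous) {
      changes.push({ call: i, value, bits: bits.toString(16) });
    }
    previous = bits;
  }
  return changes;
}

// Constructed inputs; only 1234 comes from the report. NaN is left out
// because JavaScript may canonicalize NaN payloads at the boundary.
const SAMPLE_INPUTS = [1234, -1234, 0, -0, 0.5, Infinity];

// Returns one entry per input; an empty `changes` list means every call
// returned the same bits regardless of which tier executed it.
function checkAll(calls = 10000) {
  return SAMPLE_INPUTS.map((input) => ({ input, changes: findDivergence(input, calls) }));
}

const log = typeof print === "function" ? print : console.log; // jsc shell or Node
for (const { input, changes } of checkAll()) {
  const shown = Object.is(input, -0) ? "-0" : String(input);
  log(`poc(${shown}): ` + (changes.length === 0 ? "consistent" : JSON.stringify(changes)));
}
```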
Marcus Plutowski
Comment 1
2024-02-15 15:16:58 PST
Pull request:
https://github.com/WebKit/WebKit/pull/24554
EWS
Comment 2
2024-02-16 23:04:06 PST
Committed 274910@main (5f1ac6454783): <https://commits.webkit.org/274910@main>

Reviewed commits have been landed. Closing PR #24554 and removing active labels.