Bug 269729 - BBQ JIT wrongly emits asr instruction for I{32,64}DivU
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Nobody
Keywords: InRadar
Reported: 2024-02-19 10:26 PST by Marcus Plutowski
Modified: 2024-02-19 16:42 PST

Description Marcus Plutowski 2024-02-19 10:26:45 PST
rdar://120840889

When JIT'ing the bytecode for `i64.div_u`, BBQ emits an `asr` arm64 instruction for the ultimate division, which, while correct in cases where the lhs operand is positive, produces an incorrect (i.e. signed) result when that operand is negative. E.g. `(i64.div_u (local.get 1) (i64.const 2))` produces:

```
    [ 0xf] GetLocal
        <124> 0x10d05807c:    ldur    x1, [fp, #-16]
    [0x11] I64Cons
    [0x13] I64DivU
        <128> 0x10d058080:    asr     x1, x1, #1
```

If the local is e.g. -2 (0xFFFFFFFFFFFFFFFE), this results in -1 (0xFFFFFFFFFFFFFFFF), but since we're doing an unsigned division it should properly return INT64_MAX (0x7FFFFFFFFFFFFFFF).
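
The mismatch described above can be reproduced outside the JIT with a small differential check. This is an added example, not WebKit's code or its fix; the helper names (`asr64`, `lsr64`, `count_divu_mismatches`) and the operand list are constructed for illustration. It compares a shift-based lowering of unsigned division by 2^n against the reference `x / 2^n`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Logical shift right (arm64 lsr): zero-fills the vacated high bits. */
static uint64_t lsr64(uint64_t x, unsigned n) { return x >> n; }

/* Arithmetic shift right (arm64 asr), modelled portably on unsigned bits:
   the vacated high bits are filled with copies of bit 63. Valid for n in 0..63. */
static uint64_t asr64(uint64_t x, unsigned n) {
    uint64_t sign_fill = (x >> 63) ? ~(UINT64_MAX >> n) : 0;
    return (x >> n) | sign_fill;
}

typedef uint64_t (*shift_fn)(uint64_t, unsigned);

/* Constructed operands around the sign-bit boundary (not from the bug report,
   except 0xFFFFFFFFFFFFFFFE, which is the report's own example). */
static const uint64_t kOperands[] = {
    0, 1, 2,
    UINT64_C(0x7FFFFFFFFFFFFFFF), UINT64_C(0x8000000000000000),
    UINT64_C(0xFFFFFFFFFFFFFFFE), UINT64_C(0xFFFFFFFFFFFFFFFF),
};

/* Differential check: count operands for which the candidate lowering
   `lower(x, n)` disagrees with true unsigned division x / 2^n. */
size_t count_divu_mismatches(shift_fn lower, unsigned n) {
    size_t bad = 0;
    for (size_t i = 0; i < sizeof kOperands / sizeof kOperands[0]; i++) {
        uint64_t x = kOperands[i];
        uint64_t expected = x / (UINT64_C(1) << n);
        if (lower(x, n) != expected)
            bad++;
    }
    return bad;
}

int main(void) {
    printf("asr mismatches for /2: %zu\n", count_divu_mismatches(asr64, 1));
    printf("lsr mismatches for /2: %zu\n", count_divu_mismatches(lsr64, 1));
    return 0;
}
```

Every operand with bit 63 set fails under the arithmetic shift, which is why a test suite that only divides small positive values would not catch this class of miscompile.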
Comment 1 Marcus Plutowski 2024-02-19 11:55:05 PST
Pull request: https://github.com/WebKit/WebKit/pull/24760
Comment 2 EWS 2024-02-19 16:41:30 PST
Committed 275011@main (3ee7e4fc30fd): <https://commits.webkit.org/275011@main>

Reviewed commits have been landed. Closing PR #24760 and removing active labels.
Comment 3 Radar WebKit Bug Importer 2024-02-19 16:42:14 PST
<rdar://problem/123277034>