Bug 254626

Summary: WasmBBQJIT I64Rotl incorrectly masks immediate to be less than 32
Product: WebKit    Reporter: David Degazio <d_degazio>
Component: WebAssembly    Assignee: David Degazio <d_degazio>
Status: RESOLVED FIXED
Severity: Normal    CC: webkit-bug-importer
Priority: P2    Keywords: InRadar
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified

Description David Degazio 2023-03-28 16:22:30 PDT
rdar://107028963

The current implementation of I64Rotl in WasmBBQJIT calls the trustedImm32ForShift() function in MacroAssembler when the shift amount is a constant. This function is, however, specifically designed for 32-bit shifts, and just masks the amount to the bottom 5 bits. This means rotating left by any amount greater than 31 is likely to yield an incorrect result. We can fix this by directly constructing the TrustedImm32 for the instruction rather than calling the function - on ARM we mask the value anyway to the bottom 6 bits in relevant instructions, and on x86 it's at most a 1 byte immediate, so the risk of an untrustworthy value here is particularly minor.
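The following is an added example, not WebKit code, that models the defect described above: a reference wasm i64.rotl (rotation count reduced modulo 64, i.e. masked to the low 6 bits) next to a variant that masks the count as a 32-bit shift helper would (low 5 bits). The function names are hypothetical; the sample value is constructed. Counts in 0..31 agree, while counts such as 32 or 33 silently become 0 or 1 under the 5-bit mask and produce a different result.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Reference semantics of wasm i64.rotl: the rotate count is taken
   modulo 64, i.e. only the low 6 bits are significant. (Hypothetical helper.) */
static uint64_t rotl64_correct(uint64_t value, uint64_t count) {
    unsigned n = (unsigned)(count & 63u);   /* low 6 bits */
    if (n == 0)
        return value;                       /* avoid shifting by 64 (UB in C) */
    return (value << n) | (value >> (64u - n));
}

/* Models the bug in the report: the immediate is masked as for a 32-bit
   shift (low 5 bits), so counts >= 32 are reduced to count - 32. */
static unsigned mask_as_32bit_shift(uint64_t count) {
    return (unsigned)(count & 31u);         /* low 5 bits only */
}

/* Same rotate, but fed the wrongly masked count. (Hypothetical helper.) */
static uint64_t rotl64_with_32bit_mask(uint64_t value, uint64_t count) {
    unsigned n = mask_as_32bit_shift(count);
    if (n == 0)
        return value;
    return (value << n) | (value >> (64u - n));
}

/* Returns 1 when the reference and the mis-masked variant disagree
   for this (value, count) pair, 0 otherwise. */
static int mismatch(uint64_t value, uint64_t count) {
    return rotl64_correct(value, count) != rotl64_with_32bit_mask(value, count);
}

int main(void) {
    /* Constructed sample value; every bit pattern is distinct under rotation. */
    uint64_t v = 0x0123456789ABCDEFull;
    for (uint64_t c = 0; c < 128; c++) {
        if (mismatch(v, c)) {
            printf("count %3" PRIu64 ": correct %016" PRIx64 ", 5-bit-masked %016" PRIx64 "\n",
                   c, rotl64_correct(v, c), rotl64_with_32bit_mask(v, c));
        }
    }
    return 0;
}
```

Running it lists exactly the counts where the 5-bit mask changes the result (32..63 and 96..127 for this value); counts 0..31 and 64..95 happen to agree because both masks reduce them to the same low 5 bits, which is why a test suite that only rotates by small constants would not catch the defect.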
Comment 1 David Degazio 2023-03-28 16:51:49 PDT
Pull request: https://github.com/WebKit/WebKit/pull/12085
Comment 2 EWS 2023-03-29 10:19:08 PDT
Committed 262279@main (fb2d9bc1e820): <https://commits.webkit.org/262279@main>

Reviewed commits have been landed. Closing PR #12085 and removing active labels.