Bug 265581

Summary: Compare exchange instruction doesn't overwrite value if highest bit is set
Product: WebKit
Reporter: laurmaedje
Component: WebAssembly
Assignee: Nobody <webkit-unassigned>
Status: RESOLVED DUPLICATE
Severity: Major
CC: justin_michaud, karlcow, keith_miller, mark.lam, mike, webkit-bug-importer
Priority: P2
Keywords: BrowserCompat, InRadar
Version: Safari 17
Hardware: Mac (Apple Silicon)
OS: macOS 14
Attachments:
  A minimal reproduction of the bug. (Flags: none)

Description laurmaedje 2023-11-30 08:40:17 PST
Created attachment 468823 [details]
A minimal reproduction of the bug.

The atomic.rmw.cmpxchg family of instructions doesn't overwrite the target value when the current value to check for has the highest bit set. If the highest bit isn't set, the instructions work as expected.

The code below demonstrates the bug:

```wat
(module
  (import "env" "memory" (memory 1 1 shared))
  (func $demo (result i32)
    (i32.atomic.rmw.cmpxchg   ;; overwrite memory slot 0 if it is zero
      (i32.const 0)           ;; address
      (i32.const 0)           ;; current
      (i32.const 2147483648)) ;; new
    drop                      ;; ignore output
    (i32.atomic.rmw.cmpxchg   ;; overwrite memory slot 0 if it is 2147483648
      (i32.const 0)           ;; address
      (i32.const 2147483648)  ;; current
      (i32.const 1))          ;; new
    drop                      ;; ignore output
    i32.const 0               ;; address
    i32.load                  ;; read memory slot 0
  )
  (export "demo" (func $demo))
)
```

Safari outputs -2147483648 here, while Chrome and Firefox output 1. If 2147483648 is changed to 2147483647, things work as expected.

For a complete minimal reproduction, see the attached ZIP file or the repository linked below:
https://github.com/laurmaedje/safari-atomic-bug
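The reporter's module, hand-assembled into WebAssembly binary and run from plain JavaScript so the result can be checked on any engine without a wat toolchain. This is an added example, not the attachment's or WebKit's code; the LEB128 helpers, the byte layout and the Atomics reference function are assumptions of this example, and it runs in Node or a browser with shared memory enabled.

```javascript
// Added example (not from the bug report): the reporter's wasm module as raw bytes.
// A conforming engine returns 1; an engine with the reported bug returns -2147483648.
function uleb(n) { const out = []; do { let b = n & 0x7f; n >>>= 7; if (n) b |= 0x80; out.push(b); } while (n); return out; }
function sleb32(v) {                      // signed LEB128 of a 32-bit integer
  v |= 0; const out = [];
  for (;;) {
    const b = v & 0x7f; v >>= 7;
    const done = (v === 0 && !(b & 0x40)) || (v === -1 && !!(b & 0x40));
    out.push(done ? b : b | 0x80);
    if (done) return out;
  }
}
function str(s) { const b = [...new TextEncoder().encode(s)]; return [...uleb(b.length), ...b]; }
function section(id, body) { return [id, ...uleb(body.length), ...body]; }
const i32c = v => [0x41, ...sleb32(v)];   // i32.const
const CMPXCHG = [0xfe, 0x48, 0x02, 0x00]; // i32.atomic.rmw.cmpxchg, 4-byte alignment, offset 0
const I32_LOAD = [0x28, 0x02, 0x00];      // i32.load, 4-byte alignment, offset 0
const DROP = 0x1a, END = 0x0b;
const HIGH_BIT = 0x80000000;              // 2147483648 in the report; -2147483648 as signed i32

const body = [0x00,                                               // no locals
  ...i32c(0), ...i32c(0), ...i32c(HIGH_BIT), ...CMPXCHG, DROP,    // slot 0: 0 -> 0x80000000
  ...i32c(0), ...i32c(HIGH_BIT), ...i32c(1), ...CMPXCHG, DROP,    // slot 0: 0x80000000 -> 1
  ...i32c(0), ...I32_LOAD, END];                                  // return slot 0
const MODULE_BYTES = new Uint8Array([
  0x00, 0x61, 0x73, 0x6d, 0x01, 0x00, 0x00, 0x00,                                   // magic + version
  ...section(1, [0x01, 0x60, 0x00, 0x01, 0x7f]),                                     // type 0: () -> i32
  ...section(2, [0x01, ...str('env'), ...str('memory'), 0x02, 0x03, 0x01, 0x01]),    // shared memory 1..1
  ...section(3, [0x01, 0x00]),                                                       // func 0 has type 0
  ...section(7, [0x01, ...str('demo'), 0x00, 0x00]),                                 // export "demo"
  ...section(10, [0x01, ...uleb(body.length), ...body]),
]);

// Runs the demo as the report does: fresh shared memory, slot 0 starts at zero.
function runWasmDemo() {
  const memory = new WebAssembly.Memory({ initial: 1, maximum: 1, shared: true });
  const instance = new WebAssembly.Instance(new WebAssembly.Module(MODULE_BYTES), { env: { memory } });
  return instance.exports.demo();
}

// The same two exchanges through JavaScript's Atomics: the comparison is on the 32-bit
// pattern, so the second exchange must succeed and leave 1 in the slot.
function runAtomicsReference() {
  const i32 = new Int32Array(new SharedArrayBuffer(4));
  Atomics.compareExchange(i32, 0, 0, HIGH_BIT | 0);
  Atomics.compareExchange(i32, 0, HIGH_BIT | 0, 1);
  return i32[0];
}

console.log('wasm:', runWasmDemo(), 'atomics:', runAtomicsReference()); // 1 and 1 on a correct engine
```

If the two printed values differ, the engine under test mishandles cmpxchg with the high bit set, which is exactly the compatibility gap the report describes.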
Comment 1 Radar WebKit Bug Importer 2023-12-02 11:31:24 PST
<rdar://problem/119076730>
Comment 2 Justin Michaud 2023-12-04 15:06:49 PST
I confirmed this was fixed in https://github.com/WebKit/WebKit/pull/19889

Thanks for the nice repro case!
Comment 3 Justin Michaud 2023-12-04 15:07:13 PST

*** This bug has been marked as a duplicate of bug 263292 ***