Bug 254626 - WasmBBQJIT I64Rotl incorrectly masks immediate to be less than 32
Summary: WasmBBQJIT I64Rotl incorrectly masks immediate to be less than 32
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: WebAssembly
Version: WebKit Nightly Build
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: David Degazio
Keywords: InRadar
Reported: 2023-03-28 16:22 PDT by David Degazio
Modified: 2023-03-29 10:19 PDT
Description David Degazio 2023-03-28 16:22:30 PDT
rdar://107028963

The current implementation of I64Rotl in WasmBBQJIT calls the trustedImm32ForShift() function in MacroAssembler when the shift amount is a constant. This function is, however, specifically designed for 32-bit shifts, and just masks the amount to the bottom 5 bits. This means rotating left by any amount greater than 31 is likely to yield an incorrect result. We can fix this by directly constructing the TrustedImm32 for the instruction rather than calling the function - on ARM we mask the value anyway to the bottom 6 bits in relevant instructions, and on x86 it's at most a 1 byte immediate, so the risk of an untrustworthy value here is particularly minor.
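The following is an added illustration of the defect described in this report; it is not WebKit code and does not model the JIT itself. It compares a reference 64-bit rotate-left, which takes the rotate count modulo 64 as wasm `i64.rotl` requires, against a version whose constant count is masked to 5 bits the way a 32-bit shift helper would do, and lists the counts for which the two disagree. The sample operand is constructed.

```python
# Added illustration of the bug described above (not WebKit code): a 64-bit
# rotate-left whose constant shift amount is masked to 5 bits (as a 32-bit
# shift helper would do) versus the correct 6-bit mask that wasm i64.rotl uses.

MASK64 = (1 << 64) - 1


def rotl64(value: int, amount: int) -> int:
    """Reference i64.rotl: the rotate count is taken modulo 64."""
    value &= MASK64
    n = amount & 63
    return ((value << n) | (value >> (64 - n))) & MASK64


def rotl64_masked_to_5_bits(value: int, amount: int) -> int:
    """Model of the defect: the immediate is masked to the bottom 5 bits,
    so any count >= 32 is silently replaced by (count - 32)."""
    value &= MASK64
    n = amount & 31          # the 32-bit shift helper's mask, wrong for i64
    return ((value << n) | (value >> (64 - n))) & MASK64


def mismatching_counts(value: int) -> list:
    """Return every rotate count in 0..63 for which the 5-bit-masked
    version disagrees with the reference rotate."""
    return [k for k in range(64)
            if rotl64(value, k) != rotl64_masked_to_5_bits(value, k)]


if __name__ == "__main__":
    v = 0x0123456789ABCDEF   # constructed sample operand
    print(f"counts where the 5-bit mask gives a wrong result for {v:#x}:")
    print(mismatching_counts(v))
    # Operands that are invariant under rotation (0, all-ones, or a value
    # whose high and low 32 bits are equal) hide the defect entirely, which
    # is why a small constant-driven test can miss it.
    print("all-ones operand mismatches:", mismatching_counts(MASK64))
```

Running the script shows that for a typical operand every count from 32 to 63 produces a wrong result under the 5-bit mask, while operands such as 0 or all-ones rotate to themselves and so never expose the bug; a regression test for this kind of fix therefore needs an operand whose two 32-bit halves differ.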
Comment 1 David Degazio 2023-03-28 16:51:49 PDT
Pull request: https://github.com/WebKit/WebKit/pull/12085
Comment 2 EWS 2023-03-29 10:19:08 PDT
Committed 262279@main (fb2d9bc1e820): <https://commits.webkit.org/262279@main>

Reviewed commits have been landed. Closing PR #12085 and removing active labels.