Bug 254626 - RESOLVED FIXED
WasmBBQJIT I64Rotl incorrectly masks immediate to be less than 32
https://bugs.webkit.org/show_bug.cgi?id=254626
David Degazio
Reported 2023-03-28 16:22:30 PDT
rdar://107028963

The current implementation of I64Rotl in WasmBBQJIT calls the trustedImm32ForShift() function in MacroAssembler when the shift amount is a constant. This function is, however, specifically designed for 32-bit shifts, and just masks the amount to the bottom 5 bits. This means rotating left by any amount greater than 31 is likely to yield an incorrect result. We can fix this by directly constructing the TrustedImm32 for the instruction rather than calling the function - on ARM we mask the value anyway to the bottom 6 bits in relevant instructions, and on x86 it's at most a 1-byte immediate, so the risk of an untrustworthy value here is particularly minor.
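The masking mismatch the report describes, as an added illustration that is not part of the bug report or of WebKit's source. The functions below are hypothetical models of the two lowerings (5-bit mask versus 6-bit mask of a constant rotate amount) checked against the Wasm i64.rotl reference semantics; the sample inputs are constructed. It goes slightly beyond the report by showing which inputs hide the bug: a value whose high and low 32 bits are equal is invariant under rotation by 32, so the 5-bit mask produces the right answer for it by accident.

```cpp
#include <cstdint>
#include <cstdio>

// Added illustration, not WebKit source. Models the masking mismatch in the
// report: a 32-bit shift helper keeps the low 5 bits of a constant shift
// amount, while a 64-bit rotate needs the low 6 bits.

// 32-bit style mask (what a trustedImm32ForShift-like helper applies): k mod 32.
static inline unsigned maskShiftAmount32(uint64_t k) { return static_cast<unsigned>(k & 31); }

// 64-bit style mask (what ARM64 and x86-64 apply to a 64-bit shift count): k mod 64.
static inline unsigned maskShiftAmount64(uint64_t k) { return static_cast<unsigned>(k & 63); }

// Rotate a 64-bit value left by an already-masked count in [0, 63].
static inline uint64_t rotl64ByMasked(uint64_t x, unsigned r) {
    return r == 0 ? x : (x << r) | (x >> (64 - r));
}

// Reference semantics of Wasm i64.rotl: rotate left by k mod 64.
uint64_t rotl64Spec(uint64_t x, uint64_t k) { return rotl64ByMasked(x, maskShiftAmount64(k)); }

// Hypothetical model of the pre-fix lowering of a constant amount: 5-bit mask, then rotate.
uint64_t rotl64Buggy(uint64_t x, uint64_t k) { return rotl64ByMasked(x, maskShiftAmount32(k)); }

// Hypothetical model of the fixed lowering: 6-bit mask, then rotate.
uint64_t rotl64Fixed(uint64_t x, uint64_t k) { return rotl64ByMasked(x, maskShiftAmount64(k)); }

// Differential check over constant amounts in [0, 128): returns the first k
// where the buggy lowering disagrees with the spec, or -1 if none. -1 is
// possible: inputs whose high and low 32 bits are equal are invariant under
// rotation by 32, so the 5-bit mask never changes their result.
int firstDivergence(uint64_t x) {
    for (uint64_t k = 0; k < 128; ++k)
        if (rotl64Buggy(x, k) != rotl64Spec(x, k)) return static_cast<int>(k);
    return -1;
}

// Confirms the fixed lowering matches the spec for every amount in [0, 128).
bool fixedMatchesSpec(uint64_t x) {
    for (uint64_t k = 0; k < 128; ++k)
        if (rotl64Fixed(x, k) != rotl64Spec(x, k)) return false;
    return true;
}

int main() {
    // Constructed sample inputs: asymmetric values expose the bug at k = 32,
    // the 32-bit-periodic value 0x0000000100000001 hides it.
    const uint64_t samples[] = { 1ULL, 0x0000000100000001ULL, 0xDEADBEEF00000001ULL };
    for (uint64_t x : samples) {
        printf("x=0x%016llx  first divergence of 5-bit mask: %d  6-bit mask matches spec: %s\n",
               (unsigned long long)x, firstDivergence(x), fixedMatchesSpec(x) ? "yes" : "no");
    }
    printf("i64.rotl(1, 33): spec=0x%llx buggy=0x%llx\n",
           (unsigned long long)rotl64Spec(1, 33), (unsigned long long)rotl64Buggy(1, 33));
    return 0;
}
```

When hunting for this class of bug in a JIT, the differential loop is the useful part: drive every constant amount in [0, 2*width) through the lowering and the reference semantics on an asymmetric input, since symmetric inputs can mask a wrong shift-count mask.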
David Degazio
Comment 1 2023-03-28 16:51:49 PDT
EWS
Comment 2 2023-03-29 10:19:08 PDT
Committed 262279@main (fb2d9bc1e820): <https://commits.webkit.org/262279@main>

Reviewed commits have been landed. Closing PR #12085 and removing active labels.