[Webkit-unassigned] [Bug 201634] New: [JSC] 32bit bitwide operation with all-one (-1) is wrong in B3

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Mon Sep 9 23:50:06 PDT 2019


https://bugs.webkit.org/show_bug.cgi?id=201634

            Bug ID: 201634
           Summary: [JSC] 32bit bitwide operation with all-one (-1) is
                    wrong in B3
           Product: WebKit
           Version: WebKit Nightly Build
          Hardware: Unspecified
                OS: Unspecified
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: JavaScriptCore
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: ysuzuki at apple.com

    // Turn this: BitAnd(value, all-ones)
    // Into this: value.
    if ((m_value->type() == Int64 && m_value->child(1)->isInt(std::numeric_limits<uint64_t>::max()))
        || (m_value->type() == Int32 && m_value->child(1)->isInt(std::numeric_limits<uint32_t>::max()))) {
        replaceWithIdentity(m_value->child(0));
        break;
    }

B3::Value::isInt is 

    inline bool Value::isInt(int64_t value) const
    {
        return hasInt() && asInt() == value;
    }

And B3::Value::asInt is

    inline int64_t Value::asInt() const
    {
        return hasInt32() ? asInt32() : asInt64();
    }

So UINT32_MAX becomes `static_cast<int64_t>(UINT32_MAX)` (not -1), which is then compared with -1 in `asInt() == value`, and the result is false!
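A stand-alone model of the comparison described in the report, added here as an example and not taken from WebKit. `ConstValue` and the `matches...` helpers are hypothetical names; `asInt()`/`isInt()` follow the bodies quoted above, and the unsigned comparison is one possible correction, not necessarily the change WebKit made.

```cpp
#include <cstdint>
#include <cstdio>
#include <limits>

// Simplified stand-in for a B3 integer constant (assumption: only the
// Int32/Int64 distinction matters for this check).
struct ConstValue {
    bool is32;     // true: Int32 constant, false: Int64 constant
    int64_t bits;  // payload; an Int32 payload is read back sign-extended

    bool hasInt32() const { return is32; }
    int32_t asInt32() const { return static_cast<int32_t>(bits); }
    int64_t asInt64() const { return bits; }
    int64_t asInt() const { return hasInt32() ? asInt32() : asInt64(); }
    bool isInt(int64_t value) const { return asInt() == value; }
};

// Int32 arm as quoted: uint32_t max widens to int64_t 4294967295,
// while asInt() for an all-ones Int32 constant yields -1.
bool matchesAllOnes32AsReported(const ConstValue& c)
{
    return c.hasInt32() && c.isInt(std::numeric_limits<uint32_t>::max());
}

// Int64 arm as quoted: uint64_t max converts to int64_t -1, so it matches.
bool matchesAllOnes64AsReported(const ConstValue& c)
{
    return !c.hasInt32() && c.isInt(std::numeric_limits<uint64_t>::max());
}

// Width-aware variant: compare the 32-bit payload as unsigned 32-bit.
bool matchesAllOnes32(const ConstValue& c)
{
    return c.hasInt32()
        && static_cast<uint32_t>(c.asInt32()) == std::numeric_limits<uint32_t>::max();
}

int main()
{
    ConstValue allOnes32{true, -1};   // constructed sample: Int32 constant -1
    ConstValue allOnes64{false, -1};  // constructed sample: Int64 constant -1
    std::printf("Int32 as reported: %d\n", matchesAllOnes32AsReported(allOnes32));
    std::printf("Int64 as reported: %d\n", matchesAllOnes64AsReported(allOnes64));
    std::printf("Int32 width-aware: %d\n", matchesAllOnes32(allOnes32));
    return 0;
}
```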
