
incorrect result with unsigned right shift operator

Open. frto027 opened this issue 3 years ago (1 comment)

This PoC will output different results in the JIT compiler.

function test2(a) {
  if ((a | 0) >>> 0 > (11569 | -29007) >>> 0)
    return true;
  else
    return false;
}

for (var i = 0; i < 10; i++) {
  print(test2(-1))
}

Run with this command on the current master branch (commit 41ad58a9eebf8d52a83424c8fccfaacdb14105ec):

Build\VcBuild\bin\x64_debug\ch.exe test.js -bgjit- -mic:5 -off:simplejit

output:

true
true
true
true
true
false
false
false
false
false

frto027, Jul 26 '22 13:07

Minor simplification of the PoC:

function test2(a) {
  if (a >>> 0 > -2 >>> 0)
    return true;
  else
    return false;
}

for (var i = 0; i < 10; i++) {
  print(test2(-1))
}

The bug repros with the fulljit only, not the simplejit.

Also does not repro with any further simplifications of the above; it seems to be an issue involving an invalid optimisation of an if statement, possibly to do with when the if's condition includes a calculation of a value larger than 2^31.

rhuanjl, Sep 28 '22 21:09