Branch: refs/heads/main
  Home:   https://github.com/WebKit/WebKit
  Commit: cf0e17e68442142b7024bcc21f4170a4c90c71fa
      
https://github.com/WebKit/WebKit/commit/cf0e17e68442142b7024bcc21f4170a4c90c71fa
  Author: Matt Oestreich <[email protected]>
  Date:   2025-09-30 (Tue, 30 Sep 2025)

  Changed paths:
    A JSTests/stress/math-random-inline-vs-non-inline-paths.js
    M Source/JavaScriptCore/jit/AssemblyHelpers.cpp

  Log Message:
  -----------
  [JSC] Math.random JIT path uses arithmetic instead of logical right shifts
https://bugs.webkit.org/show_bug.cgi?id=299242

Reviewed by Justin Michaud.

--SUMMARY--
This report concerns Math.random output when taking the JIT path.
Currently, state advancement in emitRandomThunkImpl uses arithmetic
right shifts (rshift64), whereas all other advancement paths use logical
right shifts.
[Source]: Source/JavaScriptCore/jit/AssemblyHelpers.cpp, line 847.

--REFERENCE IMPLEMENTATION--
WeakRandom::nextState uses the >> operator on a uint64_t, which performs
a logical shift.
[Source]: Source/WTF/wtf/WeakRandom.h, line 109.

--FTL LOWERING PATH--
compileArithRandom uses lShr (logical shift right).
[Source]: Source/JavaScriptCore/ftl/FTLLowerDFGToB3.cpp, line 3501.

--JIT PATH ((problem))--
emitRandomThunkImpl calls jit.rshift64, which emits SAR (arithmetic shift).
[Source]: Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h, line 5311.
By contrast, urshift64 emits SHR (logical shift), which matches the intended
semantics.
[Source]: Source/JavaScriptCore/assembler/MacroAssemblerX86_64.h, line 5350.

--IMPACT--
This discrepancy means that, when given the same seed, Math.random produces
different output depending on whether the JIT path is taken. The bug is not
immediately obvious because both arithmetic and logical right shifts still
generate values within the expected [0, 1) range, and the distribution may look
reasonable at a glance. However, the underlying state advancement diverges from
the intended algorithm, which leads to inconsistent and incorrect behavior
compared to other code paths.

Test: JSTests/stress/math-random-inline-vs-non-inline-paths.js

* JSTests/stress/math-random-inline-vs-non-inline-paths.js: Added.
(isEqualArr):
* Source/JavaScriptCore/jit/AssemblyHelpers.cpp:
(JSC::emitRandomThunkImpl):

Canonical link: https://commits.webkit.org/300785@main
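The commit message describes the divergence only in prose. The following C program is an added illustration (not code from the WebKit tree) of why an arithmetic right shift in a xorshift state update changes the output stream while every output still lands in [0, 1). It assumes, from general knowledge rather than from this page, that WTF::WeakRandom is xorshift128+ with the update `x ^= x << 23; x ^= x >> 17; x ^= y ^ (y >> 26)` and that the double is formed from the low 53 bits of `low + high`; the names `next_state_logical`, `next_state_arithmetic`, `sar64`, `advance`, `to_unit_double` and `count_divergent` are the example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Reference transition, assumed to match WTF::WeakRandom::nextState
 * (xorshift128+): every right shift is on uint64_t, hence logical (SHR). */
static uint64_t next_state_logical(uint64_t x, uint64_t y)
{
    x ^= x << 23;
    x ^= x >> 17;          /* logical: zero bits shift in from the left */
    x ^= y ^ (y >> 26);    /* logical */
    return x;
}

/* Portable 64-bit arithmetic right shift (what SAR does): when bit 63 of
 * the operand is set, the bits shifted in from the left are ones.
 * Written out explicitly rather than as (int64_t)v >> n so the behaviour
 * does not depend on the compiler's treatment of negative signed shifts. */
static uint64_t sar64(uint64_t v, unsigned n)
{
    uint64_t r = v >> n;
    if (v & (1ULL << 63))
        r |= ~0ULL << (64 - n);
    return r;
}

/* The defective transition the commit describes: the same xorshift update
 * but with the two right shifts emitted as arithmetic shifts. */
static uint64_t next_state_arithmetic(uint64_t x, uint64_t y)
{
    x ^= x << 23;
    x ^= sar64(x, 17);
    x ^= y ^ sar64(y, 26);
    return x;
}

struct weak_random { uint64_t low, high; };

/* Assumed advance(): rotate the two state words and feed in the new one;
 * the raw output is the sum of the two words (xorshift128+). */
static uint64_t advance(struct weak_random *r,
                        uint64_t (*next)(uint64_t, uint64_t))
{
    uint64_t x = r->low, y = r->high;
    r->low = y;
    r->high = next(x, y);
    return r->high + r->low;
}

/* Assumed conversion: low 53 bits scaled by 2^-53, always within [0, 1).
 * This is why the bug is not visible from the output range alone. */
static double to_unit_double(uint64_t v)
{
    return (double)(v & ((1ULL << 53) - 1)) * (1.0 / 9007199254740992.0);
}

/* Run both variants from the same seed and count how many of the first n
 * raw outputs differ. A non-zero count is the "same seed, different
 * Math.random output" symptom from the IMPACT section. */
static int count_divergent(uint64_t low, uint64_t high, int n)
{
    struct weak_random a = { low, high }, b = { low, high };
    int diverged = 0;
    for (int i = 0; i < n; i++) {
        uint64_t va = advance(&a, next_state_logical);
        uint64_t vb = advance(&b, next_state_arithmetic);
        if (va != vb)
            diverged++;
    }
    return diverged;
}

int main(void)
{
    /* Constructed seed with bit 63 set so the two shift kinds disagree. */
    uint64_t x = 1ULL << 63, y = 0;
    printf("logical    : %016llx -> %f\n",
           (unsigned long long)next_state_logical(x, y),
           to_unit_double(next_state_logical(x, y)));
    printf("arithmetic : %016llx -> %f\n",
           (unsigned long long)next_state_arithmetic(x, y),
           to_unit_double(next_state_arithmetic(x, y)));
    printf("divergent outputs in first 16: %d\n", count_divergent(x, y, 16));
    return 0;
}
```

With bit 63 clear in every intermediate value the two transitions agree, which is why a handful of spot checks can pass; once the high bit is set, the sign-extended shift flips up to 17 (or 26) state bits and the sequences never reconcile.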