Fix js_math_imul
#356
Fix js_math_imul
#356
Conversation
chqrlie
commented
Apr 7, 2024
chqrlie
commented
- follow ECMA specification
- remove implementation defined signed conversion
- follow ECMA specification - remove implementation defined signed conversion
| * behavior but that's a step up from the undefined behavior it replaced. | ||
| */ | ||
| return js_int32((int64_t)a * (int64_t)b); | ||
| c = a * b; |
There was a problem hiding this comment.
It took me a while to figure out how this could possibly be correct but the trick is that JS_ToUint32 is just a call to JS_ToInt32 with the argument cast to int32_t * 🤦
I think we're in a state of sin^Wimplementation/undefined behavior here but okay, it's no worse than before.
There was a problem hiding this comment.
Yes that's correct. The correct solution is to implement JS_ToInt32 as a hack around JS_ToUint32 as specified in ECMA, not the other way around as is done right now.
There was a problem hiding this comment.
More specifically, JS_ToInt32 has this code with ret defined as int ret;:
ret = v >> 32;
/* take the #to account */
if (u.u64 >> 63)
if (ret != INT32_MIN)
ret = -ret;
For JS_ToUint32, with ret defined as uint32_t, the code could be made simpler and without implementation defined behavior:
uint32_t ret = v >> 32;
/* take the #to account */
if (u.u64 >> 63)
ret = -ret;
Or this branchless alternative:
uint32_t ret = v >> 32;
uint32_t sign = u.u64 >> 63;
ret = (ret ^ (-sign)) + sign;
