runtime: off-by-one-error in wasmTruncS and wasmTruncU causes a crash

[evanw]

What version of Go are you using (go version)?

$ go version
go version go1.14.2 darwin/amd64

Does this issue reproduce with the latest release?

Yes, this is the latest release.

What operating system and processor architecture are you using (go env)?

go env Output

$ go env
GO111MODULE=""
GOARCH="amd64"
GOBIN=""
GOCACHE="/Users/evan/Library/Caches/go-build"
GOENV="/Users/evan/Library/Application Support/go/env"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="darwin"
GOINSECURE=""
GONOPROXY=""
GONOSUMDB=""
GOOS="darwin"
GOPATH="/Users/evan/go"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/darwin_amd64"
GCCGO="gccgo"
AR="ar"
CC="clang"
CXX="clang++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=/var/folders/j6/np400cw17sz0n5ljd67byrzw0000gn/T/go-build935434891=/tmp/go-build -gno-record-gcc-switches -fno-common"

What did you do?

This is a reduced test case from a real-world issue: evanw/esbuild#83.

The contents of main.go:

package main

import (
  "fmt"
  "os"
  "strconv"
)

func main() {
  value, err := strconv.ParseFloat(os.Args[1], 64)
  if err != nil {
    panic(err)
  }
  fmt.Println(int64(value))
  fmt.Println(uint64(value))
}

Compile with this:

GOOS=js GOARCH=wasm go build -o main.wasm main.go

Run with this, where [number] is the number to test:

/usr/local/go/misc/wasm/go_js_wasm_exec main.wasm [number]

What did you expect to see?

This program should never crash.

What did you see instead?

This program crashes on the following inputs:

• 9223372036854776000 (i.e. 0x7fff_ffff_ffff_ffff) for the cast to int64 (i.e. runtime.wasmTruncS)
• 18446744073709552000 (i.e. 0xffff_ffff_ffff_ffff) for the cast to unt64 (i.e. runtime.wasmTruncU)

I believe the problem is that these runtime functions check their upper bounds with F64Gt (greater than) but they should check with F64Ge (greater than or equal to) instead.

The problem is that these values are outside the range where 64-bit floats can represent every integer, so 0x7fff_ffff_ffff_ffff is the same floating-point value as 0x8000_0000_0000_0000 (and many other nearby integers). Basically many integers both inside and outside the range map to that same floating-point value. It looks like all major JavaScript VMs consider that floating-point value outside the range and throw an exception.

The check for the lower bounds appears to be correct.

[randall77]

I'd say the constant in that code (runtime.wasmTrunc{S,U}) is really the problem. The constant is written as an integer, but is converted to a float by the assembler. It is rounded up when converted to a float.

So yes, changing to >= would work. But really we should write a constant that's exactly representable in floating point, and use >.

I believe that constant is 0x7ffffffffffffc00 for signed and 0xfffffffffffff800 for unsigned. Proof:

package main

import "fmt"

func main() {
	for i := int64(1<<63 - 1); i >= 0; i-- {
		f := float64(i)
		x := int64(f)
		if x != -1<<63 {
			fmt.Printf("%x %x\n", i, x)
			break
		}
	}
	for i := uint64(1<<64 - 1); i >= 0; i-- {
		f := float64(i)
		x := uint64(f)
		if x != 1<<63 {
			fmt.Printf("%x %x\n", i, x)
			break
		}
	}
}

We should double-check the less than condition in wasmTruncS also.

[randall77]

@neelance

[gopherbot]

Change https://golang.org/cl/231837 mentions this issue: runtime: use correct truncated constants for float conversion