From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from [87.239.111.99] (localhost [127.0.0.1]) by dev.tarantool.org (Postfix) with ESMTP id C1DF51A21C0C; Wed, 4 Mar 2026 10:37:52 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org C1DF51A21C0C DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=tarantool.org; s=dev; t=1772609872; bh=DE3T/4TxLzsTzhqhv6coG6MW5rFkFoIvPfcWdmywGcY=; h=Date:To:Cc:References:In-Reply-To:Subject:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From:Reply-To:From; b=jckMlPZv/Aaf43DymUsb2xRmdJAe7yFUBleQieg4/lhTM3Id6ZYqjINs2oa0DCiEu agc9nrkc+UaDvU8pUPR/DLCk3OL0X7T8Ejg9fKktY5nJ6JFxLIJezbhin9AtO9hd28 M0eOBRRbiDIwWmnUHN46+xcn6DMQ/uNRV+Ft4ItM= Received: from send220.i.mail.ru (send220.i.mail.ru [95.163.59.59]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by dev.tarantool.org (Postfix) with ESMTPS id 189EB1A21C0B for ; Wed, 4 Mar 2026 10:37:51 +0300 (MSK) DKIM-Filter: OpenDKIM Filter v2.11.0 dev.tarantool.org 189EB1A21C0B Received: by exim-smtp-558f87dcd7-7zsp2 with esmtpa (envelope-from ) id 1vxgnm-00000000Acz-0sGi; Wed, 04 Mar 2026 10:37:50 +0300 Content-Type: multipart/alternative; boundary="------------I0NoSAUvyJUzoChHH5DAFlMC" Message-ID: <4ec5bb78-26ca-4d2b-9d6f-d06c13a513c2@tarantool.org> Date: Wed, 4 Mar 2026 10:37:49 +0300 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Content-Language: en-US To: Sergey Kaplun Cc: tarantool-patches@dev.tarantool.org References: <6efe3fc943083c79b3f82b6246f0bd3cfa276d14.1772437706.git.skaplun@tarantool.org> In-Reply-To: <6efe3fc943083c79b3f82b6246f0bd3cfa276d14.1772437706.git.skaplun@tarantool.org> X-Mailru-Src: smtp X-4EC0790: 10 X-7564579A: EEAE043A70213CC8 X-77F55803: 4F1203BC0FB41BD93BBDFC146E677825A2E3520CE34A8AA43A57EA65009D56CD1313CFAB8367EF908E2BE116634AD74DB044396A481A089CC591814E25D11F9F5253A70AE8EC1B040D0795A1B116B9A1D6C07CA76FD93A9B X-7FA49CB5: FF5795518A3D127A4AD6D5ED66289B5278DA827A17800CE7FDE19FEC90BA7BD7C2099A533E45F2D0395957E7521B51C2CFCAF695D4D8E9FCEA1F7E6F0F101C6759CC434672EE6371C2A783ECEC0211ADC4224003CC836476D5A39DEEDB180909611E41BBFE2FEB2BED746E52CD160533FB766069550F3964CD7FD22DA28751E33C6527CE2D026F459FA2833FD35BB23D9E625A9149C048EE33AC447995A7AD1828451B159A507268D2E47CDBA5A96583BD4B6F7A4D31EC0BC014FD901B82EE079FA2833FD35BB23D27C277FBC8AE2E8B5FC25ED3FCEC3375A471835C12D1D977C4224003CC836476EB9C4185024447017B076A6E789B0E975F5C1EE8F4F765FCF858E60A7739E4253AA81AA40904B5D9CF19DD082D7633A0C84D3B47A649675F3AA81AA40904B5D98AA50765F7900637F3DF60C7B35BBE46D81D268191BDAD3D3666184CF4C3C14F3FC91FA280E0CE3D1A620F70A64A45A98AA50765F79006372E808ACE2090B5E1725E5C173C3A84C3C5EA940A35A165FF2DBA43225CD8A89FB26E97DCB74E62526D8C47C27EEC5E9FB5C8C57E37DE458BEDA766A37F9254B7 X-C1DE0DAB: 0D63561A33F958A5CBA6724DF00255C75002B1117B3ED696480E5CEE9F39A458B2920F75BA9A967F823CB91A9FED034534781492E4B8EEADA91A6E18C88C5E2F X-C8649E89: 1C3962B70DF3F0AD73CAD6646DEDE191716CD42B3DD1D34CAB70F9BE574AE9C625B6776AC983F447FC0B9F89525902EE6F57B2FD27647F25E66C117BDB76D659E721248F79022F52EF64040F2C7CC005A287D7FBF83FA0FAC86C88F42D1981436E2EF06B8B5A6536B8341EE9D5BE9A0A68D14ECBD7670940A626D9D813416B05A0E6B73F7078F7328CD93680B12512CF4C41F94D744909CE2512F26BEC029E55448553D2254B8D95CD72808BE417F3B9E0E7457915DAA85F X-D57D3AED: 3ZO7eAau8CL7WIMRKs4sN3D3tLDjz0dLbV79QFUyzQ2Ujvy7cMT6pYYqY16iZVKkSc3dCLJ7zSJH7+u4VD18S7Vl4ZUrpaVfd2+vE6kuoey4m4VkSEu53w8ahmwBjZKM/YPHZyZHvz5uv+WouB9+ObcCpyrx6l7KImUglyhkEat/+ysWwi0gdhEs0JGjl6ggRWTy1haxBpVdbIX1nthFXMZebaIdHP2ghjoIc/363UZI6Kf1ptIMVbwN8XFWZxQUtDEKc7/qZPs= X-Mailru-Sender: C4F68CFF4024C8867DFDF7C7F258845896998D89773295AC4825860F061DF2142A989763AC743D02BB7C3E8CC8FD7553645D15D82EE4B272BD6E4642A116CA93524AA66B5ACBE6721EF430B9A63E2A504198E0F3ECE9B5443453F38A29522196 X-Mras: Ok Subject: Re: [Tarantool-patches] [PATCH luajit 2/3] DUALNUM: Fix narrowing of unary minus. X-BeenThere: tarantool-patches@dev.tarantool.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Tarantool development patches List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , From: Sergey Bronnikov via Tarantool-patches Reply-To: Sergey Bronnikov Errors-To: tarantool-patches-bounces@dev.tarantool.org Sender: "Tarantool-patches" This is a multi-part message in MIME format. --------------I0NoSAUvyJUzoChHH5DAFlMC Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit Hi, Sergey, thanks for the patch! See my comments. Sergey On 3/2/26 10:52, Sergey Kaplun wrote: > From: Mike Pall > > Reported by Sergey Kaplun. > > (cherry picked from commit b1cd2f83b5d085bb71368b87c91a461be77d4364) > > `lj_opt_narrow_unm()` in the DUALNUM mode narrows doubles too > optimistic, missing 0 check. In that case, the narrowing of 0 is > incorrect. This leads to the assertion failure in `rec_check_slots()` > for the string obtained from the corresponding number. > > This patch fixes it by restricting the check of the given TValue. > > Sergey Kaplun: > * added the description and the test for the problem > > Part of tarantool/tarantool#12134 > --- > src/lj_opt_narrow.c | 4 +- > ...lj-1418-dualnum-narrowing-minus-0.test.lua | 49 +++++++++++++++++++ > 2 files changed, 51 insertions(+), 2 deletions(-) > create mode 100644 test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua > > diff --git a/src/lj_opt_narrow.c b/src/lj_opt_narrow.c > index 6b6f20d3..6e3e9533 100644 > --- a/src/lj_opt_narrow.c > +++ b/src/lj_opt_narrow.c > @@ -553,9 +553,9 @@ TRef lj_opt_narrow_unm(jit_State *J, TRef rc, TValue *vc) > rc = conv_str_tonum(J, rc, vc); > if (tref_isinteger(rc)) { > uint32_t k = (uint32_t)numberVint(vc); > - if ((LJ_DUALNUM || k != 0) && k != 0x80000000u) { > + if ((tvisint(vc) || k != 0) && k != 0x80000000u) { > TRef zero = lj_ir_kint(J, 0); > - if (!LJ_DUALNUM) > + if (!tvisint(vc)) > emitir(IRTGI(IR_NE), rc, zero); > return emitir(IRTGI(IR_SUBOV), zero, rc); > } > diff --git a/test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua b/test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua > new file mode 100644 > index 00000000..84f17953 > --- /dev/null > +++ b/test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua > @@ -0,0 +1,49 @@ > +local tap = require('tap') > + > +-- This test demonstrates LuaJIT's incorrect narrowing > +-- optimization in the DUALNUM mode for 0. > +-- See alsohttps://github.com/LuaJIT/LuaJIT/issues/1418. > + > +local test = tap.test('lj-1418-dualnum-narrowing-minus-0'):skipcond({ > + ['Test requires JIT enabled'] = not jit.status(), > +}) > + cannot reproduce an original bug with reverted fix. CMake configuration: CFLAGS=-DDUALNUM cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug > +test:plan(2) > + > +local tostring = tostring > + > +local function test_const_on_trace(x) > + local zero = x % 1 > + local mzero = -zero > + -- Bad IR slot with enabled optimizations. > + local res = tostring(mzero) > + return res > +end > + > +local function test_non_const_on_trace(a, b) > + local mb_zero = a % b > + -- Too optimistic optimization without check for the 0 corner > + -- case. > + local mb_mzero = -mb_zero > + local res = tostring(mb_mzero) > + return res > +end > + > +jit.opt.start('hotloop=1') > + > +-- Hot trace. > +test_const_on_trace(1) > +-- Compile trace. > +test:is(test_const_on_trace(1), '-0', 'correct const value on trace') > + > +-- Reset hotcounts. > +jit.opt.start('hotloop=1') > + > +-- Hot trace. > +test_non_const_on_trace(2, 3) > +-- Record trace, use non zero result value to record. s/non zero/non-zero/ > +test_non_const_on_trace(2, 3) > +-- Misbehaviour on trace with result zero value. > +test:is(test_non_const_on_trace(2, 1), '-0', 'correct non-const value on trace') > + > +test:done(true) --------------I0NoSAUvyJUzoChHH5DAFlMC Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 7bit

Hi, Sergey,

thanks for the patch! See my comments.

Sergey

On 3/2/26 10:52, Sergey Kaplun wrote:
From: Mike Pall <mike>

Reported by Sergey Kaplun.

(cherry picked from commit b1cd2f83b5d085bb71368b87c91a461be77d4364)

`lj_opt_narrow_unm()` in the DUALNUM mode narrows doubles too
optimistic, missing 0 check. In that case, the narrowing of 0 is
incorrect. This leads to the assertion failure in `rec_check_slots()`
for the string obtained from the corresponding number.

This patch fixes it by restricting the check of the given TValue.

Sergey Kaplun:
* added the description and the test for the problem

Part of tarantool/tarantool#12134
---
 src/lj_opt_narrow.c                           |  4 +-
 ...lj-1418-dualnum-narrowing-minus-0.test.lua | 49 +++++++++++++++++++
 2 files changed, 51 insertions(+), 2 deletions(-)
 create mode 100644 test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua

diff --git a/src/lj_opt_narrow.c b/src/lj_opt_narrow.c
index 6b6f20d3..6e3e9533 100644
--- a/src/lj_opt_narrow.c
+++ b/src/lj_opt_narrow.c
@@ -553,9 +553,9 @@ TRef lj_opt_narrow_unm(jit_State *J, TRef rc, TValue *vc)
   rc = conv_str_tonum(J, rc, vc);
   if (tref_isinteger(rc)) {
     uint32_t k = (uint32_t)numberVint(vc);
-    if ((LJ_DUALNUM || k != 0) && k != 0x80000000u) {
+    if ((tvisint(vc) || k != 0) && k != 0x80000000u) {
       TRef zero = lj_ir_kint(J, 0);
-      if (!LJ_DUALNUM)
+      if (!tvisint(vc))
 	emitir(IRTGI(IR_NE), rc, zero);
       return emitir(IRTGI(IR_SUBOV), zero, rc);
     }
diff --git a/test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua b/test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua
new file mode 100644
index 00000000..84f17953
--- /dev/null
+++ b/test/tarantool-tests/lj-1418-dualnum-narrowing-minus-0.test.lua
@@ -0,0 +1,49 @@
+local tap = require('tap')
+
+-- This test demonstrates LuaJIT's incorrect narrowing
+-- optimization in the DUALNUM mode for 0.
+-- See also https://github.com/LuaJIT/LuaJIT/issues/1418.
+
+local test = tap.test('lj-1418-dualnum-narrowing-minus-0'):skipcond({
+  ['Test requires JIT enabled'] = not jit.status(),
+})
+

cannot reproduce an original bug with reverted fix.

CMake configuration: CFLAGS=-DDUALNUM cmake -S . -B build -DCMAKE_BUILD_TYPE=Debug


+test:plan(2)
+
+local tostring = tostring
+
+local function test_const_on_trace(x)
+  local zero = x % 1
+  local mzero = -zero
+  -- Bad IR slot with enabled optimizations.
+  local res = tostring(mzero)
+  return res
+end
+
+local function test_non_const_on_trace(a, b)
+  local mb_zero = a % b
+  -- Too optimistic optimization without check for the 0 corner
+  -- case.
+  local mb_mzero = -mb_zero
+  local res = tostring(mb_mzero)
+  return res
+end
+
+jit.opt.start('hotloop=1')
+
+-- Hot trace.
+test_const_on_trace(1)
+-- Compile trace.
+test:is(test_const_on_trace(1), '-0', 'correct const value on trace')
+
+-- Reset hotcounts.
+jit.opt.start('hotloop=1')
+
+-- Hot trace.
+test_non_const_on_trace(2, 3)
+-- Record trace, use non zero result value to record.
s/non zero/non-zero/ 
+test_non_const_on_trace(2, 3)
+-- Misbehaviour on trace with result zero value.
+test:is(test_non_const_on_trace(2, 1), '-0', 'correct non-const value on trace')
+
+test:done(true)
--------------I0NoSAUvyJUzoChHH5DAFlMC--