ECMA is not clear about conv.ovf.i1.un behavior.

[sandreenko]

Digging into #52828 I think there are more issues to fix, according to ECMA-335 such IL

      ldc.r4       -1.0
      conv.ovf.i1.un

should throw,
when

      ldc.r4       -1.0
      conv.ovf.i1

should not.

Nowadays they both don't (with or without the changes from #52828 )

[SingleAccretion]

Digging into #52828 I think there are more issues to fix, according to ECMA-335 such IL

  ldc.r4       -1.0
  conv.ovf.i1.un

should throw

Hmm, I am not seeing it 🤔. Could you point me to the part of the specification which implies this?

[sandreenko]

Hmm, I am not seeing it 🤔. Could you point me to the part of the specification which implies this?

I could be wrong, cc @echesakovMSFT , @AndyAyersMS, and @dotnet/jit-contrib to help me here.

we start with:

and it says:

so I understand it as:
ldc.r4 -1.0 -> push -1.0F on the stack
conv.ovf.i1.un -> pop value from the stack and treat as unsigned int, meaning -1.0F is truncated to -1 and then treated as MAX_UNSIGNED (0xFFFFFFFF), then we try to cast MAX_UNSIGNED to i1 but it does not fit -> overflow exception.

[sandreenko]

Looks like

runtime/src/coreclr/jit/importer.cpp

Line 13370 in 57bdb95

goto CONV_UN;

and

runtime/src/coreclr/jit/importer.cpp

Line 13379 in 57bdb95

case CEE_CONV_U8:

should be goto CONV;
but changing this causes Process terminated. Infinite recursion during resource lookup within System.Private.CoreLib., interesting.

the dumps for the method that causes it.
badmethods.dump.txt
goodmethods.dump.txt

I don't think I will have time to work on it this week, feel free to grab it if you are interested and like to read ecma.

[AndyAyersMS]

@sandreenko presumably this is not a regression, so not something we need to address urgently?

[sandreenko]

@sandreenko presumably this is not a regression, so not something we need to address urgently?

I think we need to address it in 6.0 because the behavior has changed since 5.0, so now there are 3 behaviours:

1. what we had in 5.0;
2. what we have now;
3. what ECMA says we should have;

and if somebody hits an issue with 2. that did not repro with 1. it would be hard to justify why it is expected.

• without understanding how we want these unsigned casts to work it would be questionable if we can review and accept changes like Remove some unneeded code from division morphing #53464, because the fix for this issue will change which nodes have this flag.

[SingleAccretion]

Some points to consider:

1. As far as I am aware this opcode is never produced by Roslyn for a floating-point operand.
2. Behavior (per the specification, not implementation) of other instructions suffixed with .un:

• Relops, shr.un: not relevant for our purposes.
• add.ovf.un, sub.ovf.un, mul.ovf.un - don't support* floating point operands (see Table III.7: Overflow Arithmetic Operations).
• rem.un, div.un: don't support* floating point operands (see floating point operands).
• conv.r.un: The conv.r.un operation takes an integer off the stack, interprets it as unsigned, and replaces it with an F type floating-point number to represent the integer.

* "don't support" - operands required to be of correct type for Correctness.

I believe the most relevant bit of text is in III.3.29, unsigned data conversion with overflow detection, which is the only place I've been able to find that specifies what should the .un conversions do when the type on the stack is a floating-point one:

Convert the value on top of the stack to the type specified in the opcode, and leave that converted 
value on the top of the stack. If the value cannot be represented, an exception is thrown. The item 
on the top of the stack is treated as an unsigned value before the conversion. 
Conversions from floating-point numbers to integral values truncate the number toward zero. 
Note that integer values of less than 4 bytes are extended to int32 (not native int) on the 
evaluation stack.

Of course, Table III.8: Conversion Operations is also very relevant.

Below is my reconstruction based on it and the above rules for the sequence in question.

1. ldc.r4 -1 - type on the stack is F.
2. conv.ovf.i1.un
   • Type on the stack is F, target type is int8 => instruction is legal, action is Truncate to zero.
   • "Treat the item in top of the stack as unsigned" - I have not been able to find what should this mean for Fs (that's the real question here I suppose). However, Conversions from floating-point numbers to integral values truncate the number toward zero seems to indicate that this is a no-op for Fs.
   • Truncation to zero occurs, now the value is of type int32 and is equal to -1.
   • Bounds check occurs and passes, the final value is -1.

I suppose that'd be my argument for why the current behavior is correct. However, it seems to me that the specification is quite terse on this, if not incomplete. It would be awesome to have it be specified what "treating as unsigned" means for Fs. There is text here and there (e. g. in III.1.1.1 Numeric data types, Unsigned integers) that strongly implies "being treated as unsigned" is only valid for integers, but it is not clear what implications does this have for the conversion operations.

[SingleAccretion]

Curiously enough, and as another data point, Mono interpreter considers conv.ovf.i1.un to be:

1. Pop the floating point value.
2. if (val < 0 || val > MAXINT8 || isnan(val)) throw.
3. Cast to int8 and push on the stack.

So, there the semantic for "treat as unsigned" seems to be "consider < 0 invalid" (added in mono/mono#18813).

[sandreenko]

Thanks for the great analysis, @SingleAccretion. The idea that maybe we should edit the spec seems attractive because it is for sure can state the contract clearer for such case.