Division deoptimization bug

[plafosse]

orig_state_exec.zip

This expression:

rax_403#1 = (((sx.q(rax_359#1) * 0xd96ec7) u>> 0x20).d s>> 0xf).w - (rax_359#1 s>> 0x1f).w

is simplified down to this

rax_403#1 = (rax_359#1 s/ 0x96b43f).w

It should actually simplify down to this

x % 0x96b43f

Special Thanks to: Zao Yang and Stefan Nagy for their research in Decompiler Fuzzing for reporting this issue.

[negasora]

With the following code:

#include <stdio.h>
#include <stdint.h>

int optimized(int val) {
    return (((int32_t)(((int64_t)val * 0xd96ec7) >> 32) >> 15) - (val >> 31));
}

int div(int val) {
    return val / 0x96b43f;
}

int mod(int val) {
    return val % 0x96b43f;
}

int main(int argc, char** argv, char** envp)
{
    for (uint32_t i = 0; i < 0xffffffff; i++)
    {
        int a = optimized(i);
        int b = div(i);
        if (a != b)
        {
            printf("%d: 0x%x 0x%x\n", i, a, b);
            return 1;
        }
    }
    return 0;
}

If you look at the hlil debug report for div right before the deoptimization it looks exactly like the IL snippet you posted

And if you compile and run that code, it completes without ever printing. If you change it to mod instead of div then it fails immediately.

You can look at the hlil debug report for mod and see the IL for mod operation: