From f31d9bc491808122d8c8cfb5973aad783d574744 Mon Sep 17 00:00:00 2001
From: Aaron Hill <aa1ronham@gmail.com>
Date: Sun, 28 Jan 2024 13:47:25 -0500
Subject: [PATCH] avm2: Make Math.random() more closely match Flash Player

See the comments for details. Our previous implementation
was 'too good', and broke Bloons Tower Defense 5 by
generating `Number`s that Flash Player would never generate.
---
 core/src/avm2/globals/math.rs                 |   6 +-
 .../tests/swfs/avm2/cryptscore/CryptScore.as  |  75 ++++++++++++++++++
 tests/tests/swfs/avm2/cryptscore/Test.as      |  28 +++++++
 tests/tests/swfs/avm2/cryptscore/output.txt   |  11 +++
 tests/tests/swfs/avm2/cryptscore/test.fla     | Bin 0 -> 3944 bytes
 tests/tests/swfs/avm2/cryptscore/test.swf     | Bin 0 -> 1189 bytes
 tests/tests/swfs/avm2/cryptscore/test.toml    |   7 ++
 7 files changed, 126 insertions(+), 1 deletion(-)
 create mode 100755 tests/tests/swfs/avm2/cryptscore/CryptScore.as
 create mode 100755 tests/tests/swfs/avm2/cryptscore/Test.as
 create mode 100644 tests/tests/swfs/avm2/cryptscore/output.txt
 create mode 100755 tests/tests/swfs/avm2/cryptscore/test.fla
 create mode 100644 tests/tests/swfs/avm2/cryptscore/test.swf
 create mode 100644 tests/tests/swfs/avm2/cryptscore/test.toml

diff --git a/core/src/avm2/globals/math.rs b/core/src/avm2/globals/math.rs
index 9eb065285..f6365fd9e 100644
--- a/core/src/avm2/globals/math.rs
+++ b/core/src/avm2/globals/math.rs
@@ -145,5 +145,9 @@ pub fn random<'gc>(
     _this: Object<'gc>,
     _args: &[Value<'gc>],
 ) -> Result<Value<'gc>, Error<'gc>> {
-    Ok(activation.context.rng.gen_range(0.0f64..1.0f64).into())
+    // See https://github.com/adobe/avmplus/blob/858d034a3bd3a54d9b70909386435cf4aec81d21/core/MathUtils.cpp#L1731C24-L1731C44
+    // This generated a restricted set of 'f64' values, which some SWFs implicitly rely on.
+    const MAX_VAL: u32 = 0x7FFFFFFF;
+    let rand = activation.context.rng.gen_range(0..MAX_VAL);
+    Ok(((rand as f64) / (MAX_VAL as f64 + 1f64)).into())
 }
diff --git a/tests/tests/swfs/avm2/cryptscore/CryptScore.as b/tests/tests/swfs/avm2/cryptscore/CryptScore.as
new file mode 100755
index 000000000..51fcd322a
--- /dev/null
+++ b/tests/tests/swfs/avm2/cryptscore/CryptScore.as
@@ -0,0 +1,75 @@
+package
+{
+   import flash.display.MovieClip;
+   import flash.events.Event;
+   
+   public class CryptScore
+   {
+      
+      private static var randamaroo:MovieClip;
+       
+      
+      private var bs1:Number;
+      
+      private var a:Number;
+      
+      private var b:Number;
+      
+      private var bs2:Number;
+      
+      private var c:Number;
+      
+      private var bs3:Number;
+      
+      private var bs4:Number;
+      
+      private var d:Number;
+      
+      private var count:int = 0;
+      
+      public function CryptScore(param1:Number = 0, param2:Boolean = false)
+      {
+         super();
+         if(randamaroo == null)
+         {
+            randamaroo = new MovieClip();
+         }
+         randamaroo.addEventListener(Event.ENTER_FRAME,this.randomise,false,0,true);
+         this.count = Math.random() * 30;
+         this.value = param1;
+      }
+      
+      private function randomise(param1:Event) : void
+      {
+         ++this.count;
+         if(this.count >= 15)
+         {
+            this.value = this.value;
+            this.count -= 15;
+         }
+      }
+      
+      public function get value() : Number
+      {
+         return this.a - this.b + (this.c - this.d);
+      }
+      
+      public function set value(param1:Number) : void
+      {
+         this.bs1 = param1;
+         this.a = Math.random() * 32;
+         this.bs2 = -this.a;
+         do
+         {
+            this.b = Math.random() * 14;
+            this.bs3 = -this.b;
+         }
+         while(false);
+         
+         var _loc2_:Number = param1 - (this.a - this.b);
+         this.c = Math.random() * 23;
+         this.d = this.c - _loc2_;
+         this.bs4 = -param1;
+      }
+   }
+}
diff --git a/tests/tests/swfs/avm2/cryptscore/Test.as b/tests/tests/swfs/avm2/cryptscore/Test.as
new file mode 100755
index 000000000..5bfa0c561
--- /dev/null
+++ b/tests/tests/swfs/avm2/cryptscore/Test.as
@@ -0,0 +1,28 @@
+package  {
+	
+	import flash.display.MovieClip;
+	import flash.events.Event;
+	
+	
+	
+	public class Test extends MovieClip {
+	
+		
+		public function Test() {
+			var score = new CryptScore();
+			for (var i = 0; i < 10000; i ++) {
+				if (i % 1000 == 0) {
+					trace("i = " + i);
+				}
+				score.value = score.value;
+				var value = score.value;
+				if (value !== 0) {
+					trace("i = " + i + " Bad value: " + value);
+				}
+			}
+		    trace("Done!");
+		}
+
+	}
+	
+}
diff --git a/tests/tests/swfs/avm2/cryptscore/output.txt b/tests/tests/swfs/avm2/cryptscore/output.txt
new file mode 100644
index 000000000..94c9a25b9
--- /dev/null
+++ b/tests/tests/swfs/avm2/cryptscore/output.txt
@@ -0,0 +1,11 @@
+i = 0
+i = 1000
+i = 2000
+i = 3000
+i = 4000
+i = 5000
+i = 6000
+i = 7000
+i = 8000
+i = 9000
+Done!
diff --git a/tests/tests/swfs/avm2/cryptscore/test.fla b/tests/tests/swfs/avm2/cryptscore/test.fla
new file mode 100755
index 0000000000000000000000000000000000000000..88f776a15c3e6ae5a5e07b72e277e41362b6c393
GIT binary patch
literal 3944
zcmbtXc{r5&7atm7jIG8t!bP%1BzwdVvLu5dVldgaj3QgsY}rMKhz2p1>`V4(lr{TW
z$ewjVjiukr?N+z@-0nZW^FHU@zUOnk=Xu|Ap6Bz?(>el#002|~0IP-kH4a+qBh&x@
zfaJti02I<4CF*(8QBVK!HRIDT_&L2_!if<-j1;b|siLo}Z!GrvC{kh_H3Q|-nz|SN
zBaD$4=IUYTXy<N=LOQuRB8Y|j6;4h?^=GNq^$6t6<N$yt4FEt-3|GCZqv~Si;e>Q1
zR_x?hVWbl?c7~zh>au^y#M!nlB`_mvK3k2*@^Q6n^C}@A<;1DmkTeRy%F4-m7Z`Rd
z&Y|1R;-~OwZt;juTPMO%a6L>D23O-VqRHG+p+6UdbgCLZ99oUEN6J!-4)rXcy=tGS
zy|pqe2u4FH4bdRcy$*d5TP3EDiZ@%e&KAnC&IOm;eUKDgY-sLs59C9Cbdq)8{a!Z$
zuFsB1Co%7t!g1~sgBL8?jN=4!4CcdMs~QGxP|j+VCNb1k&N&ejymGZlM!1BVxM>GQ
zEJ_hyj>%NgE643K53-$g3^JE$4>Y=))jf?u&kN3>Y6r@Uv8fuomS6RS%mi%+JDOn<
z!N&1gcbU@ogoWw?-I5@vM5!Khdeof3sup2sToQzUWC=iHW;r=8&t%+xr7IT3Q7nBc
zPC6`|aZ__*sQgPC-d7rAnx=YOr9LL8Lk1fREM1Y4+QDvY9?0vN!#oxP6)@#*?lMOo
zkeR;ee>g-3m=r2XF=9MDc()}%O*fg_U@)|W<{opdX3}uL@mKK2u7B9B`P&5=d{B|!
zC(F8Kj`ou61)N%tMCaGSd@jZh&fnIohV*|TTU5@fW8k4W>^*pK%^n%B4qhuupSHEz
zCW{{$PaKNFuN^I{lefJ9U2q<8ncQd;l&Rd2q!=1x1tU#Lw;Z`zjoYiU2h)YxKQD{u
zIWx;9tn_Fv&(=0tr&W~ZXH&?0=o)=T==6R`8KYIf+3<mPX4Lr}CHjIYOWI&o*F)Jd
z7FM2w_fir&IRCd%W{we2F1+42$fN42xXA!J%JBYxk7>7i)j4p{f)YFOu}<$GHBW;?
zB_7MYoem8$gLj$Xuy}1bpWBYJ`73Xu9O2ft*hlHWlTCTEIU^&k8JmwDC*v}v9W4en
zr+RhS2?~oTwBu5%7OwEKJOZ9Dd~Yp5QR?0M+2Wm9rEfDt{?}j<8~lec5$}G?kP{Mx
zutuN|q@Mo{`8FWyRUF!+A;z2l0FDzOdf(;=jzppCoNe4mfOcai7pN@5p<g3;R{xT&
z5cM1R5KMVM><5TGrgvWP54CQ~rmnInJXC|Q;<8^^NSmlyv}TassleIeiJfKh?tiQ<
zV5WF7s#`M{{xumx0g+0{4aRasOc~c)3+n^<3+!y3DB`^#66}C=?NoxuUZ2hWs+HBt
zQN+a?FG`tM#K0w<YJsKJrIEQ9!<aFrs_gj;G8r&5uv@#pT&()RzAc3ZLKV3e0n;5l
zAAWFacVdPkjvI8Eu~|5d&s<IA#lB&0U}s3l=POOaKrtYXf5rSYo*8wrB_k6CCD0RF
zKEP&zdv>F{D4suNwQjysMyh;$qcps`R}|b0WO*Gpi<8BPT1ThTAOlb=P%eg`YB@`~
zc#26z_t*&|@E<Suux_t=-maRusE4kvhn%NSvhr4n?g|bYKYJy9gngzHl2v6xrRo&U
z3+k)lBa8K(!G$l52bw2@j6v><mhw{Fn_yC>lWL+x2voJl1#y(j0b=)N#=2M@kOv4|
zX>bH8S4@c-2H6)II2fkpM&7J3v#(0)iu7yb`gE5?%?pf&#}w36FM0);)LgM2piI&)
znhAJjUt<IXRu~l<7gvZmR8$o>P<zm3VN8;ip|T#^JL3a}N1amMInoxC$mL=%0~IgP
z7;nFvsd<OZb2;7lm-f|?z9`PeCSRE745H<Ui-m+XN;?Wxhc65i8%-s(H|kathF@xB
z@PHZ6PP4U8c{{<%!F`g!eY1mL#3xT|-a>-|dp0uc88<XEk3IWlSOK?C=mzA96b#9_
zwQQ&s2x9n1b^QiKA}Uy1lgi36fCEuTO-?+~&2k{LgVDT_pbI19u%u{E&~QiKX;^;X
zo-Cg+@?&2LtcQtTU?^nGyLAr~7-q%H8y%BB!lHM{bZ|yhDHt?hxLmUB8*)oXq9nto
z6Jt95%E|FTWTAq>lT$S%1H<Q)sGhU!T4R&_8t5XJ^4~jXGi$94zrN=%=BdWKwUb5F
zFqE=kfYCVys?U{VRDRe9g1WbTrYeFf9DnO&L=&tbn@`oi{2C`sB_5H}#T0C^cphkj
zj!)=id`FqIVeSB7Je(P>T?jQe;=9k<w-Jt01T-IiGuEojFv~Vcx1^0Z|H@A1qz=y~
ziMCCX!jnBvIQy{~GMT4Q*6GlU_e|P)*ZKF<*AG6qgBFmr$~2*tinQ@LF*2!B`Wvp$
z&PCpgqv8QGVKhm%awXa~TNgGV$2@eI9YR&lrQNt3S_OZ6Ajh^VveaFbGfr(X!OKkF
zA5tGRqVZB-JY=|*Gjbf8pQ@0hndxkWGl2>ETwrbcz~%}Q+&``>kl@yz7}y+@H%2a<
zqsT+eFT6!7S@K>VJbsVagi#S8&=w%FFHyC7M&93Kj!WZ-xDD$XWkIW9dk1dQD~{8Q
z4~*V$wuR<{^=~D!Ux|>=@si@VSSn@YAoC;_muR)BjkbC1&t3|BVs3YnX(GkzAq78F
zxgaRhew}aiT=#{?XEDzs!K*UXC#NrR$hc7rjYqZcmp3K%SgufN4{smI<5N`ec|>@W
zZn+J@8q%CUvO<?gT`&v$ik?{at!JMwZSYsBro|4^H!pN-zq%}a=PH-qo{f%|`pN2S
zIel}#n-4`++R3*pgV|0(uQF``mLr}@PU=hH@hwNsa%iu9jCBqJ$Iy<bFpPC*@vNlK
z2sWpA!t}`(c8u28^W0;7G!tsdp4&xqEu2j(9qMOQ9&FBhvX+N&wf!Txj&lA)n+{j|
zofMc%h5^1)ra>2qQIlR&_Iq{+l#>)0YAIU{4Pg}EWvU5E?U*A6C1;0Qqog2(va7Ra
zRKPHplXQ+YXXnX1U@fODg+7Q)@wn^OgtCM<{B5~5HZ?);S=8X3@2eC#5xUWo;#Ra`
z=+h-{kG=;Sy*VnZMK+(;r!{hwu}d!>j5yL9QXs;33sa-dcro-0(S=yX5zZAC&J<ot
zfR|mJj8_jGd2>3v{n005X!yRIWR85>=i6<rs(s)W-1Ay;_$qL7(5I%R!>G-Jrmx#~
zY)h6q4-rgHRkjO#=x8*0k~WUS>#$%4_r?r!TrS!tWv2=NOEeI<z@}p#IK9PT%X5O1
zx*|YS&X#gP@EtraM-0<V8qXH>FB@UqzMV3rQxmzV?JE-La)ER{g7W*oO0SR*qc~SO
zYm7{4&)^H+&bxb~$>ICwXD@rsX4c-U-=3l&Fqg49m%M~q7wUHRJur8;TXdKG*wr%x
zg>ZNNg0Z!Ijz)1XBYkq2&~C@2bU}7poy%Uz?qNiye<hwEBq;24vGI1t{Y>(}kIM3~
z(&ZdagDSHV->he*N>pZeOJ<8~3vbt!SdaKvi0tCs*e1;mK33Pi{=(aB$}shcx+KYD
zDQ=_X;RcdBES_&U!^X;GWBiub`mTC8VbpJTfW>vxqX|<Fmx*Q6mNlckF~Ki!kt@GW
zc(XgUf?@*aR(q<c|CG*?D{WbYCzvzuOm6j#Z9RThd|3aiaR*i*3KTJIAroU3$XvO{
z5uI6y&t6!jC#ad@a3<X9^fW!&-t~Denf!Re&s$YB7rSj5X6{EtnqxrH!nQz{+h=k*
z-mKJn!v!{$8G9lQPpB<jZ++;@jK0Y*Z7;O-d{LP20qpU#=F|(e=(#y5-^aYD-JFkR
zjc>UR_|e(sig-VnBf7r1gHrbeM4~#ce)%fdHOB??!*%q(i>{dSKKAvp?(4?nbd>&A
zChY#I8@<MXKiPM}@QwWcAQ;4(V<e8@Vrl1y{5xOxmDfi`&@&Rb1%Tuvf?;XrEC%;-
zQboEVovlT!5LUKG8{+FlN;1Gv06TyM00giRpGo$zh{#8NkrH+B)1jnQl9Qx_lO2)S
zc)21GuC9)DRtS`xi?i5mVp@c?izV_;N%H@~$;csq-zy(t34gO6I!NnR)Zaq>toqwC
z1Mwn8^q+F*_b8Ge`er1QA<=(OJH7wdj3ki0842b?^nZ~{-*)|-VEPMBygVoRKjhQ*
zy?@6)e}W$!`CG}qve94n|0f^)nWB@J;$PV5f7L+h&!2Wc)PVoit-pTufA;H7{AuvN
pcJKEBNWYe(j{n)CKNHjt6MXMjJuQl(q!keHh$RZt&%`wV;C~+sH>>~v

literal 0
HcmV?d00001

diff --git a/tests/tests/swfs/avm2/cryptscore/test.swf b/tests/tests/swfs/avm2/cryptscore/test.swf
new file mode 100644
index 0000000000000000000000000000000000000000..342c64d3453be8754628cf9e58c46a47067a5fc8
GIT binary patch
literal 1189
zcmV;W1X}w;S5pk#1^@tfoRw7FQrkup-j!Bb$$#=MHZ~a37)U9>!qBvsW}1W$LMD)D
zpq)$xiWgg|)iD+$%WjkDMTV=+^oG6xFum+MB#$7-l-&2KcWj=3?pmHCG@Z^=Bb~E*
z&bQzB_D??oX&V6T5P%E>cVY?vU{ScZxEP6c28%OAbFsL-@yvL%{_N|GCv(fo&T8$O
z+orKx0xwcQhJ|3gX0(jL3;-{Zj?4q>iGpb$Fkb=kT4#61aPV#0ZW^SOT6CW7x$8CC
zF-q^6sB2sGkl7^d#<bBjT5elf;%?|Y^qymNiEC6G(yH6LR@;b@dcB8wV6|N)!AZV{
z?viH5D1B$R9|qfot8N%=x5Q20U0Qy)^Sx1X#hvyHByflMGORH>%f2~SmuhyW<%(9z
zRo_aGdW?t@g?;sPtG(AGPt{esYZ;48YcIgTWS2O$J^!S#>2yr9X>7V|M7wX>KbY-J
z(%mg@*0`27*RrtiPS-SP%X`EjyEDEk2bb11mL6^2eROMe39S;hA^U>l?WSETZ_oap
zGF&<<AoaS?l3a(>3}h8<6x4pIsE;;Wcdt?^k-EKOOxNt)(yjH`Qd!rpmv%Z<)3sXZ
zOOvm>oqY0ge4Xu~YZNaB@A%$d{6)Lv5{vES$Ysz<%QcuX*XkNRF!vuML+>A?O7Dp9
zJaKCc!wD5`lX{`IZ<T^{$8H&;+CL!SOKh<ZY7hLoWZ9oyd;ku}nXnWd7|P_Nob*W=
zDpT29_F8s2TgvL$nQU2vFpQz12IOEU9MPh&k1!N46fu;rfH6--Fw!uJVidzDj!^=m
zBt|KW1~5uvn89ce!z_k5EDd9n$B;3o7+%4!sD>eiAFEjb3!h@?I+i}e(&t#3SNYWx
z02I*A0u%!Q))kTRTm>+|S}^!r_3tkKLcSLySrq{cVct`?>0$U#5acGrO_-YqHyXS6
zP>iuMaRG>N5uij;l>r}~0x$_=#t0<@fC3W;LROkf@bq(-2kJ6I$s&@zdNV@vJXQet
zb2tj~wBW4(I$BK?lB_7b@@;A>c|QqAijGxNRb&o$W^AGe#vi67I__07cLzZ+f85aM
zgm==2)2obF5D}7YFycv{c#=+elV_&(^7ZK}qA8*x&}*Kl6*VovDwI6WjFULky<Y5y
zXtc~oL=hq>!${^lonH4$#WU3-&kTBI<mm7o07zu&e`5K0zsUSK9D_@A!8;+Ce$f|J
zI3^0c!HAUu5{R-jR_V=tDsoIzdW)sh0}`T(6R|%pF6h!pztB<VjNa`d)5j!8ml-m6
zdPE}ho_BIU!gPgclmxb<X-{V=<gIK~)~oVkFx-$>AF;H|7Cj((I%{GP1%ki8H{&$u
z>7)CvnOgzpZ~}zR;Z+!>p)KjY1or=+;Ud^Si#}jV&tX=G)5z)AU--8o=xv6!m7AJ8
zJ$#shG<I@g4v`@mXO7V&UKPP$ltGd{WNP;CRSy?F{dNEBbnIX)^*ftinq}vBIKwn4
zOubrS>c^>K0Iq&mujcjYh+Zw|)lt2gWbb1*>_3eJ!|_>tnNa)ZmjANAP1g7u*Us@q
D#|B4t

literal 0
HcmV?d00001

diff --git a/tests/tests/swfs/avm2/cryptscore/test.toml b/tests/tests/swfs/avm2/cryptscore/test.toml
new file mode 100644
index 000000000..e94c41b4e
--- /dev/null
+++ b/tests/tests/swfs/avm2/cryptscore/test.toml
@@ -0,0 +1,7 @@
+# This file tests that our Math.random() implementation works
+# correctly for some weird memory-obfuscation logic.
+# Flash Player's `Math.random()` implementation generates
+# a limited range of `Number`s in the range [0.0, 1.0), which
+# allows this swf to correctly compute the original value
+# (instead of a very close value due to rounding).
+num_ticks = 1
\ No newline at end of file