Skip to content

guard negative operands in MathLib::value shift operators #8639

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
metsw24-max wants to merge 2 commits into
base: main
Choose a base branch
from
+19 −2
Open

guard negative operands in MathLib::value shift operators #8639

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
5eadcbb
guard negative operands in MathLib::value shift operators
metsw24-max Jun 9, 2026
21951e6
test negative shift folding via template simplifier
metsw24-max Jun 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions lib/mathlib.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,7 @@ MathLib::value MathLib::value::shiftLeft(const MathLib::value &v) const
if (!isInt() || !v.isInt())
throw InternalError(nullptr, "Shift operand is not integer");
MathLib::value ret(*this);
if (v.mIntValue >= MathLib::bigint_bits) {
if (v.mIntValue < 0 || v.mIntValue >= MathLib::bigint_bits || ret.mIntValue < 0) {
return ret;
}
ret.mIntValue <<= v.mIntValue;
Expand All @@ -278,7 +278,7 @@ MathLib::value MathLib::value::shiftRight(const MathLib::value &v) const
if (!isInt() || !v.isInt())
throw InternalError(nullptr, "Shift operand is not integer");
MathLib::value ret(*this);
if (v.mIntValue >= MathLib::bigint_bits) {
if (v.mIntValue < 0 || v.mIntValue >= MathLib::bigint_bits) {
return ret;
}
ret.mIntValue >>= v.mIntValue;
Expand Down
17 changes: 17 additions & 0 deletions test/testsimplifytemplate.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -320,6 +320,8 @@ class TestSimplifyTemplate : public TestFixture {

TEST_CASE(templateArgPreserveType); // #13882 - type of template argument

TEST_CASE(template_shift_negative); // shift folding with a negative operand

TEST_CASE(dumpTemplateArgFrom);
}

Expand Down Expand Up @@ -6715,6 +6717,21 @@ class TestSimplifyTemplate : public TestFixture {
tok(code));
}

void template_shift_negative() {
// a large hex literal is not negative as a string but parses to a negative
// bigint, so folding the shift in simplifyNumericCalculations would left-shift
// a negative value / shift by a negative count, both UB. the operand must be
// returned unchanged. parentheses are needed so the numeric folding is reached.
const char code[] = "template <long long> struct S { };\n"
"S<(0x8000000000000000 << 1)> s1;\n"
"S<(1 << 0x8000000000000000)> s2;\n"
"S<(1 >> 0x8000000000000000)> s3;";
const char expected[] = "struct S<9223372036854775808U> ; struct S<1> ; "
"S<9223372036854775808U> s1 ; S<1> s2 ; S<1> s3 ; "
"struct S<9223372036854775808U> { } ; struct S<1> { } ;";
ASSERT_EQUALS(expected, tok(code));
}

void dumpTemplateArgFrom() {
const char code[] = "template<class T> void foo(T t) {}\n"
"foo<int>(23);";
Expand Down
Loading