all: Fix signed shifts and NULL access errors from -fsanitize=undefined.

jepler · dpgeorge · commit 413f34cd8f24 · 2021-06-24T23:01:04.000+10:00
Fixes the following (the line numbers match commit 0e87459): ../../extmod/crypto-algorithms/sha256.c:49:19: runtime error: left shif... ../../extmod/moduasyncio.c:106:35: runtime error: member access within ... ../../py/binary.c:210:13: runtime error: left shift of negative value -... ../../py/mpz.c:744:16: runtime error: negation of -9223372036854775808 ... ../../py/objint.c:109:22: runtime error: left shift of 1 by 31 places c... ../../py/objint_mpz.c:374:9: runtime error: left shift of 4611686018427... ../../py/objint_mpz.c:374:9: runtime error: left shift of negative valu... ../../py/parsenum.c:106:14: runtime error: left shift of 46116860184273... ../../py/runtime.c:395:33: runtime error: left shift of negative value ... ../../py/showbc.c:177:28: runtime error: left shift of negative value -... ../../py/vm.c:321:36: runtime error: left shift of negative value -1``` Testing was done on an amd64 Debian Buster system using gcc-8.3 and these settings: CFLAGS += -g3 -Og -fsanitize=undefined LDFLAGS += -fsanitize=undefined The introduced TASK_PAIRHEAP macro's conditional (x ? &x->i : NULL) assembles (under amd64 gcc 8.3 -Os) to the same as &x->i, since i is the initial field of the struct. However, for the purposes of undefined behavior analysis the conditional is needed. Signed-off-by: Jeff Epler <jepler@gmail.com>
diff --git a/extmod/crypto-algorithms/sha256.c b/extmod/crypto-algorithms/sha256.c
@@ -46,7 +46,7 @@ static void sha256_transform(CRYAL_SHA256_CTX *ctx, const BYTE data[])
 	WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
 
 	for (i = 0, j = 0; i < 16; ++i, j += 4)
-		m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
+		m[i] = ((uint32_t)data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
 	for ( ; i < 64; ++i)
 		m[i] = SIG1(m[i - 2]) + m[i - 7] + SIG0(m[i - 15]) + m[i - 16];
 
diff --git a/extmod/moduasyncio.c b/extmod/moduasyncio.c
@@ -31,6 +31,9 @@
 
 #if MICROPY_PY_UASYNCIO
 
+// Used when task cannot be guaranteed to be non-NULL.
+#define TASK_PAIRHEAP(task) ((task) ? &(task)->pairheap : NULL)
+
 #define TASK_STATE_RUNNING_NOT_WAITED_ON (mp_const_true)
 #define TASK_STATE_DONE_NOT_WAITED_ON (mp_const_none)
 #define TASK_STATE_DONE_WAS_WAITED_ON (mp_const_false)
@@ -110,7 +113,7 @@ STATIC mp_obj_t task_queue_push_sorted(size_t n_args, const mp_obj_t *args) {
         assert(mp_obj_is_small_int(args[2]));
         task->ph_key = args[2];
     }
-    self->heap = (mp_obj_task_t *)mp_pairheap_push(task_lt, &self->heap->pairheap, &task->pairheap);
+    self->heap = (mp_obj_task_t *)mp_pairheap_push(task_lt, TASK_PAIRHEAP(self->heap), TASK_PAIRHEAP(task));
     return mp_const_none;
 }
 STATIC MP_DEFINE_CONST_FUN_OBJ_VAR_BETWEEN(task_queue_push_sorted_obj, 2, 3, task_queue_push_sorted);
diff --git a/py/binary.c b/py/binary.c
@@ -202,7 +202,7 @@ long long mp_binary_get_int(size_t size, bool is_signed, bool big_endian, const
         delta = 1;
     }
 
-    long long val = 0;
+    unsigned long long val = 0;
     if (is_signed && *src & 0x80) {
         val = -1;
     }
diff --git a/py/mpz.c b/py/mpz.c
@@ -741,7 +741,7 @@ void mpz_set_from_ll(mpz_t *z, long long val, bool is_signed) {
     unsigned long long uval;
     if (is_signed && val < 0) {
         z->neg = 1;
-        uval = -val;
+        uval = -(unsigned long long)val;
     } else {
         z->neg = 0;
         uval = val;
diff --git a/py/objint.c b/py/objint.c
@@ -106,14 +106,14 @@ STATIC mp_fp_as_int_class_t mp_classify_fp_as_int(mp_float_t val) {
         #if MICROPY_FLOAT_IMPL == MICROPY_FLOAT_IMPL_DOUBLE
         e |= u.i[MP_ENDIANNESS_BIG] != 0;
         #endif
-        if ((e & ~(1 << MP_FLOAT_SIGN_SHIFT_I32)) == 0) {
+        if ((e & ~(1U << MP_FLOAT_SIGN_SHIFT_I32)) == 0) {
             // handle case of -0 (when sign is set but rest of bits are zero)
             e = 0;
         } else {
-            e += ((1 << MP_FLOAT_EXP_BITS) - 1) << MP_FLOAT_EXP_SHIFT_I32;
+            e += ((1U << MP_FLOAT_EXP_BITS) - 1) << MP_FLOAT_EXP_SHIFT_I32;
         }
     } else {
-        e &= ~((1 << MP_FLOAT_EXP_SHIFT_I32) - 1);
+        e &= ~((1U << MP_FLOAT_EXP_SHIFT_I32) - 1);
     }
     // 8 * sizeof(uintptr_t) counts the number of bits for a small int
     // TODO provide a way to configure this properly
diff --git a/py/runtime.c b/py/runtime.c
@@ -392,7 +392,7 @@ mp_obj_t mp_binary_op(mp_binary_op_t op, mp_obj_t lhs, mp_obj_t rhs) {
                         goto generic_binary_op;
                     } else {
                         // use standard precision
-                        lhs_val <<= rhs_val;
+                        lhs_val = (mp_uint_t)lhs_val << rhs_val;
                     }
                     break;
                 }
diff --git a/py/showbc.c b/py/showbc.c
@@ -174,7 +174,7 @@ const byte *mp_bytecode_print_str(const mp_print_t *print, const byte *ip) {
                 num--;
             }
             do {
-                num = (num << 7) | (*ip & 0x7f);
+                num = ((mp_uint_t)num << 7) | (*ip & 0x7f);
             } while ((*ip++ & 0x80) != 0);
             mp_printf(print, "LOAD_CONST_SMALL_INT " INT_FMT, num);
             break;
diff --git a/py/smallint.h b/py/smallint.h
@@ -37,7 +37,7 @@
 #if MICROPY_OBJ_REPR == MICROPY_OBJ_REPR_A || MICROPY_OBJ_REPR == MICROPY_OBJ_REPR_C
 
 #define MP_SMALL_INT_MIN ((mp_int_t)(((mp_int_t)MP_OBJ_WORD_MSBIT_HIGH) >> 1))
-#define MP_SMALL_INT_FITS(n) ((((n) ^ ((n) << 1)) & MP_OBJ_WORD_MSBIT_HIGH) == 0)
+#define MP_SMALL_INT_FITS(n) ((((n) ^ ((mp_uint_t)(n) << 1)) & MP_OBJ_WORD_MSBIT_HIGH) == 0)
 // Mask to truncate mp_int_t to positive value
 #define MP_SMALL_INT_POSITIVE_MASK ~(MP_OBJ_WORD_MSBIT_HIGH | (MP_OBJ_WORD_MSBIT_HIGH >> 1))
 
diff --git a/py/vm.c b/py/vm.c
@@ -312,7 +312,7 @@ FRAME_SETUP();
                     DISPATCH();
 
                 ENTRY(MP_BC_LOAD_CONST_SMALL_INT): {
-                    mp_int_t num = 0;
+                    mp_uint_t num = 0;
                     if ((ip[0] & 0x40) != 0) {
                         // Number is negative
                         num--;

Original file line number	Diff line number	Diff line change
`@@ -202,7 +202,7 @@ long long mp_binary_get_int(size_t size, bool is_signed, bool big_endian, const`
`202`	`202`	`delta = 1;`
`203`	`203`	`}`
`204`	`204`
`205`		`- long long val = 0;`
	`205`	`+ unsigned long long val = 0;`
`206`	`206`	`if (is_signed && *src & 0x80) {`
`207`	`207`	`val = -1;`
`208`	`208`	`}`
Original file line number	Diff line number	Diff line change
`@@ -392,7 +392,7 @@ mp_obj_t mp_binary_op(mp_binary_op_t op, mp_obj_t lhs, mp_obj_t rhs) {`
`392`	`392`	`goto generic_binary_op;`
`393`	`393`	`} else {`
`394`	`394`	`// use standard precision`
`395`		`- lhs_val <<= rhs_val;`
	`395`	`+ lhs_val = (mp_uint_t)lhs_val << rhs_val;`
`396`	`396`	`}`
`397`	`397`	`break;`
`398`	`398`	`}`
Original file line number	Diff line number	Diff line change
`@@ -174,7 +174,7 @@ const byte mp_bytecode_print_str(const mp_print_t print, const byte *ip) {`
`174`	`174`	`num--;`
`175`	`175`	`}`
`176`	`176`	`do {`
`177`		`- num = (num << 7) \| (*ip & 0x7f);`
	`177`	`+ num = ((mp_uint_t)num << 7) \| (*ip & 0x7f);`
`178`	`178`	`} while ((*ip++ & 0x80) != 0);`
`179`	`179`	`mp_printf(print, "LOAD_CONST_SMALL_INT " INT_FMT, num);`
`180`	`180`	`break;`