Add assertions for dangerous bit shift that could trigger undefined

behaviour Change-Id: I051ed229d407eafcae1ea4b5fc745176a751e036
2026-01-18 16:27:34 +01:00 · 2017-11-30 13:55:11 +01:00
parent da2829b969
commit 3f0328f5b5
5 changed files with 31 additions and 2 deletions
--- a/liba/src/aeabi-rt/llsl.c
+++ b/liba/src/aeabi-rt/llsl.c
@@ -1,10 +1,17 @@
 /* See the "Run-time ABI for the ARM Architecture", Section 4.2 */
+#include <assert.h>

 typedef unsigned int uint32_t;

 long long __aeabi_llsl(long long value, int shift) {
  uint32_t low = (uint32_t)value << shift;
+  /* "Shift behavior is undefined if the right operand is negative, or greater
+   * than or equal to the length in bits of the promoted left operand" according
+   * to C++ spec. However, arm compiler fill the vacated bits with 0 */
+  assert(shift < 32 || low == 0);
  uint32_t high = ((uint32_t)(value >> 32) << shift);
+  // Same comment
+  assert(shift < 32 || high == 0);
  if (shift < 32) {
    high |= ((uint32_t)value >> (32 - shift));
  } else {
--- a/liba/src/aeabi-rt/llsr.c
+++ b/liba/src/aeabi-rt/llsr.c
@@ -1,14 +1,21 @@
 /* See the "Run-time ABI for the ARM Architecture", Section 4.2 */
+#include <assert.h>

 typedef unsigned int uint32_t;

 long long __aeabi_llsr(long long value, int shift) {
  uint32_t low = ((uint32_t)value >> shift);
+  /* "Shift behavior is undefined if the right operand is negative, or greater
+   * than or equal to the length in bits of the promoted left operand" according
+   * to C++ spec. However, arm compiler fill the vacated bits with 0 */
+  assert(shift < 32 || low == 0);
  if (shift < 32) {
    low |= ((uint32_t)(value >> 32) << (32 - shift));
  } else {
    low |= ((uint32_t)(value >> 32) >> (shift - 32));
  }
  uint32_t high = (uint32_t)(value >> 32) >> shift;
+  // Same comment
+  assert(shift < 32 || high == 0);
  return ((long long)high << 32) | low;
 }