Tcl Source Code

Analogous to [b0f84119c8] for left-shifting a value represented by a Tcl_WideInt (and not a long or a bignum) when Tcl_WideInt is long long (because long is only 32-bit):

• Left-shifting by 0 causes signed integer overflow (undefined behavior detected by UBSan -fsanitize=shift-base) in the expression:

      ((Tcl_WideInt)1) << (CHAR_BIT*sizeof(Tcl_WideInt) - 1 - shift)
  

  i.e. 1 is shifted left (64-1-0)=63 times, which overflows; and signed integer overflow (undefined behavior detected by UBSan -fsanitize=signed-integer-overflow) when the overflowed result WIDE_MIN of the above expression is negated.

• If the left-shifted value is negative, then there is left-shifting of a negative value (undefined behavior detected by UBSan -fsanitize=shift-base).

Example command (left operand is in the range [WIDE_MIN,LONG_MIN) ∪ (LONG_MAX,WIDE_MAX]); the test suite does not contain an affected example):

% ::tcl::mathop::<< -0x80000001 0
tcl/generic/tclExecute.c:8665:4: runtime error: left shift of 1 by 63 places cannot be represented in type 'long long int'
tcl/generic/tclExecute.c:8664:6: runtime error: negation of -9223372036854775808 cannot be represented in type 'long long int'; cast to an unsigned type to negate this value to itself
tcl/generic/tclExecute.c:8666:7: runtime error: left shift of negative value -2147483649
-2147483649

The attached patch avoids this by casting to Tcl_WideUInt in a couple of places before shifting.

Fixed [8a68239de9dfc6ce|here]. Thanks!