fix: improve safety checks for left shift operations

thevilledev · thevilledev · commit 354489111c21 · 2025-03-22T21:12:42.000+02:00
Add safety checks to prevent undefined behavior in bitwise left shift
operations.

These checks detect potential overflow conditions before they occur and throw
appropriate error messages to help users identify problematic code. The error
messages are consistent between runtime and static error handling.

Added tests.

Signed-off-by: Ville Vesilehto &lt;ville@vesilehto.fi&gt;
diff --git a/core/vm.cpp b/core/vm.cpp
@@ -2563,6 +2563,13 @@ class Interpreter {
                                     int64_t long_l = safeDoubleToInt64(lhs.v.d, ast.location);
                                     int64_t long_r = safeDoubleToInt64(rhs.v.d, ast.location);
                                     long_r = long_r % 64;
+
+                                    // Additional safety check for left shifts to prevent undefined behavior
+                                    if (long_r >= 1 && long_l >= (1LL << (63 - long_r))) {
+                                        throw makeError(ast.location,
+                                                      "numeric value outside safe integer range for bitwise operation.");
+                                    }
+
                                     scratch = makeNumber(long_l << long_r);
                                 } break;
 
@@ -3414,13 +3421,13 @@ inline int64_t safeDoubleToInt64(double value, const internal::LocationRange& lo
     }
 
     // Constants for safe double-to-int conversion
-    // IEEE 754 doubles can only precisely represent integers up to 2^53-1
+    // IEEE 754 doubles precisely represent integers up to 2^53, beyond which precision is lost
     constexpr int64_t DOUBLE_MAX_SAFE_INTEGER = (1LL << 53) - 1;
     constexpr int64_t DOUBLE_MIN_SAFE_INTEGER = -((1LL << 53) - 1);
 
     // Check if the value is within the safe integer range
     if (value < DOUBLE_MIN_SAFE_INTEGER || value > DOUBLE_MAX_SAFE_INTEGER) {
-        throw internal::StaticError(loc, "numeric value outside safe integer range for bitwise operation");
+        throw internal::StaticError(loc, "numeric value outside safe integer range for bitwise operation.");
     }
     return static_cast<int64_t>(value);
 }
diff --git a/core/vm.h b/core/vm.h
@@ -137,7 +137,7 @@ std::vector<std::string> jsonnet_vm_execute_stream(
  * 2. Ensures the value is within the safe integer range (±(2^53-1))
  *
  * The safe integer range limitation is necessary because IEEE 754 double precision
- * floating point numbers can only precisely represent integers up to 2^53-1.
+ * floating point numbers can only precisely represent integers up to 2^53.
  * Beyond this range, precision is lost, which would lead to unpredictable results
  * in bitwise operations that depend on exact bit patterns.
  *
diff --git a/test_suite/error.integer_conversion.jsonnet b/test_suite/error.integer_conversion.jsonnet
@@ -0,0 +1,3 @@
+// Value just beyond MAX_SAFE_INTEGER (2^53)
+local beyond_max = 9007199254740992;  // 2^53
+beyond_max << 1  // Should throw error "numeric value outside safe integer range for bitwise operation"
diff --git a/test_suite/error.integer_conversion.jsonnet.golden b/test_suite/error.integer_conversion.jsonnet.golden
@@ -0,0 +1 @@
+STATIC ERROR: error.integer_conversion.jsonnet:3:1-16: numeric value outside safe integer range for bitwise operation.
diff --git a/test_suite/error.integer_left_shift.jsonnet b/test_suite/error.integer_left_shift.jsonnet
@@ -0,0 +1,3 @@
+// Test that left-shifting a value that would exceed int64_t range throws an error
+local large_value = 1 << 62;  // 2^62
+large_value << 2  // Would be 2^64, exceeding signed 64-bit integer range
diff --git a/test_suite/error.integer_left_shift.jsonnet.golden b/test_suite/error.integer_left_shift.jsonnet.golden
@@ -0,0 +1 @@
+STATIC ERROR: error.integer_left_shift.jsonnet:3:1-17: numeric value outside safe integer range for bitwise operation.
diff --git a/test_suite/error.integer_left_shift_runtime.jsonnet b/test_suite/error.integer_left_shift_runtime.jsonnet
@@ -0,0 +1,2 @@
+local large_value = 4503599627370496;
+large_value << 11
diff --git a/test_suite/error.integer_left_shift_runtime.jsonnet.golden b/test_suite/error.integer_left_shift_runtime.jsonnet.golden
@@ -0,0 +1,2 @@
+RUNTIME ERROR: numeric value outside safe integer range for bitwise operation.
+	error.integer_left_shift_runtime.jsonnet:2:1-18	
diff --git a/test_suite/safe_integer_conversion.jsonnet b/test_suite/safe_integer_conversion.jsonnet
@@ -0,0 +1,29 @@
+// Test values at boundary of safe integer range
+std.assertEqual(~9007199254740991, -9007199254740992) &&  // ~MAX_SAFE_INTEGER
+std.assertEqual(~(-9007199254740991), 9007199254740990) &&  // ~MIN_SAFE_INTEGER
+
+// Test basic values
+std.assertEqual(~0, -1) &&
+std.assertEqual(~1, -2) &&
+std.assertEqual(~(-1), 0) &&
+
+// Test shift operations with large values at safe boundary
+// MAX_SAFE_INTEGER (2^53-1) right shift by 4 bits
+std.assertEqual(9007199254740991 >> 4, 562949953421311) &&
+// MAX_SAFE_INTEGER (2^53-1) left shift by 1 bit (result is still precisely representable)
+std.assertEqual(9007199254740991 << 1, 18014398509481982) &&
+// (2^52-1) left shift by 1 bit (result is MAX_SAFE_INTEGER-1)
+std.assertEqual(4503599627370495 << 1, 9007199254740990) &&
+
+// Test larger values within safe range
+std.assertEqual(~123456789, -123456790) &&
+std.assertEqual(~(-987654321), 987654320) &&
+
+// Test other bitwise operations
+std.assertEqual(123 & 456, 72) &&
+std.assertEqual(123 | 456, 507) &&
+std.assertEqual(123 ^ 456, 435) &&
+std.assertEqual(123 << 2, 492) &&
+std.assertEqual(123 >> 2, 30) &&
+
+true
diff --git a/test_suite/safe_integer_conversion.jsonnet.golden b/test_suite/safe_integer_conversion.jsonnet.golden
@@ -0,0 +1 @@
+true

Original file line number	Diff line number	Diff line change
`@@ -137,7 +137,7 @@ std::vector<std::string> jsonnet_vm_execute_stream(`
`137`	`137`	`* 2. Ensures the value is within the safe integer range (±(2^53-1))`
`138`	`138`	`*`
`139`	`139`	`* The safe integer range limitation is necessary because IEEE 754 double precision`
`140`		`- * floating point numbers can only precisely represent integers up to 2^53-1.`
	`140`	`+ * floating point numbers can only precisely represent integers up to 2^53.`
`141`	`141`	`* Beyond this range, precision is lost, which would lead to unpredictable results`
`142`	`142`	`* in bitwise operations that depend on exact bit patterns.`
`143`	`143`	`*`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+// Value just beyond MAX_SAFE_INTEGER (2^53)`
	`2`	`+local beyond_max = 9007199254740992; // 2^53`
	`3`	`+beyond_max << 1 // Should throw error "numeric value outside safe integer range for bitwise operation"`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+STATIC ERROR: error.integer_conversion.jsonnet:3:1-16: numeric value outside safe integer range for bitwise operation.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+// Test that left-shifting a value that would exceed int64_t range throws an error`
	`2`	`+local large_value = 1 << 62; // 2^62`
	`3`	`+large_value << 2 // Would be 2^64, exceeding signed 64-bit integer range`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+STATIC ERROR: error.integer_left_shift.jsonnet:3:1-17: numeric value outside safe integer range for bitwise operation.`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+local large_value = 4503599627370496;`
	`2`	`+large_value << 11`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+RUNTIME ERROR: numeric value outside safe integer range for bitwise operation.`
	`2`	`+ error.integer_left_shift_runtime.jsonnet:2:1-18`