Opened 2 years ago

Closed 9 months ago

#9306 closed bug (duplicate)

Crash when shifting Integers too far left

Reported by: dfeuer
Owned by:
Priority: normal
Milestone:
Component: Core Libraries
Version: 7.8.3
Keywords:
Cc: hvr, ekmett
Operating System: Unknown/Multiple
Architecture: Unknown/Multiple
Type of failure: Runtime crash
Test Case:
Blocked By:
Blocking:
Related Tickets: #10571
Differential Rev(s):
Wiki Page:

Description (last modified by dfeuer)

When shifting an Integer very far left, the RTS crashes. On x86_64:

Prelude Data.Bits> 1 `shiftL` 100000000000000000000000 == 1
gmp: overflow in mpz type
Aborted

I found the bug in 7.6.3, but it's been verified to be present also in 7.8.3. The crash also occurs when running similar code compiled by ghc.

Attachments (1)

shiftcrash.hs (263 bytes) - added by dfeuer 2 years ago.
Crash the RTS by shifting an Integer too far.


Change History (8)

Changed 2 years ago by dfeuer

Crash the RTS by shifting an Integer too far.

comment:1 Changed 2 years ago by hvr

The problem here is that the shift amount is of type Int, so fromIntegral (maxBound::Int) + 1 is actually minBound, so the code

okay = 1000 `shiftR` (fromIntegral (maxBound::Int) + 1) :: Integer
tooFar = 1 `shiftR` (fromIntegral (maxBound::Int) + 2) :: Integer

is the same as

okay = 1000 `shiftR` minBound :: Integer
tooFar = 1 `shiftR` (minBound + 1) :: Integer

And both should have overflowed, as you are effectively requesting a left-shift by a *huge* amount.

comment:2 follow-up: Changed 2 years ago by dfeuer

  • Description modified (diff)
  • Summary changed from Crash when shifting Integers too much to Crash when shifting Integers too far left

comment:3 Changed 2 years ago by simonpj

It's not clear what to do here. After all, arbitrary precision integers are supposed to be, well, arbitrary precision. If it "worked" you'd probably get a heap overflow instead. What should the maximum size of a shift be?

If anyone has good ideas, go for it!

Simon

comment:4 in reply to: ↑ 2 Changed 2 years ago by hvr

Replying to dfeuer:

...just a minor nit-pick about the code-example:

Literal 100000000000000000000000 is out of the Int range -9223372036854775808..9223372036854775807
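
One possible guard against the wraparound described in comment:1 and the unbounded shift size raised in comment:3, as an added example that is not part of the ticket or of GHC's libraries. The names `ShiftError`, `checkedDistance`, `checkedShiftL`, `checkedShiftR` and the `maxShiftBits` limit are assumptions made for illustration.

```haskell
-- Added example, not GHC or base library code. All names are hypothetical.
module Main (main) where

import Data.Bits (shiftL, shiftR)

data ShiftError
  = NegativeShift Integer      -- caller asked for a negative distance
  | ShiftTooLarge Integer Int  -- requested distance, configured limit
  deriving (Eq, Show)

-- Assumed policy: the caller picks the largest left shift it is willing to
-- pay for. 2^20 bits keeps a shifted small value at roughly 128 KiB.
maxShiftBits :: Int
maxShiftBits = 2 ^ (20 :: Int)

-- Validate the distance as an Integer *before* narrowing to Int, so an
-- out-of-range value is rejected instead of wrapping around.
checkedDistance :: Integer -> Either ShiftError Int
checkedDistance n
  | n < 0                      = Left (NegativeShift n)
  | n > toInteger maxShiftBits = Left (ShiftTooLarge n maxShiftBits)
  | otherwise                  = Right (fromInteger n)

checkedShiftL :: Integer -> Integer -> Either ShiftError Integer
checkedShiftL x n = (x `shiftL`) <$> checkedDistance n

-- Right shifts only shrink the value, so the size limit is not needed.
-- A distance beyond the Int range is answered with the sign fill directly
-- rather than being narrowed (and wrapped) into a negative Int.
checkedShiftR :: Integer -> Integer -> Either ShiftError Integer
checkedShiftR x n
  | n < 0                           = Left (NegativeShift n)
  | n > toInteger (maxBound :: Int) = Right (if x < 0 then -1 else 0)
  | otherwise                       = Right (x `shiftR` fromInteger n)

main :: IO ()
main = do
  -- The wraparound from comment:1: narrowing maxBound + 1 yields minBound.
  print (fromInteger (toInteger (maxBound :: Int) + 1) == (minBound :: Int))
  print (checkedShiftL 1 100)
  print (checkedShiftL 1 100000000000000000000000)  -- literal from the report
  print (checkedShiftR 1000 (toInteger (maxBound :: Int) + 1))
  print (checkedShiftR 1000 (-1))
```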

comment:5 Changed 23 months ago by thoughtpolice

  • Component changed from libraries/base to Core Libraries
  • Owner set to ekmett

Moving over to new owning component 'Core Libraries'.

comment:6 Changed 12 months ago by thomie

  • Owner ekmett deleted

comment:7 Changed 9 months ago by thomie

  • Resolution set to duplicate
  • Status changed from new to closed

Fixed in #10571.
