Opened 11 months ago

Last modified 8 months ago

#9306 new bug

Crash when shifting Integers too far left

Reported by: dfeuer
Owned by: ekmett
Priority: normal
Milestone:
Component: Core Libraries
Version: 7.8.3
Keywords:
Cc: hvr, ekmett
Operating System: Unknown/Multiple
Architecture: Unknown/Multiple
Type of failure: Runtime crash
Test Case:
Blocked By:
Blocking:
Related Tickets:
Differential Revisions:

Description (last modified by dfeuer)

When shifting an Integer very far left, the RTS crashes. On x86_64:

Prelude Data.Bits> 1 `shiftL` 100000000000000000000000 == 1
gmp: overflow in mpz type
Aborted

I found the bug in 7.6.3, but it's been verified to be present also in 7.8.3. The crash also occurs when running similar code compiled by ghc.

Attachments (1)

shiftcrash.hs (263 bytes) - added by dfeuer 11 months ago.
Crash the RTS by shifting an Integer too far.


Change History (6)

Changed 11 months ago by dfeuer

Crash the RTS by shifting an Integer too far.

comment:1 Changed 11 months ago by hvr

The problem here is that the shift amount is of type Int, so fromIntegral (maxBound::Int) + 1 is actually minBound, so the code

okay = 1000 `shiftR` (fromIntegral (maxBound::Int) + 1) :: Integer
tooFar = 1 `shiftR` (fromIntegral (maxBound::Int) + 2) :: Integer

is the same as

okay = 1000 `shiftR` minBound :: Integer
tooFar = 1 `shiftR` (minBound + 1) :: Integer

And both should have overflowed, as you are effectively requesting a left-shift by a *huge* amount.

comment:2 follow-up: Changed 11 months ago by dfeuer

  • Description modified (diff)
  • Summary changed from Crash when shifting Integers too much to Crash when shifting Integers too far left

comment:3 Changed 11 months ago by simonpj

It's not clear what to do here. After all, arbitrary precision integers are supposed to be, well, arbitrary precision. If it "worked" you'd probably get a heap overflow instead. What should the maximum size of a shift be?

If anyone has good ideas, go for it!

Simon

comment:4 in reply to: ↑ 2 Changed 11 months ago by hvr

Replying to dfeuer:

...just a minor nit-pick about the code-example:

Literal 100000000000000000000000 is out of the Int range -9223372036854775808..9223372036854775807
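
The wrap-around described in comment:1 and the question in comment:3 about a maximum shift size, as an added example that is not part of the ticket or of GHC's libraries: a caller-side guard that validates an untrusted shift count before it reaches shiftL. The names toShiftCount, bitLength and checkedShiftL and the maxResultBits limit are hypothetical, chosen for illustration only.

```haskell
import Data.Bits (shiftL)

-- Hypothetical policy limit: largest result size, in bits, the caller accepts.
maxResultBits :: Integer
maxResultBits = 1048576  -- assumed budget; choose one that fits your heap

-- Convert an untrusted Integer to a shift count without silent wrap-around.
toShiftCount :: Integer -> Either String Int
toShiftCount n
  | n < 0                           = Left "negative shift count"
  | n > toInteger (maxBound :: Int) = Left "shift count does not fit in Int"
  | otherwise                       = Right (fromInteger n)

-- Number of bits needed to represent |x| (0 for x == 0).
bitLength :: Integer -> Integer
bitLength x = go (abs x) 0
  where
    go 0 acc = acc
    go v acc = go (v `div` 2) (acc + 1)

-- Shift left only if the count is a valid Int and the result stays in budget.
checkedShiftL :: Integer -> Integer -> Either String Integer
checkedShiftL x n = do
  k <- toShiftCount n
  if bitLength x + n > maxResultBits
    then Left "result would exceed maxResultBits"
    else Right (x `shiftL` k)

main :: IO ()
main = do
  -- The wrap from comment:1: maxBound + 1, converted to Int, is minBound.
  print (fromInteger (toInteger (maxBound :: Int) + 1) == (minBound :: Int))
  -- The literal from the description is also reduced modulo the Int width.
  print (fromInteger 100000000000000000000000 :: Int)
  -- Accepted: small count, small result.
  print (checkedShiftL 1 10)
  -- Rejected before any conversion to Int can wrap.
  print (checkedShiftL 1 100000000000000000000000)
  print (checkedShiftL 1 (-1))
  -- Rejected by the size budget although the count fits in Int.
  print (checkedShiftL 1 4000000)
```
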

comment:5 Changed 8 months ago by thoughtpolice

  • Component changed from libraries/base to Core Libraries
  • Owner set to ekmett

Moving over to new owning component 'Core Libraries'.
