fix: rotate-by-32 UB in *_opcode_rorq + suppress padding noise

JoeMatt · claude · JoeMatt · commit 3c58cc90f51c · 2026-05-01T19:00:24.000-04:00
Round-2 sanitizer fix for PR #126: UBSAN at src/tom/gpu.c:1684 -- "shift exponent 32 too large for uint32_t". In gpu_opcode_rorq / dsp_opcode_rorq / DSP_rorq the rotation count comes from gpu_convert_zero[] / dsp_convert_zero[], which maps a 0 IMM_1 to 32 (rotate-by-0 means rotate-by-full-word, a no-op). But `RN >> 32` is UB regardless of what the post-shift result is, so the previous-commit fix (only masking the LHS) wasn't enough. Mask r1 to 0x1F before either shift -- maps 32 -> 0, preserving the no-op semantic. Three sites: - src/tom/gpu.c gpu_opcode_rorq - src/jerry/dsp.c dsp_opcode_rorq, DSP_rorq Also add `-clang-analyzer-optin.performance.Padding` to the disabled list in .clang-tidy -- it fires on inherited UAE/Virtual Jaguar struct layouts where reordering for tighter packing risks silent layout breaks in save-state / dlsym paths. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/.clang-tidy b/.clang-tidy
@@ -66,5 +66,8 @@ FormatStyle: none
 #   locals that are read via macros (BCOMPEN, DSTA2, ...) clang-tidy can't see
 #   the linkage for.  Removing these inits would introduce real bugs.
 # - DeprecatedOrUnsafeBufferHandling: MSVC-flavored noise about strcpy/sprintf.
+# - optin.performance.Padding: upstream UAE/Virtual Jaguar struct layouts
+#   inherited from 1990s emulator code; reordering for tighter packing risks
+#   silent layout breaks in save-state / dlsym paths and isn't free perf.
 # - optin.portability.UnixAPI: false positive on libretro_core_options.h calloc.
 # - valist.Uninitialized: false-positive prone on our log macros.
diff --git a/src/jerry/dsp.c b/src/jerry/dsp.c
@@ -1417,7 +1417,10 @@ INLINE static void dsp_opcode_ror(void)
 
 INLINE static void dsp_opcode_rorq(void)
 {
-	uint32_t r1 = dsp_convert_zero[IMM_1 & 0x1F];
+	/* dsp_convert_zero[0] returns 32 (rotate-by-0 means rotate-by-full-word,
+	 * a no-op).  Masking to 0x1F maps 32 -> 0, preserving that semantic and
+	 * avoiding `RN >> 32` UB in the rotate idiom below. */
+	uint32_t r1 = dsp_convert_zero[IMM_1 & 0x1F] & 0x1F;
 	uint32_t r2 = RN;
 	uint32_t res = (r2 >> r1) | (r2 << ((-r1) & 31));
 	RN = res;
@@ -2233,7 +2236,8 @@ INLINE static void DSP_ror(void)
 
 INLINE static void DSP_rorq(void)
 {
-	uint32_t r1 = dsp_convert_zero[PIMM1 & 0x1F];
+	/* See dsp_opcode_rorq above for why we mask to 0x1F. */
+	uint32_t r1 = dsp_convert_zero[PIMM1 & 0x1F] & 0x1F;
 	uint32_t r2 = PRN;
 	uint32_t res = (r2 >> r1) | (r2 << ((-r1) & 31));
 	PRES = res;
diff --git a/src/tom/gpu.c b/src/tom/gpu.c
@@ -1679,7 +1679,10 @@ INLINE static void gpu_opcode_ror(void)
 
 INLINE static void gpu_opcode_rorq(void)
 {
-   uint32_t r1 = gpu_convert_zero[IMM_1 & 0x1F];
+   /* gpu_convert_zero[0] returns 32 (rotate-by-0 means rotate-by-full-word
+    * which is a no-op).  Masking to 0x1F maps 32 -> 0, preserving that
+    * semantic and avoiding `RN >> 32` UB in the rotate idiom below. */
+   uint32_t r1 = gpu_convert_zero[IMM_1 & 0x1F] & 0x1F;
    uint32_t r2 = RN;
    uint32_t res = (r2 >> r1) | (r2 << ((-r1) & 31));
    RN = res;
