fix: rotate-by-zero UB in GPU/DSP ROR/RORQ opcodes

JoeMatt · claude · JoeMatt · commit cbc22bfef06f · 2026-05-01T18:52:45.000-04:00
UBSAN on PR #126 found: src/tom/gpu.c:1674: shift exponent 32 too large for uint32_t The classic rotate-right idiom (RN >> r1) | (RN << (32 - r1)) invokes UB when r1 == 0 (32-bit shift count of 32 is out of range). Replace with the standard portable pattern: (RN >> r1) | (RN << ((-r1) & 31)) which yields RN | RN == RN for r1 == 0 and is identical for r1 in [1, 31]. Modern GCC/clang pattern-match this idiom into a single rotate instruction (rorl on x86, ror on ARM). Six sites across two files: - src/tom/gpu.c gpu_opcode_ror, gpu_opcode_rorq - src/jerry/dsp.c dsp_opcode_ror, dsp_opcode_rorq, plus the prefetched (PRN) variants Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
diff --git a/src/jerry/dsp.c b/src/jerry/dsp.c
@@ -1409,7 +1409,7 @@ INLINE static void dsp_opcode_shrq(void)
 INLINE static void dsp_opcode_ror(void)
 {
 	uint32_t r1 = RM & 0x1F;
-	uint32_t res = (RN >> r1) | (RN << (32 - r1));
+	uint32_t res = (RN >> r1) | (RN << ((-r1) & 31));
 	SET_ZN(res); dsp_flag_c = (RN >> 31) & 1;
 	RN = res;
 }
@@ -1419,7 +1419,7 @@ INLINE static void dsp_opcode_rorq(void)
 {
 	uint32_t r1 = dsp_convert_zero[IMM_1 & 0x1F];
 	uint32_t r2 = RN;
-	uint32_t res = (r2 >> r1) | (r2 << (32 - r1));
+	uint32_t res = (r2 >> r1) | (r2 << ((-r1) & 31));
 	RN = res;
 	SET_ZN(res); dsp_flag_c = (r2 >> 31) & 0x01;
 }
@@ -2226,7 +2226,7 @@ INLINE static void DSP_resmac(void)
 INLINE static void DSP_ror(void)
 {
 	uint32_t r1 = PRM & 0x1F;
-	uint32_t res = (PRN >> r1) | (PRN << (32 - r1));
+	uint32_t res = (PRN >> r1) | (PRN << ((-r1) & 31));
 	SET_ZN(res); dsp_flag_c = (PRN >> 31) & 1;
 	PRES = res;
 }
@@ -2235,7 +2235,7 @@ INLINE static void DSP_rorq(void)
 {
 	uint32_t r1 = dsp_convert_zero[PIMM1 & 0x1F];
 	uint32_t r2 = PRN;
-	uint32_t res = (r2 >> r1) | (r2 << (32 - r1));
+	uint32_t res = (r2 >> r1) | (r2 << ((-r1) & 31));
 	PRES = res;
 	SET_ZN(res); dsp_flag_c = (r2 >> 31) & 0x01;
 }
diff --git a/src/tom/gpu.c b/src/tom/gpu.c
@@ -1671,7 +1671,7 @@ INLINE static void gpu_opcode_shrq(void)
 INLINE static void gpu_opcode_ror(void)
 {
    uint32_t r1 = RM & 0x1F;
-   uint32_t res = (RN >> r1) | (RN << (32 - r1));
+   uint32_t res = (RN >> r1) | (RN << ((-r1) & 31));
    SET_ZN(res); gpu_flag_c = (RN >> 31) & 1;
    RN = res;
 }
@@ -1681,7 +1681,7 @@ INLINE static void gpu_opcode_rorq(void)
 {
    uint32_t r1 = gpu_convert_zero[IMM_1 & 0x1F];
    uint32_t r2 = RN;
-   uint32_t res = (r2 >> r1) | (r2 << (32 - r1));
+   uint32_t res = (r2 >> r1) | (r2 << ((-r1) & 31));
    RN = res;
    SET_ZN(res); gpu_flag_c = (r2 >> 31) & 0x01;
 }

Original file line number	Diff line number	Diff line change
`@@ -1409,7 +1409,7 @@ INLINE static void dsp_opcode_shrq(void)`
`1409`	`1409`	`INLINE static void dsp_opcode_ror(void)`
`1410`	`1410`	`{`
`1411`	`1411`	`uint32_t r1 = RM & 0x1F;`
`1412`		`- uint32_t res = (RN >> r1) \| (RN << (32 - r1));`
	`1412`	`+ uint32_t res = (RN >> r1) \| (RN << ((-r1) & 31));`
`1413`	`1413`	`SET_ZN(res); dsp_flag_c = (RN >> 31) & 1;`
`1414`	`1414`	`RN = res;`
`1415`	`1415`	`}`
`@@ -1419,7 +1419,7 @@ INLINE static void dsp_opcode_rorq(void)`
`1419`	`1419`	`{`
`1420`	`1420`	`uint32_t r1 = dsp_convert_zero[IMM_1 & 0x1F];`
`1421`	`1421`	`uint32_t r2 = RN;`
`1422`		`- uint32_t res = (r2 >> r1) \| (r2 << (32 - r1));`
	`1422`	`+ uint32_t res = (r2 >> r1) \| (r2 << ((-r1) & 31));`
`1423`	`1423`	`RN = res;`
`1424`	`1424`	`SET_ZN(res); dsp_flag_c = (r2 >> 31) & 0x01;`
`1425`	`1425`	`}`
`@@ -2226,7 +2226,7 @@ INLINE static void DSP_resmac(void)`
`2226`	`2226`	`INLINE static void DSP_ror(void)`
`2227`	`2227`	`{`
`2228`	`2228`	`uint32_t r1 = PRM & 0x1F;`
`2229`		`- uint32_t res = (PRN >> r1) \| (PRN << (32 - r1));`
	`2229`	`+ uint32_t res = (PRN >> r1) \| (PRN << ((-r1) & 31));`
`2230`	`2230`	`SET_ZN(res); dsp_flag_c = (PRN >> 31) & 1;`
`2231`	`2231`	`PRES = res;`
`2232`	`2232`	`}`
`@@ -2235,7 +2235,7 @@ INLINE static void DSP_rorq(void)`
`2235`	`2235`	`{`
`2236`	`2236`	`uint32_t r1 = dsp_convert_zero[PIMM1 & 0x1F];`
`2237`	`2237`	`uint32_t r2 = PRN;`
`2238`		`- uint32_t res = (r2 >> r1) \| (r2 << (32 - r1));`
	`2238`	`+ uint32_t res = (r2 >> r1) \| (r2 << ((-r1) & 31));`
`2239`	`2239`	`PRES = res;`
`2240`	`2240`	`SET_ZN(res); dsp_flag_c = (r2 >> 31) & 0x01;`
`2241`	`2241`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1671,7 +1671,7 @@ INLINE static void gpu_opcode_shrq(void)`
`1671`	`1671`	`INLINE static void gpu_opcode_ror(void)`
`1672`	`1672`	`{`
`1673`	`1673`	`uint32_t r1 = RM & 0x1F;`
`1674`		`- uint32_t res = (RN >> r1) \| (RN << (32 - r1));`
	`1674`	`+ uint32_t res = (RN >> r1) \| (RN << ((-r1) & 31));`
`1675`	`1675`	`SET_ZN(res); gpu_flag_c = (RN >> 31) & 1;`
`1676`	`1676`	`RN = res;`
`1677`	`1677`	`}`
`@@ -1681,7 +1681,7 @@ INLINE static void gpu_opcode_rorq(void)`
`1681`	`1681`	`{`
`1682`	`1682`	`uint32_t r1 = gpu_convert_zero[IMM_1 & 0x1F];`
`1683`	`1683`	`uint32_t r2 = RN;`
`1684`		`- uint32_t res = (r2 >> r1) \| (r2 << (32 - r1));`
	`1684`	`+ uint32_t res = (r2 >> r1) \| (r2 << ((-r1) & 31));`
`1685`	`1685`	`RN = res;`
`1686`	`1686`	`SET_ZN(res); gpu_flag_c = (r2 >> 31) & 0x01;`
`1687`	`1687`	`}`