Fix the fuzz

Reference issue

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=66419

What does this implement/fix?

If getRandomBits(/*int numRandomBits*/ 0) is called (as is the case for 80-bit random<long double>), then const BitsType mask = BitsType(-1) >> (ScalarBits - numRandomBits); invokes undefined behavior as we are shifting an integer by its width. Possible remedies:

a) if(numRandomBits == 0) return 0; Easy to read, but adds a branch.

b) const BitsType mask = BitsType(-1) >> ((ScalarBits - numRandomBits) & (ScalarBits - 1)); If the shift is equal to ScalarBits, mask it out. Otherwise, do nothing. This results in much cleaner assembly. In fact, this changes nothing for Clang and gcc. My guess is that the major compilers account for this theoretical UB. Hopefully the fuzzer respects this.

Additional information

Edited by Charles Schlosser
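The two remedies from the description, side by side, as an added example; this is not Eigen's code or the merge request's diff. The template parameter name BitsType and the constant ScalarBits are taken from the description; the function names mask_with_branch, mask_branchless, folded_shift and mask_reference are assumptions for illustration. The bit-by-bit reference mask never shifts by the full width, so it can serve as an oracle for both remedies. One caveat worth seeing in code: for numRandomBits == 0 the two remedies give different masks. Remedy (a) returns 0, while remedy (b) folds the shift amount to 0 and therefore returns an all-ones mask, which is also what an x86 shift instruction produces when its count is masked to the operand width. For every non-zero count up to the full width the two agree.

```cpp
// Added example (not Eigen code): remedies (a) and (b) for the shift-by-width UB in getRandomBits.
#include <cstdint>
#include <cstdio>
#include <limits>
#include <type_traits>

// Remedy (a): branch on numRandomBits == 0 so the shift amount never reaches the width.
template <typename BitsType>
BitsType mask_with_branch(int numRandomBits) {
  static_assert(std::is_unsigned<BitsType>::value, "BitsType must be unsigned");
  constexpr int ScalarBits = std::numeric_limits<BitsType>::digits;
  if (numRandomBits == 0) return 0;
  // Assumed contract: 1 <= numRandomBits <= ScalarBits, so the shift is in [0, ScalarBits - 1].
  return BitsType(-1) >> (ScalarBits - numRandomBits);
}

// Remedy (b): fold the shift amount with & (ScalarBits - 1). Only a shift of exactly ScalarBits
// (numRandomBits == 0) is changed, and it becomes a shift of 0. Requires a power-of-two width.
template <typename BitsType>
BitsType mask_branchless(int numRandomBits) {
  static_assert(std::is_unsigned<BitsType>::value, "BitsType must be unsigned");
  constexpr int ScalarBits = std::numeric_limits<BitsType>::digits;
  static_assert((ScalarBits & (ScalarBits - 1)) == 0, "ScalarBits must be a power of two");
  return BitsType(-1) >> ((ScalarBits - numRandomBits) & (ScalarBits - 1));
}

// The folded shift amount used by remedy (b); for 0 <= numRandomBits <= ScalarBits it always
// lies in [0, ScalarBits - 1], which is why the shift is no longer undefined.
template <typename BitsType>
int folded_shift(int numRandomBits) {
  constexpr int ScalarBits = std::numeric_limits<BitsType>::digits;
  return (ScalarBits - numRandomBits) & (ScalarBits - 1);
}

// Oracle: build the mask one bit at a time. Every shift here is by at most ScalarBits - 1,
// so this is well defined for any 0 <= numRandomBits <= ScalarBits.
template <typename BitsType>
BitsType mask_reference(int numRandomBits) {
  BitsType m = 0;
  for (int i = 0; i < numRandomBits; ++i) m |= BitsType(1) << i;
  return m;
}

// True when both remedies match the oracle for every non-zero bit count up to the full width.
template <typename BitsType>
bool remedies_agree_for_nonzero_counts() {
  constexpr int ScalarBits = std::numeric_limits<BitsType>::digits;
  for (int n = 1; n <= ScalarBits; ++n) {
    const BitsType ref = mask_reference<BitsType>(n);
    if (mask_with_branch<BitsType>(n) != ref || mask_branchless<BitsType>(n) != ref) return false;
  }
  return true;
}

int main() {
  // The zero case is where the two remedies part ways.
  std::printf("uint64_t, numRandomBits == 0: remedy (a) -> %016llx, remedy (b) -> %016llx\n",
              (unsigned long long)mask_with_branch<std::uint64_t>(0),
              (unsigned long long)mask_branchless<std::uint64_t>(0));
  std::printf("remedies agree for 1..64: %s\n",
              remedies_agree_for_nonzero_counts<std::uint64_t>() ? "yes" : "no");
  return 0;
}
```

Compiling with -fsanitize=undefined and calling BitsType(-1) >> (ScalarBits - 0) directly is the quickest way to reproduce the fuzzer's report; neither remedy above triggers it, but only remedy (a) yields a zero mask for a zero bit count, so the caller's expectation for that case decides which one is correct to adopt.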
