Undefined-shift in ots::ots_cmap_parse

Issue description

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5824974367752192
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv970peI861019BR_qzRy9iSPuG2TfObWNpWn8mwVaksCmrL3NVk65FUl1TxUmP6eUJ8PLRPd8A7FtdlX-nFfHMvaVcxGY1bkI8OjZ5zgHz3dWf7AaQQ12mJBYiW15b2f5bfGCP-ddSPw0nMQoh6KEl6mT2BcKQ
Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
May 26 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=5824974367752192
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv970peI861019BR_qzRy9iSPuG2TfObWNpWn8mwVaksCmrL3NVk65FUl1TxUmP6eUJ8PLRPd8A7FtdlX-nFfHMvaVcxGY1bkI8OjZ5zgHz3dWf7AaQQ12mJBYiW15b2f5bfGCP-ddSPw0nMQoh6KEl6mT2BcKQ

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
May 30 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4961523286147072
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv966LQwzbS0_8gXi3poajA0rFHEith1oionc0N_gXM83D0r9RouO8S9T8QEUcyJkNd_7M3x3hcoInUasXkSYCNbJDq8UhoYsy2RwixVtep8Ewro3j2YfluidGr9geq9gZfEKAuL1vWznWheFa-kSyy8to4ARdw
Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jun 27 2016
ClusterFuzz has detected this testcase as flaky and is unable to reproduce it in the original crash revision. Skipping fixed testing check and marking it as potentially fixed.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4961523286147072
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95W9veCqjFfUp3o5w8bEAV5pBIDoWpKQb7LJ_-27JvSWNSUkUG7zGXQ8hFGh_E1RYlz8W9cmCEBBBlhZS66CQk-dC4nRECUFs0L15tF32UNhXkK7q5O-omTdUAu1BUu90qR8Hs2vdFJMkyavGLNazUwPMyscw?testcase_id=4961523286147072

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Jun 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4725561851379712
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Y-ocInjSZxEK2iEIsQ43UkLH21aL6bblLXiwgsLI_rsxvoZc5B6pldgsCNb3aRWqTWHXmIjscPI1x3xtPOBYgAqs7KKxXS5p_F7ZQ8Kni09oymy1BzJK4yvs3IROpcByBGgPM45w-iJSRpcgsaOLPRDsWUw?testcase_id=4725561851379712
Filer: mmoroz

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4909192175681536
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97cfd0RcGx5KTk9uS1ASs3Wf2wwzFvxNv9_-uUDzxIi2uE_cBWECJ8Szf0ClLyshU2pWt5z-vLIeQcaPgRQy1deNoqcRwDUYQwtmRI2ADAzVWjIBj3sI_Q8BiANnnvmvXeUTImj6uOFyYreK1-xNTLIz1dgFw?testcase_id=4909192175681536
Filer: rnimmagadda

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information.
Jul 29 2016
Gentle ping. @behdad: Could you please provide some update on this issue? Thank you.
Jul 29 2016
Can a C lawyer point me to the part of the spec that says "runtime error: left shift of 768 by 24 places cannot be represented in type int" is undefined behavior?
Jul 29 2016
@behdad here you are: https://bugs.chromium.org/p/chromium/issues/detail?id=614648#c4

---- cut ----
> Is this kind of shift indeed an undefined behavior? Is this a false positive?

It depends on which language mode you're in. In C and C++98, it is undefined behavior. 145 * 2**24 does not fit in an int (the C / C++98 rule is that you cannot shift a 1 into the sign bit). In C++11, this case has defined behavior, but left-shifting by 25 places would have undefined behavior (you cannot shift a 1 out of the sign bit in C++11).

> Is the value promoted to signed type somewhere?

Yes, the integral promotions are performed on the left-hand side, so we're left-shifting a value of type 'int'. (Otherwise this would be unconditionally undefined behavior because 24 is greater than the bit-width of 'unsigned char'.)
---- end cut ----

If you compile your sample in C mode, then ubsan correctly complains:

$ cat tmpubs.cc && clang++ -o tmpubs -x c tmpubs.cc -fsanitize=integer -fsanitize=undefined && ./tmpubs
int main(int argc, char* argv[]) {
  volatile unsigned char bytes[4] = {0xFF, 0xFF, 0xFF, 0xFF};
  volatile unsigned int val = bytes[0] << 24;
  return 0;
}
tmpubs.cc:3:40: runtime error: left shift of 255 by 24 places cannot be represented in type 'int'

The correct solution is to explicitly cast unsigned bytes to unsigned ints.
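The promotion-then-shift problem and the cast that fixes it, as an added example that is not OTS code and not code posted by anyone on this bug. It places the flagged byte-read pattern beside the hardened form the comment recommends, and adds a small classifier that applies the C / C++98 versus C++11 rules quoted above to the values that appear in this thread (255, 145 and 768 shifted by 24, and a shift by 25). The function names are mine; the only assumption is a 32-bit int, which the sanitizer message "cannot be represented in type 'int'" implies.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not OTS code. Assumes a 32-bit int (what the UBSan message
 * on this bug implies). Function names are illustrative. */

/* The pattern UBSan flags: each unsigned char is promoted to (signed) int
 * before the shift, so a leading byte >= 0x80 shifts a 1 into the sign bit,
 * which is undefined in C and C++98. Kept here only to show the pattern;
 * call it only with a leading byte below 0x80. */
uint32_t read_u32_be_promoted(const unsigned char *p) {
  return (p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3];
}

/* Hardened form, as the comment recommends: widen each byte to an unsigned
 * type first, so the shift is performed on uint32_t and no sign bit exists. */
uint32_t read_u32_be_unsigned(const unsigned char *p) {
  return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
         ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

enum shift_status {
  SHIFT_DEFINED = 0,    /* result fits in int: defined in C, C++98 and C++11 */
  SHIFT_CXX11_ONLY = 1, /* fits in unsigned int but not int: C++11 only */
  SHIFT_UNDEFINED = 2   /* does not fit in unsigned int, or shift >= width */
};

/* Classify `value << places` for a promoted 32-bit int operand using the rules
 * quoted above: C / C++98 require the result to fit in int (no 1 shifted into
 * the sign bit); C++11 only requires it to fit in the corresponding unsigned
 * type. `value` is the already-promoted left operand (0..255 for a byte read,
 * but larger values such as the 768 in this bug's report are accepted). */
enum shift_status classify_left_shift(uint32_t value, unsigned places) {
  if (places >= 32)
    return SHIFT_UNDEFINED; /* shift count >= width of int is always UB */
  /* 64-bit arithmetic keeps the product exact: value < 2^32 and places < 32. */
  uint64_t r = (uint64_t)value << places;
  if (r <= (uint64_t)INT32_MAX)
    return SHIFT_DEFINED;
  if (r <= (uint64_t)UINT32_MAX)
    return SHIFT_CXX11_ONLY;
  return SHIFT_UNDEFINED;
}

static const char *status_name(enum shift_status s) {
  return s == SHIFT_DEFINED    ? "defined in every mode"
       : s == SHIFT_CXX11_ONLY ? "defined in C++11 only, UB in C / C++98"
                               : "undefined in every mode";
}

int main(void) {
  /* Constructed inputs: the all-0xFF bytes from the sample above, and a word
   * whose leading byte has a clear top bit so the promoted read is defined. */
  const unsigned char high[4] = {0xFF, 0xFF, 0xFF, 0xFF};
  const unsigned char low[4] = {0x12, 0x34, 0x56, 0x78};

  printf("unsigned read of FF FF FF FF: 0x%08" PRIx32 "\n",
         read_u32_be_unsigned(high));
  printf("promoted read of 12 34 56 78: 0x%08" PRIx32 "\n",
         read_u32_be_promoted(low));

  /* The shifts discussed in this thread and in the linked comment. */
  printf("255 << 24: %s\n", status_name(classify_left_shift(255, 24)));
  printf("145 << 24: %s\n", status_name(classify_left_shift(145, 24)));
  printf("145 << 25: %s\n", status_name(classify_left_shift(145, 25)));
  printf("768 << 24: %s\n", status_name(classify_left_shift(768, 24)));
  return 0;
}
```

Note that 768 << 24 is undefined even under the more permissive C++11 rule, because 768 * 2^24 = 3 * 2^32 does not fit in 32 bits at all; the casts in read_u32_be_unsigned avoid the question entirely by never shifting a signed operand.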
Jul 29 2016
Thanks. Submitted patch upstream: https://github.com/khaledhosny/ots/pull/111
Jul 31 2016
Fixed upstream: https://github.com/khaledhosny/ots/pull/111
Reassigning to drott@ to roll ots.
Aug 1 2016
Aug 4 2016
Roll CL in https://codereview.chromium.org/2210893002
Aug 4 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/32ff5edef9ab6a3fda85a78c9871efef1fcdaa03

commit 32ff5edef9ab6a3fda85a78c9871efef1fcdaa03
Author: drott <drott@chromium.org>
Date: Thu Aug 04 10:05:11 2016

Roll OTS to 8d70cffebbfa

BUG= 614737
Review-Url: https://codereview.chromium.org/2210893002
Cr-Commit-Position: refs/heads/master@{#409753}

[modify] https://crrev.com/32ff5edef9ab6a3fda85a78c9871efef1fcdaa03/third_party/ots/README
[modify] https://crrev.com/32ff5edef9ab6a3fda85a78c9871efef1fcdaa03/third_party/ots/README.chromium
[modify] https://crrev.com/32ff5edef9ab6a3fda85a78c9871efef1fcdaa03/third_party/ots/src/cmap.cc
[modify] https://crrev.com/32ff5edef9ab6a3fda85a78c9871efef1fcdaa03/third_party/ots/src/math.cc
Aug 4 2016
Aug 5 2016
ClusterFuzz has detected this issue as fixed in range 409727:409801.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4909192175681536
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=409727:409801
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97cfd0RcGx5KTk9uS1ASs3Wf2wwzFvxNv9_-uUDzxIi2uE_cBWECJ8Szf0ClLyshU2pWt5z-vLIeQcaPgRQy1deNoqcRwDUYQwtmRI2ADAzVWjIBj3sI_Q8BiANnnvmvXeUTImj6uOFyYreK1-xNTLIz1dgFw?testcase_id=4909192175681536

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 5 2016
ClusterFuzz has detected this issue as fixed in range 409727:409801.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4725561851379712
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=409727:409801
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv97Y-ocInjSZxEK2iEIsQ43UkLH21aL6bblLXiwgsLI_rsxvoZc5B6pldgsCNb3aRWqTWHXmIjscPI1x3xtPOBYgAqs7KKxXS5p_F7ZQ8Kni09oymy1BzJK4yvs3IROpcByBGgPM45w-iJSRpcgsaOLPRDsWUw?testcase_id=4725561851379712

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Aug 5 2016
ClusterFuzz has detected this issue as fixed in range 409727:409801.

Detailed report: https://cluster-fuzz.appspot.com/testcase?key=4961523286147072
Fuzzer: libfuzzer_ots_fuzzer
Job Type: libfuzzer_chrome_ubsan
Platform Id: linux
Crash Type: Undefined-shift
Crash Address:
Crash State:
  ots::ots_cmap_parse
  ProcessGeneric
  ProcessTTF
Regressed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=395746:395813
Fixed: https://cluster-fuzz.appspot.com/revisions?job=libfuzzer_chrome_ubsan&range=409727:409801
Minimized Testcase (0.80 Kb): https://cluster-fuzz.appspot.com/download/AMIfv95W9veCqjFfUp3o5w8bEAV5pBIDoWpKQb7LJ_-27JvSWNSUkUG7zGXQ8hFGh_E1RYlz8W9cmCEBBBlhZS66CQk-dC4nRECUFs0L15tF32UNhXkK7q5O-omTdUAu1BUu90qR8Hs2vdFJMkyavGLNazUwPMyscw?testcase_id=4961523286147072

See https://chromium.googlesource.com/chromium/src/+/master/testing/libfuzzer/reproducing.md for more information. If you suspect that the result above is incorrect, try re-doing that job on the test case report page.
Nov 22 2016
Removing EditIssue view restrictions from ClusterFuzz filed bugs. If you believe that this issue should still be restricted, please reapply the label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by mmoroz@chromium.org, May 25 2016
Components: Blink>WebFonts
Owner: behdad@chromium.org