Dear Bash Maintainers,
I encountered an issue in Bash and would like to report it. crash.txt
is attached to the email.
Steps to reproduce
$ export UBSAN_OPTIONS=halt_on_error=1,abort_on_error=1,print_stacktrace=true,symbolize=true,print_stacktrace=1,report_error_type=1,symbolize=1
$ CC=clang-19 CFLAGS=" -g -fsanitize=undefined -O0 " ./configure --enable-largefile --without-bash-malloc
$ make
$ ./bash crash.txt
Expected Behaviour
Any messages without ubsan ERROR.
Actual Behaviour
expr.c:584:15: runtime error: left shift of negative value -6
#0 0x5680e791347d in expassign /upstream/bash/expr.c:584:15
#1 0x5680e79116d4 in expcomma /upstream/bash/expr.c:500:11
#2 0x5680e790f460 in subexpr /upstream/bash/expr.c:482:9
#3 0x5680e790eb0c in evalexp /upstream/bash/expr.c:448:9
#4 0x5680e7989fcb in param_expand /upstream/bash/subst.c:10870:13
#5 0x5680e796ba6a in expand_word_internal /upstream/bash/subst.c:11524:12
#6 0x5680e79b0e12 in shell_expand_word_list /upstream/bash/subst.c:13082:18
#7 0x5680e797ff10 in expand_word_list_internal /upstream/bash/subst.c:13249:14
#8 0x5680e797fe11 in expand_words /upstream/bash/subst.c:12577:11
#9 0x5680e78be359 in execute_simple_command /upstream/bash/execute_cmd.c:4617:15
#10 0x5680e78b81cf in execute_command_internal /upstream/bash/execute_cmd.c:938:4
#11 0x5680e78b62ae in execute_command /upstream/bash/execute_cmd.c:456:12
#12 0x5680e7855c6a in reader_loop /upstream/bash/eval.c:183:8
#13 0x5680e784ecbc in main /upstream/bash/shell.c:834:3
#14 0x7b0c69a99249 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#15 0x7b0c69a99304 in __libc_start_main csu/../csu/libc-start.c:360:3
#16 0x5680e78220c0 in _start (/upstream/bash/bash+0x2320c0) (BuildId: 358c36748e122fdaa94e8571f8fe1c61f5bfc3ee)
SUMMARY: UndefinedBehaviorSanitizer: invalid-shift-base expr.c:584:15
Aborted (core dumped)
Additional Notes
When I do
$ ./bash -c " echo $((-5 << 2)) "
or
$ ./bash -c "set -o posix; declare -i iv=-5; echo $(( iv <<= 2)) "
I don't see any ubsan errors. If you made the constructions so
consistent, then the behaviour with the attached file appears to be
unintentionally undefined.
Bash Version
commit a8a1c2fac029404d3f42cd39f5a20f24b6e4fe4b
root@fb1d7dcac77a:/upstream/bash# ./bash --version
GNU bash, version 5.3.3(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2025 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
Also, the behaviour reproduces on the bash 5.2 release.
System Info
Linux astra 6.1.90-1-generic #astra2+ci15 SMP PREEMPT_DYNAMIC Tue Jul 23 09:49:19 MSK 2024 x86_64 GNU/Linux
Debian clang version 19.1.4 (1~deb12u1)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
Crash.txt:
set +o posix
declare -i iv jv
iv=$(( 3 + 5 * 32 ))
echo $iv
iv=iv+3
echo $iv
iv=2
jv=iv
let "jv *= 2"
echo $jv
jv=$(( $jv << 2 ))
echo $jv
let jv="$jv / 2"
echo $jv
jho $(( iv && $jv ))
echv=$((iv+ $jv))
echo $iv
echo $((iv -= jv))
echo $iv
echo $(( iv == jv ))
echo $(( iv != $jv ))
echo $(( iv < jv ))
echo $(( $iv > $jv ))
echo $(( iv <= $jv ))
echo $(( $iv >= jv ))
echo $jv
echo $(( ~$jv ))
echo $(( ~1 ))
echo $(( ! 0 ))
echo $(( jv % 2 ))
echo $(( $iv % 4 ))
echo here
echo $(( iv <<= 16 ))
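
Added example, not part of the original report and not bash's own code: the class of undefined behaviour UBSan flags above (a left shift whose left operand is negative) beside one way to compute the same result with defined behaviour. The helper names shl_signed and shl_defined are hypothetical, and returning 0 for an out-of-range shift count is this example's assumption, not bash's documented behaviour.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helpers for illustration; neither is taken from bash's expr.c. */

/* Shifts the signed value directly. In C this is undefined when value is
   negative (C11 6.5.7p4), which is what -fsanitize=undefined reports as
   "left shift of negative value". */
intmax_t shl_signed(intmax_t value, int count)
{
    return value << count;
}

/* Same operation with defined behaviour: shift the unsigned bit pattern,
   then convert back. The conversion back is implementation-defined rather
   than undefined before C23; gcc and clang wrap modulo 2^N. */
intmax_t shl_defined(intmax_t value, intmax_t count)
{
    const uintmax_t width = sizeof(intmax_t) * CHAR_BIT;

    /* A count that is negative or >= the type width is also undefined in C.
       Returning 0 here is this example's policy choice (an assumption). */
    if (count < 0 || (uintmax_t)count >= width)
        return 0;
    return (intmax_t)((uintmax_t)value << count);
}

int main(void)
{
    /* iv is -6 when crash.txt reaches "iv <<= 16" (2 - 8 from "iv -= jv"). */
    printf("%jd\n", shl_defined(-6, 16));
    printf("%jd\n", shl_defined(-5, 2));
    /* Non-negative operands that do not overflow are fine either way. */
    printf("%jd\n", shl_signed(4, 2));
    return 0;
}
```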