Fix shift-overflow in const-generic bitfield accessors

dimbleby · Copilot · dimbleby · commit 501b34c7c8a6 · 2026-05-16T18:18:50.000+01:00
When BIT_WIDTH equals the native word size (e.g. a 64-bit field on a
64-bit target), `(1usize &lt;&lt; BIT_WIDTH) - 1` shifted by the full width
of usize, panicking in debug builds and producing a wrong mask in
release. Affected `get_const`, `set_const`, `raw_get_const` and
`raw_set_const`.

Guard the value mask with `BIT_WIDTH &lt; usize::BITS` and compute
the runtime `set`. Add a regression test exercising width = 64.

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/bindgen/codegen/bitfield_unit.rs b/bindgen/codegen/bitfield_unit.rs
@@ -346,7 +346,9 @@ impl<const N: usize> __BindgenBitfieldUnit<[u8; N]> {
             }
 
             val >>= bit_shift;
-            val &= (1usize << BIT_WIDTH) - 1;
+            if (BIT_WIDTH as u32) < usize::BITS {
+                val &= (1usize << BIT_WIDTH) - 1;
+            }
 
             if cfg!(target_endian = "big") {
                 val = val.reverse_bits() >>
@@ -409,7 +411,9 @@ impl<const N: usize> __BindgenBitfieldUnit<[u8; N]> {
         // The compiler eliminates the unused branch since BIT_WIDTH is const.
         if BIT_WIDTH as usize + bit_shift <= usize::BITS as usize {
             let mut val = val as usize;
-            val &= (1usize << BIT_WIDTH) - 1;
+            if (BIT_WIDTH as u32) < usize::BITS {
+                val &= (1usize << BIT_WIDTH) - 1;
+            }
 
             if cfg!(target_endian = "big") {
                 val = val.reverse_bits() >>
@@ -418,7 +422,12 @@ impl<const N: usize> __BindgenBitfieldUnit<[u8; N]> {
 
             val <<= bit_shift;
 
-            let field_mask = ((1usize << BIT_WIDTH) - 1) << bit_shift;
+            let field_mask =
+                if BIT_WIDTH as usize + bit_shift >= usize::BITS as usize {
+                    !0usize << bit_shift
+                } else {
+                    ((1usize << BIT_WIDTH) - 1) << bit_shift
+                };
 
             let mut i = 0;
             while i < bytes_needed {
@@ -519,7 +528,9 @@ impl<const N: usize> __BindgenBitfieldUnit<[u8; N]> {
             }
 
             val >>= bit_shift;
-            val &= (1usize << BIT_WIDTH) - 1;
+            if (BIT_WIDTH as u32) < usize::BITS {
+                val &= (1usize << BIT_WIDTH) - 1;
+            }
 
             if cfg!(target_endian = "big") {
                 val = val.reverse_bits() >>
@@ -588,7 +599,9 @@ impl<const N: usize> __BindgenBitfieldUnit<[u8; N]> {
         // Use usize for fields that fit, u64 only when necessary.
         if BIT_WIDTH as usize + bit_shift <= usize::BITS as usize {
             let mut val = val as usize;
-            val &= (1usize << BIT_WIDTH) - 1;
+            if (BIT_WIDTH as u32) < usize::BITS {
+                val &= (1usize << BIT_WIDTH) - 1;
+            }
 
             if cfg!(target_endian = "big") {
                 val = val.reverse_bits() >>
@@ -597,7 +610,12 @@ impl<const N: usize> __BindgenBitfieldUnit<[u8; N]> {
 
             val <<= bit_shift;
 
-            let field_mask = ((1usize << BIT_WIDTH) - 1) << bit_shift;
+            let field_mask =
+                if BIT_WIDTH as usize + bit_shift >= usize::BITS as usize {
+                    !0usize << bit_shift
+                } else {
+                    ((1usize << BIT_WIDTH) - 1) << bit_shift
+                };
 
             let mut i = 0;
             while i < bytes_needed {
diff --git a/bindgen/codegen/bitfield_unit_tests.rs b/bindgen/codegen/bitfield_unit_tests.rs
@@ -367,3 +367,73 @@ fn bitfield_unit_raw_const_methods() {
     // Compare by reading back
     assert_eq!(unit_const.get(0, 16), unit_runtime.get(0, 16));
 }
+
+// Regression: const-generic accessors must not shift-overflow when
+// BIT_WIDTH equals the native word size (usize::BITS). Previously
+// `(1usize << BIT_WIDTH) - 1` panicked in debug builds for 64-bit
+// fields on 64-bit targets (and 32-bit fields on 32-bit targets).
+#[test]
+fn bitfield_unit_const_full_word_width() {
+    let storage = [0x12u8, 0x34, 0x56, 0x78, 0x9A, 0xBC, 0xDE, 0xF0];
+    let unit = __BindgenBitfieldUnit::<[u8; 8]>::new(storage);
+
+    // Width == 64 on 64-bit hosts, and width == 32 exercises the
+    // boundary on 32-bit hosts (still safe on 64-bit, just routes
+    // through a different branch).
+    assert_eq!(unit.get_const::<0, 64>(), unit.get(0, 64));
+    assert_eq!(unit.get_const::<0, 32>(), unit.get(0, 32));
+
+    unsafe {
+        assert_eq!(
+            __BindgenBitfieldUnit::raw_get_const::<0, 64>(&unit),
+            unit.get(0, 64),
+        );
+    }
+
+    let mut unit_const = __BindgenBitfieldUnit::<[u8; 8]>::new([0; 8]);
+    let mut unit_runtime = __BindgenBitfieldUnit::<[u8; 8]>::new([0; 8]);
+    let value = 0xDEAD_BEEF_CAFE_BABE_u64;
+
+    unit_const.set_const::<0, 64>(value);
+    unit_runtime.set(0, 64, value);
+    assert_eq!(unit_const.get(0, 64), unit_runtime.get(0, 64));
+
+    let mut unit_raw = __BindgenBitfieldUnit::<[u8; 8]>::new([0; 8]);
+    unsafe {
+        __BindgenBitfieldUnit::raw_set_const::<0, 64>(&mut unit_raw, value);
+    }
+    assert_eq!(unit_raw.get(0, 64), value);
+
+    // Exercise the new `field_mask = !0 << bit_shift` branch with a
+    // non-zero bit_shift (BIT_WIDTH + bit_shift == usize::BITS but
+    // BIT_WIDTH < usize::BITS, so the value-mask still runs).
+    let mut unit_shifted_const =
+        __BindgenBitfieldUnit::<[u8; 9]>::new([0xAA; 9]);
+    let mut unit_shifted_runtime =
+        __BindgenBitfieldUnit::<[u8; 9]>::new([0xAA; 9]);
+    unit_shifted_const.set_const::<1, 63>(value & ((1u64 << 63) - 1));
+    unit_shifted_runtime.set(1, 63, value & ((1u64 << 63) - 1));
+    assert_eq!(
+        unit_shifted_const.get(0, 64),
+        unit_shifted_runtime.get(0, 64),
+    );
+    assert_eq!(
+        unit_shifted_const.get_const::<1, 63>(),
+        unit_shifted_runtime.get(1, 63),
+    );
+
+    let mut unit_shifted_raw = __BindgenBitfieldUnit::<[u8; 9]>::new([0xAA; 9]);
+    let mut unit_shifted_raw_runtime =
+        __BindgenBitfieldUnit::<[u8; 9]>::new([0xAA; 9]);
+    unsafe {
+        __BindgenBitfieldUnit::raw_set_const::<1, 63>(
+            &mut unit_shifted_raw,
+            value & ((1u64 << 63) - 1),
+        );
+    }
+    unit_shifted_raw_runtime.set(1, 63, value & ((1u64 << 63) - 1));
+    assert_eq!(
+        unit_shifted_raw.get(0, 64),
+        unit_shifted_raw_runtime.get(0, 64),
+    );
+}
