Summary
execute_arithmetic_with_side_effects() at interpreter/mod.rs:1563-1565 uses native +, -, * operators instead of wrapping_* variants. In debug mode, i64 overflow causes a panic (process crash). The non-compound path in parse_arithmetic_impl correctly uses wrapping operations.
A second overflow site exists in evaluate_arithmetic_with_assign() at interpreter/mod.rs:7022-7043 for the <<= and >>= compound assignment paths, which don't clamp the shift amount (the non-compound path clamps to 0..=63 at :7455).
Impact — HIGH
Process crash (DoS) in debug mode. Silent wrapping in release mode (inconsistent with non-compound path).
Reproduction
# Panics in debug mode:
x=9223372036854775807; ((x+=1)); echo $x
# "attempt to add with overflow" at interpreter/mod.rs:1563
Recommended fix
Replace native operators with wrapping variants at mod.rs:1563-1565:
'+' => current.wrapping_add(rhs_value),
'-' => current.wrapping_sub(rhs_value),
'*' => current.wrapping_mul(rhs_value),
And clamp shift amounts at mod.rs:7042-7043:
"<<" => lhs_val.wrapping_shl((rhs_val & 63) as u32),
">>" => lhs_val.wrapping_shr((rhs_val & 63) as u32),
Also add overflow protection for / and % (i64::MIN / -1 and i64::MIN % -1).
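The recommendations above combined into one helper, as an added sketch that is not the project's code: `apply_compound` and its error strings are hypothetical names, and returning an error for a zero divisor is an assumption about how the interpreter reports it.

```rust
/// Hypothetical helper: evaluates `current <op>= rhs` without panicking on
/// i64 overflow in either debug or release builds.
pub fn apply_compound(op: &str, current: i64, rhs: i64) -> Result<i64, &'static str> {
    Ok(match op {
        "+" => current.wrapping_add(rhs),
        "-" => current.wrapping_sub(rhs),
        "*" => current.wrapping_mul(rhs),
        // wrapping_div / wrapping_rem still panic on a zero divisor,
        // so reject it before reaching them.
        "/" | "%" if rhs == 0 => return Err("division by 0"),
        // i64::MIN / -1 overflows with the native operator; the wrapping
        // variant yields i64::MIN, and i64::MIN % -1 yields 0.
        "/" => current.wrapping_div(rhs),
        "%" => current.wrapping_rem(rhs),
        // Mask the shift count into 0..=63 before the cast so negative or
        // oversized counts cannot trigger a shift-overflow panic.
        "<<" => current.wrapping_shl((rhs & 63) as u32),
        ">>" => current.wrapping_shr((rhs & 63) as u32),
        _ => return Err("unsupported operator"),
    })
}

fn main() {
    // Constructed inputs covering each overflow site named in the report.
    let cases = [
        ("+", i64::MAX, 1),
        ("*", i64::MAX, 2),
        ("/", i64::MIN, -1),
        ("%", i64::MIN, -1),
        ("<<", 1, 64),
        (">>", -8, 1),
        ("/", 1, 0),
    ];
    for (op, lhs, rhs) in cases {
        println!("{lhs} {op}= {rhs} -> {:?}", apply_compound(op, lhs, rhs));
    }
}
```

Building this with overflow checks enabled (the default for debug builds) exercises the same condition that triggers the panic in the reproduction.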
Tests
Regression tests (currently #[ignore]):
security_audit_compound_add_no_panic
security_audit_compound_shift_clamped
Cross-references