[Bug libstdc++/65131] New: Integer overflow in .size() for std::vector

[Bug libstdc++/65131] New: Integer overflow in .size() for std::vector

[fayard at insideloop dot io]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

            Bug ID: 65131
           Summary: Integer overflow in .size() for std::vector
           Product: gcc
           Version: 4.9.2
            Status: UNCONFIRMED
          Severity: major
          Priority: P3
         Component: libstdc++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: fayard at insideloop dot io

Hi,

The .size() method on the std::vector<T> might overflow. In the case where:
- The system has a pointer size of 32 bits
- sizeof(T) == 1
- The vector has been created with a size n >= 2^31
Then, as this->_M_impl._M_finish - this->_M_impl._M_start does not fit un a
std::ptrdiff_t, this difference has undefined behaviour.

      // [23.2.4.2] capacity
      /**  Returns the number of elements in the %vector.  */
      size_type
      size() const _GLIBCXX_NOEXCEPT
      { return size_type(this->_M_impl._M_finish - this->_M_impl._M_start); }

It turns out that max_size() does not prevent us from creating such an array.

      /**  Returns the size() of the largest possible %vector.  */
      size_type
      max_size() const _GLIBCXX_NOEXCEPT
      { return _Alloc_traits::max_size(_M_get_Tp_allocator()); }

As I am quite new to C++ so I prefer not to supply a patch. This bug is not
present in libc++ and they solved it this way.

      template <class _Tp, class _Allocator>
      typename vector<_Tp, _Allocator>::size_type
      vector<_Tp, _Allocator>::max_size() const _NOEXCEPT
      {
          return
_VSTD::min<size_type>(__alloc_traits::max_size(this->__alloc()),
numeric_limits<size_type>::max() / 2);  // end() >= begin(), always
      }

Best regards,
Francois

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
The ABI says for all 32bit ABIs you cannot allocate more than half of the
address space.

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
https://gcc.gnu.org/ml/gcc/2011-08/msg00221.html

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[fayard at insideloop dot io]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

--- Comment #3 from Francois Fayard <fayard at insideloop dot io> ---
Thanks for the info. It would be nice to reflect that in max_size().

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

Jonathan Wakely <redi at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|major                       |normal

--- Comment #4 from Jonathan Wakely <redi at gcc dot gnu.org> ---
And you can't actually allocate 2^64 bytes of memory on x86_64 either.

In practice this doesn't really matter, noone uses max_size() this way.

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[fayard at insideloop dot io]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

--- Comment #5 from Francois Fayard <fayard at insideloop dot io> ---
They are so many people out there who claim that using an unsigned integer
(std::size_t) as an array index was a good choice because you can allocate
larger arrays than with the signed integer of the same size (std::ptrdiff_t)
that it would be nice to show them they can't :-)

max_size() is not clearly defined, but I still think it would be nice to put it
in max_size() as a "documentation".

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

--- Comment #6 from Jonathan Wakely <redi at gcc dot gnu.org> ---
It seems like a waste of time. The internals of the standard library are not
the right place to dissuade people from their mistaken beliefs. Simply trying
to allocate such an array should be evidence enough.

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[fayard at insideloop dot io]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

--- Comment #7 from Francois Fayard <fayard at insideloop dot io> ---
I agree. Thanks for your comments.

[Bug libstdc++/65131] Integer overflow in .size() for std::vector

[hjl.tools at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65131

--- Comment #8 from H.J. Lu <hjl.tools at gmail dot com> ---
(In reply to Andrew Pinski from comment #1)
> The ABI says for all 32bit ABIs you cannot allocate more than half of the
> address space.

X32 can allocate more than 2GB via malloc and ILP32 on ARM64 may also be able
to.