public inbox for gcc-bugs@sourceware.org
* [Bug c++/67927] New: array new expression with excessive number of elements not diagnosed
@ 2015-10-11 23:20 msebor at gcc dot gnu.org
  2015-10-14  0:11 ` [Bug c++/67927] " msebor at gcc dot gnu.org
  2015-10-19 22:54 ` msebor at gcc dot gnu.org
  0 siblings, 2 replies; 3+ messages in thread
From: msebor at gcc dot gnu.org @ 2015-10-11 23:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67927

            Bug ID: 67927
           Summary: array new expression with excessive number of elements
                    not diagnosed
           Product: gcc
           Version: 6.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

This is similar to bug 67913.

A new expression is considered erroneous if the value of the expression in its
noptr-new-declarator is such that the size of the allocated object would exceed
the implementation-defined limit (it's safe to assume that the limit doesn't
exceed the size of the address space).  If the expression is a constant
expression, the program is ill-formed.  The following program is not diagnosed
by GCC even though it contains two such ill-formed expressions.

void* operator new[] (unsigned long, void *p) { return p; }

void foo (void)
{
    char c [1];
    new int [__SIZE_MAX__];
    new (c) int [__SHRT_MAX__][__SHRT_MAX__];
}

(Clang diagnoses the first but not the second, even though both expressions are
invalid; the second one for other reasons besides exceeding the
implementation-defined size limit.)


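An added example, not part of the original report and not GCC's code: a compile-time form of the size check the report asks for, applied to the array bounds quoted in this thread, with a runtime wrapper for counts that are not constant expressions. The helper names, the default limit of SIZE_MAX and the constructed 0x7fffffff limit are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Hypothetical helper (assumed name and default limit, not GCC's code).
// True when elem_size * dims[0] * ... * dims[N-1] <= limit, computed so
// that no intermediate product can wrap around.
template <std::size_t N>
constexpr bool array_new_fits(std::size_t elem_size,
                              const std::size_t (&dims)[N],
                              std::size_t limit = SIZE_MAX)
{
    std::size_t bytes = elem_size;
    for (std::size_t i = 0; i < N; ++i) {
        if (dims[i] != 0 && bytes > limit / dims[i])
            return false;   // the product would exceed the limit
        bytes *= dims[i];
    }
    return bytes <= limit;
}

// Array bounds quoted in the thread, checked at compile time.
constexpr std::size_t one_dim[]  = { __SIZE_MAX__ };
constexpr std::size_t two_dim[]  = { 4, __SIZE_MAX__ };
constexpr std::size_t shrt_dim[] = { __SHRT_MAX__, __SHRT_MAX__ };
constexpr std::size_t limit_32   = 0x7fffffff;  // constructed 32-bit limit

static_assert(!array_new_fits(sizeof(int), one_dim), "int [__SIZE_MAX__]");
static_assert(!array_new_fits(sizeof(int), two_dim), "int [4][__SIZE_MAX__]");
static_assert(!array_new_fits(sizeof(int), shrt_dim, limit_32),
              "int [__SHRT_MAX__][__SHRT_MAX__] against the 32-bit limit");

// Runtime counterpart for a count that is not a constant expression:
// refuse the request before the allocation function is called.
template <class T>
T *checked_new_array(std::size_t n)
{
    const std::size_t dims[] = { n };
    if (!array_new_fits(sizeof(T), dims))
        throw std::bad_array_new_length();
    return new T[n];
}

// Reports whether checked_new_array<int>(n) rejects the request.
bool rejects_int_array(std::size_t n)
{
    try { delete[] checked_new_array<int>(n); return false; }
    catch (const std::bad_array_new_length &) { return true; }
}
```
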

* [Bug c++/67927] array new expression with excessive number of elements not diagnosed
From: msebor at gcc dot gnu.org @ 2015-10-14  0:11 UTC (permalink / raw)
  To: gcc-bugs


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67927

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2015-10-14
     Ever confirmed|0                           |1

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
While creating a test for a fix for this, I came across the following
diagnostic issued by grokdeclarator in cp/decl.c, showing that some invalid new
expressions are already being diagnosed.  (The ‘type name’ is wrong because the
array doesn't have a name, and is the result of the function setting the NAME
variable to "type name" when it's null.)

$ cat a.cpp && g++ -c a.cpp
void foo (void)
{
    new int [4][__SIZE_MAX__];
}
a.cpp: In function ‘void foo()’:
a.cpp:3:29: error: size of array ‘type name’ is too large
     new int [4][__SIZE_MAX__];
                             ^

* [Bug c++/67927] array new expression with excessive number of elements not diagnosed
From: msebor at gcc dot gnu.org @ 2015-10-19 22:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67927

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Complete patch posted for review:
https://gcc.gnu.org/ml/gcc-patches/2015-10/msg01803.html

