From: "msebor at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/99532] New: missing warning on placement new into smaller space
Date: Wed, 10 Mar 2021 22:56:50 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99532

            Bug ID: 99532
           Summary: missing warning on placement new into smaller space
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: msebor at gcc dot gnu.org
  Target Milestone: ---

Neither of the two buffer overflows below is diagnosed but they both should be.
The difference between the two is that the first uses direct access to the
array (i.e., COMPONENT_REF) while the second direct access to the enclosing
object (MEM_REF).  The missing warning for the former is due to pr99502 but the
latter is something else.

$ cat x.C && gcc -O2 -S -Wall -fdump-tree-vrp1=/dev/stdout x.C
void* operator new (__SIZE_TYPE__, void *p) { return p; }

struct A4 { char a[4]; };
struct A8 { char a[8]; };

void* f ()
{
  void *p = __builtin_malloc (3);
  return new (p) A4 ();     // missing warning
}

void* g ()
{
  void *p = __builtin_malloc (7);
  return new (p) A8 ();     // missing warning
}

;; Function operator new (_ZnwmPv, funcdef_no=0, decl_uid=2348, cgraph_uid=1, symbol_order=0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

Value ranges after VRP:


void * operator new (long unsigned int D.2346, void * p)
{
  [local count: 1073741824]:
  return p_1(D);

}


;; Function f (_Z1fv, funcdef_no=1, decl_uid=2356, cgraph_uid=2, symbol_order=1)

;; 2 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

p_11 -> { p_5 }
Incremental SSA update started at block: 2
Number of blocks in CFG: 16
Number of blocks to update: 1 (  6%)


Value ranges after VRP:

p_5: void * VARYING
p_11: void * [1B, +INF]  EQUIVALENCES: { p_5 } (1 elements)


void * f ()
{
  void * p;

  [local count: 268435456]:
  p_5 = __builtin_malloc (3);
  MEM[(struct A4 *)p_5].a[0] = 0;
  MEM[(struct A4 *)p_5].a[1] = 0;
  MEM[(struct A4 *)p_5].a[2] = 0;
  MEM[(struct A4 *)p_5].a[3] = 0;
  return p_5;

}


;; Function g (_Z1gv, funcdef_no=2, decl_uid=2385, cgraph_uid=3, symbol_order=2)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

p_5 -> { p_3 }
Incremental SSA update started at block: 2
Number of blocks in CFG: 3
Number of blocks to update: 1 ( 33%)


Value ranges after VRP:

p_3: void * VARYING
p_5: void * [1B, +INF]  EQUIVALENCES: { p_3 } (1 elements)


void * g ()
{
  void * p;

  [local count: 1073741824]:
  p_3 = __builtin_malloc (7);
  MEM[(struct A8 *)p_3] = {};
  return p_3;

}
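
Added example, not part of the bug report and not GCC code: because neither overflow above is diagnosed at compile time, a caller can carry the allocation size alongside the pointer and check it before the placement new. The helper names construct_in and try_construct are hypothetical; the sizes 3 and 7 mirror f() and g() in the report, and 4 and 8 are the sizes that fit.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdlib>
#include <new>

// Same types as in the report.
struct A4 { char a[4]; };
struct A8 { char a[8]; };

// Hypothetical helper (not a GCC or standard-library API): construct a T in
// caller-supplied storage only if that storage is large enough and suitably
// aligned. Returns nullptr instead of writing past the end of the buffer.
template <class T>
T* construct_in(void* buf, std::size_t buf_size) {
    if (buf == nullptr || buf_size < sizeof(T))
        return nullptr;  // the undersized case that f() and g() hit
    if (reinterpret_cast<std::uintptr_t>(buf) % alignof(T) != 0)
        return nullptr;  // misaligned storage is rejected as well
    return ::new (buf) T();  // value-initialization, as in the report
}

// Mirrors f() and g(): allocate alloc_size bytes, then try to construct a T
// there. Returns true only if the object was actually constructed.
template <class T>
bool try_construct(std::size_t alloc_size) {
    void* p = std::malloc(alloc_size);
    if (p == nullptr)
        return false;
    T* obj = construct_in<T>(p, alloc_size);
    bool constructed = (obj != nullptr);
    if (constructed)
        obj->~T();
    std::free(p);
    return constructed;
}

int main() {
    // 3 and 7 are the undersized allocations from the report; 4 and 8 fit.
    bool ok = !try_construct<A4>(3) && !try_construct<A8>(7)
           && try_construct<A4>(4) && try_construct<A8>(8);
    return ok ? 0 : 1;
}
```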