From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 8CF583858012; Wed, 31 Mar 2021 09:00:53 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 8CF583858012 From: "keith.halligan at microfocus dot com" To: gcc-bugs@gcc.gnu.org Subject: [Bug c++/99845] New: gcc8: Overloaded operator new[](size_t, const std::nothrow_t&) is seg faulting when the allocation fails Date: Wed, 31 Mar 2021 09:00:53 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: c++ X-Bugzilla-Version: 8.3.1 X-Bugzilla-Keywords: X-Bugzilla-Severity: normal X-Bugzilla-Who: keith.halligan at microfocus dot com X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status bug_severity priority component assigned_to reporter target_milestone attachments.created Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 31 Mar 2021 09:00:53 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99845 Bug ID: 99845 Summary: gcc8: Overloaded operator new[](size_t, const std::nothrow_t&) is seg faulting when the allocation fails Product: gcc Version: 8.3.1 Status: UNCONFIRMED Severity: normal Priority: P3 Component: c++ Assignee: unassigned at gcc dot gnu.org Reporter: keith.halligan at microfocus dot com Target Milestone: --- Created attachment 50490 --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50490&action=edit Disassembly of the crash 
In our code we're facing a crash on gcc (c++) 8. The example program below demonstrates the crash. The crash seems to come from some incorrect machine instructions that follow the call to operator new[](). The issue occurs when a new(nothrow) fails to allocate a block of memory and the 0/null value is then dereferenced; on the other hand, if the allocation succeeds, the memory address is valid and can be successfully dereferenced. The example code goes through a few levels of "operator new[]() - std::nothrow_t version" before it finally calls out to the C++ runtime version of operator new(size_t, const std::nothrow_t&). Note that the class-scope operator new[] overloads below are declared without noexcept (or throw()); an allocation function with no non-throwing exception specification is one the language assumes never returns null, so whether the missing null check before the array-cookie store is a code-generation defect may hinge on that declaration.

==
// File: new_crash.cpp
// (the three header names were lost in mail extraction; restored from the names the code uses)
#include <new>
#include <limits>
#include <cstdint>

class MemAlloc {
public:
    MemAlloc() {}
    void* operator new[](size_t sz, const std::nothrow_t& nt) {
        return ::operator new(sz, nt);
    }
};

template <typename T>
class VarArray : public MemAlloc {
public:
    VarArray() {}
    ~VarArray() {}
    static T* allocbuf(uint32_t nelems) {
        return new(std::nothrow) T[static_cast<size_t>(nelems)];
    }
    void* operator new[](size_t sz, const std::nothrow_t& nt) {
        return MemAlloc::operator new[](sz, nt);
    }
};

class MyType {
public:
    void* operator new[](size_t sz, const std::nothrow_t& nt) {
        return MemAlloc::operator new[](sz, nt);
    }
    uint32_t m_id;
    VarArray<uint32_t /* ELEMENT-TYPE-LOST-IN-EXTRACTION */> m_int_seq;
};

class MyTypeList : private VarArray<MyType> {
public:
    using VarArray<MyType>::allocbuf;
    using VarArray<MyType>::operator new[];
};

int main()
{
    const uint32_t max_uint32t = std::numeric_limits<uint32_t>::max();
    MyType *type_list = MyTypeList::allocbuf(max_uint32t);
    if (type_list) {
        delete[] type_list;
    }
    return 0;
}
==

Compiled via: g++ -m64 -O2 -o new_crash new_crash.cpp

Disassembly (attached) generated via: objdump -M X86-64 -M att -d -C --no-show-raw-insn new_crash > new_crash.dis

at -O2 level:
0000000000400650
:
  400650:  sub    $0x8,%rsp
  400654:  mov    $0x600dd8,%esi
  400659:  movabs $0x800000000,%rdi
  400663:  callq  400640
  400668:  mov    $0xffffffff,%edx
  40066d:  mov    %rdx,(%rax)      ^^^^ Dereferencing $rax leads to a seg fault, as it contains a zero value

at -O0 level:
00000000004008dd <VarArray<MyType>::allocbuf(unsigned int)>:
  4008dd:  push   %rbp
  4008de:  mov    %rsp,%rbp
  4008e1:  push   %r13
  4008e3:  push   %r12
  4008e5:  push   %rbx
  4008e6:  sub    $0x18,%rsp
  4008ea:  mov    %edi,-0x24(%rbp)
  4008ed:  mov    -0x24(%rbp),%ebx
  4008f0:  movabs $0xfffffffffffffff,%rax
  4008fa:  cmp    %rax,%rbx
  4008fd:  ja     40092c <VarArray<MyType>::allocbuf(unsigned int)+0x4f>
  4008ff:  lea    0x1(%rbx),%rax
  400903:  shl    $0x3,%rax
  400907:  mov    $0x600dd8,%esi
  40090c:  mov    %rax,%rdi
  40090f:  callq  400878
  400914:  mov    %rax,%r12
  400917:  mov    %rbx,(%r12)      ^^^^ Dereferencing $r12, which has a zero value that originated in $rax

--

Compilation (verbose):
Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl --disable-libmpx --enable-offload-targets=nvptx-none --without-cuda-driver --enable-gnu-indirect-function --enable-cet --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
/usr/libexec/gcc/x86_64-redhat-linux/8/cc1plus -E -quiet -v -D_GNU_SOURCE new_crash.cpp -m64 -mtune=generic -march=x86-64 -O2 -fpch-preprocess -o new_crash.ii
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/8/include-fixed"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8
 /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/x86_64-redhat-linux
 /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/backward
 /usr/lib/gcc/x86_64-redhat-linux/8/include
 /usr/local/include
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
/usr/libexec/gcc/x86_64-redhat-linux/8/cc1plus -fpreprocessed new_crash.ii -quiet -dumpbase new_crash.cpp -m64 -mtune=generic -march=x86-64 -auxbase new_crash -O2 -version -o new_crash.s
GNU C++14 (GCC) version 8.3.1 20191121 (Red Hat 8.3.1-5) (x86_64-redhat-linux)
	compiled by GNU C version 8.3.1 20191121 (Red Hat 8.3.1-5), GMP version 6.1.2, MPFR version 3.1.6-p2, MPC version 1.0.2, isl version isl-0.16.1-GMP
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
GNU C++14 (GCC) version 8.3.1 20191121 (Red Hat 8.3.1-5) (x86_64-redhat-linux)
	compiled by GNU C version 8.3.1 20191121 (Red Hat 8.3.1-5), GMP version 6.1.2, MPFR version 3.1.6-p2, MPC version 1.0.2, isl version isl-0.16.1-GMP
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 6b667c67be32d4821a98ef9960b6da95
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
as -v --64 -o new_crash.o new_crash.s
GNU assembler version 2.30 (x86_64-redhat-linux) using BFD version version 2.30-79.el8
COMPILER_PATH=/usr/libexec/gcc/x86_64-redhat-linux/8/:/usr/libexec/gcc/x86_64-redhat-linux/8/:/usr/libexec/gcc/x86_64-redhat-linux/:/usr/lib/gcc/x86_64-redhat-linux/8/:/usr/lib/gcc/x86_64-redhat-linux/
LIBRARY_PATH=/usr/lib/gcc/x86_64-redhat-linux/8/:/usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/x86_64-redhat-linux/8/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
/usr/libexec/gcc/x86_64-redhat-linux/8/collect2 -plugin /usr/libexec/gcc/x86_64-redhat-linux/8/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper -plugin-opt=-fresolution=new_crash.res -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o new_crash /usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/crt1.o /usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/8/crtbegin.o -L/usr/lib/gcc/x86_64-redhat-linux/8 -L/usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/8/../../.. new_crash.o -lstdc++ -lm -lgcc_s -lgcc -lc -lgcc_s -lgcc /usr/lib/gcc/x86_64-redhat-linux/8/crtend.o /usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/crtn.o
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'

--

Apologies if I chose the wrong component to file this bug under; perhaps libgcc would be better, since it seems relevant to the C++ code-generating backend. Change as required.