https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99532
Bug ID: 99532
Summary: missing warning on placement new into smaller space
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: msebor at gcc dot gnu.org
Target Milestone: ---

Neither of the two buffer overflows below is diagnosed but they both should be. The difference between the two is that the first uses direct access to the array (i.e., COMPONENT_REF) while the second uses direct access to the enclosing object (MEM_REF). The missing warning for the former is due to pr99502 but the latter is something else.

$ cat x.C && gcc -O2 -S -Wall -fdump-tree-vrp1=/dev/stdout x.C
void* operator new (__SIZE_TYPE__, void *p) { return p; }

struct A4 { char a[4]; };
struct A8 { char a[8]; };

void* f ()
{
  void *p = __builtin_malloc (3);
  return new (p) A4 ();   // missing warning
}

void* g ()
{
  void *p = __builtin_malloc (7);
  return new (p) A8 ();   // missing warning
}

;; Function operator new (_ZnwmPv, funcdef_no=0, decl_uid=2348, cgraph_uid=1, symbol_order=0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

Value ranges after VRP:

void * operator new (long unsigned int D.2346, void * p)
{
  <bb 2> [local count: 1073741824]:
  return p_1(D);

}



;; Function f (_Z1fv, funcdef_no=1, decl_uid=2356, cgraph_uid=2, symbol_order=1)

;; 2 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

p_11 -> { p_5 }
Incremental SSA update started at block: 2
Number of blocks in CFG: 16
Number of blocks to update: 1 ( 6%)


Value ranges after VRP:

p_5: void * VARYING
p_11: void * [1B, +INF]  EQUIVALENCES: { p_5 } (1 elements)


void * f ()
{
  void * p;

  <bb 2> [local count: 268435456]:
  p_5 = __builtin_malloc (3);
  MEM[(struct A4 *)p_5].a[0] = 0;
  MEM[(struct A4 *)p_5].a[1] = 0;
  MEM[(struct A4 *)p_5].a[2] = 0;
  MEM[(struct A4 *)p_5].a[3] = 0;
  return p_5;

}



;; Function g (_Z1gv, funcdef_no=2, decl_uid=2385, cgraph_uid=3, symbol_order=2)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2
;; 2 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

p_5 -> { p_3 }
Incremental SSA update started at block: 2
Number of blocks in CFG: 3
Number of blocks to update: 1 ( 33%)


Value ranges after VRP:

p_3: void * VARYING
p_5: void * [1B, +INF]  EQUIVALENCES: { p_3 } (1 elements)


void * g ()
{
  void * p;

  <bb 2> [local count: 1073741824]:
  p_3 = __builtin_malloc (7);
  MEM[(struct A8 *)p_3] = {};
  return p_3;

}
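The report shows why placement new into undersized storage matters from a security standpoint: the VRP dump for f() contains four byte stores into a 3-byte malloc block (the store to .a[3] is a one-byte heap overflow), and g() zero-fills 8 bytes of a 7-byte block, yet neither is diagnosed. As an added example, not part of the bug report or of GCC, the block below reproduces both cases and shows two ways a codebase can refuse such placements regardless of what the compiler warns about: a run-time capacity-and-alignment check before the constructor runs, and a static_assert for fixed-size storage. The names Span, overflow_bytes, checked_construct and Storage are hypothetical helpers introduced here.

```cpp
// Added example, not from the bug report or GCC. Demonstrates the hazard the
// report describes (placement new into storage smaller than sizeof(T), i.e. a
// heap overflow the compiler may not diagnose) and two ways to refuse it:
// a run-time capacity check and a compile-time static_assert. The helper
// names (Span, overflow_bytes, checked_construct, Storage) are hypothetical.
#include <cstddef>
#include <cstdlib>
#include <memory>
#include <new>

// Same object shapes as the report's x.C.
struct A4 { char a[4]; };
struct A8 { char a[8]; };

// A raw buffer carried together with its capacity, so the size of the
// placement target is known at the point of construction.
struct Span {
    void*       ptr;
    std::size_t cap;
};

// Number of bytes a placement of T into `cap` bytes would write past the end.
// For the report's f(): overflow_bytes<A4>(3) == 1 (the store to .a[3]).
template <typename T>
constexpr std::size_t overflow_bytes(std::size_t cap) {
    return sizeof(T) > cap ? sizeof(T) - cap : 0;
}

// Construct T inside buf only if sizeof(T) fits and the address can be
// aligned for T; otherwise return nullptr without touching the memory.
// std::align adjusts p/space in place and returns nullptr when the aligned
// object would no longer fit in the remaining space.
template <typename T, typename... Args>
T* checked_construct(Span buf, Args&&... args) {
    if (buf.ptr == nullptr || overflow_bytes<T>(buf.cap) != 0)
        return nullptr;
    void*       p     = buf.ptr;
    std::size_t space = buf.cap;
    if (std::align(alignof(T), sizeof(T), p, space) == nullptr)
        return nullptr;
    return ::new (p) T(static_cast<Args&&>(args)...);
}

// Compile-time variant for fixed-size storage: Storage<A4, 3> does not compile.
template <typename T, std::size_t N>
struct Storage {
    static_assert(N >= sizeof(T), "placement target is smaller than sizeof(T)");
    alignas(T) unsigned char bytes[N];
    T* construct() { return ::new (bytes) T(); }
};

// The report's f(): 4-byte A4 into a 3-byte allocation. Rejected.
bool f_rejected() {
    void* p = std::malloc(3);
    A4* obj = checked_construct<A4>(Span{p, 3});
    std::free(p);            // A4 is trivially destructible
    return obj == nullptr;
}

// The report's g(): 8-byte A8 into a 7-byte allocation. Rejected.
bool g_rejected() {
    void* p = std::malloc(7);
    A8* obj = checked_construct<A8>(Span{p, 7});
    std::free(p);
    return obj == nullptr;
}

// Exact fit: 8-byte A8 into 8 bytes is accepted and placed at the buffer start.
bool exact_fit_accepted() {
    void* p = std::malloc(8);
    A8* obj = checked_construct<A8>(Span{p, 8});
    bool ok = obj != nullptr && static_cast<void*>(obj) == p;
    std::free(p);
    return ok;
}

// Fixed storage sized by the type: checked once, at compile time.
bool static_storage_ok() {
    Storage<A8, sizeof(A8)> s;
    A8* obj = s.construct();
    return static_cast<void*>(obj) == static_cast<void*>(s.bytes);
}

int main() {
    return (f_rejected() && g_rejected() && exact_fit_accepted()
            && static_storage_ok()) ? 0 : 1;
}
```

The run-time check is the one that covers the report's cases, because there the capacity comes from a malloc argument rather than a type; the static variant is preferable wherever the storage is declared with a known size, since a too-small Storage<T, N> is rejected at compile time instead of depending on a -Wall diagnostic that, as the report shows, may never fire.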