https://gcc.gnu.org/bugzilla/show_bug.cgi?id=99845

Bug ID: 99845
Summary: gcc8: Overloaded operator new[](size_t, const std::nothrow_t&) is seg faulting when the allocation fails
Product: gcc
Version: 8.3.1
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: keith.halligan at microfocus dot com
Target Milestone: ---

Created attachment 50490
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=50490&action=edit
Disassembly of the crash

In our code we're facing a crash on gcc (c++) 8. The example program below demonstrates the crash. The crash seems to come from some incorrect machine instructions that follow calling operator new[](). The issue occurs when a new(nothrow) fails to allocate a block of memory, and the 0/null value is then dereferenced; on the other hand, if the allocation succeeds, the memory address is valid and can be successfully dereferenced.

The example code uses a few levels of "operator new[]() - std::nothrow_t version" before we finally call out to the c++ runtime version of operator new(size_t, const std::nothrow_t&).

==
// File: new_crash.cpp
#include <cstdint>
#include <limits>
#include <new>

class MemAlloc {
public:
    MemAlloc() {}
    // Forwards to the C++ runtime's nothrow operator new.
    void* operator new[](size_t sz, const std::nothrow_t& nt) {
        return ::operator new(sz, nt);
    }
};

template <typename T>
class VarArray : public MemAlloc {
public:
    VarArray() {}
    ~VarArray() {}
    // The new-expression whose result is dereferenced in the disassembly below.
    static T* allocbuf(uint32_t nelems) {
        return new(std::nothrow) T[static_cast<size_t>(nelems)];
    }
    void* operator new[](size_t sz, const std::nothrow_t& nt) {
        return MemAlloc::operator new[](sz, nt);
    }
};

class MyType {
public:
    void* operator new[](size_t sz, const std::nothrow_t& nt) {
        return MemAlloc::operator new[](sz, nt);
    }
    uint32_t m_id;
    VarArray<int> m_int_seq;
};

class MyTypeList : private VarArray<MyType> {
public:
    using VarArray<MyType>::allocbuf;
    using VarArray<MyType>::operator new[];
};

int main() {
    const uint32_t max_uint32t = std::numeric_limits<uint32_t>::max();
    MyType *type_list = MyTypeList::allocbuf(max_uint32t);
    if (type_list) {
        delete[] type_list;
    }
    return 0;
}
==

Compiled via:

g++ -m64 -O2 -o new_crash new_crash.cpp

Disassembly (attached) generated via:

objdump -M X86-64 -M att -d -C --no-show-raw-insn new_crash > new_crash.dis

at -O2 level:

0000000000400650 <main>:
  400650:    sub    $0x8,%rsp
  400654:    mov    $0x600dd8,%esi
  400659:    movabs $0x800000000,%rdi
  400663:    callq  400640 <operator new(unsigned long, std::nothrow_t const&)@plt>
  400668:    mov    $0xffffffff,%edx
  40066d:    mov    %rdx,(%rax)
             ^^^^ Dereferencing $rax leads to seg fault as it contains a zero value

at -O0 level:

00000000004008dd <VarArray<MyType>::allocbuf(unsigned int)>:
  4008dd:    push   %rbp
  4008de:    mov    %rsp,%rbp
  4008e1:    push   %r13
  4008e3:    push   %r12
  4008e5:    push   %rbx
  4008e6:    sub    $0x18,%rsp
  4008ea:    mov    %edi,-0x24(%rbp)
  4008ed:    mov    -0x24(%rbp),%ebx
  4008f0:    movabs $0xfffffffffffffff,%rax
  4008fa:    cmp    %rax,%rbx
  4008fd:    ja     40092c <VarArray<MyType>::allocbuf(unsigned int)+0x4f>
  4008ff:    lea    0x1(%rbx),%rax
  400903:    shl    $0x3,%rax
  400907:    mov    $0x600dd8,%esi
  40090c:    mov    %rax,%rdi
  40090f:    callq  400878 <MyType::operator new[](unsigned long, std::nothrow_t const&)>
  400914:    mov    %rax,%r12
  400917:    mov    %rbx,(%r12)
             ^^^^ Dereferencing $r12, which has a zero value which originated in $rax

--

Compilation (verbose):

Using built-in specs.
COLLECT_GCC=g++
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap --enable-languages=c,c++,fortran,lto --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared --enable-threads=posix --enable-checking=release --enable-multilib --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-gcc-major-version-only --with-linker-hash-style=gnu --enable-plugin --enable-initfini-array --with-isl --disable-libmpx --enable-offload-targets=nvptx-none --without-cuda-driver --enable-gnu-indirect-function --enable-cet --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 /usr/libexec/gcc/x86_64-redhat-linux/8/cc1plus -E -quiet -v -D_GNU_SOURCE new_crash.cpp -m64 -mtune=generic -march=x86-64 -O2 -fpch-preprocess -o new_crash.ii
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/8/include-fixed"
ignoring nonexistent directory "/usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include"
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8
 /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/x86_64-redhat-linux
 /usr/lib/gcc/x86_64-redhat-linux/8/../../../../include/c++/8/backward
 /usr/lib/gcc/x86_64-redhat-linux/8/include
 /usr/local/include
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 /usr/libexec/gcc/x86_64-redhat-linux/8/cc1plus -fpreprocessed new_crash.ii -quiet -dumpbase new_crash.cpp -m64 -mtune=generic -march=x86-64 -auxbase new_crash -O2 -version -o new_crash.s
GNU C++14 (GCC) version 8.3.1 20191121 (Red Hat 8.3.1-5) (x86_64-redhat-linux)
	compiled by GNU C version 8.3.1 20191121 (Red Hat 8.3.1-5), GMP version 6.1.2, MPFR version 3.1.6-p2, MPC version 1.0.2, isl version isl-0.16.1-GMP
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
GNU C++14 (GCC) version 8.3.1 20191121 (Red Hat 8.3.1-5) (x86_64-redhat-linux)
	compiled by GNU C version 8.3.1 20191121 (Red Hat 8.3.1-5), GMP version 6.1.2, MPFR version 3.1.6-p2, MPC version 1.0.2, isl version isl-0.16.1-GMP
GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 6b667c67be32d4821a98ef9960b6da95
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 as -v --64 -o new_crash.o new_crash.s
GNU assembler version 2.30 (x86_64-redhat-linux) using BFD version version 2.30-79.el8
COMPILER_PATH=/usr/libexec/gcc/x86_64-redhat-linux/8/:/usr/libexec/gcc/x86_64-redhat-linux/8/:/usr/libexec/gcc/x86_64-redhat-linux/:/usr/lib/gcc/x86_64-redhat-linux/8/:/usr/lib/gcc/x86_64-redhat-linux/
LIBRARY_PATH=/usr/lib/gcc/x86_64-redhat-linux/8/:/usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib/gcc/x86_64-redhat-linux/8/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'
 /usr/libexec/gcc/x86_64-redhat-linux/8/collect2 -plugin /usr/libexec/gcc/x86_64-redhat-linux/8/liblto_plugin.so -plugin-opt=/usr/libexec/gcc/x86_64-redhat-linux/8/lto-wrapper -plugin-opt=-fresolution=new_crash.res -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lgcc --build-id --no-add-needed --eh-frame-hdr --hash-style=gnu -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o new_crash /usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/crt1.o /usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/8/crtbegin.o -L/usr/lib/gcc/x86_64-redhat-linux/8 -L/usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/8/../../.. new_crash.o -lstdc++ -lm -lgcc_s -lgcc -lc -lgcc_s -lgcc /usr/lib/gcc/x86_64-redhat-linux/8/crtend.o /usr/lib/gcc/x86_64-redhat-linux/8/../../../../lib64/crtn.o
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-m64' '-O2' '-o' 'new_crash' '-shared-libgcc' '-mtune=generic' '-march=x86-64'

--

Apologies if I chose the wrong component to file this bug under; perhaps libgcc would be better, as it seems relevant to the c++ code-generating backend. Change as required.
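The following is an added example, not code from the bug report or from GCC: it shows the reporter's pattern with the class-scope nothrow `operator new[]` declared `noexcept`. A new-expression only tests the allocation result for null when the allocation function has a non-throwing exception specification; without `noexcept` the compiler is entitled to assume the function never returns null, which is why the array-cookie store in the disassembly above is unconditional. The `fail_next` hook is a hypothetical test aid that forces one allocation to fail deterministically.

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

struct MemAlloc {
    // Hypothetical test hook (not from the bug report): makes the next
    // allocation fail so the null path runs without depending on the OS
    // refusing a huge request.
    static bool fail_next;

    // noexcept is the difference: it tells the compiler this allocation
    // function reports failure by returning nullptr, so the generated
    // new-expression checks for null before writing the array cookie.
    static void* operator new[](std::size_t sz, const std::nothrow_t& nt) noexcept {
        if (fail_next) { fail_next = false; return nullptr; }
        return ::operator new(sz, nt);
    }
    // Pairs with the global ::operator new used above.
    static void operator delete[](void* p) noexcept { ::operator delete(p); }
};
bool MemAlloc::fail_next = false;

// Non-trivial destructor: the compiler stores an element-count cookie in
// front of the array, the write that faulted in the reported program.
struct Elem : MemAlloc {
    std::uint32_t id = 0;
    ~Elem() {}
};

// Same shape as VarArray::allocbuf; now returns nullptr on failure.
Elem* allocbuf(std::uint32_t nelems) {
    return new (std::nothrow) Elem[static_cast<std::size_t>(nelems)];
}

// True when a forced failure surfaces as nullptr (no cookie store, no
// crash) and a normal allocation succeeds and round-trips via delete[].
bool nothrow_new_is_checked() {
    MemAlloc::fail_next = true;
    Elem* failed = allocbuf(8);
    if (failed != nullptr) { delete[] failed; return false; }

    Elem* ok = allocbuf(8);
    if (ok == nullptr) return false;
    bool zero_initialised = (ok[7].id == 0);
    delete[] ok;
    return zero_initialised;
}
```

Compiling the block at -O2 and inspecting `allocbuf` shows a test of the returned pointer before the cookie store, which is absent from the reporter's -O2 `main`.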