Overflow in calculating size of allocation
Section [expr.new]
Jens Maurer

Created on 2007-03-08.00:00:00 last changed 162 months ago


Date: 2008-09-15.00:00:00

[Voted into the WP at the September, 2008 meeting (resolution in paper N2757).]

Date: 2008-06-15.00:00:00

Proposed resolution (June, 2008):

Change [expr.new] paragraph 8 as follows:

If the value of the expression in a direct-new-declarator is such that the size of the allocated object would exceed the implementation-defined limit, no storage is obtained and the new-expression terminates by throwing an exception of a type that would match a handler (14.4 [except.handle]) of type std::length_error (19.2.6 [length.error]). Otherwise, if When the value of the that expression in a direct-new-declarator is zero, the allocation function is called to allocate an array with no elements.

[Drafting note: std::length_error is thrown by std::string and std::vector and thus appears to be the right choice for the exception to be thrown here.]

Date: 2008-06-15.00:00:00

Notes from the June, 2008 meeting:

The CWG felt that this situation should not be treated like an out-of-memory situation and thus an exception of type std::bad_alloc (or, alternatively, returning a null pointer for a throw() allocator) would not be appropriate.

Date: 2008-03-15.00:00:00

Proposed resolution (March, 2008):

As suggested.

Date: 2008-03-15.00:00:00

Note (March, 2008):

The Evolution Working Group has accepted the intent of issue 256 and referred it to CWG for action for C++0x (see paper J16/07-0033 = WG21 N2173).

Date: 2007-03-08.00:00:00

Issue 256 was closed without action, principally on the the grounds that an implementation could provide a means (command-line option, #pragma, etc.) for requesting that the allocation size be checked for validity, but that “it would not be appropriate to require this overhead for every array allocation in every program.”

This rationale may be giving too much weight to the overhead such a check would add, especially when compared to the likely cost of actually doing the storage allocation. In particular, the test essentially amounts to something like

    if (max_allocation_size / sizeof(T) < num_elements)
        throw std::bad_alloc();

(noting that max_allocation_size/sizeof(T) is a compile-time constant). It might make more sense to turn the rationale around and require the check, assuming that implementations could provide a mechanism for suppressing it if needed.

Suggested resolution:

In [expr.new] paragraph 7, add the following words before the example:

If the value of the expression is such that the size of the allocated object would exceed the implementation-defined limit, an exception of type std::bad_alloc is thrown and no storage is obtained.
Date User Action Args
2008-10-05 00:00:00adminsetmessages: + msg1813
2008-10-05 00:00:00adminsetstatus: review -> cd1
2008-06-29 00:00:00adminsetmessages: + msg1697
2008-06-29 00:00:00adminsetmessages: + msg1696
2008-05-18 00:00:00adminsetmessages: + msg1653
2008-05-18 00:00:00adminsetstatus: open -> review
2008-03-17 00:00:00adminsetmessages: + msg1622
2007-03-08 00:00:00admincreate