<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/96206>96206</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
[C++] Negative expression of array bound in array new is converted to `std::size_t` without overflow checks
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
MitalAshok
</td>
</tr>
</table>
<pre>
```c++
void f() {
new int[-(__int128)0xFFFFFFFF'FFFFFFFF]; // (with 64 bit size_t)
new int[-0xFFFFFFFFLL]; // (with 32 bit size_t)
}
```
These expressions are invalid because they are negative (https://eel.is/c++draft/expr.new#8.1), which is required to make the program ill-formed if they are constant expressions like in the above example (https://eel.is/c++draft/expr.new#8.5) or throw `std::bad_array_new_length` if they were not constant-expressions.
However, this does compile and not throw `std::bad_array_new_length`. It just calls `::operator new[](sizeof(int))`: https://godbolt.org/z/sre36Yonc
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJycVE2PpDYQ_TXmUmpkiubrwGFmW61E2uSUS04tg4vGOwYT28DM_vrIwE7PRhMpCrLAn8-vXr1COKfuI1HNsmeWXSIx-97Y-jflhX5yvXmJGiPfapbzvbUMn0PjF8afFqMkdAxLhhWw4pgFABhpBTV6lj2fGJa3mxp9sm3jr9fjYVi8d7MLS58BGF4ZXoFhuSrfQ36GRnlw6jvdPMPqU_gH4Nev_4KT4mc4rLgcnR-xHcPt_UdPjoBeJ0vOKTM6EJZAjYvQSkJDrZgdge_pbVsY6S68Wijc2Xs_OZY-7SyIdKwcw-uhnLSi82H-dbLxSCvDtIyTwAq_wNqrtgflwNJfs7IkwRsYxMt2E0zW3K0YQGl96owdSILqHhxaMzovRv8Ta61eAu3tvGjMEmISw6T_L9MspNpY8L01K7CcOy8DQvrUCHkT1oq320jrTdN49z3L-TvFlYJOxr_zPH3gGX_U_hez0kI2COJ75UAactCaYVKaQIxyQ_nPBGL41cO32XlohdYuHNn3m4ms8MYGN-3uZ1gGk5hg6WCvkJRq3w8_a3U3sjHax8beGV6_M7w6S2n-pxnbPYZI1qms0kpEVCdFUpZVkVRV1NdFLirKuci7BKusTapWlOe8kshT3vHqHKkaOZ55jjzJME-ruMECMaVCpoK6kjfszGkQSsdaL0NgECnnZqqrHHkeadGQdls5I251EhYZYqhuW4czp2a-O3bmWjnvHiheeb39B74cNZ5d4Pcfvn7kCkwHm8zQmHmUwVz7cL8spHch63fvfszPUX85h1CVZvZgFrKdNiu0PbUvLpqtrv-hs_L93MStGRheA9Pjc5qs-UZtsOcWX7DtHv9S498BAAD__3qdgSc">