public inbox for gcc-bugs@sourceware.org
From: "msebor at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/101977] array subscript 0 is outside array bounds
Date: Thu, 19 Aug 2021 21:06:44 +0000
Message-ID: <bug-101977-4-odx69lSDOh@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-101977-4@http.gcc.gnu.org/bugzilla/>

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-08-19
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Stepping through the GCC code it looks like the same problem as in pr101600. 
The warning doesn't reset the base0 flag when processing a PHI node involving
null pointers and those that don't point to known objects.  Here's a simple C
test case.  The one in pr101600 is C++ so I'll keep this open just to remember
to add both.

$ cat z.c && gcc -O2 -S -Wall -fdump-tree-vrp1=/dev/stdout z.c
struct A { int i; };
struct B { struct A a1; struct A a2; };

void f (struct A *p, int i)
{
  struct A *q = i < 0 ? 0 : 0 < i ? p : 0;
  struct B *r = (struct B*)((char *)q - __builtin_offsetof (struct B, a2));
  r->a1.i = 0;
}

;; Function f (f, funcdef_no=0, decl_uid=1949, cgraph_uid=1, symbol_order=0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2 3 4 6
;; 2 succs { 3 6 }
;; 3 succs { 6 4 }
;; 4 succs { 6 }
;; 6 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

i_6 -> { i_2(D) }
Incremental SSA update started at block: 2
Number of blocks in CFG: 7
Number of blocks to update: 2 ( 29%)



Value ranges after VRP:

iftmp.0_1: struct A * VARYING
i_2(D): int VARYING
p_3(D): struct A * VARYING
i_6: int [0, +INF]  EQUIVALENCES: { i_2(D) } (1 elements)


z.c: In function ‘f’:
z.c:8:4: warning: array subscript 0 is outside array bounds of ‘struct A[2305843009213693951]’ [-Warray-bounds]
    8 |   r->a1.i = 0;
      |    ^~
z.c:4:19: note: at offset -4 into object ‘p’ of size [0, 9223372036854775807]
    4 | void f (struct A *p, int i)
      |         ~~~~~~~~~~^
void f (struct A * p, int i)
{
  struct A * iftmp.0_1;

  <bb 2> [local count: 1073741824]:
  if (i_2(D) >= 0)
    goto <bb 3>; [59.00%]
  else
    goto <bb 5>; [41.00%]

  <bb 3> [local count: 633507681]:
  if (i_2(D) != 0)
    goto <bb 5>; [50.00%]
  else
    goto <bb 4>; [50.00%]

  <bb 4> [local count: 316753840]:

  <bb 5> [local count: 1073741824]:
  # iftmp.0_1 = PHI <0B(4), 0B(2), p_3(D)(3)>  <<< p_3(D)(3) is a function argument
  MEM[(struct B *)iftmp.0_1 + -4B].a1.i = 0;   <<< -Warray-bounds
  return;

}

As an aside, the usual practice is to include a test case or a translation unit
when reporting a bug.  I reproduced the warning myself by building Binutils so
I don't need the details we normally ask for, but it would be nice to at least
mention what you believe is wrong, if only as a courtesy, and how you convinced
yourself of it.
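
The following is an added example, not part of the comment above and not GCC or Binutils code. It uses the test case's `struct A` and `struct B` to show that the store at offset -4 lands inside the enclosing object when `p` points at an `a2` member, and it handles the two null arms of the conditional explicitly. The names `b_from_a2`, `clear_a1` and `demo` are hypothetical.

```c
#include <stddef.h>

struct A { int i; };
struct B { struct A a1; struct A a2; };

/* Recover the enclosing struct B from a pointer to its a2 member.
   Only valid when q really points at the a2 member of a struct B. */
static struct B *b_from_a2(struct A *q)
{
    return (struct B *)((char *)q - offsetof(struct B, a2));
}

/* Same selection and store as f() in the test case, but the null
   arms of the conditional are rejected before any pointer arithmetic.
   Returns 0 when the store was done, -1 when no object was selected. */
int clear_a1(struct A *p, int i)
{
    struct A *q = i > 0 ? p : NULL;   /* i < 0 and i == 0 both yield null */

    if (q == NULL)
        return -1;

    b_from_a2(q)->a1.i = 0;           /* offset -offsetof(a2) from q, inside *b */
    return 0;
}

/* Constructed check: p points at b.a2, so the store hits b.a1 and
   leaves b.a2 untouched. Returns 1 when that holds. */
int demo(void)
{
    struct B b = { { 7 }, { 9 } };

    if (clear_a1(&b.a2, 1) != 0)
        return -1;
    return b.a1.i == 0 && b.a2.i == 9;
}
```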
