public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/101977] New: array subscript 0 is outside array bounds
@ 2021-08-19 11:47 amodra at gmail dot com
  2021-08-19 21:06 ` [Bug tree-optimization/101977] " msebor at gcc dot gnu.org
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: amodra at gmail dot com @ 2021-08-19 11:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

            Bug ID: 101977
           Summary: array subscript 0 is outside array bounds
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: amodra at gmail dot com
  Target Milestone: ---

Seen on attempting to build binutils for x86_64-linux with current mainline gcc

/home/alan/build/gcc-virgin/gcc/xgcc -B/home/alan/build/gcc-virgin/gcc/
-DHAVE_CONFIG_H -I. -I/home/alan/src/binutils-gdb/bfd
-DBINDIR=\"/usr/local/bin\" -DLIBDIR=\"/usr/local/lib\" -I.
-I/home/alan/src/binutils-gdb/bfd -I/home/alan/src/binutils-gdb/bfd/../include
-DHAVE_all_vecs -W -Wall -Wstrict-prototypes -Wmissing-prototypes -Wshadow
-Wstack-usage=262144 -Werror -I/home/alan/src/binutils-gdb/bfd/../zlib -g -O2
-MT section.lo -MD -MP -MF .deps/section.Tpo -c
/home/alan/src/binutils-gdb/bfd/section.c -o section.o
In function ‘bfd_get_next_section_by_name’,
    inlined from ‘bfd_get_linker_section’ at
/home/alan/src/binutils-gdb/bfd/section.c:976:11:
/home/alan/src/binutils-gdb/bfd/section.c:936:8: error: array subscript 0 is
outside array bounds of ‘asection[31160040665049918]’ {aka ‘struct
bfd_section[31160040665049918]’} [-Werror=array-bounds]
  936 |   hash = sh->root.hash;
      |   ~~~~~^~~~~~~~~~~~~~~


* [Bug tree-optimization/101977] array subscript 0 is outside array bounds
From: msebor at gcc dot gnu.org @ 2021-08-19 21:06 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-08-19
             Status|UNCONFIRMED                 |ASSIGNED

--- Comment #1 from Martin Sebor <msebor at gcc dot gnu.org> ---
Stepping through the GCC code it looks like the same problem as in pr101600. 
The warning doesn't reset the base0 flag when processing a PHI node involving
null pointers and those that don't point to known objects.  Here's a simple C
test case.  The one in pr101600 is C++ so I'll keep this open just to remember
to add both.

$ cat z.c && gcc -O2 -S -Wall -fdump-tree-vrp1=/dev/stdout z.c
struct A { int i; };
struct B { struct A a1; struct A a2; };

void f (struct A *p, int i)
{
  struct A *q = i < 0 ? 0 : 0 < i ? p : 0;
  struct B *r = (struct B*)((char *)q - __builtin_offsetof (struct B, a2));
  r->a1.i = 0;
}

;; Function f (f, funcdef_no=0, decl_uid=1949, cgraph_uid=1, symbol_order=0)

;; 1 loops found
;;
;; Loop 0
;;  header 0, latch 1
;;  depth 0, outer -1
;;  nodes: 0 1 2 3 4 6
;; 2 succs { 3 6 }
;; 3 succs { 6 4 }
;; 4 succs { 6 }
;; 6 succs { 1 }

SSA replacement table
N_i -> { O_1 ... O_j } means that N_i replaces O_1, ..., O_j

i_6 -> { i_2(D) }
Incremental SSA update started at block: 2
Number of blocks in CFG: 7
Number of blocks to update: 2 ( 29%)



Value ranges after VRP:

iftmp.0_1: struct A * VARYING
i_2(D): int VARYING
p_3(D): struct A * VARYING
i_6: int [0, +INF]  EQUIVALENCES: { i_2(D) } (1 elements)


z.c: In function ‘f’:
z.c:8:4: warning: array subscript 0 is outside array bounds of ‘struct
A[2305843009213693951]’ [-Warray-bounds]
    8 |   r->a1.i = 0;
      |    ^~
z.c:4:19: note: at offset -4 into object ‘p’ of size [0, 9223372036854775807]
    4 | void f (struct A *p, int i)
      |         ~~~~~~~~~~^
void f (struct A * p, int i)
{
  struct A * iftmp.0_1;

  <bb 2> [local count: 1073741824]:
  if (i_2(D) >= 0)
    goto <bb 3>; [59.00%]
  else
    goto <bb 5>; [41.00%]

  <bb 3> [local count: 633507681]:
  if (i_2(D) != 0)
    goto <bb 5>; [50.00%]
  else
    goto <bb 4>; [50.00%]

  <bb 4> [local count: 316753840]:

  <bb 5> [local count: 1073741824]:
  # iftmp.0_1 = PHI <0B(4), 0B(2), p_3(D)(3)>  <<< p_3(D)(3) is a function argument
  MEM[(struct B *)iftmp.0_1 + -4B].a1.i = 0;   <<< -Warray-bounds
  return;

}

As an aside, the usual practice is to include a test case or a translation unit
when reporting a bug.  I reproduced the warning myself by building Binutils so
I don't need the details we normally ask for, but it would be nice to at least
mention what you believe is wrong, if only as a courtesy, and how you convinced
yourself of it.


* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: msebor at gcc dot gnu.org @ 2021-08-19 21:07 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |12.0
           Assignee|unassigned at gcc dot gnu.org      |msebor at gcc dot gnu.org


* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: msebor at gcc dot gnu.org @ 2021-08-23 23:41 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |patch

--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
Patch: https://gcc.gnu.org/pipermail/gcc-patches/2021-August/577985.html


* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: cvs-commit at gcc dot gnu.org @ 2021-08-24 16:49 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Sebor <msebor@gcc.gnu.org>:

https://gcc.gnu.org/g:820f0940d7ace1306430a9dcf1bd9577508a7a7e

commit r12-3124-g820f0940d7ace1306430a9dcf1bd9577508a7a7e
Author: Martin Sebor <msebor@redhat.com>
Date:   Tue Aug 24 10:49:11 2021 -0600

    Reset PHI base0 flag if it's clear in any argument [PR101977, ...]

    Resolves:
    PR middle-end/101600 - Spurious -Warray-bounds downcasting a polymorphic pointer
    PR middle-end/101977 - bogus -Warray-bounds on a negative index into a parameter in conditional with null

    gcc/ChangeLog:

            PR middle-end/101600
            PR middle-end/101977
            * gimple-ssa-warn-access.cc (maybe_warn_for_bound): Tighten up
            the phrasing of a warning.
            (check_access): Use the remaining size after subtracting any offset
            rather than the whole object size.
            * pointer-query.cc (access_ref::get_ref): Clear BASE0 flag if it's
            clear for any nonnull PHI argument.
            (compute_objsize): Clear argument.

    gcc/testsuite/ChangeLog:

            PR middle-end/101600
            PR middle-end/101977
            * g++.dg/pr100574.C: Prune out valid warning.
            * gcc.dg/pr20126.c: Same.
            * gcc.dg/Wstringop-overread.c: Adjust text of expected warnings.
            Add new instances.
            * gcc.dg/warn-strnlen-no-nul.c: Same.
            * g++.dg/warn/Warray-bounds-26.C: New test.
            * gcc.dg/Warray-bounds-88.c: New test.

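The reasoning in comment #1 and in the commit message above, as an added example that is not part of the thread or of GCC's source: it shows that the access in z.c is valid when p is the a2 member of a struct B, and models the BASE0 merge across PHI arguments before and after the fix. The names phi_arg, merge_base0, warns and valid_caller are hypothetical, and the "before" behaviour is an assumed simplification of what comment #1 describes.

```c
/* Added illustration: simplified model, not GCC source; names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct A { int i; };
struct B { struct A a1; struct A a2; };

/* The access from z.c on the path where q == p (the other paths are null). */
static int write_a1_via_a2 (struct A *p)
{
  struct B *r = (struct B *)((char *)p - offsetof (struct B, a2));
  r->a1.i = 7;
  return r->a1.i;
}

/* Valid caller: p is the a2 member, so the negative offset stays inside b. */
int valid_caller (void)
{
  struct B b = { { 0 }, { 0 } };
  return write_a1_via_a2 (&b.a2) == 7 && b.a1.i == 7;
}

/* What the checker knows about one PHI argument (assumed model). */
struct phi_arg { bool is_null; bool base0; };

/* Merge the "points at offset 0 of its object" flag across PHI arguments.
   fixed == false models the behaviour reported in comment #1 (never reset). */
bool merge_base0 (const struct phi_arg *args, size_t n, bool fixed)
{
  bool base0 = true;                 /* merged result starts with the flag set */
  for (size_t i = 0; i < n; i++)
    if (!args[i].is_null && !args[i].base0 && fixed)
      base0 = false;                 /* clear if clear in any nonnull argument */
  return base0;
}

/* A negative offset is out of bounds only from a known object start. */
bool warns (const struct phi_arg *args, size_t n, long off, bool fixed)
{
  return off < 0 && merge_base0 (args, n, fixed);
}

int main (void)
{
  /* PHI <0B, 0B, p_3(D)>: two nulls and a parameter of unknown origin. */
  struct phi_arg phi[] = { { true, true }, { true, true }, { false, false } };
  printf ("valid=%d before=%d after=%d\n", valid_caller (),
          warns (phi, 3, -4, false), warns (phi, 3, -4, true));
  return 0;
}
```

A PHI whose nonnull arguments all have the flag set still warns on a negative offset in the fixed model, so the true-positive case is preserved.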

* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: msebor at gcc dot gnu.org @ 2021-08-24 16:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977
Bug 101977 depends on bug 101600, which changed state.

Bug 101600 Summary: [12 Regression] Spurious -Warray-bounds downcasting a polymorphic pointer
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101600

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED


* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: msebor at gcc dot gnu.org @ 2021-08-24 16:50 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from Martin Sebor <msebor at gcc dot gnu.org> ---
Fixed.


* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: msebor at gcc dot gnu.org @ 2021-08-24 17:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

--- Comment #5 from Martin Sebor <msebor at gcc dot gnu.org> ---
The -Warray-bounds for section.c is gone but last night's build still shows a
large number of -Warray-bounds instances as well as other warnings for Binutils
& GDB.  I haven't analyzed any of them.  The breakdown is below:

Diagnostic                        Count   Unique    Files
-Wimplicit-function-declaration       99       70       15
-Warray-bounds                       79        1        1
-Wpointer-sign                       54       54        8
-Wmaybe-uninitialized                43       37       22
-Wmissing-prototypes                 42       32        9
-Wincompatible-pointer-types         42       42        1
-Wpointer-to-int-cast                11       11        2
-Wparentheses                        11       11        3
-Wint-to-pointer-cast                 9        9        1
-Wformat=                             6        3        2
-Walloc-zero                          6        2        2
-Wconflicts-sr                        5        5        5
-Wunused-value                        3        1        1
-Wunused-function                     3        3        1
-Wstrict-aliasing                     3        3        1
-Wdangling-else                       2        2        1
-Wmisleading-indentation              1        1        1
-Wconflicts-rr                        1        1        1


* [Bug tree-optimization/101977] [12 Regression] array subscript 0 is outside array bounds
From: amodra at gmail dot com @ 2021-08-25  0:11 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101977

--- Comment #6 from Alan Modra <amodra at gmail dot com> ---
(In reply to Martin Sebor from comment #5)
> The -Warray-bounds for section.c is gone
Thanks for fixing that.

> but last night's build still shows
> a large number of -Warray-bounds instances as well as other warnings for
> Binutils & GDB.
I built gcc and binutils+gdb just now and see that these are all in sim/ with
the exception of -Wconflicts-sr and -Wconflicts-rr bison warnings, and this
libstdc++ warning:

home/alan/build/gcc-virgin/prev-x86_64-linux/libstdc++-v3/include/bits/stl_algo.h:1869:32:
error: array subscript 19 is outside array bounds of ‘void [136]’
[-Werror=array-bounds]
