From: "msebor at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/102006] A false warning "Array subscript -N is outside array bounds warning"
Date: Sat, 21 Aug 2021 18:21:43 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 11.1.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Who: msebor at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Changed-Fields: blocked cc keywords component
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
List-Id: Gcc-bugs mailing list

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102006

Martin Sebor changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |56456
                 CC|                            |msebor at gcc dot gnu.org
           Keywords|                            |diagnostic
          Component|c++                         |tree-optimization

--- Comment #5 from Martin Sebor ---
I can confirm the warning but not yet that it's a bug or limitation in GCC.
The IL does show an access via an out-of-bounds pointer to a local object:
(struct Element *)&holder + -32B, so it's working as designed.  I can't tell
if the access itself, adjusted for the offset of the member, is valid (i.e.,
what's D.146911's offset within holder), but even if it is, the warning
validates pointers without considering subsequent adjustments, so if something
earlier ends up emitting one that's out-of-bounds the warning will trigger.

The out-of-bounds offset first shows up in the fixup_cfg3 dump.  ListHolder is
multiply derived from the same base class whose members freely cast the this
pointer to the derived class, so maybe that somehow results in the intermediate
negative offset.  The translation unit is almost 90,000 of twisty C++ code, so
it will take a bit of time to reduce to something manageable.

void List_TestFunc (const struct TestContext & context)
{
  ...
  struct ListHolder holder;
  ...
  [local count: 1073741824]:
  _15 = MEM[(struct base_single_link *)&holder].pNext;
  if (_15 != 0B)
    goto ; [85.10%]
  else
    goto ; [14.90%]

  [local count: 913754293]:
  iftmp.2_16 = &MEM[(struct Element *)_15 + -32B].D.146911;

  [local count: 1073741821]:
  # i$m_p_24 = PHI
  goto ; [100.00%]
  ...
  [local count: 9761289345]:
  # i$m_p_21 = PHI
  if (&MEM[(struct Element *)&holder + -32B].D.146911 != i$m_p_21)   <<< -Warray-bounds
    goto ; [89.00%]
  else
    goto ; [11.00%]

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
[Bug 56456] [meta-bug] bogus/missing -Warray-bounds
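The mechanism the comment above describes (a pointer to the holder that ends up before the holder's own address once a base-class link is downcast to the element type) can be seen in miniature in the following illustration. This is an added example, not code from the bug report, the reporter's project or GCC: the types Payload, Element, ListHolder and base_single_link are hypothetical stand-ins for the names in the dump, and the intrusive-list-with-sentinel layout is an assumption about the kind of code that produces `(struct Element *)&holder + -32B`. It measures the byte adjustment a downcast applies and shows that applying it to a sentinel link that is not embedded in any Element yields a pointer that lands before the holder object.

```cpp
// Added illustration, not code from the bug report or from GCC: an intrusive
// singly linked list whose holder owns a bare sentinel link and whose
// iterator logic downcasts that link to the element type. The class names
// (Payload, Element, ListHolder, base_single_link) are hypothetical stand-ins
// for the types that appear in the dump above.
#include <cstddef>
#include <cstdint>
#include <cstdio>

struct base_single_link {
    base_single_link *pNext = nullptr;
};

// A non-empty first base pushes the link subobject to a non-zero offset
// inside Element, so up/downcasts between the two types adjust the pointer.
struct Payload {
    std::uint64_t key = 0;
    std::uint64_t value = 0;
};

struct Element : Payload, base_single_link {};

// The holder is NOT an Element; it only owns the sentinel link that the
// last element's pNext points back to.
struct ListHolder {
    base_single_link head;
};

// Byte offset of the link subobject inside Element, measured on a real
// object (an upcast adds it, a downcast subtracts it).
inline std::ptrdiff_t link_offset() {
    Element e;
    return reinterpret_cast<char *>(static_cast<base_single_link *>(&e))
         - reinterpret_cast<char *>(&e);
}

// The downcast the dump performs: (Element *)link - link_offset() in bytes.
inline Element *element_from_link(base_single_link *link) {
    return static_cast<Element *>(link);
}

// Downcasting a real element's link must round-trip to the element.
inline bool roundtrip_ok() {
    Element e;
    return element_from_link(static_cast<base_single_link *>(&e)) == &e;
}

// Byte distance from `holder` to the result of downcasting its sentinel.
// The sentinel is not embedded in an Element, so the result lands
// link_offset() bytes BEFORE the holder: an out-of-bounds pointer of the
// same shape as `(struct Element *)&holder + -32B` in the dump.
inline std::ptrdiff_t sentinel_downcast_distance() {
    ListHolder holder;
    Element *bogus = element_from_link(&holder.head);
    return reinterpret_cast<char *>(bogus) - reinterpret_cast<char *>(&holder);
}

inline bool sentinel_lands_before_holder() {
    return sentinel_downcast_distance() == -link_offset();
}

int main() {
    std::printf("link offset inside Element: %td bytes\n", link_offset());
    std::printf("sentinel downcast lands at holder%+td bytes\n",
                sentinel_downcast_distance());
    std::printf("element round-trip: %s\n", roundtrip_ok() ? "ok" : "BROKEN");
    return 0;
}
```

Building with `g++ -O2 -Warray-bounds` is the setting in which GCC validates such pointers; whether a particular GCC release warns on this small case is not established here, only that the downcast of the sentinel produces a pointer before the holder, which is the value the warning in the dump is checking before any later member adjustment is applied.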