From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id A5D1F385702B; Tue, 12 Oct 2021 16:35:53 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org A5D1F385702B From: "msebor at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug tree-optimization/102706] [12 regression] -O2 vectorization causes regression in Warray-bounds-48.c on many targets Date: Tue, 12 Oct 2021 16:35:53 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: tree-optimization X-Bugzilla-Version: 11.0 X-Bugzilla-Keywords: diagnostic X-Bugzilla-Severity: normal X-Bugzilla-Who: msebor at gcc dot gnu.org X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: cc keywords bug_status everconfirmed blocked cf_reconfirmed_on Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 12 Oct 2021 16:35:53 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D102706 Martin Sebor changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |crazylht at gmail dot com Keywords| |diagnostic Status|UNCONFIRMED |NEW Ever confirmed|0 |1 Blocks| |56456 Last reconfirmed| |2021-10-12 --- Comment #1 from Martin Sebor --- Confirmed. The root cause is similar as in the test case in pr102462 comme= nt 4. Here, in addition to the expected -Warray-bounds (from the vrp1 pass) f= or the invalid subscripts (before vectorization) the code also triggers -Wstringop-overflow (from the strlen pass) for the two valid stores to p->a= x at indices 0 and 1 vectorized with the subsequent two stores. See the dumps below. Hongtao and I have been discussing the fallout of the autovectorization cha= nge in the context of the following review: https://gcc.gnu.org/pipermail/gcc-patches/2021-October/581371.html Hongtao, we could use this bug to track case (2) that you described in your reply this morning in the thread above. $ cat pr102706.c && /build/iq2000-elf/gcc-master/gcc/xgcc -B /build/iq200f/gcc-master/gcc -O2 -S -Wall -fdump-tree-vrp1=3D/dev/stdout -fdump-tree-strlen=3D/dev/stdout pr102706.c typedef __INT16_TYPE__ int16_t; typedef __INT32_TYPE__ int32_t; void sink (void*); /* Exercise a true flexible member. */ struct AX { int32_t n; int16_t ax[]; // { dg-message "while referencing 'ax'" "member" } }; static void warn_ax_local_buf (struct AX *p) { p->ax[0] =3D 4; p->ax[1] =3D 5; p->ax[2] =3D 6; // { dg-warning "\\\[-Warray-bounds" } p->ax[3] =3D 7; // { dg-warning "\\\[-Warray-bounds" } p->ax[4] =3D 8; // { dg-warning "\\\[-Warray-bounds" } } void g (void) { /* Verify out-of-bounds access to the local BUF is diagnosed. */ char ax_buf_p2[sizeof (struct AX) + 2 * sizeof (int16_t)]; warn_ax_local_buf ((struct AX*) ax_buf_p2); sink (ax_buf_p2); } ;; Function g (g, funcdef_no=3D1, decl_uid=3D1438, cgraph_uid=3D2, symbol_o= rder=3D1) ;; 1 loops found ;; ;; Loop 0 ;; header 0, latch 1 ;; depth 0, outer -1 ;; nodes: 0 1 2 ;; 2 succs { 1 } Value ranges after VRP: In function 'warn_ax_local_buf', inlined from 'g' at pr102706.c:28:3: pr102706.c:18:8: warning: array subscript 2 is above array bounds of 'int16_t[]' {aka 'short int[]'} [-Warray-bounds] 18 | p->ax[2] =3D 6; // { dg-warning "\\\[-Warray-bounds" } | ~~~~~^~~ pr102706.c: In function 'g': pr102706.c:11:11: note: while referencing 'ax' 11 | int16_t ax[]; // { dg-message "while referencing 'ax'" "membe= r" } | ^~ In function 'warn_ax_local_buf', inlined from 'g' at pr102706.c:28:3: pr102706.c:19:8: warning: array subscript 3 is above array bounds of 'int16_t[]' {aka 'short int[]'} [-Warray-bounds] 19 | p->ax[3] =3D 7; // { dg-warning "\\\[-Warray-bounds" } | ~~~~~^~~ pr102706.c: In function 'g': pr102706.c:11:11: note: while referencing 'ax' 11 | int16_t ax[]; // { dg-message "while referencing 'ax'" "membe= r" } | ^~ In function 'warn_ax_local_buf', inlined from 'g' at pr102706.c:28:3: pr102706.c:20:8: warning: array subscript 4 is above array bounds of 'int16_t[]' {aka 'short int[]'} [-Warray-bounds] 20 | p->ax[4] =3D 8; // { dg-warning "\\\[-Warray-bounds" } | ~~~~~^~~ pr102706.c: In function 'g': pr102706.c:11:11: note: while referencing 'ax' 11 | int16_t ax[]; // { dg-message "while referencing 'ax'" "membe= r" } | ^~ void g () { char ax_buf_p2[8]; [local count: 1073741824]: MEM[(struct AX *)&ax_buf_p2].ax[0] =3D 4; MEM[(struct AX *)&ax_buf_p2].ax[1] =3D 5; MEM[(struct AX *)&ax_buf_p2].ax[2] =3D 6; MEM[(struct AX *)&ax_buf_p2].ax[3] =3D 7; MEM[(struct AX *)&ax_buf_p2].ax[4] =3D 8; sink (&ax_buf_p2); ax_buf_p2 =3D{v} {CLOBBER}; return; } ;; Function g (g, funcdef_no=3D1, decl_uid=3D1438, cgraph_uid=3D2, symbol_o= rder=3D1) ;; 1 loops found ;; ;; Loop 0 ;; header 0, latch 1 ;; depth 0, outer -1 ;; nodes: 0 1 2 ;; 2 succs { 1 } In function 'warn_ax_local_buf', inlined from 'g' at pr102706.c:28:3: pr102706.c:16:12: warning: writing 4 bytes into a region of size 0 [-Wstringop-overflow=3D] 16 | p->ax[0] =3D 4; p->ax[1] =3D 5; | ~~~~~~~~~^~~ pr102706.c: In function 'g': pr102706.c:27:8: note: at offset 8 into destination object 'ax_buf_p2' of s= ize 8 27 | char ax_buf_p2[sizeof (struct AX) + 2 * sizeof (int16_t)]; | ^~~~~~~~~ void g () { int16_t * vectp.5; vector(2) short int * vectp_ax_buf_p2.4; char ax_buf_p2[8]; [local count: 1073741824]: MEM [(short int *)&ax_buf_p2 + 4B] =3D { 4, 5 }; MEM [(short int *)&ax_buf_p2 + 8B] =3D { 6, 7 }; MEM[(struct AX *)&ax_buf_p2].ax[4] =3D 8; sink (&ax_buf_p2); ax_buf_p2 =3D{v} {CLOBBER}; return; } Referenced Bugs: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D56456 [Bug 56456] [meta-bug] bogus/missing -Warray-bounds=