From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 1B00C385840F; Thu, 17 Mar 2022 16:00:16 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1B00C385840F
From: "msebor at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/104965] [11/12 Regression] Yet another
 -Warray-bounds false positive
Date: Thu, 17 Mar 2022 16:00:16 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: middle-end
X-Bugzilla-Version: 12.0
X-Bugzilla-Keywords: diagnostic
X-Bugzilla-Severity: normal
X-Bugzilla-Who: msebor at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 11.3
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-104965-4-bk1V0QDbmP@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-104965-4@http.gcc.gnu.org/bugzilla/>
References: <bug-104965-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Mar 2022 16:00:16 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D104965

Martin Sebor <msebor at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |msebor at gcc dot gnu.org

--- Comment #3 from Martin Sebor <msebor at gcc dot gnu.org> ---
It looks like an escape analysis limitation.  With this simpler test case u=
sing
different types to rule out aliasing assumptions:

#include <string>

int main()
{
  std::basic_string<short> s;
  auto p =3D new int[s.size ()]{ };
  char c =3D 0;
  if (s.size())
    c =3D *p;
  delete[] p;
  return c;
}

pr104965.C:9:9: warning: array subscript 0 is outside array bounds of =E2=
=80=98void
[0]=E2=80=99 [-Warray-bounds]
    9 |     c =3D *p;
      |         ^~
pr104965.C:6:34: note: object of size 0 allocated by =E2=80=98operator new =
[]=E2=80=99
    6 |   auto p =3D new short[s.size ()]{ };
      |                                  ^

One of the stores to the local s escapes its address which is then assumed =
to
have been clobbered by operator new:

  <bb 2> [local count: 1073741824]:
  s =3D{v} {CLOBBER};
  MEM[(struct _Alloc_hider *)&s] =3D{v} {CLOBBER};
  MEM[(struct _Alloc_hider *)&s]._M_p =3D &s.D.33279._M_local_buf;
  s._M_string_length =3D 0;
  MEM[(char_type &)&s + 16] =3D 0;
  _5 =3D operator new [] (0);

  <bb 3> [local count: 1073741824]:
  _10 =3D s._M_string_length;
  if (_10 !=3D 0)
    goto <bb 4>; [50.00%]
  else
    goto <bb 5>; [50.00%]

  <bb 4> [local count: 536870913]:
  _1 =3D MEM[(int *)_5];
  c_6 =3D (char) _1;=