From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id 02B7D385802B; Mon,  1 Aug 2022 12:17:29 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 02B7D385802B
From: "rguenth at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/106495] [13 Regression] Build fails
 gcc/tree-ssa-threadbackward.cc:22: gcc/vec.h:890:19: error: array subscript
 4294967294 is above array bounds of 'basic_block_def* [1]'
 [-Werror=array-bounds]
Date: Mon, 01 Aug 2022 12:17:29 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: middle-end
X-Bugzilla-Version: 13.0
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: normal
X-Bugzilla-Who: rguenth at gcc dot gnu.org
X-Bugzilla-Status: ASSIGNED
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: rguenth at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 13.0
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-106495-4-fAAG2LYEZO@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-106495-4@http.gcc.gnu.org/bugzilla/>
References: <bug-106495-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2022 12:17:30 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D106495

--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
  if (_233 !=3D 0B)
    goto <bb 113>; [70.00%]
  else
    goto <bb 111>; [30.00%]
;;    succ:       113 [70.0% (guessed)]  count:1263844 (estimated locally)
(TRUE_VALUE,EXECUTABLE)
;;                111 [30.0% (guessed)]  count:541647 (estimated locally)
(FALSE_VALUE,EXECUTABLE)

;;   basic block 111, loop depth 0, count 541647 (estimated locally), maybe=
 hot
;;    prev block 110, next block 112, flags: (NEW, REACHABLE, VISITED)
;;    pred:       110 [30.0% (guessed)]  count:541647 (estimated locally)
(FALSE_VALUE,EXECUTABLE)
  _286 =3D MEM[(struct vec *)0B].m_vecpfx.m_num;

so a NULL pointer check is not enough to make the NULL case cold.

threadfull1 exposes the path, vrp1 warns on it (it seems VRP1 at least no
longer performs any threading itself).

Before threadfull1 we have

;;   basic block 114, loop depth 0, count 1805491 (estimated locally), maybe
hot
;;    prev block 112, next block 115, flags: (NEW, REACHABLE, VISITED)
;;    pred:       108 [66.0% (guessed)]  count:1805489 (estimated locally)
(FALSE_VALUE,EXECUTABLE)
  _233 =3D m_path_142(D)->m_vec;
  if (_233 !=3D 0B)
    goto <bb 115>; [70.00%]
  else
    goto <bb 116>; [30.00%]
;;    succ:       115 [70.0% (guessed)]  count:1263844 (estimated locally)
(TRUE_VALUE,EXECUTABLE)
;;                116 [30.0% (guessed)]  count:541647 (estimated locally)
(FALSE_VALUE,EXECUTABLE)

;;   basic block 115, loop depth 0, count 1263844 (estimated locally), maybe
hot
;;    prev block 114, next block 116, flags: (NEW, REACHABLE, VISITED)
;;    pred:       114 [70.0% (guessed)]  count:1263844 (estimated locally)
(TRUE_VALUE,EXECUTABLE)
  _234 =3D MEM[(const struct vec *)_233].m_vecpfx.m_num;
;;    succ:       116 [always]  count:1263844 (estimated locally)
(FALLTHRU,EXECUTABLE)

;;   basic block 116, loop depth 0, count 1805491 (estimated locally), maybe
hot
;;    prev block 115, next block 117, flags: (NEW, REACHABLE, VISITED)
;;    pred:       114 [30.0% (guessed)]  count:541647 (estimated locally)
(FALSE_VALUE,EXECUTABLE)
;;                115 [always]  count:1263844 (estimated locally)
(FALLTHRU,EXECUTABLE)
  # iftmp.22_235 =3D PHI <0(114), _234(115)>
  _51 =3D iftmp.22_235 + 4294967294;
  _232 =3D _233->m_vecpfx.m_num;
  if (_51 >=3D _232)
    goto <bb 117>; [0.00%]
  else
    goto <bb 118>; [100.00%]
;;    succ:       117 [never]  count:0 (precise) (TRUE_VALUE,EXECUTABLE)
;;                118 [always]  count:1805491 (estimated locally)
(FALSE_VALUE,EXECUTABLE)

;;   basic block 117, loop depth 0, count 0 (precise), probably never execu=
ted
;;    prev block 116, next block 118, flags: (NEW, REACHABLE, VISITED)
;;    pred:       116 [never]  count:0 (precise) (TRUE_VALUE,EXECUTABLE)
  vec<basic_block_def*, va_heap,
vl_embed>::_ZN3vecIP15basic_block_def7va_heap8vl_embedEixEj.part.0 ();
;;    succ:

;;   basic block 118, loop depth 0, count 1805491 (estimated locally), maybe
hot
;;    prev block 117, next block 119, flags: (NEW, REACHABLE, VISITED)
;;    pred:       116 [always]  count:1805491 (estimated locally)
(FALSE_VALUE,EXECUTABLE)
  _52 =3D MEM <struct vec> [(struct basic_block_def * const
&)_233].m_vecdata[_51];

I can't see from the dumps what threadfull1 does but I think it must somehow
just key on

  # iftmp.22_235 =3D PHI <0(114), _234(115)>
  _51 =3D iftmp.22_235 + 4294967294;
  _232 =3D _233->m_vecpfx.m_num;
  if (_51 >=3D _232)
    goto <bb 117>; [0.00%]

simplifying 4294967294 >=3D _232 on the edge from 114?  But maybe the
wrong-doing already starts earlier, but disabling ethread doesn't hide the
diagnostic.=