public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’
@ 2023-03-21 13:58 ubizjak at gmail dot com
2023-03-21 14:01 ` [Bug c/109233] " ubizjak at gmail dot com
` (14 more replies)
0 siblings, 15 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-21 13:58 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
Bug ID: 109233
Summary: warning: array subscript 5 is above array bounds of
‘struct tg3_napi[5]’
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: ubizjak at gmail dot com
Target Milestone: ---
There is another bogus array bounds warning when compiling linux in:
drivers/net/ethernet/broadcom/tg3.c: In function ‘tg3_init_one’:
drivers/net/ethernet/broadcom/tg3.c:17787:51: error: array subscript 5 is above
array bounds of ‘struct tg3_napi[5]’ [-Werror=array-bounds=]
17787 | struct tg3_napi *tnapi = &tp->napi[i];
| ~~~~~~~~^~~
In file included from drivers/net/ethernet/broadcom/tg3.c:72:
drivers/net/ethernet/broadcom/tg3.h:3203:41: note: while referencing ‘napi’
3203 | struct tg3_napi napi[TG3_IRQ_MAX_VECS];
| ^~~~
drivers/net/ethernet/broadcom/tg3.c:17787:51: error: array subscript 5 is above
array bounds of ‘struct tg3_napi[5]’ [-Werror=array-bounds=]
17787 | struct tg3_napi *tnapi = &tp->napi[i];
| ~~~~~~~~^~~
drivers/net/ethernet/broadcom/tg3.h:3203:41: note: while referencing ‘napi’
3203 | struct tg3_napi napi[TG3_IRQ_MAX_VECS];
| ^~~~
cc1: all warnings being treated as errors
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
@ 2023-03-21 14:01 ` ubizjak at gmail dot com
2023-03-21 14:05 ` ubizjak at gmail dot com
` (13 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-21 14:01 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #1 from Uroš Bizjak <ubizjak at gmail dot com> ---
Created attachment 54719
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54719&action=edit
Preprocessed file
-O2 -Warray-bounds:
In function ‘tg3_init_one’,
inlined from ‘tg3_init_one’ at
drivers/net/ethernet/broadcom/tg3.c:17542:12:
drivers/net/ethernet/broadcom/tg3.c:17787:37: warning: array subscript 5 is
above array bounds of ‘struct tg3_napi[5]’ [-Warray-bounds=]
In file included from drivers/net/ethernet/broadcom/tg3.c:72:
drivers/net/ethernet/broadcom/tg3.h: In function ‘tg3_init_one’:
drivers/net/ethernet/broadcom/tg3.h:3203:18: note: while referencing ‘napi’
In function ‘tg3_init_one’,
inlined from ‘tg3_init_one’ at
drivers/net/ethernet/broadcom/tg3.c:17542:12:
drivers/net/ethernet/broadcom/tg3.c:17787:37: warning: array subscript 5 is
above array bounds of ‘struct tg3_napi[5]’ [-Warray-bounds=]
drivers/net/ethernet/broadcom/tg3.h: In function ‘tg3_init_one’:
drivers/net/ethernet/broadcom/tg3.h:3203:18: note: while referencing ‘napi’
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
2023-03-21 14:01 ` [Bug c/109233] " ubizjak at gmail dot com
@ 2023-03-21 14:05 ` ubizjak at gmail dot com
2023-03-22 10:27 ` ubizjak at gmail dot com
` (12 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-21 14:05 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #2 from Uroš Bizjak <ubizjak at gmail dot com> ---
As can be seen from the preprocessed file, tp->irq_max is set to:
tp->irq_max = 1;
or
tp->irq_max = (4 + 1);
and the compilation warns in tg3_init_one at:
for (i = 0; i < tp->irq_max; i++) {
struct tg3_napi *tnapi = &tp->napi[i];
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
2023-03-21 14:01 ` [Bug c/109233] " ubizjak at gmail dot com
2023-03-21 14:05 ` ubizjak at gmail dot com
@ 2023-03-22 10:27 ` ubizjak at gmail dot com
2023-03-22 10:38 ` [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591 jakub at gcc dot gnu.org
` (11 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-22 10:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #3 from Uroš Bizjak <ubizjak at gmail dot com> ---
Created attachment 54729
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54729&action=edit
Minimized testcase
WIP, but *substantially* minimized.
gcc -O2 -Warray-bounds:
tg3-6.c: In function ‘tg3_init_one’:
tg3-6.c:51:37: warning: array subscript 5 is above array bounds of ‘struct
tg3_napi[5]’ [-Warray-bounds=]
51 | struct tg3_napi *tnapi = &tp->napi[i];
| ~~~~~~~~^~~
tg3-6.c:22:19: note: while referencing ‘napi’
22 | struct tg3_napi napi[(4 + 1)];
| ^~~~
tg3-6.c:51:37: warning: array subscript 5 is above array bounds of ‘struct
tg3_napi[5]’ [-Warray-bounds=]
51 | struct tg3_napi *tnapi = &tp->napi[i];
| ~~~~~~~~^~~
tg3-6.c:22:19: note: while referencing ‘napi’
22 | struct tg3_napi napi[(4 + 1)];
| ^~~~
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (2 preceding siblings ...)
2023-03-22 10:27 ` ubizjak at gmail dot com
@ 2023-03-22 10:38 ` jakub at gcc dot gnu.org
2023-03-22 10:40 ` [Bug c/109233] [12/13 Regression] " jakub at gcc dot gnu.org
` (10 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-03-22 10:38 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|warning: array subscript 5 |warning: array subscript 5
|is above array bounds of |is above array bounds of
|‘struct tg3_napi[5]’ |‘struct tg3_napi[5]’ since
| |r12-2591
CC| |jakub at gcc dot gnu.org
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Both the original and minimized testcase started to warn with
r12-2591-g2e96b5f14e4025691b57d2301d71a
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (3 preceding siblings ...)
2023-03-22 10:38 ` [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591 jakub at gcc dot gnu.org
@ 2023-03-22 10:40 ` jakub at gcc dot gnu.org
2023-03-22 10:43 ` ubizjak at gmail dot com
` (9 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-03-22 10:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Ever confirmed|0 |1
Target Milestone|--- |12.3
Last reconfirmed| |2023-03-22
Status|UNCONFIRMED |NEW
Summary|warning: array subscript 5 |[12/13 Regression] warning:
|is above array bounds of |array subscript 5 is above
|‘struct tg3_napi[5]’ since |array bounds of ‘struct
|r12-2591 |tg3_napi[5]’ since r12-2591
Priority|P3 |P2
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (4 preceding siblings ...)
2023-03-22 10:40 ` [Bug c/109233] [12/13 Regression] " jakub at gcc dot gnu.org
@ 2023-03-22 10:43 ` ubizjak at gmail dot com
2023-03-22 12:10 ` ubizjak at gmail dot com
` (8 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-22 10:43 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #5 from Uroš Bizjak <ubizjak at gmail dot com> ---
Created attachment 54731
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54731&action=edit
Even more minimized testcase.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (5 preceding siblings ...)
2023-03-22 10:43 ` ubizjak at gmail dot com
@ 2023-03-22 12:10 ` ubizjak at gmail dot com
2023-03-22 14:13 ` marxin at gcc dot gnu.org
` (7 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-22 12:10 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
Uroš Bizjak <ubizjak at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #54729|0 |1
is obsolete| |
Attachment #54731|0 |1
is obsolete| |
--- Comment #6 from Uroš Bizjak <ubizjak at gmail dot com> ---
Created attachment 54733
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54733&action=edit
Minimized testcase
Minimized testcase for the testsuite.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (6 preceding siblings ...)
2023-03-22 12:10 ` ubizjak at gmail dot com
@ 2023-03-22 14:13 ` marxin at gcc dot gnu.org
2023-03-22 14:37 ` jakub at gcc dot gnu.org
` (6 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: marxin at gcc dot gnu.org @ 2023-03-22 14:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #7 from Martin Liška <marxin at gcc dot gnu.org> ---
Note, the linux kernel disables the -Werror of the warning for GCC 11 and 12:
https://github.com/torvalds/linux/blob/a1effab7a3a35a837dd9d2b974a1bc4939df1ad5/init/Kconfig#L893-L904
while they still hope it can be enabled for GCC 13.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (7 preceding siblings ...)
2023-03-22 14:13 ` marxin at gcc dot gnu.org
@ 2023-03-22 14:37 ` jakub at gcc dot gnu.org
2023-03-22 14:39 ` jakub at gcc dot gnu.org
` (5 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-03-22 14:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #8 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Slightly further reduced:
/* { dg-do compile } */
/* { dg-options "-O2 -Warray-bounds" } */
struct S { unsigned x, y, z; };
struct T { struct S f[5]; unsigned h; };
void foo (void);
void
bar (struct T *t)
{
for (int i = 0; i < t->h; i++)
{
struct S *s = &t->f[i]; /* { dg-bogus "array subscript 5 is above array
bounds" } */
if (i <= 4)
s->y = 1;
s->z = 2;
if (i)
s->x = 3;
}
}
I guess what is going on is that we thread the body,
if (i > 4)
{
s->z = 2;
goto do_x;
}
else
{
s->y = 1;
s->z = 2;
if (i)
{
do_x:
s->x = 3;
}
}
because if i > 4, we know we don't want to store s->y and know we don't need to
check if i is non-zero further.
Next evrp determines that the range of the i_4 index is [0, 5] for some reason
rather than the [0, 4] for which it is well defined, perhaps because of the
dead
s_15 = &t_10(D)->f[i_4];
statement that nothing has DCEd yet or what, and everything goes wrong from
that point,
as evrp because of that folds the
MEM <struct T> [(struct S *)t_10(D)].f[i_4].z = 2;
statement done only for i_4 > 4 into
MEM <struct T> [(struct S *)t_10(D)].f[5].z = 2;
and later we warn on that very statement.
Now, a question on the kernel side is obviously why when
#define TG3_RSS_MAX_NUM_QS 4
#define TG3_IRQ_MAX_VECS_RSS (TG3_RSS_MAX_NUM_QS + 1)
#define TG3_IRQ_MAX_VECS TG3_IRQ_MAX_VECS_RSS
...
struct tg3_napi napi[TG3_IRQ_MAX_VECS];
it has the
for (i = 0; i < tp->irq_max; i++) {
struct tg3_napi *tnapi = &tp->napi[i];
tnapi->tp = tp;
tnapi->tx_pending = TG3_DEF_TX_RING_PENDING;
tnapi->int_mbox = intmbx;
if (i <= 4)
intmbx += 0x8;
else
intmbx += 0x4;
rather than just doing intmbx == 0x8; always. That introduction of the dead
code there confuses the warning.
And on the ranger side why we have determined the [0, 5] range rather than [0,
4], whether it is related to inaccurate number of iterations estimation, or
ranger using it incorrectly, ...
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (8 preceding siblings ...)
2023-03-22 14:37 ` jakub at gcc dot gnu.org
@ 2023-03-22 14:39 ` jakub at gcc dot gnu.org
2023-03-22 15:02 ` aldyh at gcc dot gnu.org
` (4 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-03-22 14:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #9 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Jakub Jelinek from comment #8)
> rather than just doing intmbx == 0x8; always.
intmbx += 0x8; of course, sorry for the typo.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (9 preceding siblings ...)
2023-03-22 14:39 ` jakub at gcc dot gnu.org
@ 2023-03-22 15:02 ` aldyh at gcc dot gnu.org
2023-03-22 17:16 ` amacleod at redhat dot com
` (3 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: aldyh at gcc dot gnu.org @ 2023-03-22 15:02 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #10 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
(In reply to Jakub Jelinek from comment #8)
> And on the ranger side why we have determined the [0, 5] range rather than
> [0, 4], whether it is related to inaccurate number of iterations estimation,
> or ranger using it incorrectly, ...
The [0, 5] is actually coming from SCEV, which ranger is using to refine the
range. Presumably, ranger is doing worse than SCEV, because it doesn't improve
it.
$ grep 'Loops range fo' a.c.*evrp
Loops range found for i_3: [irange] int [0, 5] NONZERO 0x7 and calculated
range :[irange] int [-2147483647, +INF]
Loops range found for i_3: [irange] int [0, 5] NONZERO 0x7 and calculated
range :[irange] int [0, 6] NONZERO 0x7
Perhaps Andrew can pontificate on the recalculations / iterations / etc.
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (10 preceding siblings ...)
2023-03-22 15:02 ` aldyh at gcc dot gnu.org
@ 2023-03-22 17:16 ` amacleod at redhat dot com
2023-03-23 10:00 ` rguenth at gcc dot gnu.org
` (2 subsequent siblings)
14 siblings, 0 replies; 16+ messages in thread
From: amacleod at redhat dot com @ 2023-03-22 17:16 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #11 from Andrew Macleod <amacleod at redhat dot com> ---
(In reply to Aldy Hernandez from comment #10)
> (In reply to Jakub Jelinek from comment #8)
>
> > And on the ranger side why we have determined the [0, 5] range rather than
> > [0, 4], whether it is related to inaccurate number of iterations estimation,
> > or ranger using it incorrectly, ...
>
> The [0, 5] is actually coming from SCEV, which ranger is using to refine the
> range. Presumably, ranger is doing worse than SCEV, because it doesn't
> improve it.
>
> $ grep 'Loops range fo' a.c.*evrp
> Loops range found for i_3: [irange] int [0, 5] NONZERO 0x7 and calculated
> range :[irange] int [-2147483647, +INF]
> Loops range found for i_3: [irange] int [0, 5] NONZERO 0x7 and calculated
> range :[irange] int [0, 6] NONZERO 0x7
>
> Perhaps Andrew can pontificate on the recalculations / iterations / etc.
Im not sure what to add.
SCEV tells us its [0,5] .
Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].y = 1;
is executed at most 4 (bounded by 4) + 1 times in loop 1.
Induction variable (int) 0 + 1 * iteration does not wrap in statement MEM
<struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
in loop 1.
Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
is executed at most 4 (bounded by 4) + 1 times in loop 1.
Induction variable (int) 0 + 1 * iteration does not wrap in statement MEM
<struct T> [(struct S *)t_9(D)].f[i_3].x = 3;
in loop 1.
Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].x = 3;
is executed at most 4 (bounded by 4) + 1 times in loop 1.
Induction variable (int) 0 + 1 * iteration does not wrap in statement MEM
<struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
in loop 1.
Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
is executed at most 4 (bounded by 4) + 1 times in loop 1.
Trying to walk loop body to reduce the bound.
Found better loop bound 5
I see nothing else in the IL to help ranger make any other decision, so it
defers to SCEV, and the transformtion to rewrite the array index to [5] seems
spot on, its the only possible value that can be there... THe branch condition
is:
_1 = t_9(D)->h;
i.0_2 = (unsigned int) i_3;
if (_1 > i.0_2)
goto <bb 3>;
Ranger knows nothing of the value of _1, and with i_3 being [0,5] there is
nothing that I can see that ranger could do
Why does scev decide 5 is a better bound?
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (11 preceding siblings ...)
2023-03-22 17:16 ` amacleod at redhat dot com
@ 2023-03-23 10:00 ` rguenth at gcc dot gnu.org
2023-03-27 6:13 ` ubizjak at gmail dot com
2023-05-08 12:26 ` [Bug c/109233] [12/13/14 " rguenth at gcc dot gnu.org
14 siblings, 0 replies; 16+ messages in thread
From: rguenth at gcc dot gnu.org @ 2023-03-23 10:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |hubicka at gcc dot gnu.org
--- Comment #12 from Richard Biener <rguenth at gcc dot gnu.org> ---
(In reply to Andrew Macleod from comment #11)
> (In reply to Aldy Hernandez from comment #10)
> > (In reply to Jakub Jelinek from comment #8)
> >
> > > And on the ranger side why we have determined the [0, 5] range rather than
> > > [0, 4], whether it is related to inaccurate number of iterations estimation,
> > > or ranger using it incorrectly, ...
> >
> > The [0, 5] is actually coming from SCEV, which ranger is using to refine the
> > range. Presumably, ranger is doing worse than SCEV, because it doesn't
> > improve it.
> >
> > $ grep 'Loops range fo' a.c.*evrp
> > Loops range found for i_3: [irange] int [0, 5] NONZERO 0x7 and calculated
> > range :[irange] int [-2147483647, +INF]
> > Loops range found for i_3: [irange] int [0, 5] NONZERO 0x7 and calculated
> > range :[irange] int [0, 6] NONZERO 0x7
> >
> > Perhaps Andrew can pontificate on the recalculations / iterations / etc.
>
> Im not sure what to add.
>
>
> SCEV tells us its [0,5] .
>
> Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].y = 1;
> is executed at most 4 (bounded by 4) + 1 times in loop 1.
> Induction variable (int) 0 + 1 * iteration does not wrap in statement MEM
> <struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
> in loop 1.
> Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
> is executed at most 4 (bounded by 4) + 1 times in loop 1.
> Induction variable (int) 0 + 1 * iteration does not wrap in statement MEM
> <struct T> [(struct S *)t_9(D)].f[i_3].x = 3;
> in loop 1.
> Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].x = 3;
> is executed at most 4 (bounded by 4) + 1 times in loop 1.
> Induction variable (int) 0 + 1 * iteration does not wrap in statement MEM
> <struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
> in loop 1.
> Statement MEM <struct T> [(struct S *)t_9(D)].f[i_3].z = 2;
> is executed at most 4 (bounded by 4) + 1 times in loop 1.
> Trying to walk loop body to reduce the bound.
> Found better loop bound 5
>
>
> I see nothing else in the IL to help ranger make any other decision, so it
> defers to SCEV, and the transformtion to rewrite the array index to [5]
> seems spot on, its the only possible value that can be there... THe branch
> condition is:
> _1 = t_9(D)->h;
> i.0_2 = (unsigned int) i_3;
> if (_1 > i.0_2)
> goto <bb 3>;
>
> Ranger knows nothing of the value of _1, and with i_3 being [0,5] there is
> nothing that I can see that ranger could do
>
> Why does scev decide 5 is a better bound?
It's the first bound it finds, based on the access. The issue is that
the accesses are after the exit test and we're doing adjustments to
the estimates in discover_iteration_bound_by_body_walk like
/* Exit terminates loop at given iteration, while non-exits produce
undefined
effect on the next iteration. */
if (!elt->is_exit)
{
bound += 1;
but note we're always setting elt->is_exit to false for bounds discovered
from array refs (see record_estimate call from record_nonwrapping_iv from
idx_infer_loop_bounds). I think there's either some duplicate accounting
or confusion as to what is_exit means though. Since we record the number
of latch executions the estimate from blocks dominated by the exit test
should be directly usable as estimate while those before the exit test
would need adjustment in the other direction?
is_exit is documented as
/* True if, after executing the statement BOUND + 1 times, we will
leave the loop; that is, all the statements after it are executed at most
BOUND times. */
bool is_exit;
the "that is, all the statements after it are executed at most BOUND times"
really suggests this is about an actual exit statement and not about
position relative to the exit. In the function of the above loop we
translate the stmt execution bound to a bound on the number of latch
executions (so the last time an exit stmt is executed it will exit the
loop, so no +1).
Note this is a tricky area and we have many related bugreports, but
testsuite coverage should be quite good here.
Btw, the actual thing is that the IV as analyzed by SCEV can get the
value 5, the actual array references will not be executed but we must
exit the loop in that case. That's something not covered by niter
analysis / SCEV directly but if you use max_stmt_executions () on
blocks following the exit test you should be able to determine that
i != 5 is always true. So the fix is probably somewhere in ranger
determining that on the exit test edge remaining in the loop, the
bounds on other IVs can be adjusted by one (but only on that edge).
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (12 preceding siblings ...)
2023-03-23 10:00 ` rguenth at gcc dot gnu.org
@ 2023-03-27 6:13 ` ubizjak at gmail dot com
2023-05-08 12:26 ` [Bug c/109233] [12/13/14 " rguenth at gcc dot gnu.org
14 siblings, 0 replies; 16+ messages in thread
From: ubizjak at gmail dot com @ 2023-03-27 6:13 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
--- Comment #13 from Uroš Bizjak <ubizjak at gmail dot com> ---
(In reply to Martin Liška from comment #7)
> Note, the linux kernel disables the -Werror of the warning for GCC 11 and 12:
> https://github.com/torvalds/linux/blob/
> a1effab7a3a35a837dd9d2b974a1bc4939df1ad5/init/Kconfig#L893-L904
>
> while they still hope it can be enabled for GCC 13.
This is a grep for "error:" in make allyesconfig compilation (make -k):
./include/linux/fortify-string.h:57:33: error: ‘__builtin_memcpy’ pointer
overflow between offset 0 and size [-2147483648, -1] [-Werror=array-bounds=]
./include/linux/fortify-string.h:57:33: error: ‘__builtin_memcpy’ pointer
overflow between offset 0 and size [-2147483648, -1] [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -50 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -64 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -63 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -62 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -52 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -51 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -61 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -60 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -59 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
fs/btrfs/sysfs.c:637:13: error: array subscript -57 is outside array bounds of
‘struct kobject[36028797018963967]’ [-Werror=array-bounds=]
./include/linux/fortify-string.h:57:33: error: array subscript ‘unsigned
char[16][0]’ is partly outside array bounds of ‘u8[15]’ {aka ‘unsigned
char[15]’} [-Werror=array-bounds=]
drivers/net/ethernet/broadcom/tg3.c:17787:51: error: array subscript 5 is above
array bounds of ‘struct tg3_napi[5]’ [-Werror=array-bounds=]
drivers/net/ethernet/broadcom/tg3.c:17787:51: error: array subscript 5 is above
array bounds of ‘struct tg3_napi[5]’ [-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:125:30: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[4]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:126:30: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[4]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:125:30: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[20]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:126:30: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[20]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:161:12: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[20]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:162:12: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[20]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:163:12: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[20]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:164:12: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[20]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:125:30: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[8]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:126:30: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[8]’
[-Werror=array-bounds=]
drivers/net/wireless/ath/carl9170/cmd.c:220:12: error: array subscript ‘struct
carl9170_cmd[0]’ is partly outside array bounds of ‘unsigned char[8]’
[-Werror=array-bounds=]
drivers/media/tuners/mxl5005s.c:3429:72: error: array subscript 32 is above
array bounds of ‘u16[25]’ {aka ‘short unsigned int[25]’}
[-Werror=array-bounds=]
drivers/media/tuners/mxl5005s.c:3448:70: error: array subscript 32 is above
array bounds of ‘u16[25]’ {aka ‘short unsigned int[25]’}
[-Werror=array-bounds=]
drivers/hwmon/lm85.c:1110:26: error: array subscript [0, 31] is outside array
bounds of ‘struct lm85_autofan[3]’ [-Werror=array-bounds=]
drivers/media/platform/nxp/imx-jpeg/mxc-jpeg.c:641:42: error: array subscript 2
is above array bounds of ‘u32[2]’ {aka ‘unsigned int[2]’}
[-Werror=array-bounds=]
drivers/net/ethernet/microchip/sparx5/sparx5_psfp.c:167:31: error: array
subscript 4 is above array bounds of ‘const struct sparx5_psfp_gce[4]’
[-Werror=array-bounds=]
drivers/infiniband/core/user_mad.c:564:50: error: array subscript ‘struct
ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’
[-Werror=array-bounds=]
drivers/infiniband/core/user_mad.c:566:42: error: array subscript ‘struct
ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’
[-Werror=array-bounds=]
drivers/infiniband/core/user_mad.c:618:25: error: array subscript ‘struct
ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’
[-Werror=array-bounds=]
drivers/infiniband/core/user_mad.c:622:44: error: array subscript ‘struct
ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’
[-Werror=array-bounds=]
drivers/infiniband/hw/bnxt_re/qplib_sp.c:229:29: error: array subscript 0 is
outside array bounds of ‘struct bnxt_qplib_sgid_tbl[230584300921369395]’
[-Werror=array-bounds=]
drivers/infiniband/hw/bnxt_re/qplib_sp.c:290:29: error: array subscript 0 is
outside array bounds of ‘struct bnxt_qplib_sgid_tbl[230584300921369395]’
[-Werror=array-bounds=]
drivers/platform/chrome/cros_ec_vbc.c:36:15: error: array subscript ‘struct
ec_params_vbnvcontext[1]’ is partly outside array bounds of ‘unsigned char[36]’
[-Werror=array-bounds=]
drivers/staging/rtl8712/rtl871x_xmit.c:949:40: error: array subscript 4 is
outside array bounds of ‘void[448]’ [-Werror=array-bounds=]
drivers/staging/rtl8712/rtl871x_xmit.c:950:39: error: array subscript 4 is
outside array bounds of ‘void[448]’ [-Werror=array-bounds=]
^ permalink raw reply [flat|nested] 16+ messages in thread
* [Bug c/109233] [12/13/14 Regression] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
` (13 preceding siblings ...)
2023-03-27 6:13 ` ubizjak at gmail dot com
@ 2023-05-08 12:26 ` rguenth at gcc dot gnu.org
14 siblings, 0 replies; 16+ messages in thread
From: rguenth at gcc dot gnu.org @ 2023-05-08 12:26 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=109233
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|12.3 |12.4
--- Comment #14 from Richard Biener <rguenth at gcc dot gnu.org> ---
GCC 12.3 is being released, retargeting bugs to GCC 12.4.
^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2023-05-08 12:26 UTC | newest]
Thread overview: 16+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-21 13:58 [Bug c/109233] New: warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ ubizjak at gmail dot com
2023-03-21 14:01 ` [Bug c/109233] " ubizjak at gmail dot com
2023-03-21 14:05 ` ubizjak at gmail dot com
2023-03-22 10:27 ` ubizjak at gmail dot com
2023-03-22 10:38 ` [Bug c/109233] warning: array subscript 5 is above array bounds of ‘struct tg3_napi[5]’ since r12-2591 jakub at gcc dot gnu.org
2023-03-22 10:40 ` [Bug c/109233] [12/13 Regression] " jakub at gcc dot gnu.org
2023-03-22 10:43 ` ubizjak at gmail dot com
2023-03-22 12:10 ` ubizjak at gmail dot com
2023-03-22 14:13 ` marxin at gcc dot gnu.org
2023-03-22 14:37 ` jakub at gcc dot gnu.org
2023-03-22 14:39 ` jakub at gcc dot gnu.org
2023-03-22 15:02 ` aldyh at gcc dot gnu.org
2023-03-22 17:16 ` amacleod at redhat dot com
2023-03-23 10:00 ` rguenth at gcc dot gnu.org
2023-03-27 6:13 ` ubizjak at gmail dot com
2023-05-08 12:26 ` [Bug c/109233] [12/13/14 " rguenth at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).