[Bug c++/110620] New: spurious array-bounds

[Bug c++/110620] New: spurious array-bounds

[cuzdav at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

            Bug ID: 110620
           Summary: spurious array-bounds
           Product: gcc
           Version: 12.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: cuzdav at gmail dot com
  Target Milestone: ---

[Bug tree-optimization/110620] spurious array-bounds

[cuzdav at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

--- Comment #1 from Chris Uzdavinis <cuzdav at gmail dot com> ---
Starting with Gcc12.1 (at least on x86) and through all versions up to the
trunk (post 13.1)
This warning hits with optimization -O2 or higher.

https://godbolt.org/z/q3T39Wf8c


    #include <vector>

    void foo(std::vector<std::pair<int,int>>& vec) {
        if (vec.size() > 5) {
            vec[3].first = 0;
        }
    }

    int main() {
        auto v1 = std::vector{std::pair(1, 2)};
        foo(v1);
    }

What is interesting to me is that the analyzer is missing the fact that size is
explicitly tested, and the index is a constant expression that is lower.

There are a lot of array-bounds bugs reported, and all have similarities and
I'm not sure if this is a dupe or not, though I went through the open ones in 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
And did not see an example quite like this.


In function 'void foo(std::vector<std::pair<int, int> >&)',
    inlined from 'int main()' at <source>:11:8:
<source>:5:22: error: array subscript 3 is outside array bounds of
'std::pair<int, int> [1]' [-Werror=array-bounds=]
    5 |         vec[3].first = 0;
In file included from
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/x86_64-linux-gnu/bits/c++allocator.h:33,
                 from
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/allocator.h:46,
                 from
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/vector:63,
                 from <source>:1:
In member function '_Tp* std::__new_allocator<_Tp>::allocate(size_type, const
void*) [with _Tp = std::pair<int, int>]',
    inlined from 'constexpr _Tp* std::allocator< <template-parameter-1-1>
>::allocate(std::size_t) [with _Tp = std::pair<int, int>]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/allocator.h:198:40,
    inlined from 'static constexpr _Tp*
std::allocator_traits<std::allocator<_Up> >::allocate(allocator_type&,
size_type) [with _Tp = std::pair<int, int>]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/alloc_traits.h:482:28,
    inlined from 'constexpr std::_Vector_base<_Tp, _Alloc>::pointer
std::_Vector_base<_Tp, _Alloc>::_M_allocate(std::size_t) [with _Tp =
std::pair<int, int>; _Alloc = std::allocator<std::pair<int, int> >]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/stl_vector.h:378:33,
    inlined from 'constexpr void std::vector<_Tp,
_Alloc>::_M_range_initialize(_ForwardIterator, _ForwardIterator,
std::forward_iterator_tag) [with _ForwardIterator = const std::pair<int, int>*;
_Tp = std::pair<int, int>; _Alloc = std::allocator<std::pair<int, int> >]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/stl_vector.h:1687:25,
    inlined from 'constexpr std::vector<_Tp,
_Alloc>::vector(std::initializer_list<_Tp>, const allocator_type&) [with _Tp =
std::pair<int, int>; _Alloc = std::allocator<std::pair<int, int> >]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/stl_vector.h:677:21,
    inlined from 'int main()' at <source>:10:42:
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/new_allocator.h:147:55:
note: at offset 24 into object of size 8 allocated by 'operator new'
  147 |         return static_cast<_Tp*>(_GLIBCXX_OPERATOR_NEW(__n *
sizeof(_Tp)));
      |                                                       ^
cc1plus: all warnings being treated as errors
Compiler returned: 1

[Bug tree-optimization/110620] spurious array-bounds

[cuzdav at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

--- Comment #2 from Chris Uzdavinis <cuzdav at gmail dot com> ---
Created attachment 55516
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55516&action=edit
preprocessed code

[Bug tree-optimization/110620] spurious array-bounds

[cuzdav at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

--- Comment #3 from Chris Uzdavinis <cuzdav at gmail dot com> ---
Starting with Gcc12.1 (at least on x86) and through all versions up to the
trunk (post 13.1)
This warning hits with optimization -O2 or higher.

https://godbolt.org/z/q3T39Wf8c


    #include <vector>

    void foo(std::vector<std::pair<int,int>>& vec) {
        if (vec.size() > 5) {
            vec[3].first = 0;
        }
    }

    int main() {
        auto v1 = std::vector{std::pair(1, 2)};
        foo(v1);
    }

What is interesting to me is that the analyzer is missing the fact that size is
explicitly tested, and the index is a constant expression that is lower.

There are a lot of array-bounds bugs reported, and all have similarities and
I'm not sure if this is a dupe or not, though I went through the open ones in 
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=56456
And did not see an example quite like this.


In function 'void foo(std::vector<std::pair<int, int> >&)',
    inlined from 'int main()' at <source>:11:8:
<source>:5:22: error: array subscript 3 is outside array bounds of
'std::pair<int, int> [1]' [-Werror=array-bounds=]
    5 |         vec[3].first = 0;
In file included from
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/x86_64-linux-gnu/bits/c++allocator.h:33,
                 from
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/allocator.h:46,
                 from
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/vector:63,
                 from <source>:1:
In member function '_Tp* std::__new_allocator<_Tp>::allocate(size_type, const
void*) [with _Tp = std::pair<int, int>]',
    inlined from 'constexpr _Tp* std::allocator< <template-parameter-1-1>
>::allocate(std::size_t) [with _Tp = std::pair<int, int>]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/allocator.h:198:40,
    inlined from 'static constexpr _Tp*
std::allocator_traits<std::allocator<_Up> >::allocate(allocator_type&,
size_type) [with _Tp = std::pair<int, int>]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/alloc_traits.h:482:28,
    inlined from 'constexpr std::_Vector_base<_Tp, _Alloc>::pointer
std::_Vector_base<_Tp, _Alloc>::_M_allocate(std::size_t) [with _Tp =
std::pair<int, int>; _Alloc = std::allocator<std::pair<int, int> >]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/stl_vector.h:378:33,
    inlined from 'constexpr void std::vector<_Tp,
_Alloc>::_M_range_initialize(_ForwardIterator, _ForwardIterator,
std::forward_iterator_tag) [with _ForwardIterator = const std::pair<int, int>*;
_Tp = std::pair<int, int>; _Alloc = std::allocator<std::pair<int, int> >]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/stl_vector.h:1687:25,
    inlined from 'constexpr std::vector<_Tp,
_Alloc>::vector(std::initializer_list<_Tp>, const allocator_type&) [with _Tp =
std::pair<int, int>; _Alloc = std::allocator<std::pair<int, int> >]' at
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/stl_vector.h:677:21,
    inlined from 'int main()' at <source>:10:42:
/opt/compiler-explorer/gcc-13.1.0/include/c++/13.1.0/bits/new_allocator.h:147:55:
note: at offset 24 into object of size 8 allocated by 'operator new'
  147 |         return static_cast<_Tp*>(_GLIBCXX_OPERATOR_NEW(__n *
sizeof(_Tp)));
      |                                                       ^
cc1plus: all warnings being treated as errors
Compiler returned: 1

[Bug tree-optimization/110620] spurious array-bounds

[cuzdav at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

--- Comment #4 from Chris Uzdavinis <cuzdav at gmail dot com> ---
(Sorry I was getting bugzilla errors about collisions when adding comments, but
they seemed to have gone through after all.)

[Bug tree-optimization/110620] spurious array-bounds

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

--- Comment #5 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
From the looks of it is just not optimizing enough before the warning happens.

The final optimized code does not have the store in it.

The store for the vector to create the size of one element vector happens and
then a copy loop happens and then loads from start/finish to figure out the
size of the vector but that is not optimized until dom2 which is after vrp2
already ran ...

[Bug tree-optimization/110620] spurious array-bounds

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110620

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2023-07-11
     Ever confirmed|0                           |1

--- Comment #6 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.  We diagnose

  _41 = operator new (8);

  <bb 3> [local count: 1014634345]:
  # iftmp.3_28 = PHI <_41(2)>
...
  <bb 9> [local count: 507317173]: 
  MEM[(struct value_type &)iftmp.3_28 + 24].first = 0;

and this access _is_ out of bounds, it's just in an unreachable path we
have not yet proved to be unreachable.