public inbox for gcc-bugs@sourceware.org
* [Bug analyzer/111095] New: -Wanalyzer-out-of-bounds false negative with `return l_1322[9];`
@ 2023-08-22  2:55 dale.mengli.ming at proton dot me
  2023-09-06 21:15 ` [Bug analyzer/111095] -Wanalyzer-out-of-bounds false negative with `return l_1322[9];` at -O1 and above dmalcolm at gcc dot gnu.org
                   ` (4 more replies)
  0 siblings, 5 replies; 6+ messages in thread
From: dale.mengli.ming at proton dot me @ 2023-08-22  2:55 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

            Bug ID: 111095
           Summary: -Wanalyzer-out-of-bounds false negative with `return
                    l_1322[9];`
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: analyzer
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: dale.mengli.ming at proton dot me
  Target Milestone: ---

Hi, in this case (https://godbolt.org/z/sKPxGrG8z), the array `l_1322` has a
capacity of 7. However, in relation to the `return l_1322[9]` statement, it
appears (with -O1, -O2, -O3) that the analyzer doesn't report any related
warnings.

Thanks for taking the time to look at this case, even though I'm not sure if
it's helpful for improving the analyzer.

From: dmalcolm at gcc dot gnu.org @ 2023-09-06 21:15 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

David Malcolm <dmalcolm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
            Summary|-Wanalyzer-out-of-bounds    |-Wanalyzer-out-of-bounds
                   |false negative with `return |false negative with `return
                   |l_1322[9];`                 |l_1322[9];` at -O1 and
                   |                            |above
   Last reconfirmed|                            |2023-09-06

--- Comment #1 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
Thanks for filing this bug.

This looks similar to bug 111213.

Adding -fdump-ipa-analyzer=stderr shows that at -O1 and above, the entire body
of the function is optimized away before the analyzer even sees it (presumably
due to undefined behavior).

My hypothesis is that the optimizer sees the undefined behavior and optimizes
the function away (but I haven't checked the details).

If that's the case, that's a strong argument that the analyzer should run
earlier. I'll open a bug about that.

^ permalink raw reply	[flat|nested] 6+ messages in thread
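
A way to detect the masking described in comment #1, as an added example that is not part of the original thread or of GCC: it compiles a file with -fanalyzer at -O0 and at -O1 through -O3 and reports the levels at which fewer -Wanalyzer-out-of-bounds diagnostics appear than at -O0. The function names, the CC override and the sample file are assumptions made for this example; the sample is constructed and is not the reporter's godbolt code.

```shell
#!/bin/sh
# Added example: compare -Wanalyzer-out-of-bounds results across -O levels.
# CC may be overridden; the default assumes a GCC build that supports -fanalyzer.
: "${CC:=gcc}"

# count_oob FILE OPT -> prints the number of -Wanalyzer-out-of-bounds
# diagnostics emitted when FILE is compiled with -fanalyzer at level OPT.
count_oob() {
    # grep -c exits non-zero on a count of 0, so mask that status.
    "$CC" -fanalyzer "$2" -c "$1" -o /dev/null 2>&1 |
        grep -c -e '\[-Wanalyzer-out-of-bounds\]' || true
}

# masked_levels FILE -> prints each optimization level at which fewer
# out-of-bounds diagnostics are reported than at the -O0 baseline.
masked_levels() {
    base=$(count_oob "$1" -O0)
    for opt in -O1 -O2 -O3; do
        n=$(count_oob "$1" "$opt")
        if [ "$n" -lt "$base" ]; then
            echo "$opt"
        fi
    done
    return 0
}

# write_sample PATH -> writes a constructed test case (hypothetical, not the
# code from the bug report): a 7-element array read at index 9.
write_sample() {
    cat > "$1" <<'EOF'
int f(void)
{
    int a[7] = {0};
    return a[9];   /* out-of-bounds read */
}
EOF
}

# When given a source file, report every level that loses diagnostics.
if [ $# -gt 0 ]; then
    for lvl in $(masked_levels "$1"); do
        echo "$1: out-of-bounds diagnostics lost at $lvl" >&2
    done
fi
```

For a level reported as masked, rerunning that compile with -fdump-ipa-analyzer=stderr (the flag used in comment #1) shows the function bodies the analyzer was actually given.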

From: dmalcolm at gcc dot gnu.org @ 2023-09-06 21:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

--- Comment #2 from David Malcolm <dmalcolm at gcc dot gnu.org> ---
(In reply to David Malcolm from comment #1)
[...]
> I'll open a bug about that.

Filed as bug 111312; made this one block that one.

From: dale.mengli.ming at proton dot me @ 2023-10-25  8:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

--- Comment #3 from mengli ming <dale.mengli.ming at proton dot me> ---
(In reply to David Malcolm from comment #1)
> Thanks for filing this bug.
> 
> This looks similar to bug 111213.
> 
> Adding -fdump-ipa-analyzer=stderr shows that at -O1 and above, the entire
> body of the function is optimized away before the analyzer even sees it
> (presumably due to undefined behavior).
> 
> My hypothesis is that the optimizer sees the undefined behavior and
> optimizes the function away (but I haven't checked the details).
> 
> If that's the case, that's a strong argument that the analyzer should run
> earlier. I'll open a bug about that.

Thank you for the detailed explanation, David. I appreciate it.

From: dale.mengli.ming at proton dot me @ 2023-10-25  9:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

--- Comment #4 from mengli ming <dale.mengli.ming at proton dot me> ---
(In reply to David Malcolm from comment #1)
> Thanks for filing this bug.
> 
> This looks similar to bug 111213.
> 
> Adding -fdump-ipa-analyzer=stderr shows that at -O1 and above, the entire
> body of the function is optimized away before the analyzer even sees it
> (presumably due to undefined behavior).
> 
> My hypothesis is that the optimizer sees the undefined behavior and
> optimizes the function away (but I haven't checked the details).
> 
> If that's the case, that's a strong argument that the analyzer should run
> earlier. I'll open a bug about that.

Hi David, under the -O0 optimization level, I found another issue with this
case.

After commenting out irrelevant code like `for (int i = 0; i < 1; i++) ;` or
`union a h;`, the analyzer reports an out-of-bound warning. Moreover, changing
`*g = 0;` to `*g = 1;` also triggers the out-of-bound warning. It's puzzling.

From: dale.mengli.ming at proton dot me @ 2023-10-25  9:03 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111095

--- Comment #5 from mengli ming <dale.mengli.ming at proton dot me> ---
Created attachment 56202
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56202&action=edit
Under the `-O0` optimization level, irrelevant code affects whether the
analyzer will report an out-of-bound warning.
