From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugs-return-213370-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 29675 invoked by alias); 16 Mar 2007 18:14:22 -0000
Received: (qmail 29634 invoked by uid 48); 16 Mar 2007 18:14:09 -0000
Date: Fri, 16 Mar 2007 18:14:00 -0000
Subject: [Bug tree-optimization/31227]  New: [4.3 Regression] -Warray-bounds doesn't play together with loop optimizations
X-Bugzilla-Reason: CC
Message-ID: <bug-31227-87@http.gcc.gnu.org/bugzilla/>
Reply-To: gcc-bugzilla@gcc.gnu.org
To: gcc-bugs@gcc.gnu.org
From: "jakub at gcc dot gnu dot org" <gcc-bugzilla@gcc.gnu.org>
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
X-SW-Source: 2007-03/txt/msg01568.txt.bz2

typedef __SIZE_TYPE__ size_t;

extern size_t strlen (const char *);

struct iovec
{
  void *iov_base;
  size_t iov_len;
};

struct S
{
  const char *abday[7];
  const char *day[7];
  const char *abmon[12];
  const char *mon[12];
  const char *am_pm[2];
};

extern void foo (size_t, struct iovec *);

void
bar (struct S *time)
{
  struct iovec iov[43];
  size_t cnt;
  iov[0].iov_base = (void *) "abc";
  iov[0].iov_len = 3;

  iov[1].iov_base = (void *) "def";
  iov[1].iov_len = 3;

  for (cnt = 0; cnt <= 7; ++cnt)
    {
      iov[2 + cnt].iov_base = (void *) (time->abday[cnt] ?: "");
      iov[2 + cnt].iov_len = strlen (iov[2 + cnt].iov_base) + 1;
    }

  for (; cnt <= 14; ++cnt)
    {
      iov[2 + cnt].iov_base = (void *) (time->day[cnt - 7] ?: "");
      iov[2 + cnt].iov_len = strlen (iov[2 + cnt].iov_base) + 1;
    }

  for (; cnt <= 26; ++cnt)
    {
      iov[2 + cnt].iov_base = (void *) (time->abmon[cnt - 14] ?: "");
      iov[2 + cnt].iov_len = strlen (iov[2 + cnt].iov_base) + 1;
    }

  for (; cnt <= 38; ++cnt)
    {
      iov[2 + cnt].iov_base = (void *) (time->mon[cnt - 26] ?: "");
      iov[2 + cnt].iov_len = strlen (iov[2 + cnt].iov_base) + 1;
    }

  for (; cnt <= 40; ++cnt)
    {
      iov[2 + cnt].iov_base =  (void *) (time->am_pm[cnt - 38] ?: "");
      iov[2 + cnt].iov_len = strlen (iov[2 + cnt].iov_base) + 1;
    }

  foo (2 + cnt, iov);
}

issues at -O2 -Wall bogus warnings:
/tmp/w.c:24: warning: array subscript is above array bounds
/tmp/w.c:24: warning: array subscript is above array bounds

Apparently tree loop optimizations decide to use &time->abmon[14] and
&time->mon[30] pointers (which are outside of the range of the arrays) and then
dereferences that pointer - 112B (96B is the size of abmon array and 16B are
extra 2 pointers because the other array is biased by 2).

The testcase is extracted from glibc.


-- 
           Summary: [4.3 Regression] -Warray-bounds doesn't play together
                    with loop optimizations
           Product: gcc
           Version: 4.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: jakub at gcc dot gnu dot org


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=31227