From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugzilla@gcc.gnu.org>
Received: by sourceware.org (Postfix, from userid 48)
 id D266D3858427; Wed, 23 Mar 2022 09:32:39 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org D266D3858427
From: "w at 1wt dot eu" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug middle-end/98503] [11/12 regression] -Warray-bounds false
 positive with global variables at -O2 since r11-3306-g3f9a497d1b0dd9da
Date: Wed, 23 Mar 2022 09:32:39 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: middle-end
X-Bugzilla-Version: 11.0
X-Bugzilla-Keywords: diagnostic, patch
X-Bugzilla-Severity: normal
X-Bugzilla-Who: w at 1wt dot eu
X-Bugzilla-Status: RESOLVED
X-Bugzilla-Resolution: INVALID
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 11.3
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-98503-4-IEoYzXDZRu@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-98503-4@http.gcc.gnu.org/bugzilla/>
References: <bug-98503-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: gcc-bugs@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-bugs mailing list <gcc-bugs.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-bugs>,
 <mailto:gcc-bugs-request@gcc.gnu.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Mar 2022 09:32:39 -0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D98503

--- Comment #19 from Willy Tarreau <w at 1wt dot eu> ---
Hello Richard,

Thanks for looking at this old issue.

> that means next_step will do the bad access of 'head' using the struct ref
> type.

Actually there's no bad access, as if you look closely, next_step() restarts
from cur->list.n, hence undoes exactly what initial_step() did.

In addition for the special case here, the list happens to be at the beginn=
ing
of the struct so there's not even an offset of difference between the list =
head
and the member, so get_initial_step() really returns head here, and next_st=
ep()
will return exactly head as well, which does match the stop condition in the
following while() block and never causes any dereference of any unmapped ar=
ea.

I noticed I have left a mistake when writing the simplified reproducer, I
didn't initialise head, thus I thought it could have contributed to the war=
ning
in the reproducer, but retesting with:

    static struct list head =3D { .n =3D &head, .p =3D &head };

doesn't change anything.

Since then we've worked around this problem by using some ugly casts because
removing the warning could have more long-term consequences if it occasiona=
lly
allows to trigger on a real issue. Still I find it sad when a warning force=
s us
to introduce dangerous casts as a workaround.=