This is the mail archive of the gcc-bugs@gcc.gnu.org mailing list for the GCC project.



[Bug middle-end/82286] Wrong array subscript is above array bounds


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=82286

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                   |ASSIGNED
   Last reconfirmed|                              |2017-09-22
                 CC|                              |marxin at gcc dot gnu.org
           Assignee|unassigned at gcc dot gnu.org |marxin at gcc dot gnu.org
     Ever confirmed|0                             |1

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Confirmed, I reduced the test-case a bit:

$ cat pr82286.c
typedef struct
{
  float a[10][10];
} b;

float c;
b d;
int e = 0;

void
f ()
{
  int g;
  for (;;)
    for (g = 0; g < e; g++)
      c = d.a[e][g];
}

$ ./xgcc -B. ~/Programming/testcases/pr82286.c -O3 -Wall -c -fdump-tree-all-details
/home/marxin/Programming/testcases/pr82286.c: In function ‘f’:
/home/marxin/Programming/testcases/pr82286.c:16:14: warning: array subscript is above array bounds [-Warray-bounds]
       c = d.a[e][g];
           ~~~^~~

It's caused by the loop unroller:

Loop 2 iterates at most 10 times.
Loop 2 likely iterates at most 10 times.
Estimating sizes for loop 2
 BB: 5, after_exit: 0
  size:   1 e.1_2 = e;
  size:   2 if (e.1_2 > g_3)
   Exit condition will be eliminated in last copy.
 BB: 4, after_exit: 1
  size:   1 _1 = d.a[e.1_2][g_3];
  size:   1 c = _1;
  size:   1 g_8 = g_3 + 1;
   Induction variable computation will be folded away.
size: 6-1, last_iteration: 3-2
  Loop size: 6
  Estimated size after unrolling: 34

Then we end up with:

...
  <bb 12> [0.10%] [count: INV]:
  _60 = d.a[e.1_59][8];
  c = _60;
  e.1_65 = e;
  if (e.1_65 > 9)
    goto <bb 13>; [50.00%] [count: INV]
  else
    goto <bb 14>; [50.00%] [count: INV]

  <bb 13> [0.10%] [count: INV]:
  _66 = d.a[e.1_65][9];
  c = _66;
  e.1_2 = e;

  <bb 14> [50.00%] [count: INV]:
  goto <bb 3>; [100.00%] [count: INV]

Which is not correct; gcc_unreachable is somehow optimized out. I'll take a
look.
