[Bug tree-optimization/97556] [11 Regression] ICE at -O2 and -O3 in 32-bit mode on x86_64-pc-linux-gnu in size_remaining, at builtins.c:235 since r11-3827

jakub at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Mon Oct 26 10:28:14 GMT 2020


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97556

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I think the problem is that compute_objsize doesn't bother to check for any
kind of overflow on any arithmetic it does.
E.g. in:
4815              offset_int sz = wi::to_offset (tpsize);
4816              orng[0] *= sz;
4817              orng[1] *= sz;
when orng[0] is 1000000000 and orng[1] is -1 and sz is 3, everything is
multiplied by 3, so we end up with 3000000000 and -3.  Later on the upper bound
is set to
311           offset_int maxoff = wi::to_offset (TYPE_MAX_VALUE (ptrdiff_type_node));
312           offrng[1] = maxoff;
and size_remaining then asserts something that the computation can't really
guarantee.

Adjusted testcase that ICEs with -O2 -m64 the same way:
char a[1][3];   /* 3-byte object indexed by the oversized c below */
int b;

void f () {
  unsigned long long c = 7000000000000000000ULL;
  if (b)
    goto L;
  while (b) {
    c = ~0ULL;  /* second value reaching the store: all bits set */
  L:
    a[c][0] = 0;  /* c scaled by sizeof (a[0]) == 3 in compute_objsize */
  }
}
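To make the overflow argument in the comment concrete, here is an added example (not GCC code, and not Jakub's) that models the quoted arithmetic with plain int64_t standing in for offset_int. It assumes a 64-bit ptrdiff_t (so PTRDIFF_MAX is INT64_MAX); the scale_unchecked, scale_checked, clamp_upper and size_remaining functions and the OffsetRange struct are hypothetical names for this illustration, and size_remaining here is only a model of the invariant a caller needs, not GCC's own routine.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical stand-in for GCC's offset range: inclusive [lo, hi].
struct OffsetRange {
  int64_t lo;
  int64_t hi;
};

// Assumption: LP64 target, so PTRDIFF_MAX == INT64_MAX.
static const int64_t kPtrdiffMax = INT64_MAX;

// Mirrors the quoted compute_objsize lines: multiply both bounds by the
// element size with no overflow or ordering check. With lo = 1000000000,
// hi = -1 and sz = 3 this yields {3000000000, -3}, the malformed range the
// comment describes.
OffsetRange scale_unchecked(OffsetRange r, int64_t sz) {
  r.lo *= sz;
  r.hi *= sz;
  return r;
}

// Checked variant: reject an inverted input range, reject a product that
// overflows int64_t, and reject a result that is no longer ordered.
// On failure *out is left untouched.
bool scale_checked(OffsetRange r, int64_t sz, OffsetRange *out) {
  if (r.lo > r.hi)
    return false;                    // already unusable before scaling
  OffsetRange s;
  if (__builtin_mul_overflow(r.lo, sz, &s.lo))
    return false;
  if (__builtin_mul_overflow(r.hi, sz, &s.hi))
    return false;
  if (s.lo > s.hi)
    return false;                    // overflow or negative sz inverted it
  *out = s;
  return true;
}

// Mirrors the second quoted fragment: force the upper bound to PTRDIFF_MAX.
// This restores lo <= hi but does nothing about a lower bound that is
// already far past the object.
OffsetRange clamp_upper(OffsetRange r) {
  r.hi = kPtrdiffMax;
  return r;
}

// Illustrative model only (not GCC's size_remaining): bytes left in an
// object of obj_size bytes from the lowest possible offset. Returns false
// when the lower bound is not inside the object, which is the case a
// caller must handle instead of asserting on.
bool size_remaining(OffsetRange r, int64_t obj_size, int64_t *remaining) {
  if (r.lo < 0 || r.lo > obj_size || r.lo > r.hi)
    return false;
  *remaining = obj_size - r.lo;
  return true;
}

int main() {
  OffsetRange idx = {1000000000, -1};   // values from the comment above
  OffsetRange bad = clamp_upper(scale_unchecked(idx, 3));
  int64_t rem = 0;
  printf("unchecked: lo=%lld hi=%lld size_remaining ok=%d\n",
         (long long)bad.lo, (long long)bad.hi,
         (int)size_remaining(bad, 3, &rem));
  OffsetRange good;
  printf("checked scaling accepted=%d\n", (int)scale_checked(idx, 3, &good));
  return 0;
}
```

The point of the checked version is that the failure is detected where it arises, at the multiplication, rather than surfacing later as an assertion in a consumer that only sees the clamped upper bound and a lower bound of 3000000000 against a 3-byte object.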
