[Bug middle-end/32135] [4.3 Regression] bogus array-ref fold triggering array overflow warning

[hubicka at gcc dot gnu dot org]

------- Comment #4 from hubicka at gcc dot gnu dot org  2008-01-11 15:25 -------
I am testing the attached patch.  It disables the transformation and produce:
  in_cols.0 = (char *) in_cols;
  D.1180 = in_cols.0 + 500;

perhaps more canonical way would be
  in_cols.0 = in_cols + 500;
  d.1180 = (char *)in_cost.0
or for nonzero offset in the second index
  in_cols.0 = in_cols + 500;
  d.1180 = &in_cost.0[nonzero_offset];
But it would need maybe_fold... to produce non-gimple or we would need to do
the transform in gimplifier itself.

Honza

Index: tree-ssa-ccp.c
===================================================================
--- tree-ssa-ccp.c      (revision 131461)
+++ tree-ssa-ccp.c      (working copy)
@@ -1588,6 +1588,7 @@ maybe_fold_offset_to_array_ref (tree bas
 {
   tree min_idx, idx, idx_type, elt_offset = integer_zero_node;
   tree array_type, elt_type, elt_size;
+  tree domain_type;

   /* If BASE is an ARRAY_REF, we can pick up another offset (this time
      measured in units of the size of elements type) from that ARRAY_REF).
@@ -1659,9 +1660,10 @@ maybe_fold_offset_to_array_ref (tree bas
      low bound, if any, convert the index into that type, and add the
      low bound.  */
   min_idx = build_int_cst (idx_type, 0);
-  if (TYPE_DOMAIN (array_type))
+  domain_type = TYPE_DOMAIN (TREE_TYPE (base));
+  if (domain_type)
     {
-      idx_type = TYPE_DOMAIN (array_type);
+      idx_type = domain_type;
       if (TYPE_MIN_VALUE (idx_type))
        min_idx = TYPE_MIN_VALUE (idx_type);
       else
@@ -1681,6 +1683,24 @@ maybe_fold_offset_to_array_ref (tree bas
   /* Make sure to possibly truncate late after offsetting.  */
   idx = fold_convert (idx_type, idx);

+  /* We don't want to construct access past array bounds. For example
+     char *(c[4]);
+
+     c[3][2]; should not be simplified into (*c)[14] or tree-vrp will give
false
+     warning.  */
+  if (domain_type && TYPE_MAX_VALUE (domain_type) 
+      && TREE_CODE (TYPE_MAX_VALUE (domain_type)) == INTEGER_CST)
+    {
+      tree up_bound = TYPE_MAX_VALUE (domain_type);
+
+      if (tree_int_cst_lt (up_bound, idx)
+         /* Accesses after the end of arrays of size 0 (gcc
+            extension) and 1 are likely intentional ("struct
+            hack").  */
+         || compare_tree_int (up_bound, 1) > 0)
+       return NULL_TREE;
+    }
+
   return build4 (ARRAY_REF, elt_type, base, idx, NULL_TREE, NULL_TREE);
 }


-- 

hubicka at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|2008-01-11 14:12:54         |2008-01-11 15:25:44
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=32135