https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66992
Bug ID: 66992
Summary: [4.9/5/6 Regression] Incorrect array subscript is above bounds warning
Product: gcc
Version: 4.9.4
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: jakub at gcc dot gnu.org
Target Milestone: ---

On

struct tcp_sack_block { unsigned start_seq; unsigned end_seq; };
struct tcp_sock
{
  struct tcp_sack_block sel_acks[4];
  unsigned char num_sacks;
  unsigned rcv_nxt;
};

static inline _Bool
before (unsigned seq1, unsigned seq2)
{
  return (signed) (seq1 - seq2) < 0;
}

static void
tcp_sack_remove (struct tcp_sock *tp)
{
  struct tcp_sack_block *sp = &tp->sel_acks[0];
  int num_sacks = tp->num_sacks;
  int this_sack;
  for (this_sack = 0; this_sack < num_sacks;)
    {
      if (!before (tp->rcv_nxt, sp->start_seq))
        {
          int i;
          for (i = this_sack + 1; i < num_sacks; i++)
            {
              tp->sel_acks[i - 1] = tp->sel_acks[i];
            }
          num_sacks--;
          continue;
        }
      this_sack++;
      sp++;
    }
  tp->num_sacks = num_sacks;
}

struct tcp_sock mysock = {.num_sacks = 4 };

int
main ()
{
  tcp_sack_remove (&mysock);
  return 0;
}

distilled from the Linux kernel, at -O3 -Wall we get an incorrect warning.

The problem is (starting with r192538) a too conservative # of iterations analysis for the loop: the loop can only execute the body at most 3 times, because otherwise it reaches undefined behavior either in the sel_acks[i - 1] access, or in the sel_acks[i] access. But we actually compute # of iterations 5 on the condition (thus 4 iterations of the body), and then, not surprisingly, VRP1 warns about the last iteration assignment, which is always invalid.
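An added example, not part of the original report: the report's function instrumented with explicit index checks and run over every valid num_sacks (0 to 4), to confirm that the inner loop body runs at most 3 times and never indexes outside sel_acks[]. The names checked_sack_remove, worst_case_inner_iterations and NSACKS, and the sample sequence numbers, are constructed for this illustration.

```c
#include <stdio.h>
#define NSACKS 4                 /* size of sel_acks[] in the report */
struct tcp_sack_block { unsigned start_seq, end_seq; };
struct tcp_sock {
  struct tcp_sack_block sel_acks[NSACKS];
  unsigned char num_sacks; unsigned rcv_nxt;
};
static int before (unsigned a, unsigned b) { return (int) (a - b) < 0; }

/* Control flow of tcp_sack_remove from the report (sp there always equals
   &sel_acks[this_sack]), each index checked before use.  Returns the most
   inner-loop body executions in one pass, or -1 if an index is out of range.  */
static int checked_sack_remove (struct tcp_sock *tp)
{
  int num_sacks = tp->num_sacks, this_sack = 0, max_body = 0;
  while (this_sack < num_sacks) {
    if (before (tp->rcv_nxt, tp->sel_acks[this_sack].start_seq)) {
      this_sack++;
      continue;
    }
    int body = 0;
    for (int i = this_sack + 1; i < num_sacks; i++, body++) {
      if (i - 1 < 0 || i >= NSACKS) return -1;
      tp->sel_acks[i - 1] = tp->sel_acks[i];
    }
    if (body > max_body) max_body = body;
    num_sacks--;
  }
  tp->num_sacks = num_sacks;
  return max_body;
}

/* Every valid num_sacks (0..NSACKS) crossed with every pattern of removable
   blocks (constructed data).  Returns the worst count, or -1 on OOB.  */
static int worst_case_inner_iterations (void)
{
  int worst = 0;
  for (int n = 0; n <= NSACKS; n++)
    for (unsigned mask = 0; mask < (1u << NSACKS); mask++) {
      struct tcp_sock s = { .num_sacks = (unsigned char) n, .rcv_nxt = 100 };
      for (int k = 0; k < NSACKS; k++)
        s.sel_acks[k].start_seq = ((mask >> k) & 1) ? 50 : 200;
      int r = checked_sack_remove (&s);
      if (r < 0) return -1;
      if (r > worst) worst = r;
    }
  return worst;
}

int main (void) { printf ("%d\n", worst_case_inner_iterations ()); return 0; }
```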