https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86532
--- Comment #27 from Martin Sebor <msebor at gcc dot gnu.org> --- I don't think it would be appropriate to introduce dependencies on the sanitizer for the same reason we can't do that for warnings. But as I mentioned in comment 16, I think performing these sorts of simplifications this early (this one it happens during parsing) prevents subsequent analysis from making use of the information that can be derived from in the original code. Deferring this non-constant folding until later (see bug 86434) would make it possible not only to detect some of these bugs but also transform them into traps/unreachable without any runtime overhead (when we know the non-constant offset's range is out-of-bounds). I did the comparison in signed because that's what the function returns but I do agree that folding to zero rather than arbitrary value. I opened bug 86572 for this idea. Let me propose making the change separately (here I just want to fix the wrong code without preventing existing optimizations). I would also be open to emitting __builtin_unreachable(). The chartype loop needs to change to avoid assuming the element type is necessarily an integer type. I can reproduce the problem on my local machine but I don't know why the full regression test run that I run on my team's server didn't expose this or the previous ICE. I'll look into it. I very much appreciate your testing and feedback. I would just ask you to comment on the patch on the list so we don't clutter with details that are not important to the record of the bug.
