https://gcc.gnu.org/bugzilla/show_bug.cgi?id=120981

            Bug ID: 120981
           Summary: Vectorizer introduces UB address calculation
           Product: gcc
           Version: 16.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kristerw at gcc dot gnu.org
  Target Milestone: ---

The vectorizer introduces an invalid address calculation for the function below
when compiled for AArch64 with "-O3 -march=armv9.5-a -fno-strict-aliasing".

void f(int n, int y, char *arr_2, char *arr_6) {
  for (int i = y; i < n; i++)
    arr_6[i] = arr_6[i] ? (arr_2[i] ? 3 : 8) : 1;
}

The problem occurs when arr_6[i] is always 0. arr_2 does not in that case need
to be a valid pointer as it is not accessed, but the vectorized code must
perform the address calculation, and it is possible that the address
calculation overflows or results in 0, both of which are UB.

The input to the vectorizer seems to correctly have worked around this in the
.LOOP_VECTORIZED code, where the address calculations are done by first casting
the pointer to unsigned long. But the vectorizer changes this to use pointer
arithmetic, which may trigger the UB.
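The following harness is an added example, not part of the report: it exercises f in exactly the situation described above (arr_6 all zero, so arr_2[i] is never evaluated by the abstract machine) while passing an arr_2 value that only becomes invalid once pointer arithmetic is applied to it. The function name, the array size and the chosen arr_2 value are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The function from the bug report, unchanged. */
void f(int n, int y, char *arr_2, char *arr_6) {
  for (int i = y; i < n; i++)
    arr_6[i] = arr_6[i] ? (arr_2[i] ? 3 : 8) : 1;
}

/* Constructed check (not from the report).  arr_6 starts out all zero,
 * so the scalar source never reads arr_2[i].  arr_2 is given a value
 * at the very top of the address space: converting that integer to a
 * pointer is implementation-defined and harmless in itself, but
 * arr_2 + i for i > 0 would overflow, which is what the report says the
 * vectorized code ends up computing.  Returns 1 when the only visible
 * effect of f is the one the scalar source specifies: arr_6[0..y) is
 * still 0 and arr_6[y..n) is 1.  Requires 0 <= y <= n <= 64. */
int arr6_only_effect(int n, int y) {
  enum { CAP = 64 };
  char arr_6[CAP];
  if (n < 0 || n > CAP || y < 0 || y > n)
    return 0;
  memset(arr_6, 0, sizeof arr_6);
  char *arr_2 = (char *)(uintptr_t)-1;   /* never dereferenced */
  f(n, y, arr_2, arr_6);
  for (int i = 0; i < n; i++)
    if (arr_6[i] != (i < y ? 0 : 1))
      return 0;
  return 1;
}
```

Building this with the report's flags and -fsanitize=pointer-overflow is one way to observe the out-of-range address calculation the vectorizer introduces; a non-vectorized build shows the expected result without any diagnostic.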
