https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98255
--- Comment #3 from Martin Jambor <jamborm at gcc dot gnu.org> --- So SRA sees statements: n[0][2] = "\t\x02\b"; and later _11 = n[0][3][4294967294]; The latter loads a scalar sitting inside what the store above initialized (according to get_ref_base_and_extent) and so SRA creates a single char replacement for it which is initialized with: n$0$3$4294967294_24 = "\t\x02\b"[4294967294]; the RHS being: <array_ref 0x7ffff76420a8 type <integer_type 0x7ffff74e63f0 char sizes-gimplified public QI size <integer_cst 0x7ffff74cddc8 constant 8> unit-size <integer_cst 0x7ffff74cdde0 constant 1> align:8 warn_if_not_align:0 symtab:0 alias-set -1 canonical-type 0x7ffff74e63f0 precision:8 min <integer_cst 0x7ffff74cde10 -128> max <integer_cst 0x7ffff74cde40 127> pointer_to_this <pointer_type 0x7ffff74f1c78>> arg:0 <string_cst 0x7ffff76133d8 type <array_type 0x7ffff7601498 type <integer_type 0x7ffff74e63f0 char> sizes-gimplified BLK size <integer_cst 0x7ffff74eb180 constant 24> unit-size <integer_cst 0x7ffff7613138 constant 3> align:8 warn_if_not_align:0 symtab:0 alias-set 0 canonical-type 0x7ffff7601498 domain <integer_type 0x7ffff76013f0>> constant "\011\002\010"> arg:1 <integer_cst 0x7ffff76130a8 type <integer_type 0x7ffff74e6690 unsigned int> constant 4294967294> pr98255.c:20:21 start: pr98255.c:20:14 finish: pr98255.c:20:23> At expansion time, that the 4294967294 index is not however sign-expanded and so the program ends up loading from a bad memory address. Is "\t\x02\b"[4294967294] something the expander should sign-extend or should SRA avoid re-using array_refs with indices which change when sign-extended to a pointer width integer?