https://gcc.gnu.org/bugzilla/show_bug.cgi?id=101600
--- Comment #2 from Martin Sebor <msebor at gcc dot gnu.org> ---
There's another bug here that can be reproduced with the following slightly modified version of the original test case:

$ cat pr101600-c2.C && /build/gcc-master/gcc/xgcc -B /build/gcc-master/gcc -O2 -S -Wall pr101600-c2.C
struct S1 { virtual ~S1(); };
struct S2 { int m; };
struct S3 { virtual ~S3(); };
struct S4: S1, S2, S3 {};

int f1();

void f2 (S3 *);

S4 s4;

void f3 (void)
{
  S2 *p = &s4;

  for (int i = f1(); f1();)
    {
      if (i == 0)
        {
          p = nullptr;
          break;
        }
    }

  f2 (static_cast<S4 *>(p));
}
pr101600-c2.C: In function ‘void f3()’:
pr101600-c2.C:25:6: warning: array subscript 0 is outside array bounds of ‘S2 [2305843009213693951]’ [-Warray-bounds]
   25 |   f2 (static_cast<S4 *>(p));
      |   ~~~^~~~~~~~~~~~~~~~~~~~~~
pr101600-c2.C:4:8: note: at offset -8 into object ‘S4::<anonymous>’ of size 4
    4 | struct S4: S1, S2, S3 {};
      |        ^~

A simpler (but contrived) C test case goes something like this:

$ cat u.c && gcc -O2 -S -Wall u.c
struct A { int i, j; } a;

int f (void);
void g (int);

void h (void)
{
  void *p = &a.j;

  for (int i = f (); f (); )
    if (!i)
      {
        p = 0;
        break;
      }

  int o = __builtin_offsetof (struct A, j);
  struct A *q = (struct A*)((char*)p - o);

  g (q->i);
}
u.c: In function ‘h’:
u.c:20:7: warning: array subscript 0 is outside array bounds of ‘void[9223372036854775807]’ [-Warray-bounds]
   20 |   g (q->i);
      |       ^~
u.c:1:19: note: at offset -4 into object ‘j’ of size 4
    1 | struct A { int i, j; } a;
      |                   ^