https://gcc.gnu.org/bugzilla/show_bug.cgi?id=117912
--- Comment #25 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-14 branch has been updated by Richard Biener <rgue...@gcc.gnu.org>:

https://gcc.gnu.org/g:02b1172dad4c444953868f411fc8dd4483f320e7

commit r14-11196-g02b1172dad4c444953868f411fc8dd4483f320e7
Author: Richard Biener <rguent...@suse.de>
Date:   Thu Dec 5 10:47:13 2024 +0100

    tree-optimization/117912 - bogus address equivalences for __builtin_object_size

    VN again is the culprit for exploiting address equivalences before
    __builtin_object_size got the chance to do its job. This time it isn't
    about union members but adjacent structure fields where an address to
    one after the last element of an array field can spill over to the next
    field. The following protects all out-of-bound accesses on the upper
    bound side (singling out TYPE_MAX_VALUE + 1 is more expensive). It
    ignores other out-of-bound addresses that would invoke UB. Zero-sized
    arrays are a bit awkward because C++ represents them with a -1U upper
    bound. There's a similar issue for zero-sized components whose address
    can be the same as the adjacent field in C.

            PR tree-optimization/117912
            * tree-ssa-sccvn.cc (copy_reference_ops_from_ref): For addresses
            of zero-sized components do not set ->off if the object size pass
            didn't run. For OOB ARRAY_REF accesses in address expressions
            avoid setting ->off if the object size pass didn't run.
            (valueize_refs_1): Likewise.

            * c-c++-common/torture/pr117912-1.c: New testcase.
            * c-c++-common/torture/pr117912-2.c: Likewise.
            * c-c++-common/torture/pr117912-3.c: Likewise.

    (cherry picked from commit 233972ab3b5338d7a5d1d7af9108c1f366170e44)
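An added illustration of the field-spill pattern the commit message describes (this is my code, not GCC's pr117912 testcases, which are not shown here); the struct layout and function names are constructed for the example:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed layout matching the pattern in the commit message: an array
 * field followed directly by another field.  With char arrays there is no
 * padding, so &s.a[4] (one past the end of a) has the same address as
 * &s.b[0].  That address equivalence is what value numbering exploited. */
struct adjacent {
    char a[4];
    char b[4];
};

static struct adjacent s;

/* 1 if the one-past-the-end address of a coincides with the start of b. */
int spills_into_next_field(void)
{
    return (char *)&s.a[4] == (char *)&s.b[0];
}

/* Bytes the compiler believes remain at &s.a[4] for the given
 * __builtin_object_size mode.  Mode 0 measures to the end of the whole
 * object s, so the correct answer is 4.  Mode 1 measures the closest
 * enclosing subobject a, so the correct answer is 0.  If VN had already
 * replaced &s.a[4] with &s.b[0] before the objsz pass ran (the bug),
 * mode 1 reports 4 instead, and a fortified write of 4 bytes through that
 * pointer would no longer be flagged as overflowing a.  The values are
 * only meaningful when the objsz pass runs (optimization enabled);
 * otherwise the builtin yields its "unknown" result, (size_t)-1. */
size_t remaining_at_end_of_a(int mode)
{
    switch (mode) {
    case 0: return __builtin_object_size(&s.a[4], 0);
    case 1: return __builtin_object_size(&s.a[4], 1);
    default: return (size_t)-1;
    }
}

int main(void)
{
    printf("&s.a[4] == &s.b[0]: %d\n", spills_into_next_field());
    printf("mode 0: %zu, mode 1: %zu\n",
           remaining_at_end_of_a(0), remaining_at_end_of_a(1));
    return 0;
}
```

Compile with -O2 under an affected GCC 14 and under one carrying this fix to compare the mode 1 result.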