https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97556
--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I think the problem is that compute_objsize doesn't bother to check for any
kind of overflow in any of the arithmetic it does.
E.g. in:
4815 offset_int sz = wi::to_offset (tpsize);
4816 orng[0] *= sz;
4817 orng[1] *= sz;
when orng[0] is 1000000000 and orng[1] is -1 and sz is 3, everything is
multiplied by 3, so we end up with 3000000000 and -3. Later on the upper bound
is set to
311 offset_int maxoff = wi::to_offset (TYPE_MAX_VALUE (ptrdiff_type_node));
312 offrng[1] = maxoff;
and size_remaining then asserts something that the computation can't really
guarantee.
Adjusted testcase that ICEs with -O2 -m64 the same way:
char a[1][3];
int b;

void f ()
{
  /* Fits in ptrdiff_t, but 7e18 * sizeof (a[0]) == 3 no longer does.  */
  unsigned long long c = 7000000000000000000ULL;
  if (b)
    goto L;
  while (b)
    {
      /* ~0ULL is -1 once it is treated as a signed offset.  */
      c = ~0ULL;
    L:
      a[c][0] = 0;
    }
}
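As an added illustration, not GCC's code and not part of the bug comment above: a small C model of scaling an index range by an element size, once the way the quoted "orng[i] *= sz" lines do it (no overflow check, the multiplication wraps) and once with __builtin_mul_overflow, fed the two index values from the testcase. The struct, function names and the "widen to [0, INT64_MAX] on overflow" fallback are assumptions made for this example, not what compute_objsize does or was changed to do.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not GCC's offset_int) of an offset range [lo, hi]
   held in a ptrdiff-sized signed type.  */
typedef struct {
    int64_t lo;
    int64_t hi;
    bool overflowed;   /* set by the checked variant when a bound wrapped */
} off_range;

/* An unsigned index bound reinterpreted as a signed offset, the way
   ~0ULL ends up as -1 in the testcase.  Two's-complement conversion,
   which GCC defines as modulo 2^64.  */
static int64_t index_as_offset(unsigned long long idx)
{
    return (int64_t)idx;
}

/* Unchecked scaling, mirroring the "orng[i] *= sz" pattern: the product
   simply wraps modulo 2^64, so a large positive bound can come back as
   an unrelated value.  */
static off_range scale_unchecked(int64_t lo, int64_t hi, int64_t sz)
{
    off_range r;
    r.lo = (int64_t)((uint64_t)lo * (uint64_t)sz);
    r.hi = (int64_t)((uint64_t)hi * (uint64_t)sz);
    r.overflowed = false;
    return r;
}

/* Checked scaling: if either bound overflows the offset type, give up on
   precision and widen to [0, INT64_MAX].  The fallback range is an
   assumption made for this example.  */
static off_range scale_checked(int64_t lo, int64_t hi, int64_t sz)
{
    off_range r = { 0, 0, false };
    if (__builtin_mul_overflow(lo, sz, &r.lo) ||
        __builtin_mul_overflow(hi, sz, &r.hi)) {
        r.lo = 0;
        r.hi = INT64_MAX;
        r.overflowed = true;
    }
    return r;
}

/* The invariant a consumer of a byte-offset range would reasonably
   expect to hold before it asserts on anything.  */
static bool range_consistent(off_range r)
{
    return r.lo <= r.hi;
}

int main(void)
{
    /* Constructed inputs: the two index values from the testcase and
       sizeof (a[0]) == 3.  */
    int64_t lo = index_as_offset(7000000000000000000ULL);
    int64_t hi = index_as_offset(~0ULL);
    int64_t sz = 3;

    off_range u = scale_unchecked(lo, hi, sz);
    off_range c = scale_checked(lo, hi, sz);

    printf("unchecked: [%lld, %lld] consistent=%d\n",
           (long long)u.lo, (long long)u.hi, (int)range_consistent(u));
    printf("checked:   [%lld, %lld] overflowed=%d consistent=%d\n",
           (long long)c.lo, (long long)c.hi, (int)c.overflowed,
           (int)range_consistent(c));
    return 0;
}
```

The unchecked path turns 7000000000000000000 * 3 into 2553255926290448384 (the product modulo 2^64) and -1 * 3 into -3, a range that is still lo > hi and bears no relation to the real offsets; the checked path reports the overflow and falls back to a range a later assertion can actually rely on.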