From 0ad885d11e0c0da83cf53659a8bd2a3aff3a4049 Mon Sep 17 00:00:00 2001
From: rguenth <rguenth@138bc75d-0d04-0410-961f-82ee72b054a4>
Date: Wed, 26 May 2010 11:44:44 +0000
Subject: [PATCH] 2010-05-26  Richard Guenther  <rguenther@suse.de>

	PR middle-end/44069
	* tree-ssa-ccp.c (maybe_fold_stmt_addition): Avoid generating
	out-of-bounds array accesses.

	* g++.dg/torture/pr44069.C: New testcase.


git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/branches/gcc-4_5-branch@159865 138bc75d-0d04-0410-961f-82ee72b054a4
---
 gcc/ChangeLog                          |  6 ++++++
 gcc/testsuite/ChangeLog                |  5 +++++
 gcc/testsuite/g++.dg/torture/pr44069.C | 25 +++++++++++++++++++++++++
 gcc/tree-ssa-ccp.c                     | 12 ++++++++++++
 4 files changed, 48 insertions(+)
 create mode 100644 gcc/testsuite/g++.dg/torture/pr44069.C

diff --git a/gcc/ChangeLog b/gcc/ChangeLog
index 1276c8ca3d4..1603ccbbe70 100644
--- a/gcc/ChangeLog
+++ b/gcc/ChangeLog
@@ -1,5 +1,11 @@
 2010-05-26  Richard Guenther  <rguenther@suse.de>
 
+	PR middle-end/44069
+	* tree-ssa-ccp.c (maybe_fold_stmt_addition): Avoid generating
+	out-of-bounds array accesses.
+
+2010-05-26  Richard Guenther  <rguenther@suse.de>
+
 	Backport from mainline:
 	2010-04-15  Richard Guenther  <rguenther@suse.de>
 
diff --git a/gcc/testsuite/ChangeLog b/gcc/testsuite/ChangeLog
index 67c4f3fd1bb..734d0f70092 100644
--- a/gcc/testsuite/ChangeLog
+++ b/gcc/testsuite/ChangeLog
@@ -1,3 +1,8 @@
+2010-05-26  Richard Guenther  <rguenther@suse.de>
+
+	PR middle-end/44069
+	* g++.dg/torture/pr44069.C: New testcase.
+
 2010-05-24  Eric Botcazou  <ebotcazou@adacore.com>
 
 	PR ada/38394
diff --git a/gcc/testsuite/g++.dg/torture/pr44069.C b/gcc/testsuite/g++.dg/torture/pr44069.C
new file mode 100644
index 00000000000..99fcd173e27
--- /dev/null
+++ b/gcc/testsuite/g++.dg/torture/pr44069.C
@@ -0,0 +1,25 @@
+/* { dg-do run } */
+
+template <unsigned R, unsigned C>
+class M {
+public:
+    M(const int* arr) {
+	for (unsigned long r = 0; r < R; ++r)
+	  for (unsigned long c = 0; c < C; ++c)
+	    m[r*C+c] = arr[r*C+c];
+    }
+    int operator()(unsigned r, unsigned c) const
+      { return m[r*C+c]; }
+private:
+    int m[R*C];
+};
+extern "C" void abort (void);
+int main()
+{
+  int vals[2][2] = { { 1, 2 }, { 5, 6 } };
+  M<2,2> m( &(vals[0][0]) );
+  if (m(1,0) != 5)
+    abort ();
+  return 0;
+}
+
diff --git a/gcc/tree-ssa-ccp.c b/gcc/tree-ssa-ccp.c
index fcfdd18d1bf..b3ad99adce0 100644
--- a/gcc/tree-ssa-ccp.c
+++ b/gcc/tree-ssa-ccp.c
@@ -2294,6 +2294,18 @@ maybe_fold_stmt_addition (location_t loc, tree res_type, tree op0, tree op1)
 	  if (!is_gimple_assign (offset_def))
 	    return NULL_TREE;
 
+	  /* As we will end up creating a variable index array access
+	     in the outermost array dimension make sure there isn't
+	     a more inner array that the index could overflow to.  */
+	  if (TREE_CODE (TREE_OPERAND (op0, 0)) == ARRAY_REF)
+	    return NULL_TREE;
+
+	  /* Do not build array references of something that we can't
+	     see the true number of array dimensions for.  */
+	  if (!DECL_P (TREE_OPERAND (op0, 0))
+	      && !handled_component_p (TREE_OPERAND (op0, 0)))
+	    return NULL_TREE;
+
 	  if (gimple_assign_rhs_code (offset_def) == MULT_EXPR
 	      && TREE_CODE (gimple_assign_rhs2 (offset_def)) == INTEGER_CST
 	      && tree_int_cst_equal (gimple_assign_rhs2 (offset_def),
-- 
2.11.4.GIT