authorKeith Randall <khr@golang.org>2025-02-24 13:07:29 -0800
committerKeith Randall <khr@golang.org>2025-02-26 09:39:12 -0800
commit8b8bff7bb29210db868306cd07a03fb15e247b2f (patch)
treef8bf0f117b2ac696c215b0253695353605f59ef5 /test/fixedbugs
parent4c75671871af56fa68076ee3741780e52726ec82 (diff)
cmd/compile: don't pull constant offsets out of pointer arithmetic
This could lead to manufacturing a pointer that points outside its original allocation. Bug was introduced in CL 629858. Fixes #71932 Change-Id: Ia86ab0b65ce5f80a8e0f4f4c81babd07c5904f8d Reviewed-on: https://go-review.googlesource.com/c/go/+/652078 Reviewed-by: Keith Randall <khr@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Cherry Mui <cherryyz@google.com>
Diffstat (limited to 'test/fixedbugs')
-rw-r--r--test/fixedbugs/issue71932.go50
1 files changed, 50 insertions, 0 deletions
diff --git a/test/fixedbugs/issue71932.go b/test/fixedbugs/issue71932.go
new file mode 100644
index 0000000000..d69b2416bb
--- /dev/null
+++ b/test/fixedbugs/issue71932.go
@@ -0,0 +1,50 @@
+// run
+
+// Copyright 2025 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package main
+
+import "runtime"
+
+const C = 16
+
+type T [C * C]byte
+
+func main() {
+ var ts []*T
+
+ for i := 0; i < 100; i++ {
+ t := new(T)
+ // Save every even object.
+ if i%2 == 0 {
+ ts = append(ts, t)
+ }
+ }
+ // Make sure the odd objects are collected.
+ runtime.GC()
+
+ for _, t := range ts {
+ f(t, C, C)
+ }
+}
+
+//go:noinline
+func f(t *T, i, j uint) {
+ if i == 0 || i > C || j == 0 || j > C {
+ return // gets rid of bounds check below (via prove pass)
+ }
+ p := &t[i*j-1]
+ *p = 0
+ runtime.GC()
+ *p = 0
+
+ // This goes badly if compiled to
+ // q := &t[i*j]
+ // *(q-1) = 0
+ // runtime.GC()
+ // *(q-1) = 0
+ // as at the GC call, q is an invalid pointer
+ // (it points past the end of t's allocation).
+}
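Review bot: The test's reliance on heap layout is undocumented: `const C = 16` makes `T` 256 bytes and the loop in `main` drops every odd allocation, but nothing says that these choices are what put a freed object directly after each kept `t`. If `T`'s size is later changed to one the allocator pads, `&t[C*C]` would presumably still fall inside `t`'s own slot, and the test would pass even with the miscompilation present. I would add above `type T` a comment such as `// T's size is chosen to fill its allocation slot exactly, so &t[C*C] points into the next (freed) object.` and extend the closing comment in `f` to say what a regression looks like at run time (presumably a runtime throw during the `runtime.GC()` call), so that a builder failure is recognisable as this memory-safety bug.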