Bug 106292 - Wrong code with -O3
Summary: Wrong code with -O3
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 13.0
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Keywords: wrong-code
Blocks: yarpgen
Reported: 2022-07-14 07:55 UTC by Vsevolod Livinskii
Modified: 2022-07-14 08:29 UTC

Known to work: 11.0


Description Vsevolod Livinskii 2022-07-14 07:55:33 UTC
The wrong optimization causes out-of-bounds array access, which leads to a Segmentation fault. Unfortunately, I was not able to merge the reproducer into a single file ([[gnu::noipa]] and __attribute__((noipa)) didn't work or I've used them incorrectly). This looks like a recent bug because we started to detect it on Tuesday (June 12th).

Reproducer:
//driver.cpp
#include <stdio.h>

bool var_0 = (bool)1;
unsigned int arr_44 = 3397135069U;
bool arr_8 [7];
short arr_61 [140];

void test();

int main() {
  test();
  printf("%u\n", arr_61[117]);
  if (arr_61[117] != 9)
    __builtin_abort();
}

//func.cpp
extern bool var_0;
extern unsigned arr_44;
extern bool arr_8[];
extern short arr_61[];
const unsigned &a(const unsigned &c, unsigned &f) { return f ? c : f; }
bool bar(bool c) { return c; }
void test() {
  for (int b = 0; b < 7; b += var_0)
    arr_8[b] = 1;
  for (int d = 0; d < bar(var_0) + 9; d++)
    for (unsigned e = 0; e < 14; e++)
      arr_61[d * e] = a(d, arr_44);
}

Error:
>$ g++ -O2 func.cpp driver.cpp && ./a.out 
9
>$ g++ -O3 func.cpp driver.cpp && ./a.out 
Segmentation fault (core dumped)

gcc version 13.0.0 20220713 (c479c40f8c8fee0fb70e8a365b61c55739f448e1)
Comment 1 Martin Liška 2022-07-14 08:03:08 UTC
Fixed with r13-1684-g554b21edb9ec91a8.
Comment 2 Aldy Hernandez 2022-07-14 08:29:16 UTC
(In reply to Martin Liška from comment #1)
> Fixed with r13-1684-g554b21edb9ec91a8.

Thanks for tracking this down, Martin.

Sorry for the pain. It was a silly oversight.