Created attachment 42773 [details] Test case main program (you also need foobody.i) I ran into this problem trying to use -fcheck-pointer-bounds on GNU Emacs. I used gcc (Ubuntu 7.2.0-8ubuntu3) 7.2.0 on x86-64 (Ubuntu 17.10); my CPU was a Kaby Lake processor (Intel Core i3-7100U) that supports Intel MPX. To reproduce, compile and run the attached source code as follows: gcc -mmpx -fcheck-pointer-bounds -O2 -S foobody.i foomain.i gcc -mmpx -fcheck-pointer-bounds -O2 foobody.s foomain.s ./a.out a.out's output contains many incorrect lines like this: Saw a #BR! status 1 at 0x55fae4af26da The problem occurs because incorrect code is generated for the function 'calculate_address', whose source code looks like this: Lisp_Object *sym = &lispsym[1213]; char *narsym = __builtin___bnd_narrow_ptr_bounds (sym, sym, sizeof (Lisp_Object)); return (Lisp_Object) (narsym + sizeof *sym); This is a pure function that merely calculates an address and returns it. Instead, as foobody.s shows, this function's implementation also modifies global metadata, for example: movq 8+__chkp_bounds_of_lispsym(%rip), %rax cmpq %rdx, %rax cmovb %rdx, %rax movq %rax, 8+__chkp_bounds_of_lispsym(%rip) Here calculate_address's implementation conditionally shrinks __chkp_bounds_of_lispsym, the bounds of the 'lispsym' array. But lispsym is a static array and its bounds should never change. As a result of this mistaken implementation, later valid attempts to access the lispsym array (in 'obviously_safe') fail their bounds check and this mistake in GCC causes the program to crash even though it is a valid program.
Created attachment 42774 [details] Test case subroutines (you also need foomain.i)
MPX is removed, won't fix then.