[Bug c++/71867] New: Optimizer generates code dereferencing a null pointer
vz-gcc at zeitlins dot org
gcc-bugzilla@gcc.gnu.org
Wed Jul 13 21:51:00 GMT 2016
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867
Bug ID: 71867
Summary: Optimizer generates code dereferencing a null pointer
Product: gcc
Version: 5.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: vz-gcc at zeitlins dot org
Target Milestone: ---
First of all, I'd like to say that I'm reporting this bug because it looks like
a rather bad problem in gcc to me, but I don't have any simple example
reproducing it because I couldn't produce one even in spite of spending some
time on this, so please feel free to close if you're not interested in
debugging this.
The problem in question is that, according to the original bug report (see
http://trac.wxwidgets.org/ticket/17483), code generated by gcc -O2 for this
method (omitting parts of the class, you can see the full version at
https://github.com/wxWidgets/wxWidgets/blob/v3.1.0/include/wx/rtti.h#L86):
class wxClassInfo {
public:
    ...
    bool IsKindOf(const wxClassInfo *info) const
    {
        return info != 0 &&
               ( info == this ||
                 ( m_baseInfo1 && m_baseInfo1->IsKindOf(info) ) ||
                 ( m_baseInfo2 && m_baseInfo2->IsKindOf(info) ) );
    }
private:
    const wxClassInfo *m_baseInfo1;
    const wxClassInfo *m_baseInfo2;
};
generates code which crashes at run time because the
m_baseInfo1->IsKindOf() call is made even when m_baseInfo1 is null. The crash
doesn't happen with -O0, or even with an attribute optimize("O0") applied to
just this function.
Unfortunately, extracting this class and compiling just it with -O2 doesn't
show the problem; there must be something else triggering it and making the
optimizer assume that the pointers can never be null (which is true for almost
all classes, but not for the root class of the hierarchy, which is constructed
with null base class info pointers). And, again, I tried, but I couldn't find
what it was.
Rewriting the expression as a sequence of statements, as done in
https://github.com/wxWidgets/wxWidgets/commit/aa3acfdd15eff1519a41b48a2babe4cba75660f9,
fixes the bug, so from my point of view this particular problem is solved, but,
again, I find it rather worrying if the optimizer can miscompile quite
straightforward code like the above, so I still wanted to report it. If you'd
like to look at it, please get any version of wxWidgets prior to the commit
above (e.g. the 3.1.0 release) and build it under Windows. Of course, please let
me know if you need any more information -- other than a simple reproducible
test case, which I, unfortunately, just can't make.
Thanks in advance!
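The following is an added, self-contained harness, not code from the bug report or from wxWidgets. It puts a stand-in for IsKindOf in both forms side by side: the original single short-circuit expression and a version written as a sequence of statements in the spirit of the fix the report links to (the statement form here is written for this example, not copied from the commit). It builds a small hierarchy whose root has null base pointers, exactly the case the report says crashes, and checks both forms against expected answers. The type and function names (ClassInfo, kindOfExpr, kindOfStmts, bothFormsCorrect) and the hierarchy are hypothetical.

```cpp
// Added example, not part of the bug report or of wxWidgets.
// Names and the class hierarchy below are constructed for illustration.
#include <cstddef>
#include <cstdio>

struct ClassInfo {
    const ClassInfo *base1;   // null for a root class
    const ClassInfo *base2;   // null unless multiple inheritance

    // Expression form: the shape reported as miscompiled at -O2.
    // Every dereference is guarded by a short-circuit null test.
    bool kindOfExpr(const ClassInfo *info) const {
        return info != nullptr &&
               ( info == this ||
                 ( base1 && base1->kindOfExpr(info) ) ||
                 ( base2 && base2->kindOfExpr(info) ) );
    }

    // Statement form: same semantics, each null test in its own statement,
    // each pointer dereferenced only after its own test has passed.
    bool kindOfStmts(const ClassInfo *info) const {
        if (info == nullptr)
            return false;
        if (info == this)
            return true;
        if (base1 != nullptr && base1->kindOfStmts(info))
            return true;
        if (base2 != nullptr && base2->kindOfStmts(info))
            return true;
        return false;
    }
};

// Constructed hierarchy: kObject and kMixin are roots (null bases),
// kControl inherits from two bases, kUnrelated is a separate root.
static const ClassInfo kObject    = { nullptr,  nullptr };
static const ClassInfo kWindow    = { &kObject, nullptr };
static const ClassInfo kMixin     = { nullptr,  nullptr };
static const ClassInfo kControl   = { &kWindow, &kMixin };
static const ClassInfo kUnrelated = { nullptr,  nullptr };

struct Case { const ClassInfo *derived; const ClassInfo *base; bool expected; };

// Expected answers; the root cases are the ones where a dereference of a
// null base pointer would be wrong.
static const Case kCases[] = {
    { &kObject,  nullptr,     false },  // null argument must be rejected first
    { &kObject,  &kObject,    true  },
    { &kObject,  &kControl,   false },  // root: both base pointers are null
    { &kWindow,  &kObject,    true  },
    { &kControl, &kObject,    true  },  // reached through the base1 chain
    { &kControl, &kMixin,     true  },  // reached through base2
    { &kControl, &kUnrelated, false },
    { &kMixin,   &kWindow,    false },
};

// Returns true only if both forms give the expected answer for every case.
bool bothFormsCorrect() {
    for (const Case &c : kCases) {
        if (c.derived->kindOfExpr(c.base) != c.expected)
            return false;
        if (c.derived->kindOfStmts(c.base) != c.expected)
            return false;
    }
    return true;
}

int main() {
    const bool ok = bothFormsCorrect();
    std::printf("%s\n", ok ? "both forms agree with the expected results"
                           : "MISMATCH: a form returned a wrong result");
    return ok ? 0 : 1;
}
```

Build it once with plain -O2 and once with -O2 -fsanitize=undefined; the sanitizer build reports any null dereference at the exact line rather than leaving it to a later crash. As the report itself notes, the class in isolation does not reproduce the problem, so this harness is expected to pass; its value is as the shape of a regression check to keep beside the real class, where a mismatch between the two forms, or a sanitizer report on the expression form, would point at the optimizer behaviour the report describes.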