[Bug c++/71867] New: Optimizer generates code dereferencing a null pointer

vz-gcc at zeitlins dot org gcc-bugzilla@gcc.gnu.org
Wed Jul 13 21:51:00 GMT 2016


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

            Bug ID: 71867
           Summary: Optimizer generates code dereferencing a null pointer
           Product: gcc
           Version: 5.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: vz-gcc at zeitlins dot org
  Target Milestone: ---

First of all, I'd like to say that I'm reporting this bug because it looks like
a rather bad problem in gcc to me, but I don't have any simple example
reproducing it because I couldn't produce one even in spite of spending some
time on this, so please feel free to close if you're not interested in
debugging this.

The problem in question is that, according to the original bug report (see
http://trac.wxwidgets.org/ticket/17483), code generated by gcc -O2 for this
method (omitting parts of the class, you can see the full version at
https://github.com/wxWidgets/wxWidgets/blob/v3.1.0/include/wx/rtti.h#L86):

class wxClassInfo {
public:
    // ... (other members omitted, see the full header linked above)
    bool IsKindOf(const wxClassInfo *info) const
    {
        return info != 0 &&
               ( info == this ||
                 ( m_baseInfo1 && m_baseInfo1->IsKindOf(info) ) ||
                 ( m_baseInfo2 && m_baseInfo2->IsKindOf(info) ) );
    }

private:
    const wxClassInfo       *m_baseInfo1;
    const wxClassInfo       *m_baseInfo2;
};

generates code that crashes at run time because the m_baseInfo1->IsKindOf()
call is made even when m_baseInfo1 is null. The crash doesn't happen with -O0
or even with an attribute optimize("O0") applied to just this function.

Unfortunately, extracting this class and compiling just it with -O2 doesn't
show the problem, there must be something else triggering it and making the
optimizer assume that the pointers can never be null (which is true for almost
all classes, but not for the root class of the hierarchy, which is constructed
with null base class info pointer). And, again, I tried, but I couldn't find
what it was.

Rewriting the expression as a sequence of statements, as done in
https://github.com/wxWidgets/wxWidgets/commit/aa3acfdd15eff1519a41b48a2babe4cba75660f9,
fixes the bug, so from my point of view this particular problem is solved, but,
again, I find it rather worrying if the optimizer can miscompile quite
straightforward code like above, so I still wanted to report it. If you'd like
to look at it, please get any version of wxWidgets prior to the commit above
(e.g. 3.1.0 release) and build it under Windows. Of course, please let me know
if you need any more information -- other than a simple reproducible test case
which I, unfortunately, just can't make.
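As an added illustration (not part of the bug report and not wxWidgets' own code), the following self-contained program puts the IsKindOf() expression from the report next to a statement-sequence form with the same meaning, and exercises both over a small constructed hierarchy whose root has null base-info pointers, the case the reporter says the optimizer appears to assume away. The class is deliberately minimal; the constructor, the m_name member, GetName(), the wxObject/wxWindow/wxButton/wxMixin objects and FormsAgree() are assumptions made for this example. The program demonstrates the intended short-circuit semantics and the equivalence of the two forms; it does not claim to reproduce the miscompile, which the reporter could not isolate either.

```cpp
// Added example (not from the bug report or wxWidgets): a minimal class-info
// hierarchy showing the intended semantics of the IsKindOf() from the report
// in two equivalent forms. Names other than wxClassInfo, IsKindOf,
// m_baseInfo1 and m_baseInfo2 are made up for this example.
#include <cstdio>

class wxClassInfo {
public:
    // The root of a hierarchy is built with null base pointers: exactly the
    // case a correct compiler must keep the null checks for.
    wxClassInfo(const char *name,
                const wxClassInfo *base1,
                const wxClassInfo *base2)
        : m_name(name), m_baseInfo1(base1), m_baseInfo2(base2) {}

    // Form 1: the single short-circuit expression quoted in the report.
    bool IsKindOfExpr(const wxClassInfo *info) const
    {
        return info != 0 &&
               ( info == this ||
                 ( m_baseInfo1 && m_baseInfo1->IsKindOfExpr(info) ) ||
                 ( m_baseInfo2 && m_baseInfo2->IsKindOfExpr(info) ) );
    }

    // Form 2: the same logic as a sequence of statements, in the spirit of
    // the rewrite the reporter links to (this is an assumed version, not a
    // copy of the wxWidgets commit). Every dereference is visibly guarded.
    bool IsKindOfStmts(const wxClassInfo *info) const
    {
        if ( !info )
            return false;
        if ( info == this )
            return true;
        if ( m_baseInfo1 && m_baseInfo1->IsKindOfStmts(info) )
            return true;
        if ( m_baseInfo2 && m_baseInfo2->IsKindOfStmts(info) )
            return true;
        return false;
    }

    const char *GetName() const { return m_name; }

private:
    const char        *m_name;
    const wxClassInfo *m_baseInfo1;
    const wxClassInfo *m_baseInfo2;
};

// Constructed hierarchy (assumed names): two roots with null base pointers,
// a single-inheritance child and a dual-inheritance grandchild.
static const wxClassInfo kObject("wxObject", nullptr, nullptr);
static const wxClassInfo kMixin ("wxMixin",  nullptr, nullptr);
static const wxClassInfo kWindow("wxWindow", &kObject, nullptr);
static const wxClassInfo kButton("wxButton", &kWindow, &kMixin);

// Checks both forms over every (class, candidate) pair, including a null
// candidate; returns false if they ever disagree.
bool FormsAgree()
{
    const wxClassInfo *classes[] = { &kObject, &kMixin, &kWindow, &kButton };
    const wxClassInfo *cands[]   = { &kObject, &kMixin, &kWindow, &kButton, nullptr };
    for (const wxClassInfo *cls : classes)
        for (const wxClassInfo *cand : cands)
            if (cls->IsKindOfExpr(cand) != cls->IsKindOfStmts(cand))
                return false;
    return true;
}

int main()
{
    const wxClassInfo *classes[] = { &kObject, &kMixin, &kWindow, &kButton };
    for (const wxClassInfo *cls : classes)
        for (const wxClassInfo *cand : classes)
            std::printf("%-9s IsKindOf %-9s : expr=%d stmts=%d\n",
                        cls->GetName(), cand->GetName(),
                        cls->IsKindOfExpr(cand), cls->IsKindOfStmts(cand));
    std::printf("forms agree: %s\n", FormsAgree() ? "yes" : "no");
    return FormsAgree() ? 0 : 1;
}
```

Built with -O0 and -O2 on a conforming compiler the two forms must print identical columns and "forms agree: yes"; the root objects are the ones whose m_baseInfo1/m_baseInfo2 are null, so any hoisted dereference would surface on their rows.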

Thanks in advance!
