[Bug rtl-optimization/79541] New: lra reads uninitialized memory (with invalid input)

bernds at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Wed Feb 15 19:47:00 GMT 2017 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79541

            Bug ID: 79541
           Summary: lra reads uninitialized memory (with invalid input)
           Product: gcc
           Version: 7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: rtl-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bernds at gcc dot gnu.org
  Target Milestone: ---

Created attachment 40753
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=40753&action=edit
Reproducer

Disclaimer: I'm uncertain how severe this is: the test program contains an
invalid assembly statement that LRA converts into a nop. If that asm is
corrected, the problem no longer reproduces, and I don't know if the issue
could show up on a legitimate input. I noticed this because an unrelated patch
that should have had no effect on this program caused differences in assembly
output.

Compile the test program as follows, for ppc-linux (I use an x86_64-linux x
ppc-linux cross):

valgrind ./cc1 -O2 sl4.i   -I include 

The following should show up in the output:

==7398== Conditional jump or move depends on uninitialised value(s)
==7398==    at 0xCB3791: lra_eliminate_regs_1(rtx_insn*, rtx_def*,
machine_mode, bool, bool, long, bool) (lra-eliminations.c:403)
==7398==    by 0xCB4133: lra_eliminate_regs_1(rtx_insn*, rtx_def*,
machine_mode, bool, bool, long, bool) (lra-eliminations.c:642)
==7398==    by 0xCC1D71: remove_pseudos(rtx_def**, rtx_insn*)
(lra-spills.c:421)
==7398==    by 0xCC1E1F: remove_pseudos(rtx_def**, rtx_insn*)
(lra-spills.c:431)
==7398==    by 0xCC2089: spill_pseudos() (lra-spills.c:475)
==7398==    by 0xCC27A9: lra_spill() (lra-spills.c:604)
==7398==    by 0xC93355: lra(_IO_FILE*) (lra.c:2486)
==7398==    by 0xC38FC0: do_reload() (ira.c:5400)
==7398==    by 0xC39476: (anonymous namespace)::pass_reload::execute(function*)
(ira.c:5584)
==7398==    by 0xD83360: execute_one_pass(opt_pass*) (passes.c:2465)
==7398==    by 0xD836C4: execute_pass_list_1(opt_pass*) (passes.c:2554)
==7398==    by 0xD836F5: execute_pass_list_1(opt_pass*) (passes.c:2555)

The unitialized memory seems to be the sp_offset field of an insn created by
LRA. The .reload dump should contain a line as follows, with random numbers for
sp_off:

         Choosing alt 5 in insn 266:  (0) m  (1) r {*movsi_internal1}
(sp_off=139971034200304)

More information about the Gcc-bugs mailing list