[Bug middle-end/102970] [11/12 Regression] stable_sort uninitialized value with -funroll-loops -fno-tree-vectorize since r11-2963-gd6a05b494b4b714e

rguenth at gcc dot gnu.org gcc-bugzilla@gcc.gnu.org
Wed Nov 3 11:11:02 GMT 2021


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102970

--- Comment #5 from Richard Biener <rguenth at gcc dot gnu.org> ---
So it looks like while we copy the array to an allocated array successfully
the call

        movl    $10, %edx
        movq    %rbp, %rsi
        leaq    32(%rsp), %rdi
        movq    %r12, 8(%rsp)
        call    _ZNSt17_Temporary_bufferIN9__gnu_cxx17__normal_iteratorIP3boxSt6vectorIS2_SaIS2_EEEES2_EC1ES7_l

clobbers part of the vRects data on the stack.  (it is at 32(%rsp))

This is the function that is apparently miscompiled I think.  We have there

  <bb 9> [local count: 3804909251]:
  # PT = { D.54048 } (escaped, escaped heap)
  # __cur_76 = PHI <__cur_43(11), __cur_36(8)>
  # prephitmp_81 = PHI <pretmp_80(11), _32(8)>
  # prephitmp_83 = PHI <pretmp_82(11), _33(8)>
  # prephitmp_31 = PHI <pretmp_78(11), _34(8)>
  # prephitmp_28 = PHI <pretmp_45(11), _35(8)>
  [t.C:14:9] MEM[(int *)__cur_76 clique 4 base 1] = prephitmp_81;
  [t.C:15:9] MEM[(int *)__cur_76 + 4B clique 4 base 1] = prephitmp_83;
  [t.C:16:9] MEM[(int *)__cur_76 + 8B clique 4 base 1] = prephitmp_31;
  [t.C:17:9] MEM[(int *)__cur_76 + 12B clique 4 base 1] = prephitmp_28;
  [/home/rguenther/install/gcc-11/usr/local/include/c++/11.2.1/bits/stl_tempbuf.h:212:8] # PT = { D.54048 } (escaped, escaped heap)
  __cur_43 = __cur_76 + 16;
  [/home/rguenther/install/gcc-11/usr/local/include/c++/11.2.1/bits/stl_tempbuf.h:212:20] if (_3 != __cur_43)
    goto <bb 11>; [89.00%]
  else
    goto <bb 10>; [11.00%]

  <bb 10> [local count: 418540015]:
  # RANGE ~[18446744073709551600, 18446744073709551600]
  _37 = 18446744073709551600 - _56;
  _41 = _37 + _42;
  [/home/rguenther/install/gcc-11/usr/local/include/c++/11.2.1/bits/stl_tempbuf.h:212:8] # PT = { D.54048 } (escaped, escaped heap)
  __prev_27 = _26 + _41;
  goto <bb 12>; [100.00%]

  <bb 11> [local count: 3386369236]:
  [t.C:14:18] pretmp_80 = MEM[(int *)__cur_43 + -16B clique 4 base 0];
  [t.C:15:18] pretmp_82 = MEM[(int *)__cur_43 + -12B clique 4 base 0];
  [t.C:16:18] pretmp_78 = MEM[(int *)__cur_43 + -8B clique 4 base 0];
  [t.C:17:18] pretmp_45 = MEM[(int *)__cur_43 + -4B clique 4 base 0];
  goto <bb 9>; [100.00%]

note how PRE manages to "leak" the clique from one iteration to the previous
by translating the references across the backedge but the references
do actually conflict.

So we get to changes that are invalid done by sched2.  Both disabling
sched2 and PRE avoids this situation.

-fdbg-cnt=treepre_insert:10-10 is enough to trigger it (on the 11 branch).

