[Bug analyzer/105860] New: Miscompilation causing clobbered union contents
tpg+gcc at mutabah dot net
gcc-bugzilla@gcc.gnu.org
Mon Jun 6 12:51:23 GMT 2022
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105860
Bug ID: 105860
Summary: Miscompilation causing clobbered union contents
Product: gcc
Version: 10.3.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: analyzer
Assignee: dmalcolm at gcc dot gnu.org
Reporter: tpg+gcc at mutabah dot net
Target Milestone: ---
Created attachment 53092
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53092&action=edit
Reproduction source file, compile with `gcc -O1`
Found while debugging this issue with auto-generated code:
https://github.com/thepowersgang/mrustc/issues/266#issuecomment-1147389581
gcc generates code that reads 32 bits from offset 8 of a union, and then writes
that value back to offset 4 before copying 64 bits from offset 4, causing data
corruption.
This issue is present on gcc 10.3.0 (`gcc (Ubuntu 10.3.0-1ubuntu1~20.04)
10.3.0`) and on gcc 11.1 (`gcc-11 (Ubuntu 11.1.0-1ubuntu1~20.04) 11.1.0`), but
not on gcc 9.4.0 (`gcc-9 (Ubuntu 9.4.0-1ubuntu1~20.04.1) 9.4.0`).
Compiler flags required: `-O1`
Disassembly with comments pointing to the faulty instructions.
```
0000000000000000 <ZRQG3cM17rustc_middle0_0_02ty3sty20ExistentialPredicate0g3c_A2ty4fold12TypeFoldable0g15super_fold_with1gG3c_A2ty_E16Bou$c6411ae8e3203bad>:
   0: f3 0f 1e fa          endbr64
   4: 41 56                push   %r14
   6: 41 55                push   %r13
   8: 41 54                push   %r12
   a: 49 89 fc             mov    %rdi,%r12
   d: 55                   push   %rbp
   e: 53                   push   %rbx
   f: 48 83 ec 10          sub    $0x10,%rsp
  13: 8b 5c 24 40          mov    0x40(%rsp),%ebx
  17: 8b 6c 24 48          mov    0x48(%rsp),%ebp    ; Read word 3
  1b: 81 fb 01 ff ff ff    cmp    $0xffffff01,%ebx
  21: 74 4d                je     70 <ZRQG3cM17rustc_middle0_0_02ty3sty20ExistentialPredicate0g3c_A2ty4fold12TypeFoldable0g15super_fold_with1gG3c_A2ty_E16Bou$c6411ae8e3203bad+0x70>
  23: 81 fb 03 ff ff ff    cmp    $0xffffff03,%ebx
  29: 74 5d                je     88 <ZRQG3cM17rustc_middle0_0_02ty3sty20ExistentialPredicate0g3c_A2ty4fold12TypeFoldable0g15super_fold_with1gG3c_A2ty_E16Bou$c6411ae8e3203bad+0x88>
-- SNIP ---
  88: 89 6c 24 44          mov    %ebp,0x44(%rsp)    ; Write word 3 over word 2
  8c: 48 8b 44 24 44       mov    0x44(%rsp),%rax    ; Read words 2/3 (values from 3/3)
  91: 48 89 47 04          mov    %rax,0x4(%rdi)     ; Write to words 2/3 of output
  95: eb af                jmp    46 <ZRQG3cM17rustc_middle0_0_02ty3sty20ExistentialPredicate0g3c_A2ty4fold12TypeFoldable0g15super_fold_with1gG3c_A2ty_E16Bou$c6411ae8e3203bad+0x46>
```
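The following is an added C model of the instruction sequence quoted in the report, not the attached reproduction source (attachment 53092) and not code from the reporter or from gcc. It does not trigger the miscompilation itself; it mirrors, with explicit `memcpy` steps, what the emitted code at `0x88`..`0x91` does to the union's words versus what a plain 64-bit copy from offset 4 would do, so the corruption pattern (words 2/3 of the output both holding word 3 of the input) can be checked on any input. The 16-byte four-word layout, the `value_t` name and the word numbering are assumptions that follow the report's comments.

```c
/* Added example: model of the quoted listing, not the report's reproduction. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: four 32-bit words, numbered 1..4 as in the report's comments.
 * word 1 (offset 0) is the discriminant compared against 0xffffff01/0xffffff03,
 * words 2 and 3 (offsets 4 and 8) are the 64-bit payload copied to output+4. */
typedef struct {
    uint32_t w[4];   /* w[0] = word 1, w[1] = word 2, w[2] = word 3, w[3] = word 4 */
} value_t;

/* Intended behaviour: copy the 64 bits at offset 4 of the input (words 2 and 3)
 * to offset 4 of the output, untouched. */
void copy_intended(value_t *out, const value_t *in)
{
    uint64_t tmp;
    memcpy(&tmp, (const uint8_t *)in + 4, sizeof tmp);   /* read words 2/3  */
    memcpy((uint8_t *)out + 4, &tmp, sizeof tmp);        /* write words 2/3 */
}

/* What the listing does, instruction by instruction, on the by-value copy
 * of the argument that lives on the stack (0x40(%rsp) is word 1). */
void copy_as_emitted(value_t *out, const value_t *in)
{
    value_t stack = *in;                       /* argument copy on the stack   */
    uint32_t ebp;
    uint64_t rax;
    memcpy(&ebp, (uint8_t *)&stack + 8, 4);    /* mov 0x48(%rsp),%ebp ; word 3 */
    memcpy((uint8_t *)&stack + 4, &ebp, 4);    /* mov %ebp,0x44(%rsp) ; clobbers word 2 */
    memcpy(&rax, (uint8_t *)&stack + 4, 8);    /* mov 0x44(%rsp),%rax ; now word3,word3 */
    memcpy((uint8_t *)out + 4, &rax, 8);       /* mov %rax,0x4(%rdi)  ; words 2/3 of output */
}

/* Returns 1 if the emitted sequence produces a different payload than the
 * intended copy for this input, 0 if the two agree (only when word 2 == word 3). */
int payload_corrupted(const value_t *in)
{
    value_t want = {{0, 0, 0, 0}};
    value_t got  = {{0, 0, 0, 0}};
    copy_intended(&want, in);
    copy_as_emitted(&got, in);
    return memcmp((uint8_t *)&want + 4, (uint8_t *)&got + 4, 8) != 0;
}

int main(void)
{
    /* Constructed sample input with distinct words so the clobber is visible. */
    value_t in = {{0xffffff03u, 0x22222222u, 0x33333333u, 0x44444444u}};
    value_t want = {{0, 0, 0, 0}}, got = {{0, 0, 0, 0}};
    copy_intended(&want, &in);
    copy_as_emitted(&got, &in);
    printf("intended words 2/3: %08x %08x\n", want.w[1], want.w[2]);
    printf("emitted  words 2/3: %08x %08x\n", got.w[1], got.w[2]);
    printf("corrupted: %d\n", payload_corrupted(&in));
    return 0;
}
```

Compiled with any working compiler, `copy_as_emitted` reproduces the pattern the report describes (output words 2 and 3 both equal to input word 3) while `copy_intended` preserves them; the same four-word probe, applied to the real attachment built with `gcc -O1`, is how the clobber shows up in practice.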