public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu
@ 2021-10-15  9:36 zhendong.su at inf dot ethz.ch
  2021-10-15  9:47 ` [Bug tree-optimization/102769] " marxin at gcc dot gnu.org
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: zhendong.su at inf dot ethz.ch @ 2021-10-15  9:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

            Bug ID: 102769
           Summary: wrong code at -O1 and above on x86_64-linux-gnu
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zhendong.su at inf dot ethz.ch
  Target Milestone: ---

It seems to be a very long-latent regression (since at least as early as GCC
4.7.* according to Compiler Explorer).

[581] % gcctk -v
Using built-in specs.
COLLECT_GCC=gcctk
COLLECT_LTO_WRAPPER=/local/suz-local/software/local/gcc-trunk/libexec/gcc/x86_64-pc-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../gcc-trunk/configure --disable-bootstrap
--prefix=/local/suz-local/software/local/gcc-trunk --enable-languages=c,c++
--disable-werror --enable-multilib --with-system-zlib
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 12.0.0 20211015 (experimental) [master r12-4426-gf7571527a44] (GCC) 
[582] % 
[582] % gcctk -O0 small.c; ./a.out
[583] % 
[583] % gcctk -O1 small.c
[584] % ./a.out
Aborted
[585] % 
[585] % cat small.c
int a, *b, **c = &b, *d, e, f = 1;
int main() {
  int g[20];
  for (; e < 2; e++) {
    if (a == f && *b)
      break;
    int h;
    f = h = 0;
    *c = &h;
  }
  d = &g[4];
  if (e != 2)
    __builtin_abort();
  return 0;
}

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
@ 2021-10-15  9:47 ` marxin at gcc dot gnu.org
  2021-10-15 10:19 ` zhendong.su at inf dot ethz.ch
                   ` (9 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-10-15  9:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |INVALID
                 CC|                            |marxin at gcc dot gnu.org

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
I think it's invalid code:

gcc-11 pr102769.c -g -fsanitize=address,undefined && ./a.out 
=================================================================
==27019==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fffffffdd00 at pc 0x000000400bfd bp 0x7fffffffdcd0 sp 0x7fffffffdcc8
READ of size 4 at 0x7fffffffdd00 thread T0
    #0 0x400bfc in main /home/marxin/Programming/testcases/pr102769.c:5
    #1 0x7ffff6a7553f in __libc_start_call_main
../sysdeps/nptl/libc_start_call_main.h:58
    #2 0x7ffff6a755eb in __libc_start_main_impl ../csu/libc-start.c:409
    #3 0x400a44 in _start (/home/marxin/Programming/testcases/a.out+0x400a44)

Address 0x7fffffffdd00 is located in stack of thread T0 at offset 32 in frame
    #0 0x400b15 in main /home/marxin/Programming/testcases/pr102769.c:2

  This frame has 2 object(s):
    [32, 36) 'h' (line 7) <== Memory access at offset 32 is inside this
variable
    [48, 128) 'g' (line 3)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/home/marxin/Programming/testcases/pr102769.c:5 in main
Shadow bytes around the buggy address:
  0x10007fff7b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b90: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
=>0x10007fff7ba0:[f8]f2 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3
  0x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27019==ABORTING


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
  2021-10-15  9:47 ` [Bug tree-optimization/102769] " marxin at gcc dot gnu.org
@ 2021-10-15 10:19 ` zhendong.su at inf dot ethz.ch
  2021-10-15 10:23 ` jakub at gcc dot gnu.org
                   ` (8 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: zhendong.su at inf dot ethz.ch @ 2021-10-15 10:19 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #2 from Zhendong Su <zhendong.su at inf dot ethz.ch> ---
Interesting --- it was missed by clang-10 sanitizers and the CompCert
interpreter (a pretty rare occurrence): 

[565] % ccomp -interp -fall small.c
small.c:13: warning: implicit declaration of function '__builtin_abort' is
invalid in C99 [-Wimplicit-function-declaration]
small.c:13: warning: '__builtin_abort' is declared without a function prototype
Time 114: program terminated (exit code = 0)
[566] % clang-10 -Xclang -disable-llvm-optzns -w -m64 -O0 -fwrapv -ftrapv
-fsanitize=undefined,address small.c; ./a.out
[567] % clang-10 -pie -fPIE -pie -Xclang -disable-llvm-optzns -w -O0 -m64
-fsanitize=memory small.c; ./a.out
[568] %


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
  2021-10-15  9:47 ` [Bug tree-optimization/102769] " marxin at gcc dot gnu.org
  2021-10-15 10:19 ` zhendong.su at inf dot ethz.ch
@ 2021-10-15 10:23 ` jakub at gcc dot gnu.org
  2021-10-15 10:23 ` marxin at gcc dot gnu.org
                   ` (7 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: jakub at gcc dot gnu.org @ 2021-10-15 10:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
It is still UB, the b = &h; happens inside of the scope, then the scope is left
and on a next iteration re-entered again and *b dereferenced.
I don't think C/C++ have anything that would special case {}s around body of
the loop, though in most versions of the languages there is an extra for scope
around it.

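The lifetime rule Jakub describes above, shown as an added example that is not part of the bug report or of GCC's test suite. The first function mirrors small.c: the address of the block-scoped h escapes into a pointer, the block ends with the iteration, and *b is read on the next iteration before h is declared again, which is a use of an object whose lifetime has ended (C17 6.2.4). The second function widens h's lifetime to the enclosing scope so every read through the pointer is defined. The function names run_ub and run_fixed are assumptions for this illustration; the globals of the original are replaced by locals so the two variants can sit side by side.

```c
/* Added example: the stack-use-after-scope pattern from PR 102769,
 * as written (undefined behaviour) and with the lifetime bug fixed.
 * Not code from the bug report; function names are assumptions. */
#include <stdio.h>

/* Same shape as small.c: the address of the block-scoped `h` escapes
 * into `b` at the end of iteration 0; on iteration 1 the block has been
 * exited and re-entered, and `*b` reads an object whose lifetime ended.
 * At -O0 the stack slot usually still holds 0, at -O1 and above the
 * compiler may reuse it, so the loop may break early. */
static int run_ub(void)
{
    int a = 0, f = 1, e;
    int *b = 0;                /* a == f is false on iteration 0, so *b is not read yet */
    for (e = 0; e < 2; e++) {
        if (a == f && *b)      /* iteration 1: read of `h` after its lifetime ended */
            break;
        int h;                 /* lifetime: from here to the end of this iteration */
        f = h = 0;
        b = &h;                /* address escapes the block */
    }
    return e;                  /* 2 if the loop ran to completion */
}

/* Fixed: `h` is declared in the enclosing scope, so it lives across all
 * iterations and the stored pointer is valid whenever it is read. */
static int run_fixed(void)
{
    int a = 0, f = 1, e;
    int h = 0;                 /* lifetime now spans the whole loop */
    int *b = &h;
    for (e = 0; e < 2; e++) {
        if (a == f && *b)      /* defined: `h` is still alive */
            break;
        f = h = 0;
        b = &h;
    }
    return e;                  /* always 2 */
}

int main(void)
{
    printf("fixed: loop ran %d iterations\n", run_fixed());
    /* Compile with -g -fsanitize=address,undefined to have ASan report
     * this read as stack-use-after-scope, as in comment #1. */
    printf("ub:    loop ran %d iterations\n", run_ub());
    return 0;
}
```

The check a reporter wants before filing a wrong-code bug is the one Martin ran in comment #1: build the reduced case with `-g -fsanitize=address,undefined` using the same compiler family that miscompiles it, and treat any sanitizer report as disqualifying. A differential result between -O0 and -O1 alone does not distinguish a miscompilation from a program that depends on a dead stack slot keeping its value.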

* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (2 preceding siblings ...)
  2021-10-15 10:23 ` jakub at gcc dot gnu.org
@ 2021-10-15 10:23 ` marxin at gcc dot gnu.org
  2021-10-15 10:28 ` zhendong.su at inf dot ethz.ch
                   ` (6 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-10-15 10:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #4 from Martin Liška <marxin at gcc dot gnu.org> ---
Clang I have (12) reports that as well:

clang-12 pr102769.c -g -fsanitize=address,undefined && ./a.out 
/usr/bin/ld: warning: Cannot export local symbol '__asan_extra_spill_area'
=================================================================
==30045==ERROR: AddressSanitizer: stack-use-after-scope on address
0x7fffffffdcd0 at pc 0x0000004cbe5e bp 0x7fffffffdc30 sp 0x7fffffffdc28
READ of size 4 at 0x7fffffffdcd0 thread T0
    #0 0x4cbe5d in main /home/marxin/Programming/testcases/pr102769.c:5:19
    #1 0x7ffff7cbd53f in __libc_start_call_main
/usr/src/debug/glibc-2.34-2.1.x86_64/csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #2 0x7ffff7cbd5eb in __libc_start_main@GLIBC_2.2.5
/usr/src/debug/glibc-2.34-2.1.x86_64/csu/../csu/libc-start.c:409:3
    #3 0x41f814 in _start
/home/abuild/rpmbuild/BUILD/glibc-2.34/csu/../sysdeps/x86_64/start.S:116

Address 0x7fffffffdcd0 is located in stack of thread T0 at offset 144 in frame
    #0 0x4cbccf in main /home/marxin/Programming/testcases/pr102769.c:2

  This frame has 2 object(s):
    [32, 112) 'g' (line 3)
    [144, 148) 'h' (line 7) <== Memory access at offset 144 is inside this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
/home/marxin/Programming/testcases/pr102769.c:5:19 in main
Shadow bytes around the buggy address:
  0x10007fff7b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7b80: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00
=>0x10007fff7b90: 00 00 00 00 00 00 f2 f2 f2 f2[f8]f3 00 00 00 00
  0x10007fff7ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7bd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007fff7be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==30045==ABORTING


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (3 preceding siblings ...)
  2021-10-15 10:23 ` marxin at gcc dot gnu.org
@ 2021-10-15 10:28 ` zhendong.su at inf dot ethz.ch
  2021-10-15 10:33 ` marxin at gcc dot gnu.org
                   ` (5 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: zhendong.su at inf dot ethz.ch @ 2021-10-15 10:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #5 from Zhendong Su <zhendong.su at inf dot ethz.ch> ---
Yes, it's clear that the code is invalid. I should update my reduction script
to use more recent clang and gcc for ruling out UBs.


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (4 preceding siblings ...)
  2021-10-15 10:28 ` zhendong.su at inf dot ethz.ch
@ 2021-10-15 10:33 ` marxin at gcc dot gnu.org
  2021-10-15 10:38 ` zhendong.su at inf dot ethz.ch
                   ` (4 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-10-15 10:33 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to Zhendong Su from comment #5)
> Yes, it's clear that the code is invalid. I should update my reduction
> script to use more recent clang and gcc for ruling out UBs.

Yes, please include also ASAN and UBSAN checks made by the GCC compiler.


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (5 preceding siblings ...)
  2021-10-15 10:33 ` marxin at gcc dot gnu.org
@ 2021-10-15 10:38 ` zhendong.su at inf dot ethz.ch
  2021-10-15 10:43 ` marxin at gcc dot gnu.org
                   ` (3 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: zhendong.su at inf dot ethz.ch @ 2021-10-15 10:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #7 from Zhendong Su <zhendong.su at inf dot ethz.ch> ---
(In reply to Martin Liška from comment #6)
> (In reply to Zhendong Su from comment #5)
> > Yes, it's clear that the code is invalid. I should update my reduction
> > script to use more recent clang and gcc for ruling out UBs.
> 
> Yes, please include also ASAN and UBSAN checks made by the GCC compiler.

Yes, will also do; sorry for the invalid report and noise.


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (6 preceding siblings ...)
  2021-10-15 10:38 ` zhendong.su at inf dot ethz.ch
@ 2021-10-15 10:43 ` marxin at gcc dot gnu.org
  2021-10-15 11:39 ` zhendong.su at inf dot ethz.ch
                   ` (2 subsequent siblings)
  10 siblings, 0 replies; 12+ messages in thread
From: marxin at gcc dot gnu.org @ 2021-10-15 10:43 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #8 from Martin Liška <marxin at gcc dot gnu.org> ---
> Yes, will also do; sorry for the invalid report and noise.

Thanks!

Don't apologize, you have created very many wrong-code issues.
We appreciate the effort of your team.


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (7 preceding siblings ...)
  2021-10-15 10:43 ` marxin at gcc dot gnu.org
@ 2021-10-15 11:39 ` zhendong.su at inf dot ethz.ch
  2021-10-15 11:42 ` jakub at gcc dot gnu.org
  2021-10-15 15:17 ` zhendong.su at inf dot ethz.ch
  10 siblings, 0 replies; 12+ messages in thread
From: zhendong.su at inf dot ethz.ch @ 2021-10-15 11:39 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #9 from Zhendong Su <zhendong.su at inf dot ethz.ch> ---
> Don't apologize, you have created very many wrong-code issues.
> We appreciate the effort of your team.

Thanks, Martin :)


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (8 preceding siblings ...)
  2021-10-15 11:39 ` zhendong.su at inf dot ethz.ch
@ 2021-10-15 11:42 ` jakub at gcc dot gnu.org
  2021-10-15 15:17 ` zhendong.su at inf dot ethz.ch
  10 siblings, 0 replies; 12+ messages in thread
From: jakub at gcc dot gnu.org @ 2021-10-15 11:42 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #10 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
(In reply to Martin Liška from comment #8)
> Don't apologize, you have created very many wrong-code issues.

s/created/reported/
We as GCC developers have created them.

Anyway, thanks for all the bug reports.


* [Bug tree-optimization/102769] wrong code at -O1 and above on x86_64-linux-gnu
  2021-10-15  9:36 [Bug tree-optimization/102769] New: wrong code at -O1 and above on x86_64-linux-gnu zhendong.su at inf dot ethz.ch
                   ` (9 preceding siblings ...)
  2021-10-15 11:42 ` jakub at gcc dot gnu.org
@ 2021-10-15 15:17 ` zhendong.su at inf dot ethz.ch
  10 siblings, 0 replies; 12+ messages in thread
From: zhendong.su at inf dot ethz.ch @ 2021-10-15 15:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=102769

--- Comment #11 from Zhendong Su <zhendong.su at inf dot ethz.ch> ---
> s/created/reported/
> We as GCC developers have created them.

Thanks for this clarification, Jakub :)

> Anyway, thanks for all the bug reports.

Sure thing. Thanks to all you folks for the great work in maintaining and
improving GCC!

