From: "rguenth at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/104931] New: wrong-code with number_of_iterations_lt_to_ne
Date: Tue, 15 Mar 2022 10:20:08 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=104931

            Bug ID: 104931
           Summary: wrong-code with number_of_iterations_lt_to_ne
           Product: gcc
           Version: 11.2.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rguenth at gcc dot gnu.org
  Target Milestone: ---

The premake tool is miscompiled when building it with LTO on i586-linux,
resulting in it immediately segfaulting via

==9912== Invalid read of size 4
==9912==    at 0x8162378: UnknownInlinedFun (lapi.c:197)
==9912==    by 0x8162378: lua_rotate.constprop.0 (lapi.c:217)
==9912==    by 0x8063881: luaL_requiref (lauxlib.c:983)
==9912==    by 0x807DF76: luaL_openlibs (linit.c:64)
==9912==    by 0x8061128: main (premake_main.c:15)
==9912==  Address 0x43816dc is 12 bytes before a block of size 408 alloc'd
==9912==    at 0x4035EDB: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-x86-linux.so)
==9912==    by 0x80806A3: luaM_realloc_ (lmem.c:86)
==9912==    by 0x807727E: luaD_reallocstack (ldo.c:182)

This can be reproduced with GCC 10 and GCC 11 but not on trunk.  After checking
out https://github.com/premake/premake-core.git do

  make -f Bootstrap.mak linux CC="gcc-11 -m32" CFLAGS="-O2 -flto -g"

and ./bin/release/premake will then segfault.

I've narrowed this down to the first IPA CP clone of lua_rotate being
miscompiled; we enter number_of_iterations_lt_to_ne for exit condition

  [(struct TValue *) (_2 + 4294967272) + 12, + , 24](no_overflow) < _2 + 4294967272

with delta being 4294967284, the step type is unsigned int.  The problem is
that for pointer IVs the step type has to be interpreted as signed, but the
code uses an unsigned FLOOR_MOD to compute the condition under which the loop
will not iterate, which it computes to

  result:
    zero if (struct TValue *) (_2 + 4294967272) + 12 > _2 + 4294967292
    # of iterations 178956971, bounded by 0

which is always false (but not folded).  When making sure to use a signed type
to compute the modulo the miscompile is gone and we manage to compute the
correct result:

  result:
    zero if (struct TValue *) (_2 + 4294967272) + 12 > _2 + 4294967284(OVF)
    # of iterations 0(OVF), bounded by 0

I've failed to create a small testcase - there seem to be special circumstances
required that make us enter niter analysis with exactly this SCEV.
The simplified testcase

struct X { int x[3]; };

/* Swap *from and *to, walking the two pointers towards each other
   until they meet or cross.  */
static void
reverse (struct X *from, struct X *to)
{
  do
    {
      struct X temp = *from;
      *from = *to;
      *to = temp;
      from++;
      to--;
    }
  while (from < to);
}

/* Calls reverse with two adjacent elements below *L, so the loop
   body runs exactly once.  */
void
lua_rotate (struct X **L)
{
  struct X *y = *L;
  struct X *to = y - 1;
  struct X *from = y - 2;
  reverse (from, to);
}

does not exhibit this problem.
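As an added worked example, not code from the bug report or from GCC's sources, the following C program redoes the arithmetic described above with the constants the report quotes (delta = 4294967284, step = 24, iv1->base = _2 + 4294967272, iv0->base = iv1->base + 12), once with delta taken as the unsigned int it is typed as and once reinterpreted as the signed pointer difference -12. It assumes the step sequence the report describes (FLOOR_MOD of delta by step, adjusted to step - mod when nonzero, then the "zero if" bound iv1->base + mod and the count (delta + mod) / step), performs the sums in 64-bit so nothing wraps, and expresses all offsets relative to the common base _2; the helper and struct names are ours. The numbers it produces are the ones quoted in the report.

```c
/* Added example (not from the bug report or GCC): replays the
   number_of_iterations_lt_to_ne arithmetic from PR 104931 with an
   unsigned and a signed FLOOR_MOD.  Offsets are relative to the
   common pointer base _2 and sums are done in 64-bit (assumptions
   made so the example needs no real pointers and never wraps).  */
#include <assert.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* FLOOR_MOD_EXPR: remainder of floor division, so for a positive
   divisor the result is always in [0, b).  C's % truncates toward
   zero and would give -12 % 24 == -12.  */
static int64_t floor_mod(int64_t a, int64_t b)
{
    int64_t r = a % b;
    if (r != 0 && ((r < 0) != (b < 0)))
        r += b;
    return r;
}

/* Sign-extend a 32-bit unsigned value, i.e. read it as the signed
   pointer difference it really is.  Well-defined for all inputs.  */
static int64_t as_signed32(uint32_t v)
{
    return v >= 0x80000000u ? (int64_t) v - ((int64_t) 1 << 32) : (int64_t) v;
}

struct lt_to_ne_result {
    int64_t mod;     /* amount added to iv1->base to turn '<' into '!=' */
    int64_t bound;   /* iv1->base + mod, relative to _2 */
    int     noloop;  /* 1 if the "zero if" test iv0->base > bound holds */
    int64_t niter;   /* (delta + mod) / step */
};

/* Mirrors the steps the report describes for lt_to_ne (hypothetical
   helper, not GCC's own code).  */
static struct lt_to_ne_result
lt_to_ne(int64_t iv0_base, int64_t iv1_base, int64_t delta, int64_t step)
{
    struct lt_to_ne_result r;
    r.mod = floor_mod(delta, step);
    if (r.mod != 0)
        r.mod = step - r.mod;
    r.bound = iv1_base + r.mod;
    r.noloop = iv0_base > r.bound;
    r.niter = (delta + r.mod) / step;
    return r;
}

/* The exit condition from the report, relative to _2.  */
static const int64_t  IV1_BASE  = 4294967272;        /* _2 + 4294967272 */
static const int64_t  IV0_BASE  = 4294967272 + 12;   /* (struct TValue *) (...) + 12 */
static const uint32_t DELTA_U32 = 4294967284u;       /* iv1->base - iv0->base as unsigned int */
static const int64_t  STEP      = 24;

/* Buggy reading: delta is the unsigned int the step type says it is.  */
static struct lt_to_ne_result buggy(void)
{
    return lt_to_ne(IV0_BASE, IV1_BASE, (int64_t) DELTA_U32, STEP);
}

/* Fixed reading: pointer IV, so delta is the signed difference -12.  */
static struct lt_to_ne_result fixed(void)
{
    return lt_to_ne(IV0_BASE, IV1_BASE, as_signed32(DELTA_U32), STEP);
}

int main(void)
{
    struct lt_to_ne_result b = buggy(), f = fixed();
    printf("unsigned mod: zero if iv0 > _2 + %" PRId64 " (%s), # of iterations %" PRId64 "\n",
           b.bound, b.noloop ? "true" : "false", b.niter);
    printf("signed mod:   zero if iv0 > _2 + %" PRId64 " (%s), # of iterations %" PRId64 "\n",
           f.bound, f.noloop ? "true" : "false", f.niter);
    return 0;
}
```

With the unsigned modulo the "zero if" bound lands at _2 + 4294967292, which iv0->base never exceeds, and the count comes out as 178956971; with the signed modulo the bound is _2 + 4294967284 and the count is 0, matching the two dumps in the report.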