From: "gnu.org at quisquis dot de"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c/105654] New: Address of local variable as function call argument is NULL?!
Date: Thu, 19 May 2022 06:41:21 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105654

            Bug ID: 105654
           Summary: Address of local variable as function call argument is
                    NULL?!
           Product: gcc
           Version: 12.1.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gnu.org at quisquis dot de
  Target Milestone: ---

Created attachment 52993
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52993&action=edit
Preprocessed example code

Problem
=======

The address of a local variable is used as the argument in a function call.
The actual value passed to the call is 0, which subsequently leads to a
segfault.

Context
=======

The strongswan project uses a somewhat obscure construct in some of its option
processing code, which is where the problem was initially detected. See
https://github.com/strongswan/strongswan/issues/1053#issuecomment-1130134332 .

The behaviour was first observed with gcc-12.1. gcc-11.2.1 is apparently not
affected.

The problem disappears with either
* -O0 optimization
* -fsanitize=undefined
* the "parse" function pointer not declared static

Compiler invocation
===================

> env -u LANG gcc -v --save-temps -o test -g -O1 -Wall -Wextra test.c
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib64/gcc/x86_64-suse-linux/12/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-suse-linux
Configured with: ../configure --prefix=/usr --infodir=/usr/share/info --mandir=/usr/share/man --libdir=/usr/lib64 --libexecdir=/usr/lib64 --enable-languages=c,c++,objc,fortran,obj-c++,ada,go,d,jit --enable-offload-targets=nvptx-none,amdgcn-amdhsa, --enable-offload-defaulted --without-cuda-driver --enable-host-shared --enable-checking=release --disable-werror --with-gxx-include-dir=/usr/include/c++/12 --enable-ssp --disable-libssp --disable-libvtv --enable-cet=auto --disable-libcc1 --enable-plugin --with-bugurl=https://bugs.opensuse.org/ --with-pkgversion='SUSE Linux' --with-slibdir=/lib64 --with-system-zlib --enable-libstdcxx-allocator=new --disable-libstdcxx-pch --enable-libphobos --enable-version-specific-runtime-libs --with-gcc-major-version-only --enable-linker-build-id --enable-linux-futex --enable-gnu-indirect-function --program-suffix=-12 --without-system-libunwind --enable-multilib --with-arch-32=x86-64 --with-tune=generic --with-build-config=bootstrap-lto-lean --enable-link-mutex --build=x86_64-suse-linux --host=x86_64-suse-linux
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.1.1 20220517 [revision 325d82b08696da17fb26bd2e1b6ba607649357fb] (SUSE Linux)
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-o' 'test' '-g' '-O1' '-Wall' '-Wextra' '-mtune=generic' '-march=x86-64'
 /usr/lib64/gcc/x86_64-suse-linux/12/cc1 -E -quiet -v test.c -mtune=generic -march=x86-64 -Wall -Wextra -g -fworking-directory -O1 -fpch-preprocess -o test.i
#include "..." search starts here:
#include <...> search starts here:
 /usr/lib64/gcc/x86_64-suse-linux/12/include
 /usr/local/include
 /usr/lib64/gcc/x86_64-suse-linux/12/include-fixed
 /usr/lib64/gcc/x86_64-suse-linux/12/../../../../x86_64-suse-linux/include
 /usr/include
End of search list.
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-o' 'test' '-g' '-O1' '-Wall' '-Wextra' '-mtune=generic' '-march=x86-64'
 /usr/lib64/gcc/x86_64-suse-linux/12/cc1 -fpreprocessed test.i -quiet -dumpbase test.c -dumpbase-ext .c -mtune=generic -march=x86-64 -g -O1 -Wall -Wextra -version -o test.s
GNU C17 (SUSE Linux) version 12.1.1 20220517 [revision 325d82b08696da17fb26bd2e1b6ba607649357fb] (x86_64-suse-linux)
        compiled by GNU C version 12.1.1 20220517 [revision 325d82b08696da17fb26bd2e1b6ba607649357fb], GMP version 6.2.1, MPFR version 4.1.0-p7, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
GNU C17 (SUSE Linux) version 12.1.1 20220517 [revision 325d82b08696da17fb26bd2e1b6ba607649357fb] (x86_64-suse-linux)
        compiled by GNU C version 12.1.1 20220517 [revision 325d82b08696da17fb26bd2e1b6ba607649357fb], GMP version 6.2.1, MPFR version 4.1.0-p7, MPC version 1.2.1, isl version isl-0.24-GMP

GGC heuristics: --param ggc-min-expand=100 --param ggc-min-heapsize=131072
Compiler executable checksum: 00000000000000000000000000000000
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-o' 'test' '-g' '-O1' '-Wall' '-Wextra' '-mtune=generic' '-march=x86-64'
 /usr/lib64/gcc/x86_64-suse-linux/12/../../../../x86_64-suse-linux/bin/as -v --gdwarf-5 --64 -o test.o test.s
GNU assembler version 2.38 (x86_64-suse-linux) using BFD version (GNU Binutils; openSUSE Tumbleweed) 2.38.20220411-5
COMPILER_PATH=/usr/lib64/gcc/x86_64-suse-linux/12/:/usr/lib64/gcc/x86_64-suse-linux/12/:/usr/lib64/gcc/x86_64-suse-linux/:/usr/lib64/gcc/x86_64-suse-linux/12/:/usr/lib64/gcc/x86_64-suse-linux/:/usr/lib64/gcc/x86_64-suse-linux/12/../../../../x86_64-suse-linux/bin/
LIBRARY_PATH=/usr/lib64/gcc/x86_64-suse-linux/12/:/usr/lib64/gcc/x86_64-suse-linux/12/../../../../lib64/:/lib/../lib64/:/usr/lib/../lib64/:/usr/lib64/gcc/x86_64-suse-linux/12/../../../../x86_64-suse-linux/lib/:/usr/lib64/gcc/x86_64-suse-linux/12/../../../:/lib/:/usr/lib/
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-o' 'test' '-g' '-O1' '-Wall' '-Wextra' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.'
 /usr/lib64/gcc/x86_64-suse-linux/12/collect2 -plugin /usr/lib64/gcc/x86_64-suse-linux/12/liblto_plugin.so -plugin-opt=/usr/lib64/gcc/x86_64-suse-linux/12/lto-wrapper -plugin-opt=-fresolution=test.res -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s -plugin-opt=-pass-through=-lc -plugin-opt=-pass-through=-lgcc -plugin-opt=-pass-through=-lgcc_s --build-id --eh-frame-hdr -m elf_x86_64 -dynamic-linker /lib64/ld-linux-x86-64.so.2 -o test /usr/lib64/gcc/x86_64-suse-linux/12/../../../../lib64/crt1.o /usr/lib64/gcc/x86_64-suse-linux/12/../../../../lib64/crti.o /usr/lib64/gcc/x86_64-suse-linux/12/crtbegin.o -L/usr/lib64/gcc/x86_64-suse-linux/12 -L/usr/lib64/gcc/x86_64-suse-linux/12/../../../../lib64 -L/lib/../lib64 -L/usr/lib/../lib64 -L/usr/lib64/gcc/x86_64-suse-linux/12/../../../../x86_64-suse-linux/lib -L/usr/lib64/gcc/x86_64-suse-linux/12/../../.. test.o -lgcc --push-state --as-needed -lgcc_s --pop-state -lc -lgcc --push-state --as-needed -lgcc_s --pop-state /usr/lib64/gcc/x86_64-suse-linux/12/crtend.o /usr/lib64/gcc/x86_64-suse-linux/12/../../../../lib64/crtn.o
COLLECT_GCC_OPTIONS='-v' '-save-temps' '-o' 'test' '-g' '-O1' '-Wall' '-Wextra' '-mtune=generic' '-march=x86-64' '-dumpdir' 'test.'

Crash
=====

> gdb --args test yes
GNU gdb (GDB; openSUSE Tumbleweed) 11.1
[...]
Reading symbols from test...
(gdb) r
Starting program: /tmp/tmp/test yes
Missing separate debuginfos, use: zypper install glibc-debuginfo-2.35-2.4.x86_64
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401166 in _cb_parse (out=out@entry=0x0, in=) at test.c:9
9         *out = !strcmp("yes", in);
(gdb)

(notice "out=out@entry=0x0")
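The call shape that the Problem and Context sections describe, written out as an added illustration: this is not attachment 52993 and not strongswan's code, and it does not reproduce the gcc-12 behaviour. It assumes a callback `_cb_parse` behind the crashing line `*out = !strcmp("yes", in);`, a static function pointer `parse` through which it is called with the address of a local, and a NULL guard in the callback that is a defensive addition here, not part of the reported code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the shape in the report, not attachment 52993:
 * the callback behind the crashing line "*out = !strcmp("yes", in);". The NULL
 * guard is a defensive check added here; it is not in the reported code. */
static bool _cb_parse(bool *out, const char *in)
{
    if (out == NULL || in == NULL) {   /* gdb showed out arriving as 0x0 */
        return false;
    }
    *out = !strcmp("yes", in);
    return true;
}

/* The "parse" function pointer, declared static as in the report (the report
 * says a non-static pointer made the problem disappear). */
static bool (*parse)(bool *out, const char *in) = _cb_parse;

/* Passes the address of a local through the pointer.
 * Returns 1 for "yes", 0 for any other string, -1 if the callback refused. */
int parse_flag(const char *arg)
{
    bool value = false;                /* local whose address is the argument */
    if (!parse(&value, arg)) {
        return -1;
    }
    return value ? 1 : 0;
}

int main(int argc, char **argv)
{
    const char *arg = argc > 1 ? argv[1] : "no";
    printf("parse_flag(\"%s\") = %d\n", arg, parse_flag(arg));
    return 0;
}
```

Built with the report's flags (`-g -O1 -Wall -Wextra`) this file simply returns 1 for "yes"; the miscompilation needs the preprocessed attachment, which is not on this page.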