public inbox for gcc-bugs@sourceware.org
* [Bug c/106503] New: "const char []" in local scope never initialized
From: eb at emlix dot com @ 2022-08-02  7:31 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

            Bug ID: 106503
           Summary: "const char []" in local scope never initialized
           Product: gcc
           Version: 11.3.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: eb at emlix dot com
  Target Milestone: ---

Given the following test program:

------------
#include <sys/uio.h>
#include <string.h>

#define WRITEL(str) \
                do { \
                        wdata[wpos].iov_base = (void*)(str); \
                        wdata[wpos].iov_len = strlen(str); \
                        wlen += wdata[wpos].iov_len; \
                        wpos++; \
                } while (0)

int main(int argc, char **argv)
{
        struct iovec wdata[20];
        unsigned int wpos = 0;
        ssize_t wlen = 0;
        int i = (argc > 1) ? 1 : 0;

        WRITEL("foo");
        if (argc) {
                const char junk[] = "abc";
                WRITEL(junk + i);
        } else {
                const char *junk = "def";
                WRITEL(junk + i);
        }
        WRITEL("baz\n");

        return writev(1, wdata, wpos) > 0 ? 0 : 1;
}
------------

For gcc 10 and before, and gcc 11, 12, or 13
(b06a282921c71bbc5cab69bc515804bd80f55e92) when used with -O0, this outputs:

$ ./Ch
fooabcbaz

From gcc 11 on, when using -O1 or more, it does not seem to initialize the "junk"
buffer, so it may output random things:

$ ./Ch 
foocbaz
$ ./Ch 
foo�baz
$ ./Ch 
foo+baz
$ ./Ch 
foo baz
$ ./Ch 
foo[baz

I have seen the same behavior on both amd64 and sparc32, with distro compilers
(openSUSE, Gentoo) as well as an unpatched gcc13 built with Gentoo ebuilds.


* [Bug c/106503] "const char []" in local scope never initialized
From: eb at emlix dot com @ 2022-08-02  7:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

--- Comment #1 from Rolf Eike Beer <eb at emlix dot com> ---
If you turn the "const char []" into a "const char *" in line 21 it works fine.


* [Bug c/106503] "const char []" in local scope never initialized
From: pinskia at gcc dot gnu.org @ 2022-08-02  7:37 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
const char junk[]

Goes out of scope and you still have a reference to it.

-fsanitize=address can sometimes detect this kind of problem at runtime.


* [Bug c/106503] "const char []" in local scope never initialized
From: pinskia at gcc dot gnu.org @ 2022-08-02  7:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Andrew Pinski from comment #2)
> -fsanitize=address sometimes can detect this kind of problems at runtime.


Program returned: 1
=================================================================
==1==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7f9235600030
at pc 0x7f9237ebcc9b bp 0x7ffc8cccff60 sp 0x7ffc8cccf720
READ of size 3 at 0x7f9235600030 thread T0
    #0 0x7f9237ebcc9a 
(/opt/compiler-explorer/gcc-snapshot/lib64/libasan.so.8+0x4ac9a) (BuildId:
f4e296dda2fcdab4980780e7f32c752a3e412556)
    #1 0x7f9237ebcf37 in writev
(/opt/compiler-explorer/gcc-snapshot/lib64/libasan.so.8+0x4af37) (BuildId:
f4e296dda2fcdab4980780e7f32c752a3e412556)
    #2 0x401673 in main (/app/output.s+0x401673) (BuildId:
af556f86dec87e7467f73a633f83c822f3afe85a)
    #3 0x7f923790b0b2 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x240b2) (BuildId:
9fdb74e7b217d06c93172a8243f8547f947ee6d1)
    #4 0x4010ed in _start (/app/output.s+0x4010ed) (BuildId:
af556f86dec87e7467f73a633f83c822f3afe85a)

Address 0x7f9235600030 is located in stack of thread T0 at offset 48 in frame
    #0 0x4011b5 in main (/app/output.s+0x4011b5) (BuildId:
af556f86dec87e7467f73a633f83c822f3afe85a)

  This frame has 2 object(s):
    [48, 52) 'junk' (line 22) <== Memory access at offset 48 is inside this
variable
    [64, 384) 'wdata' (line 15)
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope
(/opt/compiler-explorer/gcc-snapshot/lib64/libasan.so.8+0x4ac9a) (BuildId:
f4e296dda2fcdab4980780e7f32c752a3e412556) 
Shadow bytes around the buggy address:
  0x0ff2c6ab7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff2c6ab8000: f1 f1 f1 f1 f1 f1[f8]f2 00 00 00 00 00 00 00 00
  0x0ff2c6ab8010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab8020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab8030: f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0ff2c6ab8040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff2c6ab8050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1==ABORTING
fooabcbaz


* [Bug c/106503] "const char []" in local scope never initialized
From: eb at emlix dot com @ 2022-08-02  9:08 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

--- Comment #4 from Rolf Eike Beer <eb at emlix dot com> ---
You are right, but if you switch the if clause a little bit:

        if (argc) {
                const char junk[] = "abc";
                WRITEL(junk + i);
                WRITEL("something else");
        }

and then stop in the debugger on the second WRITEL you can see that junk has
never been initialized at all. So even within that scope it has the wrong
contents.


* [Bug c/106503] "const char []" in local scope never initialized
From: redi at gcc dot gnu.org @ 2022-08-02  9:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

--- Comment #5 from Jonathan Wakely <redi at gcc dot gnu.org> ---
Because when you enable optimizations the compiler can see that the contents of
junk are never used while still in scope, so the initialization is optimized
away.

Your program has undefined behaviour; that means the WHOLE program, including
inside that block.


* [Bug c/106503] "const char []" in local scope never initialized
From: redi at gcc dot gnu.org @ 2022-08-02 10:01 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106503

--- Comment #6 from Jonathan Wakely <redi at gcc dot gnu.org> ---
(In reply to Jonathan Wakely from comment #5)
> Your program has undefined behaviour, that means the WHOLE program,
> including inside that block.

Or in the case where you copy the pointer, and then overwrite it with another
value, that isn't undefined, but the value is not used. The point of
optimization is to remove unnecessary code, like setting bytes in memory that
will never get read back again.

If the contents of junk are not needed, why waste cycles initializing those
bytes?

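The fix the replies point to, as an added example that is not code from the thread or from GCC: the array is declared in the same scope as the iovec list, so it outlives every entry that points into it and the optimizer has no reason to drop its initialization. The iov_gather helper that emulates what writev(2) reads and the message_matches check are assumptions added so the result can be verified offline.

```c
#include <string.h>
#include <sys/uio.h>

#define MAX_IOV 20

/* The thread's WRITEL macro as a bounds-checked function. 0 on success, -1 if full. */
static int iov_push(struct iovec *iov, unsigned *n, const char *s)
{
    if (*n >= MAX_IOV)
        return -1;
    iov[*n].iov_base = (void *)s;
    iov[*n].iov_len = strlen(s);
    (*n)++;
    return 0;
}

/* Concatenate the list into out as writev(2) would; returns bytes gathered. */
static size_t iov_gather(const struct iovec *iov, unsigned n, char *out, size_t cap)
{
    size_t total = 0;
    for (unsigned k = 0; k < n && total + iov[k].iov_len < cap; k++) {
        memcpy(out + total, iov[k].iov_base, iov[k].iov_len);
        total += iov[k].iov_len;
    }
    out[total] = '\0';
    return total;
}

/* Corrected form of the reporter's program: junk[] now lives alongside wdata
 * instead of inside the if-block, so every stored iov_base stays valid until
 * the gather (the else branch's string literal has static storage anyway). */
size_t build_message(int argc, char *out, size_t cap)
{
    struct iovec wdata[MAX_IOV];
    unsigned wpos = 0;
    int i = (argc > 1) ? 1 : 0;
    const char junk[] = "abc";   /* now outlives its use in wdata */

    iov_push(wdata, &wpos, "foo");
    iov_push(wdata, &wpos, argc ? junk + i : "def" + i);
    iov_push(wdata, &wpos, "baz\n");
    return iov_gather(wdata, wpos, out, cap);
}

/* 1 if build_message(argc) produces exactly expect, else 0. */
int message_matches(int argc, const char *expect)
{
    char buf[64];
    size_t n = build_message(argc, buf, sizeof buf);
    return n == strlen(expect) && memcmp(buf, expect, n) == 0;
}
```

Building the original program with -fsanitize=address, as comment #3 shows, reports the stack-use-after-scope at the writev call; this version produces no report because no iov_base points at dead stack.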
