public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug c/108721] New: csmith: really old bug with -O2
@ 2023-02-08 16:51 dcb314 at hotmail dot com
2023-02-08 16:55 ` [Bug middle-end/108721] " pinskia at gcc dot gnu.org
` (4 more replies)
0 siblings, 5 replies; 6+ messages in thread
From: dcb314 at hotmail dot com @ 2023-02-08 16:51 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108721
Bug ID: 108721
Summary: csmith: really old bug with -O2
Product: gcc
Version: 13.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: dcb314 at hotmail dot com
Target Milestone: ---
Created attachment 54436
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54436&action=edit
C source code
For the attached C code, generated from csmith, does this:
$ ../results/bin/gcc -w -O1 bug884.c && ./a.out
checksum = 749D4681
$ ../results/bin/gcc -w -O2 bug884.c && ./a.out
checksum = F8019D24
$
The bug seems to exist since sometime before 20220206, about a year ago.
$ ../results.20220206/bin/gcc -w -O2 bug884.c && ./a.out
checksum = F8019D24
$
The git hash for 20220206 is g:8eb329e963593342855b6072e5692659107337b7
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug middle-end/108721] csmith: really old bug with -O2
2023-02-08 16:51 [Bug c/108721] New: csmith: really old bug with -O2 dcb314 at hotmail dot com
@ 2023-02-08 16:55 ` pinskia at gcc dot gnu.org
2023-02-08 16:58 ` [Bug c/108721] [10/11/12/13 Regression] " jakub at gcc dot gnu.org
` (3 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: pinskia at gcc dot gnu.org @ 2023-02-08 16:55 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108721
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Component|c |middle-end
--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
There could be aliasing issues here as -fno-strict-aliasing fixes the issue ...
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug c/108721] [10/11/12/13 Regression] csmith: really old bug with -O2
2023-02-08 16:51 [Bug c/108721] New: csmith: really old bug with -O2 dcb314 at hotmail dot com
2023-02-08 16:55 ` [Bug middle-end/108721] " pinskia at gcc dot gnu.org
@ 2023-02-08 16:58 ` jakub at gcc dot gnu.org
2023-02-15 17:24 ` [Bug middle-end/108721] " dcb314 at hotmail dot com
` (2 subsequent siblings)
4 siblings, 0 replies; 6+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-02-08 16:58 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108721
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|csmith: really old bug with |[10/11/12/13 Regression]
|-O2 |csmith: really old bug with
| |-O2
Priority|P3 |P2
Component|middle-end |c
CC| |jakub at gcc dot gnu.org,
| |rguenth at gcc dot gnu.org
Target Milestone|--- |10.5
--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
This one bisected to differences starting with
r0-107468-g605896f5527472717f9fe91ad90f9ce3778cc540
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug middle-end/108721] [10/11/12/13 Regression] csmith: really old bug with -O2
2023-02-08 16:51 [Bug c/108721] New: csmith: really old bug with -O2 dcb314 at hotmail dot com
2023-02-08 16:55 ` [Bug middle-end/108721] " pinskia at gcc dot gnu.org
2023-02-08 16:58 ` [Bug c/108721] [10/11/12/13 Regression] " jakub at gcc dot gnu.org
@ 2023-02-15 17:24 ` dcb314 at hotmail dot com
2023-02-16 12:07 ` jakub at gcc dot gnu.org
2023-02-16 12:31 ` jakub at gcc dot gnu.org
4 siblings, 0 replies; 6+ messages in thread
From: dcb314 at hotmail dot com @ 2023-02-15 17:24 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108721
--- Comment #3 from David Binderman <dcb314 at hotmail dot com> ---
Created attachment 54471
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=54471&action=edit
C source code
After a short reduction.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug middle-end/108721] [10/11/12/13 Regression] csmith: really old bug with -O2
2023-02-08 16:51 [Bug c/108721] New: csmith: really old bug with -O2 dcb314 at hotmail dot com
` (2 preceding siblings ...)
2023-02-15 17:24 ` [Bug middle-end/108721] " dcb314 at hotmail dot com
@ 2023-02-16 12:07 ` jakub at gcc dot gnu.org
2023-02-16 12:31 ` jakub at gcc dot gnu.org
4 siblings, 0 replies; 6+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-02-16 12:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108721
--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
In the reduced testcase there is certainly an aliasing violation.
struct {
unsigned f0
} g_95 = {65531};
...
*g_412 = &g_95;
...
--g_95.f0;
*g_86 = g_613 || 0;
*g_412 = 0;
short *l_873 = &g_95;
--*l_873;
even after making g_412 unsigned *g_412 = &g_95.f0; it gets different results,
but
while short *l_873 = &g_95.f0; does as well, doing
typedef short sa __attribute__((may_alias));
sa *l_873 = &g_95.f0;
one gets the same result.
Now, in the original testcase it actually uses
union U0 {
uint16_t f0;
int64_t f1;
int64_t f2;
uint32_t f3;
};
static union U0 g_95 = {65531UL};
but then has
static int64_t *g_279 = &g_95.f2;
...
int64_t *l_939 = &g_95.f2;
...
uint16_t *l_873 = &g_95.f0;
...
uint32_t *l_933[8] =
{&g_95.f3,&g_95.f3,&g_95.f3,&g_95.f3,&g_95.f3,&g_95.f3,&g_95.f3,&g_95.f3};
...
int64_t *l_425 = &g_95.f2;
...
uint16_t *l_597 = &g_95.f0;
etc. Now, all of this doesn't necessarily mean it is UB, but it is a strong
indication that it very likely is. Standard C/C++ doesn't allow type punning
through union, only one of the members can be active at a time, GCC allows it,
but for aliasing requires that accesses have the union type visible to the
compiler on the access. Taking addresses of different union members means that
most likely that isn't followed, UB would be whenever some union member is
stored and another one read through a pointer without the union in access path
etc.
Now, I think some of the readings of the standard say that whenever say
uint16_t and uint32_t appear in some union anywhere, one basically needs to
treat them as the same alias set, but such reading makes TBAA totally useless.
So if csmith follows that reading, it is indeed unsafe for TBAA.
^ permalink raw reply [flat|nested] 6+ messages in thread
* [Bug middle-end/108721] [10/11/12/13 Regression] csmith: really old bug with -O2
2023-02-08 16:51 [Bug c/108721] New: csmith: really old bug with -O2 dcb314 at hotmail dot com
` (3 preceding siblings ...)
2023-02-16 12:07 ` jakub at gcc dot gnu.org
@ 2023-02-16 12:31 ` jakub at gcc dot gnu.org
4 siblings, 0 replies; 6+ messages in thread
From: jakub at gcc dot gnu.org @ 2023-02-16 12:31 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108721
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |INVALID
Status|UNCONFIRMED |RESOLVED
--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Ok, trying the original testcase compiled with -O0 -g and awatch g_95.f1 in
gdb,
g_95.f0 is read/modified directly, then
(*p_9) = (((**g_412) = ((safe_mod_func_uint8_t_u_u(p_10,
(safe_div_func_uint32_t_u_u(((safe_lshift_func_uint8_t_u_u(((safe_lshift_func_int16_t_s_s((((&g_95
!= &g_95) || ((*g_86) = (g_613[1] || (*g_245)))) | (l_799 < 0UL)), 1)) ^ (p_10
== (0x95L != 247UL))), p_10)) , l_799), 5L)))) >= 0x7BC3L)) < l_799);
stores 0 to it through int64_t * (g_412[0] is &g_95.f1) and is read from it
immediately again.
Then
(*l_871) = (safe_mul_func_int8_t_s_s(((1UL > ((void*)0 == l_871)) <
(--(*l_873))), ((l_876 , ((*l_878) = l_877)) >
(safe_sub_func_int8_t_s_s(((safe_sub_func_uint64_t_u_u(((safe_div_func_int16_t_s_s((((safe_sub_func_uint8_t_u_u((((l_887
!= l_888) != ((safe_add_func_uint64_t_u_u((*l_3), (((--g_118.f0) > ((*l_872) =
(*l_871))) , g_594))) || l_894)) == g_20.f0), (*l_3))) | (*l_3)) >
4294967288UL), g_207[3][7][2])) > 0xCA172E9FL), (*l_3))) < 1L), 0UL)))));
reads it through uint16_t * pointer l_873. I think that is enough UBs to mark
this as invalid.
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-02-16 12:31 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-02-08 16:51 [Bug c/108721] New: csmith: really old bug with -O2 dcb314 at hotmail dot com
2023-02-08 16:55 ` [Bug middle-end/108721] " pinskia at gcc dot gnu.org
2023-02-08 16:58 ` [Bug c/108721] [10/11/12/13 Regression] " jakub at gcc dot gnu.org
2023-02-15 17:24 ` [Bug middle-end/108721] " dcb314 at hotmail dot com
2023-02-16 12:07 ` jakub at gcc dot gnu.org
2023-02-16 12:31 ` jakub at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).