From: "jakub at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/111839] [12/13/14 Regression] Wrong code at -O3 on x86_64-linux-gnu since r12-2097-g9f34b780b0
Date: Tue, 05 Mar 2024 15:58:06 +0000
X-Bugzilla-Product: gcc
X-Bugzilla-Component: tree-optimization
X-Bugzilla-Version: 14.0
X-Bugzilla-Keywords: wrong-code
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P2
X-Bugzilla-Target-Milestone: 12.4

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111839

Jakub Jelinek changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #2 from Jakub Jelinek ---
Slightly cleaned up.
long a, *d, *h;
int b, c, e, g, i;
signed char f = -26;

int
main ()
{
  long j;
  for (c = 0; c != 7; ++c)
    {
      long k = 0;
      long l = k;
      long **m = &d;
      for (; f + i != 0; i++)
        h = &l;
      g = h != (*m = &j);
      int *n = &b;
      *n = g;
      while (e)
        while (a)
          ++a;
    }
  if (b != 1)
    __builtin_abort ();
}

I'd say this is just invalid code.
In the c == 0 iteration, h is set to the address of l, local in the loop (many times).
But when that l var goes out of scope at the end of the iteration, the h pointer pointing to it becomes invalid; it doesn't point to any valid object.
In the c == 1 iteration, it isn't reinitialized, so I think using it for the comparison is UB.
ASan use-after-scope can't catch such a sort of thing; it can catch stuff when such a pointer is dereferenced, but that is not the case here.
Plus, when l starts lifetime in the c == 1 and later iterations, it would be unpoisoned again and nothing would be reported even if it was dereferenced.
This is essentially

int *p;
int
main ()
{
  for (int i = 0; i < 10; ++i)
    {
      int l = 0;
      if (i == 0)
        p = &l;
      *p = 42;
    }
}

which isn't reported with -fsanitize=address -fsanitize-address-use-after-scope -g by either gcc or clang, yet is clearly undefined behavior.
The earlier testcase doesn't dereference but IMHO has the same problem.
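As an added illustration (a constructed model, not code from the bug report, GCC or ASan) of why the poison/unpoison check described in the comment misses this pattern: the loop below replays the second testcase against two checkers, one that only asks whether the slot of `l` is currently alive (the use-after-scope question, which is true again once the next iteration starts `l`'s lifetime) and one that also compares the lifetime generation in which the address was taken. The slot indices, `tracked_ptr` and the generation counter are assumptions of the model.

```c
#include <stdbool.h>
#include <string.h>

/* Constructed model: slot 0 stands for the stack slot of the loop-local `l`. */
enum { MAX_SLOTS = 4 };
static bool     alive[MAX_SLOTS];       /* shadow "unpoisoned?" state per slot */
static unsigned generation[MAX_SLOTS];  /* how many lifetimes the slot has begun (model addition) */

typedef struct { int slot; unsigned gen; } tracked_ptr;

static void begin_lifetime(int slot) { alive[slot] = true; generation[slot]++; }
static void end_lifetime(int slot)   { alive[slot] = false; }

static tracked_ptr take_address(int slot) {
    tracked_ptr p = { slot, generation[slot] };
    return p;
}

/* Poison-only check: "is the slot currently inside some lifetime?" */
static bool poison_check_ok(tracked_ptr p) { return alive[p.slot]; }

/* Generation check: "...and is it the same lifetime the address was taken in?" */
static bool generation_check_ok(tracked_ptr p) {
    return alive[p.slot] && generation[p.slot] == p.gen;
}

/* Replays the comment's second testcase (p = &l in iteration 0, *p = 42 in every
   iteration). Returns the first iteration the checker flags, or -1 if none. */
static int first_flagged_iteration(bool (*check)(tracked_ptr)) {
    memset(alive, 0, sizeof alive);
    memset(generation, 0, sizeof generation);
    tracked_ptr p = { 0, 0 };
    for (int i = 0; i < 10; ++i) {
        begin_lifetime(0);                 /* int l = 0;  -> slot unpoisoned again */
        if (i == 0) p = take_address(0);   /* p = &l;                              */
        bool ok = check(p);                /* *p = 42;                             */
        end_lifetime(0);                   /* l goes out of scope -> slot poisoned */
        if (!ok) return i;
    }
    return -1;
}

int main(void) {
    /* poison-only never flags (-1); the generation check flags iteration 1 */
    return (first_flagged_iteration(poison_check_ok) == -1
            && first_flagged_iteration(generation_check_ok) == 1) ? 0 : 1;
}
```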