From: "zsojka at seznam dot cz"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug rtl-optimization/48181] New: [4.5/4.6/4.7 Regression] wrong code with -O -fgcse --param ira-max-conflict-table-size=0
Date: Fri, 18 Mar 2011 14:40:00 -0000

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48181

           Summary: [4.5/4.6/4.7 Regression] wrong code with -O -fgcse
                    --param ira-max-conflict-table-size=0
           Product: gcc
           Version: 4.7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: rtl-optimization
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: zsojka@seznam.cz
                CC: jakub@gcc.gnu.org
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 23705
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=23705
reduced testcase

Output:
$ gcc -O -fgcse --param ira-max-conflict-table-size=0 testcase.c
$ valgrind -q ./a.out
==11903== Invalid read of size 8
==11903==    at 0x4C2B44C: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11903==    by 0x400602: foo (testcase.c:47)
==11903==    by 0x4006AA: main (testcase.c:65)
==11903==  Address 0x38 is not stack'd, malloc'd or (recently) free'd

The way it crashes is similar to PR48156:
...
    lea     rcx, [rsp+128]  # tmp126,
    cmp     QWORD PTR [rsp+8], 0    # %sfp,
    jne     .L11    #,
    mov     esi, r14d       #, qsize
    mov     rdi, rcx        #, tmp126
    call    bar     #
.L11:
    mov     rdx, r12        #, D.2735
    mov     rsi, rcx        #, tmp126   # -fno-gcse: lea rsi, [rsp+128]
    lea     rdi, [rsp+64]   #,
    call    memcpy  #
    mov     rdx, r12        #, D.2735
    mov     rsi, rcx        #, tmp126   # -fno-gcse: lea rsi, [rsp+128]
    lea     rdi, [rsp+32]   #,
    call    memcpy  #
...

both calls to memcpy() read rcx to set its parameters, but rcx is not preserved
across function call (changes either by call to bar(), or by first memcpy())

Tested revisions:
r171088 - fail
4.6 r170095 - fail
4.5 r170095 - fail
4.4 r170095 - OK
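
The hazard described in the report, as an added example that is not part of the original message or of GCC: a linear scan over the report's Intel-syntax listing that flags reads of a register the x86-64 System V ABI lets a callee overwrite, when the read happens after a call and before the register is written again. The names stale_reads, canon and LISTING are made up here; the scan assumes every register is valid on entry to the fragment and keeps the fall-through state at labels.

```python
import re

# Registers a callee may overwrite under the x86-64 System V ABI.
CALL_CLOBBERED = {"rax", "rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"}
REG = re.compile(r"\b(?:[re][a-ds][xi]|[re][sb]p|r(?:[89]|1[0-5])d?)\b")
# Listing copied from the report (the elided "..." lines are left out).
LISTING = """\
lea rcx, [rsp+128] # tmp126,
cmp QWORD PTR [rsp+8], 0 # %sfp,
jne .L11 #,
mov esi, r14d #, qsize
mov rdi, rcx #, tmp126
call bar #
.L11:
mov rdx, r12 #, D.2735
mov rsi, rcx #, tmp126 # -fno-gcse: lea rsi, [rsp+128]
lea rdi, [rsp+64] #,
call memcpy #
mov rdx, r12 #, D.2735
mov rsi, rcx #, tmp126 # -fno-gcse: lea rsi, [rsp+128]
lea rdi, [rsp+32] #,
call memcpy #
"""

def canon(reg):
    """Map a 32-bit name (esi, r14d) to its 64-bit register (rsi, r14)."""
    reg = reg.rstrip("d") if reg[1].isdigit() else reg
    return "r" + reg[1:] if reg.startswith("e") else reg

def stale_reads(asm):
    """Return (line, register, instruction) for reads a prior call may have clobbered."""
    stale, findings = set(), []
    for no, raw in enumerate(asm.splitlines(), 1):
        text = raw.split("#")[0].strip()  # drop compiler comments
        if not text or text.endswith(":"):
            continue  # label: keep the fall-through state (conservative)
        op, _, rest = text.partition(" ")
        if op == "call":
            stale |= CALL_CLOBBERED  # callee may have changed all of these
            continue
        dst, _, src = rest.partition(",")
        writes = op in ("mov", "lea") and "[" not in dst
        read = {canon(r) for r in REG.findall(src if writes else rest)}
        findings += [(no, r, text) for r in sorted(read & stale)]
        if writes:
            stale.discard(canon(dst.strip()))  # register is freshly defined
    return findings

print(*stale_reads(LISTING), sep="\n")
```

Substituting the -fno-gcse form of the instruction (lea rsi, [rsp+128]) for both flagged lines makes the scan return no findings.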