[Bug c/50284] New: possible miscompilation with -fstrict-aliasing

[Bug c/50284] New: possible miscompilation with -fstrict-aliasing

[rafael.espindola at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

             Bug #: 50284
           Summary: possible miscompilation with -fstrict-aliasing
    Classification: Unclassified
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: rafael.espindola@gmail.com


I am not sure if the attached program is valid, but I think it is covered by
c99 6.5 p7. On irc pinkia points out that it might be invalid. His arguments
are

* upcast is undefined in general, 6.5 p7 is trying to allow downcasting.
* upcasting is defined when the type was originally that type.

Two followup observations are that

* If we read "z->data.XXX" as an access to the member (an not the full
structure), all the access in the program are of the correct type.
* On the implementation side, this "bug" show up when main is in a another
translation unit too, a case where gcc could not know if "the type was
originally that type".

Philip Taylor pointed me at
http://davmac.wordpress.com/2010/02/26/c99-revisited/ which has an interesting
discussion about "Does accessing an object constitute access to the containing
object"?

This bug is "fixed" on trunk by 160947, but since that is an optimization
change, it probably has just deactivated the code path that caused this
behavior.

For some context, this testcase is a reduction from:

http://hg.mozilla.org/mozilla-central/file/a351ae35f2c4/js/src/jscntxtinlines.h#l179

[Bug c/50284] possible miscompilation with -fstrict-aliasing

[rafael.espindola at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

--- Comment #1 from Rafael Avila de Espindola <rafael.espindola at gmail dot com> 2011-09-03 18:53:58 UTC ---
Created attachment 25188
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=25188
testcase

[Bug c/50284] possible miscompilation with -fstrict-aliasing

[rafael.espindola at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

--- Comment #2 from Rafael Avila de Espindola <rafael.espindola at gmail dot com> 2011-09-03 19:07:54 UTC ---
Forgot to mention, this only reproduces with -fPIC. So to reproduce this you
need

* a linux 32 bit build older than 160947
* run cc1 with: -quiet -fPIC -O2 -std=c99

[Bug c/50284] possible miscompilation with -fstrict-aliasing

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

--- Comment #3 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-09-03 20:52:49 UTC ---
struct Value {
  struct jsval data;
};
...
    struct jsval y = t3.array[i];
    struct Value *z = (struct Value*)&y;
    if (z->data.tag == 0xFFFFFF85) {

that's invalid in GCCs reading of 6.5 p7. jsval is a subset of Value's
alias-set
but not the other way around.  GCC reads z->data.tag as an access to an
object of type Value which is invalid.

The contorted reasoning is that the pointer conversion invokes undefined
behavior.  Definitely an interesting blog post ;)

[Bug c/50284] possible miscompilation with -fstrict-aliasing

[rafael.espindola at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

--- Comment #4 from Rafael Avila de Espindola <rafael.espindola at gmail dot com> 2011-09-03 22:54:10 UTC ---
(In reply to comment #3)
> struct Value {
>   struct jsval data;
> };
> ...
>     struct jsval y = t3.array[i];
>     struct Value *z = (struct Value*)&y;
>     if (z->data.tag == 0xFFFFFF85) {
> 
> that's invalid in GCCs reading of 6.5 p7. jsval is a subset of Value's
> alias-set
> but not the other way around.  GCC reads z->data.tag as an access to an
> object of type Value which is invalid.

So downcast (i.e. casting to a more specialized type) are invalid even if
original data type is correct (not that it is in the reduced testcase)? That is
really strict :-(

> The contorted reasoning is that the pointer conversion invokes undefined
> behavior.  Definitely an interesting blog post ;)

is there any hope that gcc could be made a bit less strict? Either reading the
member access as not involving an access to the full object or accepting
downcasts (when the original type matches) would work. My preference would be
for the second option, as downcasts are fairly common in OO.

[Bug c/50284] possible miscompilation with -fstrict-aliasing

[rafael.espindola at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

Rafael Avila de Espindola <rafael.espindola at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #25188|0                           |1
        is obsolete|                            |

--- Comment #5 from Rafael Avila de Espindola <rafael.espindola at gmail dot com> 2011-09-04 03:49:59 UTC ---
Created attachment 25189
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=25189
a better testcase

This one allocates the original objects as the "derived class" Value.

[Bug c/50284] possible miscompilation with -fstrict-aliasing

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50284

Richard Guenther <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID

--- Comment #6 from Richard Guenther <rguenth at gcc dot gnu.org> 2011-09-04 08:57:35 UTC ---
(In reply to comment #4)
> (In reply to comment #3)
> > struct Value {
> >   struct jsval data;
> > };
> > ...
> >     struct jsval y = t3.array[i];
> >     struct Value *z = (struct Value*)&y;
> >     if (z->data.tag == 0xFFFFFF85) {
> > 
> > that's invalid in GCCs reading of 6.5 p7. jsval is a subset of Value's
> > alias-set
> > but not the other way around.  GCC reads z->data.tag as an access to an
> > object of type Value which is invalid.
> 
> So downcast (i.e. casting to a more specialized type) are invalid even if
> original data type is correct (not that it is in the reduced testcase)? That is
> really strict :-(

No, if there is an object of dynamic type Value at &y then the code is valid.
But you've stored to *&y via an lvalue of type jsval and are reading from
it via an lvalue of type Value.

> > The contorted reasoning is that the pointer conversion invokes undefined
> > behavior.  Definitely an interesting blog post ;)
> 
> is there any hope that gcc could be made a bit less strict? Either reading the
> member access as not involving an access to the full object or accepting
> downcasts (when the original type matches) would work. My preference would be
> for the second option, as downcasts are fairly common in OO.

Well, if we allow this case then we can drop any advanced TBAA we do
completely.  This restriction is really fundamental to TBAA based
optimizations.

Otherwise consider

int i;
struct X { int k; .... };

int foo(struct X *p)
{
  i = 0;
  p->k = 1;
  return i;
}

and we couldn't be sure that p->k is not accessing i and thus not optimize
the above to return 0.  That would be very bad.

You have -fno-strict-aliasing to "save" you.

Your better testcase doesn't change anything - you've just changed the
type of an unrelated object.