https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65688

            Bug ID: 65688
           Summary: xbomb 2.2a segfault, infinite loop at -O2
           Product: gcc
           Version: 4.9.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: ncahill_alt at yahoo dot com

Created attachment 35247
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=35247&action=edit
Reduced source with the behaviour

Bug 36124 is similar to this issue, a loop that becomes infinite at -O2.

I think I've found the cause:

### from bug.c ###
struct temp {
    Pixel colours[17];          /* valid indices are 0..16 */
} resources;

for(i=0; i<18; i++) {          /* i runs 0..17: the last read, colours[17], is past the end */
    values.foreground=resources.colours[i];
    if (i==15) {
        XtVaGetValues(play_area,((char*)&XtStrings[52]),
            &values.background,((void *)0));
    }
}
### end ###

### from bug.c.129t.vrp2 ###
Value ranges after VRP:

i_9: [1, 17]

Folding predicate i_9 != 18 to 1
Removing basic block 7
### end ###

bug.c:18:38: warning: iteration 17u invokes undefined behavior
[-Waggressive-loop-optimizations]
   values.foreground=resources.colours[i];

I think this warning is not strong enough given that all one gets is a faceless
segfault.  It breaks at runtime; should it not be a fatal error?  Or if not,
should it not have stronger wording?  It seems to suggest one should switch off
the warning.

"warning: iteration 17u invokes undefined behaviour, expect it to fail, you
have been warned."

I say this because it isn't clear why the segfault happens at all.  The loop
loops 104 times and segfaults in an unrelated subroutine; the obvious thing to
think is that i is getting clobbered.

This is at -O1, which works:

        movl    $1, %ebx
        jmp     .L2
.L4:
        addl    $1, %ebx
.L2:
        movl    resources-4(,%ebx,4), %eax
        movl    %eax, 8(%esp)
        cmpl    $16, %ebx
        jne     .L3
        pushl   $0
        leal    16(%esp), %eax
        pushl   %eax
        pushl   $XtStrings+52
        pushl   play_area
        call    XtVaGetValues
        addl    $16, %esp
        jmp     .L4
.L3:
        cmpl    $17, %ebx
        jle     .L4

And this is at -O2:

        movl    $1, %ebx
        subl    $24, %esp
        jmp     .L2
.L3:
        addl    $1, %ebx
.L2:
        movl    resources-4(,%ebx,4), %eax
        cmpl    $16, %ebx
        movl    %eax, 8(%esp)
        jne     .L3
        pushl   $0
        leal    16(%esp), %eax
        pushl   %eax
        pushl   $XtStrings+52
        pushl   play_area
        call    XtVaGetValues
        addl    $16, %esp
        jmp     .L3


To reproduce:
gcc -m32 -O2 -S -c bug.c -o bug.S && cat bug.S | grep -v '^[[:space:]]\+\.'

The version: (GCC) 4.9.2, Linux x86.

Thank you.
Neil Cahill.
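The following script is an added example and is not part of the bug report or of xbomb. It rebuilds the loop from bug.c as a stand-alone translation unit, once with the reporter's bound of 18 over a 17-element array and once with the bound taken from the array itself, and compiles both at -O2 with -Werror=aggressive-loop-optimizations, which turns the warning quoted above into the hard build error the reporter asks for. It assumes a real GCC is on PATH; the file names unbounded_loop.c and bounded_loop.c, the sink global and the notify() callback are stand-ins invented here for values.foreground and XtVaGetValues.

```shell
#!/bin/sh
# Added example, not from the bug report: build the off-by-one loop from bug.c
# with the aggressive-loop warning promoted to an error, and show that the
# loop bounded by the array length compiles cleanly under the same flags.
# Assumptions: gcc on PATH; unbounded_loop.c / bounded_loop.c, 'sink' and
# notify() are hypothetical stand-ins for values.foreground and XtVaGetValues.

set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Write a constructed reduction of bug.c to $1 with loop bound $2.  The store
# to 'sink' and the call to notify() keep the loop alive at -O2, the roles
# values.foreground and XtVaGetValues play in the report.
write_case() {
    cat > "$1" <<EOF
#include <stddef.h>
typedef unsigned long Pixel;
struct temp { Pixel colours[17]; } resources;   /* valid indices 0..16 */
Pixel sink;
void notify(Pixel *p);
void walk(void) {
    size_t i;
    for (i = 0; i < $2; i++) {
        sink = resources.colours[i];
        if (i == 15) notify(&sink);
    }
}
EOF
}

# Compile $1 at -O2 with -Waggressive-loop-optimizations made fatal.  Prints
# "rejected" when gcc refuses the translation unit, "accepted" otherwise; the
# diagnostic goes to stderr so stdout stays parseable by the caller.
strict_build() {
    if gcc -O2 -Wall -Werror=aggressive-loop-optimizations \
           -c "$1" -o "$WORK/out.o" 2>"$WORK/err.txt"; then
        echo accepted
    else
        cat "$WORK/err.txt" >&2
        echo rejected
    fi
}

# Build the reporter's bound (18) and the array-derived bound (17) and report
# one line; "buggy:rejected fixed:accepted" is what a hardened build gives.
demo() {
    write_case "$WORK/unbounded_loop.c" 18
    write_case "$WORK/bounded_loop.c" \
        'sizeof resources.colours / sizeof resources.colours[0]'
    buggy=$(strict_build "$WORK/unbounded_loop.c")
    fixed=$(strict_build "$WORK/bounded_loop.c")
    printf 'buggy:%s fixed:%s\n' "$buggy" "$fixed"
}

if command -v gcc >/dev/null 2>&1; then
    demo
else
    echo "gcc not found on PATH; nothing to build" >&2
fi
```

The bounded variant still reaches the i == 15 call, since 15 is inside 0..16; only the 18th iteration, the one GCC reports as undefined, disappears. For a run-time check rather than a build-time one, GCC's -fsanitize=undefined (which includes array bounds checking from GCC 5 onward) reports the out-of-bounds index at the access instead of leaving a segfault in an unrelated routine.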
