https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70690
Bug ID: 70690
Summary: [6/7 Regression] r235002 miscompiles tcmalloc
Product: gcc
Version: 6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c++
Assignee: unassigned at gcc dot gnu.org
Reporter: trippels at gcc dot gnu.org
CC: jason at gcc dot gnu.org
Target Milestone: ---

Created attachment 38286
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=38286&action=edit
unreduced testcase

Starting with r235002 tcmalloc apparently gets miscompiled. Chromium uses tcmalloc and crashes on startup:

Program received signal SIGSEGV, Segmentation fault.
0x00005555564f7dbf in tcmalloc::CentralFreeList::FetchFromSpans() ()
(gdb) bt
#0  0x00005555564f7dbf in tcmalloc::CentralFreeList::FetchFromSpans() ()
#1  0x00005555564f8429 in tcmalloc::CentralFreeList::FetchFromSpansSafe() ()
#2  0x00005555564f84c2 in tcmalloc::CentralFreeList::RemoveRange(void**, void**, int) ()
#3  0x00005555564f3b94 in tcmalloc::ThreadCache::FetchFromCentralCache(unsigned long, unsigned long) ()
#4  0x000055555b24873a in tc_malloc ()
#5  0x000055555650a2ba in malloc ()
#6  0x00007ffff606b07d in __fopen_internal (filename=0x8a049a4f740 "/proc/31709/stat", mode=0x55555b252e53 "rb", is32=1) at iofopen.c:69
#7  0x00005555564849c6 in base::OpenFile(base::FilePath const&, char const*) ()
#8  0x0000555556483787 in base::ReadFileToStringWithMaxSize(base::FilePath const&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*, unsigned long) ()
#9  0x00005555564dae45 in base::internal::ReadProcStats(int, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >*) ()
#10 0x00005555564dbb03 in base::internal::ReadProcStatsAndGetFieldAsInt64(int, base::internal::ProcStatsFields) ()
#11 0x00005555564a2a72 in base::CurrentProcessInfo::CreationTime() ()
#12 0x000055555602a970 in ChromeMainDelegate::ChromeMainDelegate() ()
#13 0x00005555560299db in ChromeMain ()

I've narrowed the issue down to a single file (attached).
Assembly difference using: g++ -c -fPIC static_vars.ii -O2 -S markus@x4 Release % diff -u static_vars.s static_vars_bad.s --- static_vars.s 2016-04-16 13:52:18.332989892 +0200 +++ static_vars_bad.s 2016-04-16 13:34:21.899894073 +0200 @@ -1118,6 +1118,31 @@ .cfi_endproc .LFE1443: .size _ZN8tcmalloc6Static14InitStaticVarsEv, .-_ZN8tcmalloc6Static14InitStaticVarsEv + .section .text.startup,"ax",@progbits + .p2align 4,,15 + .type _GLOBAL__sub_I_static_vars.cc, @function +_GLOBAL__sub_I_static_vars.cc: +.LFB1718: + .cfi_startproc + movq _ZN8tcmalloc6Static14central_cache_E@GOTPCREL(%rip), %rdx + xorl %eax, %eax + leaq 64448(%rdx), %rsi + .p2align 4,,10 + .p2align 3 +.L68: + movq %rdx, %rdi + addq $1216, %rdx + movl $152, %ecx + cmpq %rdx, %rsi + rep stosq + jne .L68 + rep ret + .cfi_endproc +.LFE1718: + .size _GLOBAL__sub_I_static_vars.cc, .-_GLOBAL__sub_I_static_vars.cc + .section .init_array,"aw" + .align 8 + .quad _GLOBAL__sub_I_static_vars.cc .globl _ZN8tcmalloc6Static9pageheap_E .bss .align 8 @@ -1173,5 +1198,5 @@ .size _ZN8tcmalloc6Static14pageheap_lock_E, 4 _ZN8tcmalloc6Static14pageheap_lock_E: .zero 4 - .ident "GCC: (GNU) 6.0.0 20160415 (experimental)" + .ident "GCC: (GNU) 6.0.1 20160416 (prerelease)" .section .note.GNU-stack,"",@progbits It is weekend, so I haven't looked deeper yet.
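Review bot: the dynamic initializer added in the first hunk zero-fills an object that the good build left with no initializer at all, and because it is registered in `.init_array` it runs at program start, so it can clobber state that was set up before it. Concretely, `_GLOBAL__sub_I_static_vars.cc` loads the GOT address of `_ZN8tcmalloc6Static14central_cache_E`, clears `%rax`, and loops `rep stosq` with `movl $152, %ecx` over `addq $1216, %rdx` steps until `leaq 64448(%rdx)`, i.e. it writes 53 chunks of 1216 bytes (152 qwords each) of zeros over `tcmalloc::Static::central_cache_`. For a static-storage array that is already zero-initialized this is redundant at best; the likely failure mode is that `InitStaticVars` (the function immediately preceding the inserted code) has already populated the central free lists before this constructor fires, for instance via a `malloc` issued by an earlier-running constructor, and the zeroing then wipes them, which is consistent with the crash in `CentralFreeList::FetchFromSpans` reached from `tc_malloc` in the backtrace. Worth identifying which part of r235002 changed the constant-initialization decision for this array. The second hunk only changes the `.ident` version string and carries no code change.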