https://gcc.gnu.org/bugzilla/show_bug.cgi?id=86274

--- Comment #8 from Martin Jambor <jamborm at gcc dot gnu.org> ---
After a more careful look: The testcase from comment #5 calls
__builtin_alloca(1) and then tries to vsnprintf into that memory, so I
decided I'd go back to the original testcase.

It indeed does segfault when IPA-CP takes place, but it seems there
is already undefined behavior in what IPA-CP sees as its input,
looking into the release_ssa tree dump:

__gnu_cxx::__to_xstring<std::__cxx11::basic_string<char>, char> (int (*<T4030>) (char *, size_t, const char *, struct  *) __convf, size_t __n, const char * __fmt)
{
  struct forward_iterator_tag D.128814;
  struct  __args[1];
  char * __s;
  sizetype _1;
  char * _2;
  const int _11;
  char[16] * _15;

  <bb 2> [local count: 1073741825]:
  __s_6 = __builtin_alloca (__n_4(D));
  __builtin_va_start (&__args, 0);
  _11 = __convf_8(D) (__s_6, __n_4(D), __fmt_9(D), &__args);
  __builtin_va_end (&__args);
  _1 = (sizetype) _11;
  _2 = __s_6 + _1;
  _15 = &_13(D)->D.22460._M_local_buf;
  MEM[(struct _Alloc_hider *)_13(D)]._M_p = _15;
  std::__cxx11::basic_string<char>::_M_construct<char*> (_13(D), __s_6, _2, D.128814);
  __args ={v} {CLOBBER};
  return _13(D);
}

The two lines:

  _15 = &_13(D)->D.22460._M_local_buf;
  MEM[(struct _Alloc_hider *)_13(D)]._M_p = _15;

clearly take some value out of thin air and then store it into a
random place, and (in the subsequent call) the address of that random
place is passed to some constructor...  After inlining, the
default-defs proliferate even more.
