https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115404

            Bug ID: 115404
           Summary: [15 Regression] possibly wrong code on glibc-2.39
                    since r15-1113-gde05e44b2ad963
           Product: gcc
           Version: 15.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
  Target Milestone: ---

No minimal reproducer yet, filing in case it's an easy-to-notice bug from the
bisected r15-1113-gde05e44b2ad963:

  commit de05e44b2ad9638d04173393b1eae3c38b2c3864
  Author: Uros Bizjak <ubiz...@gmail.com>
  Date:   Sat Jun 8 12:17:11 2024 +0200

    i386: Implement .SAT_ADD for unsigned scalar integers [PR112600]

    ...

The bug manifests as a testsuite failure on mpfr-4.2.1 as:

  FAIL: tsprintf
  ==============

  Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end
  FAIL tsprintf (exit status: 134)

I think it's a `file->next->write_end` corruption around this code in glibc's
libio/iovsprintf.c:

```c
int
__vsprintf_internal (char *string, size_t maxlen,
                     const char *format, va_list args,
                     unsigned int mode_flags)
{
  struct __printf_buffer buf;

  if ((mode_flags & PRINTF_CHK) != 0)
    {
      string[0] = '\0';
      uintptr_t end;
      if (__builtin_add_overflow ((uintptr_t) string, maxlen, &end))
        end = -1;
      __printf_buffer_init_end (&buf, string, (char *) end,
                            __printf_buffer_mode_sprintf_chk);
    }
   ...
```

Could it be that the dead store to `&end` somehow conflicts with the following
`end = -1`?

I'll try to extract a self-contained example, but it will take some time.

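The idiom under suspicion is a saturating pointer-plus-length add: `__builtin_add_overflow` on `(uintptr_t) string` and `maxlen`, with `end` forced to `(uintptr_t) -1` on overflow, which is exactly the shape the .SAT_ADD expansion from the bisected commit matches. The following is an added, stand-alone example (not glibc's code and not the reporter's reproducer) that isolates that idiom and compares it against a reference written without the builtin, so compiling it with a suspect GCC gives a quick mismatch count; the edge-case inputs are constructed, and it assumes `size_t` and `uintptr_t` have the same width, as on x86-64 Linux.

```c
/* Added example: isolates the saturating end-pointer computation from
   __vsprintf_internal and checks it against a builtin-free reference. */
#include <stdint.h>
#include <stdio.h>

/* Same shape as glibc: end = string + maxlen, saturating to (uintptr_t)-1.
   Kept out of line so the pattern is compiled as written, not constant-folded
   at each call site. */
__attribute__((noinline)) uintptr_t
saturating_end (uintptr_t string, size_t maxlen)
{
  uintptr_t end;
  if (__builtin_add_overflow (string, maxlen, &end))
    end = -1;
  return end;
}

/* Reference without __builtin_add_overflow, so a miscompile of the
   .SAT_ADD form shows up as a mismatch. Assumes sizeof (size_t) ==
   sizeof (uintptr_t). */
uintptr_t
reference_end (uintptr_t string, size_t maxlen)
{
  if (maxlen > UINTPTR_MAX - string)
    return UINTPTR_MAX;
  return string + maxlen;
}

/* Runs both over constructed edge cases (no overflow, exact fit, overflow
   by one, maximal length) and returns the number of mismatches; 0 is good. */
int
check_saturating_end (void)
{
  const uintptr_t bases[] = { 0, 0x1000, UINTPTR_MAX - 16, UINTPTR_MAX };
  const size_t lens[] = { 0, 1, 16, 17, SIZE_MAX };
  int bad = 0;
  for (size_t i = 0; i < sizeof bases / sizeof bases[0]; i++)
    for (size_t j = 0; j < sizeof lens / sizeof lens[0]; j++)
      {
        uintptr_t got = saturating_end (bases[i], lens[j]);
        uintptr_t want = reference_end (bases[i], lens[j]);
        if (got != want)
          {
            printf ("mismatch: base=%#jx len=%#jx got=%#jx want=%#jx\n",
                    (uintmax_t) bases[i], (uintmax_t) lens[j],
                    (uintmax_t) got, (uintmax_t) want);
            bad++;
          }
      }
  return bad;
}
```

Build with the GCC under test (with and without `-O2`, since the .SAT_ADD expansion only fires under optimization) and call `check_saturating_end ()` from a `main`; a non-zero return points at the saturating add rather than at the glibc buffer logic.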