https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115404
Bug ID: 115404
Summary: [15 Regression] possibly wrong code on glibc-2.39 since r15-1113-gde05e44b2ad963
Product: gcc
Version: 15.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: target
Assignee: unassigned at gcc dot gnu.org
Reporter: slyfox at gcc dot gnu.org
Target Milestone: ---

No minimal reproducer yet, filing in case it's an easy-to-notice bug from the bisected r15-1113-gde05e44b2ad963:

```
commit de05e44b2ad9638d04173393b1eae3c38b2c3864
Author: Uros Bizjak <ubiz...@gmail.com>
Date:   Sat Jun 8 12:17:11 2024 +0200

    i386: Implement .SAT_ADD for unsigned scalar integers [PR112600]

...
```

The bug manifests as a testsuite failure on mpfr-4.2.1 as:

```
FAIL: tsprintf
==============
Fatal glibc error: printf_buffer_as_file.c:31 (__printf_buffer_as_file_commit): assertion failed: file->stream._IO_write_ptr <= file->next->write_end
FAIL tsprintf (exit status: 134)
```

I think it's a `file->next->write_end` corruption around this code in glibc's libio/iovsprintf.c:

```c
int
__vsprintf_internal (char *string, size_t maxlen,
                     const char *format, va_list args,
                     unsigned int mode_flags)
{
  struct __printf_buffer buf;

  if ((mode_flags & PRINTF_CHK) != 0)
    {
      string[0] = '\0';
      uintptr_t end;
      if (__builtin_add_overflow ((uintptr_t) string, maxlen, &end))
        end = -1;
      __printf_buffer_init_end (&buf, string, (char *) end,
                                __printf_buffer_mode_sprintf_chk);
    }
  ...
```

Could it be that the dead store to `&end` somehow conflicts with the following `end = -1`?

I'll try to extract a self-contained example, but it will take some time.
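The suspect glibc idiom, reduced to a stand-alone self-check. This is an added example, not code from the bug report or from glibc: `saturating_end()` repeats the `__builtin_add_overflow` / `end = -1` pattern quoted above (the form GCC's `.SAT_ADD` recognition targets for unsigned scalars), `saturating_end_ref()` is a hypothetical builtin-free reference used only to cross-check it, and the `cases` table is constructed input chosen so the overflow branch is actually taken. The reporter had no reduced reproducer, so whether GCC 15 at r15-1113 miscompiles this particular reduction is an open question: a PASS does not clear the compiler, while a FAIL (or a `saturating_end()` disassembly in which the `-1` store is missing or ordered before the add) is exactly the lead the report is looking for.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same idiom as glibc's __vsprintf_internal: the one-past-the-end address is
 * computed as an integer and saturates to UINTPTR_MAX (written as -1, as in
 * glibc) when string + maxlen would wrap. Kept out of line so the compiler
 * must emit the saturating add instead of folding the constant test inputs;
 * the attribute is GCC/Clang syntax (assumption: that is the compiler whose
 * .SAT_ADD lowering you want to inspect). */
__attribute__((noinline))
uintptr_t saturating_end(const char *string, size_t maxlen)
{
    uintptr_t end;
    if (__builtin_add_overflow((uintptr_t) string, maxlen, &end))
        end = -1;                  /* UINTPTR_MAX: treat the buffer as unbounded */
    return end;
}

/* Hypothetical reference: no builtin, no conditional store, just the
 * arithmetic definition of a saturating unsigned add. */
uintptr_t saturating_end_ref(uintptr_t base, size_t maxlen)
{
    if (maxlen > UINTPTR_MAX - base)
        return UINTPTR_MAX;
    return base + maxlen;
}

struct end_case { uintptr_t base; size_t maxlen; };

/* Constructed inputs: ordinary buffers plus bases at the top of the address
 * space so the overflow branch is exercised. The integer-to-pointer casts
 * below are never dereferenced. */
static const struct end_case cases[] = {
    { 0x1000,          0 },
    { 0x1000,          16 },
    { 0,               SIZE_MAX },
    { UINTPTR_MAX,     0 },
    { UINTPTR_MAX,     1 },         /* wraps */
    { UINTPTR_MAX - 7, 7 },         /* exactly UINTPTR_MAX, no wrap */
    { UINTPTR_MAX - 7, 8 },         /* wraps */
};

/* Returns the number of inputs on which the compiled idiom disagrees with the
 * reference; 0 means saturating_end() behaved as written. */
int check_saturating_end(void)
{
    int mismatches = 0;
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uintptr_t got  = saturating_end((const char *) cases[i].base, cases[i].maxlen);
        uintptr_t want = saturating_end_ref(cases[i].base, cases[i].maxlen);
        if (got != want) {
            printf("mismatch: base=%#" PRIxPTR " maxlen=%zu got=%#" PRIxPTR
                   " want=%#" PRIxPTR "\n",
                   cases[i].base, cases[i].maxlen, got, want);
            mismatches++;
        }
    }
    return mismatches;
}

int main(void)
{
    int bad = check_saturating_end();
    printf("%s (%d mismatches)\n", bad ? "FAIL" : "PASS", bad);
    return bad != 0;
}
```

Build it with the compiler under suspicion at the optimisation level the failing glibc was built with (e.g. `-O2`), run it, and compare the generated code for `saturating_end` before and after r15-1113 if the result differs between the two.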