https://gcc.gnu.org/bugzilla/show_bug.cgi?id=115701
Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                       |Added
----------------------------------------------------------------------------
            Version|unknown                       |15.0
           Assignee|unassigned at gcc dot gnu.org |rguenth at gcc dot gnu.org
             Blocks|68331                         |
             Status|NEW                           |ASSIGNED

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
Hmm.  We don't recompute alias after IPA and have:

  <bb 3> [local count: 1073741824]:
  # e_18 = PHI <&aD.2772(2), &dD.2774(4)>

but then after FRE3 I see

  <bb 3> [local count: 1073741824]:
  # PT = null
  # e_18 = PHI <&aD.2772(2), &dD.2774(4)>

this happens from

#0  0x0000000001a83bd4 in duplicate_ssa_name_ptr_info (
    name=<ssa_name 0x7ffff69db5a0 18>, ptr_info=0x7ffff69bbfc0)
    at ../../src/gcc/gcc/tree-ssanames.cc:755
#1  0x0000000001a0b263 in eliminate_dom_walker::eliminate_stmt (
    this=0x7fffffffd8d0, b=<basic_block 0x7ffff69b5780 (4)>,
    gsi=0x7fffffffd5b0) at ../../src/gcc/gcc/tree-ssa-sccvn.cc:6899
#2  0x0000000001a109bd in process_bb (avail=...,
    bb=<basic_block 0x7ffff69b5780 (4)>, bb_visited=false,
    iterate_phis=false, iterate=false, eliminate=true, do_region=false,
    exit_bbs=0x0, skip_phis=false)
    at ../../src/gcc/gcc/tree-ssa-sccvn.cc:8251

when we duplicate the undefined (g is uninitialized)

  *g = e;
  _4 = *g;

copy.  There we pick up the points-to set computed for _4 which is PT = null
(and correct).  Here we duplicate points-to info irrespective of flow (since
points-to is also computed that way).  But we can see here that this leads to
points-to info from code invoking UB leaking out.

      /* If this now constitutes a copy duplicate points-to
         and range info appropriately.  This is especially
         important for inserted code.  See tree-ssa-copy.cc
         for similar code.  */
      if (sprime
          && TREE_CODE (sprime) == SSA_NAME)
        {
          basic_block sprime_b = gimple_bb (SSA_NAME_DEF_STMT (sprime));
          if (POINTER_TYPE_P (TREE_TYPE (lhs))
              && SSA_NAME_PTR_INFO (lhs)
              && ! SSA_NAME_PTR_INFO (sprime))
            {
              duplicate_ssa_name_ptr_info (sprime,
                                           SSA_NAME_PTR_INFO (lhs));
              if (b != sprime_b)
                reset_flow_sensitive_info (sprime);
            }

range-info duplication is gated on b == sprime_b.

Note this doesn't have anything to do with IPA-PTA, a -fdisable-tree-alias
reproduces this as well (IPA PTA has that as a side-effect).

Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=68331
[Bug 68331] [meta-bug] fipa-pta issues