http://gcc.gnu.org/bugzilla/show_bug.cgi?id=48181
           Summary: [4.5/4.6/4.7 Regression] wrong code with -O -fgcse --param ira-max-conflict-table-size=0
           Product: gcc
           Version: 4.7.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: rtl-optimization
        AssignedTo: unassig...@gcc.gnu.org
        ReportedBy: zso...@seznam.cz
                CC: ja...@gcc.gnu.org
              Host: x86_64-pc-linux-gnu
            Target: x86_64-pc-linux-gnu

Created attachment 23705
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=23705
reduced testcase

Output:
$ gcc -O -fgcse --param ira-max-conflict-table-size=0 testcase.c
$ valgrind -q ./a.out
==11903== Invalid read of size 8
==11903==    at 0x4C2B44C: memcpy (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==11903==    by 0x400602: foo (testcase.c:47)
==11903==    by 0x4006AA: main (testcase.c:65)
==11903==  Address 0x38 is not stack'd, malloc'd or (recently) free'd

The way it crashes is similar to PR48156:
...
        lea     rcx, [rsp+128]  # tmp126,
        cmp     QWORD PTR [rsp+8], 0    # %sfp,
        jne     .L11    #,
        mov     esi, r14d       #, qsize
        mov     rdi, rcx        #, tmp126
        call    bar     #
.L11:
        mov     rdx, r12        #, D.2735
        mov     rsi, rcx        #, tmp126       # -fno-gcse: lea rsi, [rsp+128]
        lea     rdi, [rsp+64]   #,
        call    memcpy  #
        mov     rdx, r12        #, D.2735
        mov     rsi, rcx        #, tmp126       # -fno-gcse: lea rsi, [rsp+128]
        lea     rdi, [rsp+32]   #,
        call    memcpy  #
...
Both calls to memcpy() read rcx to set their parameters, but rcx is not preserved across a function call (it is changed either by the call to bar(), or by the first memcpy()).

Tested revisions:
r171088 - fail
4.6 r170095 - fail
4.5 r170095 - fail
4.4 r170095 - OK
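
The register reuse described in the report can be checked mechanically. The following is an added example, not part of the original report or of GCC: a linear scan over the instructions from the listing that flags reads of a caller-saved register after a call with no intervening write. The names stale_reads and canon are hypothetical, the clobber set assumes the System V x86-64 ABI, and labels are treated conservatively (control flow is not modelled).

```python
import re

# Caller-saved registers in the System V x86-64 ABI. rax is left out because
# reading it after a call is how a return value is consumed.
CLOBBERED = {"rcx", "rdx", "rsi", "rdi", "r8", "r9", "r10", "r11"}
REG = re.compile(r"\b(r(?:[a-d]x|[sd]i|[sb]p|1[0-5]|[89])d?|e(?:[a-d]x|[sd]i|[sb]p))\b")

def canon(reg):
    """Map 32-bit names (esi, r14d) onto the 64-bit register they alias."""
    if reg.startswith("e"):
        return "r" + reg[1:]
    return reg[:-1] if reg.endswith("d") else reg

def stale_reads(asm):
    """Return (line_no, register, callee) for each read of a register that an
    earlier call may have overwritten. Linear scan: labels keep the state."""
    stale, findings = {}, []
    for no, raw in enumerate(asm.strip().splitlines(), 1):
        line = raw.split("#")[0].strip()
        if not line or line.endswith(":"):
            continue
        mnemonic, _, rest = line.partition(" ")
        if mnemonic == "call":
            stale = {reg: rest.strip() for reg in CLOBBERED}
            continue
        ops = [o.strip() for o in rest.split(",") if o.strip()]
        dest = ops[0] if ops else ""
        writes_reg = bool(REG.fullmatch(dest)) and mnemonic not in ("cmp", "test")
        # mov/lea overwrite a register destination without reading it.
        reads = ops[1:] if writes_reg and mnemonic in ("mov", "lea") else ops
        for op in reads:
            for reg in map(canon, REG.findall(op)):
                if reg in stale:
                    findings.append((no, reg, stale[reg]))
        if writes_reg:
            stale.pop(canon(dest), None)
    return findings

# Instructions copied from the listing in the report, comments dropped.
BUGGY = ("lea rcx, [rsp+128]; cmp QWORD PTR [rsp+8], 0; jne .L11; mov esi, r14d; "
         "mov rdi, rcx; call bar; .L11:; mov rdx, r12; mov rsi, rcx; "
         "lea rdi, [rsp+64]; call memcpy; mov rdx, r12; mov rsi, rcx; "
         "lea rdi, [rsp+32]; call memcpy").replace("; ", "\n")
# The -fno-gcse form noted in the report: rsi is recomputed, not copied from rcx.
FIXED = BUGGY.replace("mov rsi, rcx", "lea rsi, [rsp+128]")

if __name__ == "__main__":
    for no, reg, callee in stale_reads(BUGGY):
        print(f"line {no}: {reg} read after 'call {callee}' without being rewritten")
```

The first finding only applies on the fall-through path through bar(); the second applies on every path, since the first memcpy() always runs before it.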