https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70559
Bug ID: 70559
Summary: Miscompilation of nsTextFormatter.cpp from Firefox with -Os -fomit-frame-pointer
Product: gcc
Version: 4.9.3
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: ipa
Assignee: unassigned at gcc dot gnu.org
Reporter: mh+gcc at glandium dot org
Target Milestone: ---

We've recently switched to GCC 4.8 to build Firefox (yeah, I know...), and valgrind detected an error that we subsequently identified as what looks like a GCC codegen/ipa bug. I was able to reproduce with GCC 4.9.3 from Debian (4.9.3-12) on x86-64. It doesn't reproduce with GCC 5, however.

Command line to reproduce:

    $ g++ -std=gnu++11 -g -Os -fomit-frame-pointer -fno-exceptions nsTextFormatter.ii -S -o nsTextFormatter.s

Look at the resulting assembly, and look at what corresponds to nsTextFormatter.cpp:857 (search for ".loc 1 857"). It looks like the following:

    .loc 1 857 0
    movl 0(%rbp), %eax
    leaq 2(%rbp), %r12
    .LVL184:
    testw %ax, %ax
    je .L526

The corresponding C++ is:

    while ((c = *aFmt++) != 0) {

where c is a char16_t and aFmt a const char16_t*.

Note how it's using movl to read *aFmt, instead of movw, which means it can read 2 bytes past the end of aFmt (and it does; that's what valgrind complains about, and it does so while reading at a 2-aligned address, so it's not about the read being considered safe because always 4-aligned, although it might be a misevaluation of that).

Building with -fno-omit-frame-pointer, the assembly looks like:

    .loc 1 857 0
    movw (%r12), %ax
    leaq 2(%r12), %r13
    .LVL183:
    testw %ax, %ax
    je .L525
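An over-read of two bytes past a terminator is only visible when the bytes after the string happen to be unmapped, which is why it took valgrind to notice it. The following C program is an added example, not code from the bug report, Firefox or GCC: it reproduces the loop shape from nsTextFormatter.cpp:857 and places the char16_t string flush against a PROT_NONE guard page, so the terminating NUL sits in the last two bytes of an accessible page at a 2-aligned (not 4-aligned) address. A correct compile (2-byte load per iteration) returns the unit count; a compile that widens the load to 4 bytes faults on the guard page instead of silently reading stale memory. The helper names count_units and count_units_guarded are hypothetical, the sample string is constructed, and the code assumes a POSIX system with mmap/mprotect (e.g. Linux).

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <uchar.h>
#include <sys/mman.h>
#include <unistd.h>

/* Same loop shape as the reported source line: walk a NUL-terminated
 * char16_t string one code unit at a time. A correct compile reads 2 bytes
 * per iteration (movw); the reported miscompile reads 4 (movl), which also
 * touches the two bytes immediately after the terminator. */
static size_t count_units(const char16_t *aFmt)
{
    size_t n = 0;
    char16_t c;
    while ((c = *aFmt++) != 0)
        n++;
    return n;
}

/* Copy `src` (units_incl_nul code units, NUL included) so that its last two
 * bytes are the last two bytes before an inaccessible guard page, then run
 * the loop over it. Any load that reaches past the terminator hits the guard
 * page and faults. Returns the unit count, or (size_t)-1 on setup failure.
 * Hypothetical helper written for this example. */
size_t count_units_guarded(const char16_t *src, size_t units_incl_nul)
{
    long page = sysconf(_SC_PAGESIZE);
    if (page <= 0) return (size_t)-1;
    size_t pg = (size_t)page;
    size_t bytes = units_incl_nul * sizeof(char16_t);
    if (bytes == 0 || bytes > pg) return (size_t)-1;

    /* Two pages: a readable/writable data page followed by a guard page. */
    unsigned char *base = mmap(NULL, 2 * pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED) return (size_t)-1;
    if (mprotect(base + pg, pg, PROT_NONE) != 0) {
        munmap(base, 2 * pg);
        return (size_t)-1;
    }

    /* bytes is even, so the string stays 2-byte aligned; the NUL lands at
     * base + pg - 2, which is 2-aligned but not 4-aligned, matching the
     * address pattern described in the report. */
    char16_t *s = (char16_t *)(base + pg - bytes);
    memcpy(s, src, bytes);

    size_t n = count_units(s);
    munmap(base, 2 * pg);
    return n;
}

int main(void)
{
    /* Constructed sample format string; 8 code units before the NUL. */
    static const char16_t sample[] = u"%d items";
    size_t n = count_units_guarded(sample, sizeof sample / sizeof sample[0]);
    printf("units before NUL: %zu\n", n);
    return n == 8 ? 0 : 1;
}
```

Building this with the same flags as the report (-Os -fomit-frame-pointer) under an affected compiler would turn the over-read into a SIGSEGV on every run, which is an easier regression check than a valgrind pass; a fixed compiler, or the -fno-omit-frame-pointer build, simply prints the count.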