https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65752
Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |wrong-code
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2016-10-20
     Ever confirmed|0                           |1

--- Comment #52 from Richard Biener <rguenth at gcc dot gnu.org> ---
Testcase with integers involving propagation that still "works" on trunk:

#include <stdio.h>

int main()
{
  int x, y = 1;
  int *volatile v;
  int *p;

  v = &y;
  p = v;
  unsigned long k = (unsigned long)(&x + 1);
  unsigned long pi = (unsigned long)p;
  if (pi == k)
    {
      pi+=4;
      p = (int *)pi;
      *(p-1) = 2;
      printf("y = %d\n", y);
    }
}

it needs enough obfuscation (before the equivalency propagation which has to
happen before another PTA pass happens). Either via IPA inlining if we'd ever
propagate such equivalences before inlining or as above via offsetting. Here
we replace pi with k in pi = pi + 4; which makes PTA consider pi to point to x.

The propagation essentially introduces undefined behavior.

You can expose the same issue by piecewise decomposing the pointer to chars,
and having them equivalency propagated in a bogus way, then reconstruct the
pointer from the chars. So it's not enough to disable pointer and uintptr_t
propagations either.

It's not enough to put points-to information in the dereference site (which
would fix some related issues) as this issue appears as part of PTA analysis
itself (it doesn't consider an equivalency relation to form a dependency, see
the discussion in this PR).
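
Added example, not part of the bug report: a sketch of the byte-wise construction the comment describes, written as a self-checking regression probe. The function name and the return convention are assumptions made here, and no claim is made about which GCC versions or optimization levels, if any, miscompile it.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical probe. Returns 1 when the outcome matches the source
 * semantics: either the two addresses differ (nothing to check) or the
 * store through the rebuilt pointer is visible in y. Returns 0 if y is
 * stale, i.e. the store was treated as not aliasing y. */
int bytewise_roundtrip_ok(void)
{
    int x = 0, y = 1;
    int *volatile v = &y;       /* hide the origin of p, as in the testcase */
    int *p = v;
    int *end_x = &x + 1;        /* one past x; may or may not equal &y */
    unsigned char pb[sizeof p], kb[sizeof end_x];
    size_t i;
    int *q;

    /* Piecewise decomposition of both pointers into chars. */
    memcpy(pb, &p, sizeof p);
    memcpy(kb, &end_x, sizeof end_x);

    /* Past this loop every pb[i] == kb[i] is known, which is the kind of
     * equivalence a value propagator could use to substitute kb for pb. */
    for (i = 0; i < sizeof pb; i++)
        if (pb[i] != kb[i])
            return 1;           /* stack layout did not line up */

    /* Rebuild the pointer from p's own bytes: in the source, q is derived
     * from &y only, so the store below must modify y. */
    memcpy(&q, pb, sizeof q);
    *q = 2;
    return y == 2;
}

int main(void)
{
    int ok = bytewise_roundtrip_ok();
    printf("byte-wise round trip %s\n", ok ? "consistent" : "MISCOMPILED");
    return ok ? 0 : 1;
}
```

Whether the branch is reached depends on how the compiler lays out x and y, so a passing run at one optimization level says nothing about another; build it at each level of interest.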