https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113066
Bug ID: 113066
Summary: Returning from a function marked noreturn allows
execution to fall-through
Product: gcc
Version: 14.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: translation
Assignee: unassigned at gcc dot gnu.org
Reporter: luke.geeson at cs dot ucl.ac.uk
Target Milestone: ---
Consider the following program.
```
[[noreturn]] inline void ub_if_reached() { return; }
void P0 () {
atomic_store_explicit(y,1,memory_order_release);
ub_if_reached();
}
```
If compiled to target Armv8-a using `clang -O3`
(https://godbolt.org/z/T33Yncjsh), the whole of `P0` is optimised away.
This is because `ub_if_reached` is marked as `noreturn` which means this
function should not return, however the `return` statement does exactly that,
inducing undefined behaviour.
Clang warns of this behaviour, and optimises away the code in `P0` before the
call, since it assumes a program is UB-free and that `P0` is therefore
unreachable. Further if we define an `f` that calls a `g` that calls `P0` from
`main` then all functions including `main` are also optimised away
(https://godbolt.org/z/qsraYr7o5).
Technically the standards and compiler are not required to do anything here as
there is UB, however if this program is compiled and linked with a program that
calls `P0` then the resultant execution may fallthrough to the code below `P0`.
Both GCC and LLVM allow `P0` to fallthrough - this is not good and only
functions guaranteed to return should be subject to this optimisation.
In practice we can fix this by:
- emitting an explicit abort (or undefined instruction that causes a trap) at
the end of `noreturn` functions like `ub_if_reached`, or
- if the compiler can statically determine that a `noreturn` function does in
fact `return` then ignore the noreturn attribute, and emit an abort on return.
As far as I can tell, this behaviour arises in clang, but clang has an optional
`-mllvm -trap-unreachable` to prevent this behaviour. I was made aware that GCC
has `-fsanitize=undefined` `-fsanitize-trap=undefined` for this, but these seem
to be general options. It would be good for GCC to have a flag similar to
`-mllvm -trap-unreachable`.
Disclaimer: The views of the authors expressed in this bug report are my own
and are not endorsed by Arm or any other company mentioned.
