https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107769
Bug ID: 107769
Summary: -flto with -Os/-O2/-O3 emitted code with gcc 12.x segfaults via mutated global in .rodata
Product: gcc
Version: 12.2.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: c
Assignee: unassigned at gcc dot gnu.org
Reporter: resence at parsoma dot net
Target Milestone: ---

Created attachment 53931
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=53931&action=edit
Small, preprocessed testcase to reproduce this issue via -save-temps

On a Debian unstable amd64 system running "gcc (Debian 12.2.0-9) 12.2.0" running any of:

gcc -flto -Wall -Wextra -pedantic -fopt-info -finline-limit=150 -Os -fno-strict-aliasing -o r.OsNoG repro.c
gcc -flto -Wall -g -Wextra -pedantic -finline-limit=150 -Os -fno-strict-aliasing -o r.Os repro.c
gcc -flto -Wall -Wextra -pedantic -fopt-info -finline-limit=150 -O2 -fno-strict-aliasing -o r.O2NoG repro.c
gcc -flto -Wall -g -Wextra -pedantic -finline-limit=150 -O2 -fno-strict-aliasing -o r.O2 repro.c
gcc -flto -Wall -Wextra -pedantic -finline-limit=150 -O3 -fno-strict-aliasing -o r.O3noG repro.c
gcc -flto -Wall -Wextra -g -pedantic -finline-limit=150 -O3 -fno-strict-aliasing -o r.O3 repro.c

on the attached repro.c test case results in

repro.c: In function ‘incRef__system_5450’:
repro.c:12:39: warning: unused parameter ‘c’ [-Wunused-parameter]
   12 | static void incRef__system_5450(void* c) {
      |                                 ~~~~~~^
repro.c: In function ‘isOnStack__system_5438’:
repro.c:15:74: warning: unused parameter ‘p’ [-Wunused-parameter]
   15 | unsigned char __attribute__((__noinline__)) isOnStack__system_5438(void *p) {
      |                                                                    ~~~~~~^

and a binary which segfaults:

$ for i in r.O*; do echo $i; ./$i; done
r.O2
Segmentation fault
r.O2NoG
Segmentation fault
r.O3
Segmentation fault
r.O3noG
Segmentation fault
r.Os
Segmentation fault
r.OsNoG
Segmentation fault

Running valgrind results in:

==1048150== Memcheck, a memory error detector
==1048150== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==1048150== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==1048150== Command: ./r.Os
==1048150==
==1048150==
==1048150== Process terminating with default action of signal 11 (SIGSEGV)
==1048150==  Bad permissions for mapped region at address 0x10A008
==1048150==    at 0x109098: UnknownInlinedFun (repro.c:24)
==1048150==    by 0x109098: UnknownInlinedFun (repro.c:45)
==1048150==    by 0x109098: main (repro.c:50)

(with similar output for other optimization settings, less for settings without debug information)

The proximate cause of this is that the global variable g__r_1 has been placed in the .rodata section:

(gdb) p &g__r_1
$2 = (void **) 0x555555556008 <g.r_1>
(gdb) info file
...
0x0000555555556000 - 0x0000555555556010 is .rodata
...

This seems to only happen with a combination of all of
(a) -flto (even with one source file),
(b) some greater-than-O1 level optimization level,
(c) absence of -fno-inline-small-functions option; and
(d) gcc 12.x or newer.

Running gcc UBSAN on this reveals nothing obviously additional:

$ rm -v a.out && gcc -Og -flto -finline-limit=150 -fsanitize=undefined -Wall -Wextra -pedantic -fno-strict-aliasing repro.c && ./a.out && echo gcc UBSAN complete
removed 'a.out'
repro.c: In function ‘incRef__system_5450’:
repro.c:12:39: warning: unused parameter ‘c’ [-Wunused-parameter]
   12 | static void incRef__system_5450(void* c) {
      |                                 ~~~~~~^
repro.c: In function ‘isOnStack__system_5438’:
repro.c:15:74: warning: unused parameter ‘p’ [-Wunused-parameter]
   15 | unsigned char __attribute__((__noinline__)) isOnStack__system_5438(void *p) {
      |                                                                    ~~~~~~^
gcc UBSAN complete
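
Added example, not part of the original report or of GCC: a triage helper that maps the two addresses quoted above (gdb's `&g__r_1` and Valgrind's fault address) to an image-relative address and checks the owning section's write flag. The `readelf -SW` rows are constructed (only the .rodata range follows the gdb output), and the two PIE load bases are assumptions about gdb and Valgrind defaults on amd64 Linux.

```python
import re

# Constructed sample of `readelf -SW` rows for illustration. Only the .rodata
# range (address 0x2000, size 0x10) is derived from the report's gdb output,
# using the assumed gdb load base below; the other rows are made up.
READELF_SECTIONS = """\
  [14] .text             PROGBITS        0000000000001040 001040 000125 00  AX  0   0 16
  [16] .rodata           PROGBITS        0000000000002000 002000 000010 00   A  0   0  8
  [24] .data             PROGBITS        0000000000004000 003000 000010 00  WA  0   0  8
  [25] .bss              NOBITS          0000000000004010 003010 000008 00  WA  0   0  1
"""

# Assumed load bases for a PIE binary on amd64 Linux (not stated in the report).
GDB_PIE_BASE = 0x555555554000   # gdb with ASLR disabled
VALGRIND_PIE_BASE = 0x108000    # Valgrind's mapping of the main executable

def parse_sections(text):
    """Return (name, start, end, flags) tuples from `readelf -SW` rows."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*\[\s*\d+\]\s+(.*)", line)
        if not m:
            continue
        f = m.group(1).split()
        if len(f) < 9:
            continue  # the NULL section row has no name
        name, addr, size = f[0], int(f[2], 16), int(f[4], 16)
        flags = f[6] if len(f) == 10 else ""  # flags column may be empty
        sections.append((name, addr, addr + size, flags))
    return sections

def classify(runtime_addr, load_base, sections):
    """Map a runtime address to (section, image-relative address, writable)."""
    rva = runtime_addr - load_base
    for name, start, end, flags in sections:
        if start <= rva < end:
            return name, rva, "W" in flags
    return None, rva, False

if __name__ == "__main__":
    secs = parse_sections(READELF_SECTIONS)
    # Addresses quoted in the report: &g__r_1 from gdb, fault address from Valgrind.
    for label, addr, base in (("gdb &g__r_1", 0x555555556008, GDB_PIE_BASE),
                              ("valgrind fault", 0x10A008, VALGRIND_PIE_BASE)):
        name, rva, writable = classify(addr, base, secs)
        print(f"{label}: {rva:#x} in {name}, writable={writable}")
```

Under those assumptions both tools resolve to the same image-relative address, 0x2008, inside a section without the W flag, which matches Valgrind's "Bad permissions for mapped region" on a store.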