https://gcc.gnu.org/bugzilla/show_bug.cgi?id=122976

            Bug ID: 122976
           Summary: Miscompile with mixed lto/non-lto, -O3 - stack
                    variable getting clobbered with invalid values
           Product: gcc
           Version: 15.2.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: arnetheduck at gmail dot com
  Target Milestone: ---

Created attachment 62978
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=62978&action=edit
build.sh + .i files for repro

In the attached program, compiling it with LTO partially enabled leads to a
stack variable being overwritten with invalid values which in turn leads to a
segfault / valgrind violation.

The miscompilation happens in the function
`_ZN25hexary_proof_verification11getNextNodeEN3rlp3RlpEN7nibbles10NibblesBufE`
(or one of its callees) where the variable `nextRef_1` gets overwritten with
junk leading to several problems ending with an invalid `free` call that
crashes the application. 

There are a few things that can be done to avoid the issue, making both the
segfault and all valgrind errors go away:

* compile all TUs with LTO enabled
* compile all TUs with LTO disabled
* lower the optimization level to O2

```
==2548563== Conditional jump or move depends on uninitialised value(s)
==2548563==    at 0x4197B3: system::eqdestroy_(seq<uInt8>)
(@psystem.nim.c:1233)
==2548563==    by 0x43ECBC: _ZN3rlp10eqdestroy_E3varIN3rlp3RlpEE
(@[email protected]:1156)
==2548563==    by 0x43ECBC:
_ZN25hexary_proof_verification11getNextNodeEN3rlp3RlpEN7nibbles10NibblesBufE
(@m..@strie@shexary_proof_verification.nim.c:2146)
==2548563==    by 0x43ECBC:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2764)
==2548563==    by 0x441005:
_ZN25hexary_proof_verification14verifyMptProofE3seqI3seqI5uInt8EEN6hashes6Hash32E9openArrayI5uInt8E9openArrayI5uInt8E
(@m..@strie@shexary_proof_verification.nim.c:2959)
==2548563==    by 0x441005: keys::runTestX60gensym60_(string, string)
(@mkeys.nim.c:2560)
==2548563==    by 0x4394AE: _ZN4keys9runDirectEN4keys4TestE (@mkeys.nim.c:3071)
==2548563==    by 0x4394AE: NimMainModule (@mkeys.nim.c:3337)
==2548563==    by 0x400604: NimMainInner (@mkeys.nim.c:3268)
==2548563==    by 0x400604: NimMain (@mkeys.nim.c:3279)
==2548563==    by 0x400604: main (@mkeys.nim.c:3287)
==2548563==  Uninitialised value was created by a stack allocation
==2548563==    at 0x43DE9E:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2722)
==2548563== 
==2548563== Use of uninitialised value of size 8
==2548563==    at 0x4197B5: system::eqdestroy_(seq<uInt8>)
(@psystem.nim.c:1233)
==2548563==    by 0x43ECBC: _ZN3rlp10eqdestroy_E3varIN3rlp3RlpEE
(@[email protected]:1156)
==2548563==    by 0x43ECBC:
_ZN25hexary_proof_verification11getNextNodeEN3rlp3RlpEN7nibbles10NibblesBufE
(@m..@strie@shexary_proof_verification.nim.c:2146)
==2548563==    by 0x43ECBC:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2764)
==2548563==    by 0x441005:
_ZN25hexary_proof_verification14verifyMptProofE3seqI3seqI5uInt8EEN6hashes6Hash32E9openArrayI5uInt8E9openArrayI5uInt8E
(@m..@strie@shexary_proof_verification.nim.c:2959)
==2548563==    by 0x441005: keys::runTestX60gensym60_(string, string)
(@mkeys.nim.c:2560)
==2548563==    by 0x4394AE: _ZN4keys9runDirectEN4keys4TestE (@mkeys.nim.c:3071)
==2548563==    by 0x4394AE: NimMainModule (@mkeys.nim.c:3337)
==2548563==    by 0x400604: NimMainInner (@mkeys.nim.c:3268)
==2548563==    by 0x400604: NimMain (@mkeys.nim.c:3279)
==2548563==    by 0x400604: main (@mkeys.nim.c:3287)
==2548563==  Uninitialised value was created by a stack allocation
==2548563==    at 0x43DE9E:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2722)
==2548563== 
==2548563== Conditional jump or move depends on uninitialised value(s)
==2548563==    at 0x4842DF6: free (vg_replace_malloc.c:990)
==2548563==    by 0x43ECBC: _ZN3rlp10eqdestroy_E3varIN3rlp3RlpEE
(@[email protected]:1156)
==2548563==    by 0x43ECBC:
_ZN25hexary_proof_verification11getNextNodeEN3rlp3RlpEN7nibbles10NibblesBufE
(@m..@strie@shexary_proof_verification.nim.c:2146)
==2548563==    by 0x43ECBC:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2764)
==2548563==    by 0x441005:
_ZN25hexary_proof_verification14verifyMptProofE3seqI3seqI5uInt8EEN6hashes6Hash32E9openArrayI5uInt8E9openArrayI5uInt8E
(@m..@strie@shexary_proof_verification.nim.c:2959)
==2548563==    by 0x441005: keys::runTestX60gensym60_(string, string)
(@mkeys.nim.c:2560)
==2548563==    by 0x4394AE: _ZN4keys9runDirectEN4keys4TestE (@mkeys.nim.c:3071)
==2548563==    by 0x4394AE: NimMainModule (@mkeys.nim.c:3337)
==2548563==    by 0x400604: NimMainInner (@mkeys.nim.c:3268)
==2548563==    by 0x400604: NimMain (@mkeys.nim.c:3279)
==2548563==    by 0x400604: main (@mkeys.nim.c:3287)
==2548563==  Uninitialised value was created by a stack allocation
==2548563==    at 0x43DE9E:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2722)
==2548563== 
==2548563== Invalid free() / delete / delete[] / realloc()
==2548563==    at 0x4842E43: free (vg_replace_malloc.c:990)
==2548563==    by 0x43ECBC: _ZN3rlp10eqdestroy_E3varIN3rlp3RlpEE
(@[email protected]:1156)
==2548563==    by 0x43ECBC:
_ZN25hexary_proof_verification11getNextNodeEN3rlp3RlpEN7nibbles10NibblesBufE
(@m..@strie@shexary_proof_verification.nim.c:2146)
==2548563==    by 0x43ECBC:
hexary_proof_verification::verifyProof(ref<db::TrieDatabaseRefcolonObjectType_>,
hashes::Hash32, openArray<uInt8>)
(@m..@strie@shexary_proof_verification.nim.c:2764)
==2548563==    by 0x441005:
_ZN25hexary_proof_verification14verifyMptProofE3seqI3seqI5uInt8EEN6hashes6Hash32E9openArrayI5uInt8E9openArrayI5uInt8E
(@m..@strie@shexary_proof_verification.nim.c:2959)
==2548563==    by 0x441005: keys::runTestX60gensym60_(string, string)
(@mkeys.nim.c:2560)
==2548563==    by 0x4394AE: _ZN4keys9runDirectEN4keys4TestE (@mkeys.nim.c:3071)
==2548563==    by 0x4394AE: NimMainModule (@mkeys.nim.c:3337)
==2548563==    by 0x400604: NimMainInner (@mkeys.nim.c:3268)
==2548563==    by 0x400604: NimMain (@mkeys.nim.c:3279)
==2548563==    by 0x400604: main (@mkeys.nim.c:3287)
==2548563==  Address 0x54cba8 is 8 bytes inside data symbol
"TM__M68nGWgBGfdRpIiz8SqAwg_88"
```

The code is clean when compiled with -fsanitize=address,undefined.

```
gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/15/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none:amdgcn-amdhsa
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-redhat-linux
Configured with: ../configure --enable-bootstrap
--enable-languages=c,c++,fortran,objc,obj-c++,ada,go,d,m2,cobol,lto
--prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info
--with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-shared
--enable-threads=posix --enable-checking=release --enable-multilib
--with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions
--enable-gnu-unique-object --enable-linker-build-id
--with-gcc-major-version-only --enable-libstdcxx-backtrace
--with-libstdcxx-zoneinfo=/usr/share/zoneinfo --with-linker-hash-style=gnu
--enable-plugin --enable-initfini-array
--with-isl=/builddir/build/BUILD/gcc-15.2.1-build/gcc-15.2.1-20251111/obj-x86_64-redhat-linux/isl-install
--enable-offload-targets=nvptx-none,amdgcn-amdhsa --enable-offload-defaulted
--without-cuda-driver --enable-gnu-indirect-function --enable-cet
--with-tune=generic --with-arch_32=i686 --build=x86_64-redhat-linux
--with-build-config=bootstrap-lto --enable-link-serialization=1
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 15.2.1 20251111 (Red Hat 15.2.1-4) (GCC) 
```

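The report lists three configurations that make the problem disappear (all TUs LTO, all TUs non-LTO, or -O2) and one that triggers it (mixed LTO/non-LTO at -O3). The script below is an added example, not the reporter's attached build.sh and not part of the bug: it wires up that same four-way build matrix on two constructed C translation units, links each variant through the gcc driver with -flto so the LTO plugin sees the mixed objects, runs every binary (under valgrind when it is installed) and counts the variants whose output disagrees with the all-non-LTO baseline. The sources, the `struct buf` type and the 0..15 byte fill are placeholders and do not reproduce the miscompile; the value of the harness is that the reporter's own .i files can be dropped into `write_sources` in place of them.

```shell
#!/bin/sh
# Added example: a mixed LTO / non-LTO build matrix for triaging a suspected
# miscompile. Not the bug report's build.sh; a.c and b.c are constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

write_sources() {
    # a.c owns the stack object (the role of nextRef_1's frame in the report).
    cat > "$WORK/a.c" <<'EOF'
#include <stdio.h>
#include <stdlib.h>
struct buf { unsigned char *p; size_t len; };
void fill(struct buf *b, size_t n);   /* defined in b.c */
void release(struct buf *b);          /* defined in b.c */
int main(void) {
    struct buf next = {0};
    fill(&next, 16);
    unsigned sum = 0;
    for (size_t i = 0; i < next.len; i++) sum += next.p[i];
    release(&next);
    printf("%u\n", sum);
    return 0;
}
EOF
    # b.c is the callee side that allocates and frees (the destructor role).
    cat > "$WORK/b.c" <<'EOF'
#include <stdlib.h>
struct buf { unsigned char *p; size_t len; };
void fill(struct buf *b, size_t n) {
    b->p = malloc(n); b->len = n;
    for (size_t i = 0; i < n; i++) b->p[i] = (unsigned char)i;
}
void release(struct buf *b) { free(b->p); b->p = 0; b->len = 0; }
EOF
}

# build_variant NAME OPT A_LTO B_LTO
#   OPT is -O2 or -O3; A_LTO and B_LTO are "-flto" or "" per translation unit.
build_variant() {
    name=$1; opt=$2; a_lto=$3; b_lto=$4
    gcc -c $opt $a_lto "$WORK/a.c" -o "$WORK/a_$name.o"
    gcc -c $opt $b_lto "$WORK/b.c" -o "$WORK/b_$name.o"
    # Always link with -flto: objects carrying LTO bytecode go through the
    # plugin, plain objects are handed to ld unchanged, which is exactly the
    # mixed situation the report describes.
    gcc $opt -flto "$WORK/a_$name.o" "$WORK/b_$name.o" -o "$WORK/$name"
}

# run_variant NAME: run under valgrind when available, natively otherwise.
# Prints the program's stdout; exits non-zero on a crash or a valgrind error.
run_variant() {
    if command -v valgrind >/dev/null 2>&1; then
        valgrind -q --error-exitcode=99 "$WORK/$1"
    else
        "$WORK/$1"
    fi
}

# build_matrix: the four configurations from the report. Returns the number
# of variants whose output differs from (or crashes relative to) the
# all-non-LTO -O3 baseline, so 0 means no divergence was observed.
build_matrix() {
    write_sources
    build_variant nolto_o3 -O3 ""    ""
    build_variant lto_o3   -O3 -flto -flto
    build_variant mixed_o3 -O3 -flto ""
    build_variant mixed_o2 -O2 -flto ""
    baseline=$(run_variant nolto_o3)
    bad=0
    for v in lto_o3 mixed_o3 mixed_o2; do
        out=$(run_variant "$v") || out="CRASH"
        if [ "$out" != "$baseline" ]; then
            echo "MISMATCH $v: got '$out', expected '$baseline'" >&2
            bad=$((bad + 1))
        fi
    done
    return $bad
}
```

With the placeholder sources every variant prints 120 and `build_matrix` returns 0; a divergence of the kind in the report shows up as a non-zero return plus a MISMATCH line naming the configuration, and with valgrind installed the uninitialised-value and invalid-free reports appear on stderr for that variant only.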