https://gcc.gnu.org/bugzilla/show_bug.cgi?id=123888
--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
What I see under the debugger (when using -g2 instead of -g1) at that cmp %rdx,%rax insn above is:
(gdb) p *(mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL> *)($r13-24)
$9 = {<nsIURIMutator> = {<nsIURISetters> = {<nsIURISetSpec> = {<nsISupports> = {_vptr.nsISupports = 0x7fffebf39fe8 <vtable for mozilla::net::nsStandardURL::Mutator+16>, static kIID = {m0 = 0, m1 = 0, m2 = 0, m3 = "\300\000\000\000\000\000\000F"}}, static kIID = {m0 = 533017175, m1 = 35211, m2 = 19550, m3 = "\266\234\005\274\204\264<BF>"}}, static kIID = {m0 = 1409525484, m1 = 39383, m2 = 16478, m3 = "\213E\237\200[\275\374", <incomplete sequence \357>}}, static kIID = {m0 = 1293889795, m1 = 7236, m2 = 19917, m3 = "\267\027]\"\246\227\247", <incomplete sequence \331>}},
  <BaseURIMutator<mozilla::net::nsStandardURL>> = {_vptr.BaseURIMutator = 0x7fffebf3a0e8 <vtable for mozilla::net::nsStandardURL::Mutator+272>, mURI = {mRawPtr = 0x0}},
  <nsIStandardURLMutator> = {<nsISupports> = {_vptr.nsISupports = 0x7fffebf3a100 <vtable for mozilla::net::nsStandardURL::Mutator+296>, static kIID = {m0 = 0, m1 = 0, m2 = 0, m3 = "\300\000\000\000\000\000\000F"}}, static kIID = {m0 = 4236856984, m1 = 9121, m2 = 17357, m3 = "\247\376r\207o\216\242", <incomplete sequence \356>}},
  <nsIURLMutator> = {<nsISupports> = {_vptr.nsISupports = 0x7fffebf3a138 <vtable for mozilla::net::nsStandardURL::Mutator+352>, static kIID = {m0 = 0, m1 = 0, m2 = 0, m3 = "\300\000\000\000\000\000\000F"}}, static kIID = {m0 = 621227704, m1 = 61926, m2 = 18479, m3 = "\234\251\355\335=e\026\232"}},
  <nsIFileURLMutator> = {<nsISupports> = {_vptr.nsISupports = 0x7fffebf3a178 <vtable for mozilla::net::nsStandardURL::Mutator+416>, static kIID = {m0 = 0, m1 = 0, m2 = 0, m3 = "\300\000\000\000\000\000\000F"}}, static kIID = {m0 = 2777200370, m1 = 53945, m2 = 16420, m3 = "\204<BF>3hTkW"}},
  <nsISerializable> = {<nsISupports> = {_vptr.nsISupports = 0x7fffebf3a1b0 <vtable for mozilla::net::nsStandardURL::Mutator+472>, static kIID = {m0 = 0, m1 = 0, m2 = 0, m3 = "\300\000\000\000\000\000\000F"}}, static kIID = {m0 = 2446109057, m1 = 49773, m2 = 17576, m3 = "\276\276\331\355H\221P:"}},
  mMarkedFileURL = false}
(gdb) p &((mozilla::net::nsStandardURL::TemplatedMutator<mozilla::net::nsStandardURL> *)($r13-24))->mURI.mRawPtr
$10 = (mozilla::net::nsStandardURL **) 0x7fffccaf7700
(gdb) p/x $r13
$11 = 0x7fffccaf7708
(gdb) p/x $r13-24
$12 = 0x7fffccaf76f0
i.e. mURI.mRawPtr is NULL at that point, and MEM[(const struct RefPtr *)_188 +
-8B].mRawPtr is the right offset to access it at that point - the non-virtual
thunk subtracts 24 bytes.
Still, _ZN7mozilla3net13nsStandardURL4InitEjiRK12nsTSubstringIcEPKcP6nsIURI before IPA is doing, among other things (note that this_20(D) is the caller's _188 - 24):
  _51 = MEM[(const struct RefPtr *)this_20(D) + 16B].mRawPtr;
  if (_51 != 0B)
    goto <bb 5>; [INV]
  else
    goto <bb 6>; [INV]

  <bb 5> :
  MEM[(struct RefPtr *)this_20(D) + 16B].mRawPtr = 0B;
  goto <bb 8>; [INV]

  <bb 6> :
  _4 = this_20(D)->D.1367904.D.273177.D.273160.D.273079._vptr.nsISupports;
  _6 = MEM[(int (*__vtbl_ptr_type) () *)_4 + 200B];
  _7 = OBJ_TYPE_REF(_6;(struct TemplatedMutator)this_20(D)->25B) (this_20(D));
  if (_7 != 0B)
    goto <bb 7>; [70.00%]
  else
    goto <bb 8>; [30.00%]

  <bb 7> :
  _55 = _7->D.1368030.D.1350637.D.1350598.D.272311._vptr.nsISupports;
  _56 = MEM[(int (*__vtbl_ptr_type) () *)_55 + 8B];
  OBJ_TYPE_REF(_56;(struct nsStandardURL)_7->1B) (_7);

  <bb 8> :
  # uri$mRawPtr_70 = PHI <_51(5), _7(7), 0B(6)>
  rv_38 = mozilla::net::nsStandardURL::Init (uri$mRawPtr_70, aURLType_32(D), aDefaultPort_33(D), aSpec_34(D), aCharset_35(D), aBaseURI_36(D));
i.e. if _51 is not NULL, it stores NULL there and calls nsStandardURL::Init with _51 as this; if it is NULL (the case during firefox startup), it calls some function to create it. And that conditional is clearly gone in the optimized dump.
Now, looking at libxul.so.ltrans2.ltrans.121t.phiprop2, I see there the
conditional:
  _153 = MEM[(const struct RefPtr *)_233 + 16B].mRawPtr;
  if (_153 != 0B)
    goto <bb 31>; [0.00%]
  else
    goto <bb 32>; [100.00%]

  <bb 31> [count: 0]:
  MEM[(struct RefPtr *)_233 + 16B].mRawPtr = 0B;
  rv_160 = Init (_153, 2, _99, aSpec_9(D), aCharset_269(D), aBaseURI_268(D));
  _161 = (signed int) rv_160;
  _162 = _161 != 0;
  _163 = (long int) _162;
  _164 = _163;
  if (_164 != 0)
    goto <bb 35>; [0.00%]
  else
    goto <bb 33>; [0.00%]

  <bb 32> [count: 0]:
  _154 = MEM[(struct TemplatedMutator *)_233].D.6066.D.5807.D.5804.D.5801._vptr.nsISupports;
  _155 = MEM[(int (*__vtbl_ptr_type) () *)_154 + 200B];
  __builtin_unreachable ();
but clearly IPA thinks that for some reason the code for mRawPtr == 0 invokes
UB.
In the inline dump there is:
Expanding speculative call of NewStandardURI/60 -> Finalize/65 count: 47149 (adjusted)
Expanding speculative call of NewStandardURI/60 -> Release/66 count: 47149 (adjusted)
Expanding speculative call of NewStandardURI/60 -> AddRef/80 count: 47149 (adjusted)
Expanding speculative call of NewStandardURI/60 -> Release/81 count: 47149 (adjusted)
Expanding speculative call of NewStandardURI/60 -> _ZThn24_N7mozilla3net13nsStandardURL16TemplatedMutatorIS1_E4InitEjiRK12nsTSubstringIcEPKcP6nsIURIPP13nsIURIMutator.artificial_thunk.0/84 count: 47149 (adjusted)
Expanding speculative call of NewStandardURI/60 -> AddRef/95 count: 47149 (adjusted)
Introduced new external node (__builtin_unreachable/966).
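The offset arithmetic the comment relies on (a `_ZThn24_` thunk subtracting 24 from `this`, so that `mURI.mRawPtr` at `this + 16` is reachable from the caller's interface pointer at `-8`) follows from the base-class layout of `TemplatedMutator`. The program below is an added illustration, not code from the bug report or from Mozilla: every type in it (`ISupports`, `IURIMutator`, `BaseURIMutator`, `IStandardURLMutator`, `StandardURL`, `Mutator`) is a constructed stand-in that only reproduces the shape of the real hierarchy (an interface base first, then the base holding the raw pointer, then a second interface base whose `Init` override is reached through a non-virtual thunk). It measures the subobject offset, the `mRawPtr` offset relative to the interface pointer, and the adjustment the thunk applies, and its `Init` keeps the same two-way branch on `mRawPtr` as the GIMPLE quoted above, where both arms are reachable and neither may be folded to `__builtin_unreachable`. The byte values assume an LP64 Itanium-style ABI with 8-byte vtable pointers.

```cpp
#include <cstddef>
#include <cstdio>

// Constructed stand-ins (not Mozilla's types): only the layout shape matters.
struct ISupports { virtual ~ISupports() = default; };
struct IURIMutator : ISupports { virtual int Finalize() = 0; };

template <class T>
struct BaseURIMutator {
  virtual ~BaseURIMutator() { delete mRawPtr; }
  T* mRawPtr = nullptr;            // stands in for RefPtr<T>::mRawPtr
};

struct IStandardURLMutator : ISupports { virtual int Init(int aType) = 0; };

struct StandardURL { int mType = 0; };

struct Mutator final : IURIMutator, BaseURIMutator<StandardURL>, IStandardURLMutator {
  const void* mLastThis = nullptr; // records the adjusted 'this' seen by Init

  int Finalize() override { return 0; }

  // Same branch structure as the GIMPLE in the comment: a non-null mRawPtr is
  // taken over (cleared, then used as the URI); a null one means a fresh object
  // must be created. Returns 1 for the first path and 2 for the second so the
  // caller can observe which one ran; both paths are legitimately reachable.
  int Init(int aType) override {
    mLastThis = this;
    StandardURL* uri = mRawPtr;
    int path;
    if (uri != nullptr) {
      mRawPtr = nullptr;
      path = 1;
    } else {
      uri = new StandardURL();
      path = 2;
    }
    uri->mType = aType;
    mRawPtr = uri;                 // hand ownership back so the dtor frees it
    return path;
  }
};

// Byte offset of the IStandardURLMutator subobject inside Mutator: the amount
// the non-virtual thunk subtracts from 'this' (24 under the assumed ABI).
std::ptrdiff_t InterfaceSubobjectOffset() {
  Mutator m;
  IStandardURLMutator* iface = &m;
  return reinterpret_cast<char*>(iface) - reinterpret_cast<char*>(&m);
}

// Where mRawPtr sits relative to the interface pointer the caller holds: the
// counterpart of "MEM[_188 + -8B].mRawPtr" in the comment (-8 under the ABI).
std::ptrdiff_t RawPtrOffsetFromInterface() {
  Mutator m;
  IStandardURLMutator* iface = &m;
  return reinterpret_cast<char*>(&m.mRawPtr) - reinterpret_cast<char*>(iface);
}

// Calls Init through the interface pointer and reports how far the 'this'
// observed inside Init lies below that pointer (must equal the offset above).
std::ptrdiff_t ThunkAdjustment() {
  Mutator m;
  IStandardURLMutator* iface = &m;
  iface->Init(2);
  return reinterpret_cast<const char*>(iface) - static_cast<const char*>(m.mLastThis);
}

// Runs Init through the interface with mRawPtr either pre-populated or null,
// exercising both arms of the conditional that the bug report shows vanishing.
int InitThroughInterface(bool prepopulated) {
  Mutator m;
  if (prepopulated) m.mRawPtr = new StandardURL();
  IStandardURLMutator* iface = &m;
  return iface->Init(2);
}

int main() {
  std::printf("interface subobject offset: %td\n", InterfaceSubobjectOffset());
  std::printf("mRawPtr offset from interface pointer: %td\n", RawPtrOffsetFromInterface());
  std::printf("thunk adjustment: %td\n", ThunkAdjustment());
  std::printf("Init path with null mRawPtr: %d, with existing mRawPtr: %d\n",
              InitThroughInterface(false), InitThroughInterface(true));
  return 0;
}
```

Compiling this with `-O2` and comparing the `-fdump-tree-optimized` output for `Mutator::Init` is a quick way to confirm that both arms of the `mRawPtr` test survive; a build in which the null arm collapses to `__builtin_unreachable` has the same symptom the comment describes.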