[Bug c/125252] New: [15/16/17 regression] TBAA vs struct type in C23

Sun, 10 May 2026 03:59:44 -0700 

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=125252

            Bug ID: 125252
           Summary: [15/16/17 regression] TBAA vs struct type in C23
           Product: gcc
           Version: 16.0
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sjames at gcc dot gnu.org
                CC: amonakov at gcc dot gnu.org, lschmelting at posteo dot com,
                    uecker at gcc dot gnu.org
  Target Milestone: ---

Thanks to Alexander Monakov for the testcase and Lukas Schmelting for the
report and initial debugging.

With -O2, this is miscompiled w/ C23:
```
struct S {};

#define T struct S

T *get_sender ();
T *get_cc ();

void test() {
    struct {
         T * (*get_header)(void);
    } reply_to_map[] = {
        { get_sender },
        { get_cc },
    };

    for (int i = 0; i < 2; i++) {
        asm("" :: "r"(reply_to_map[i].get_header()));
    }
}
```

```
$ diff -u <(gcc a.c -O2 -std=gnu17 -S -fdump-tree-dse5-details=-) <(gcc a.c -O2
-S -fdump-tree-dse5-details=-)
--- /dev/fd/63  2026-05-10 11:46:23.171058875 +0100
+++ /dev/fd/62  2026-05-10 11:46:23.174058902 +0100
@@ -1,29 +1,31 @@

 ;; Function test (test, funcdef_no=0, decl_uid=2963, cgraph_uid=1,
symbol_order=0)

+  Deleted dead store: reply_to_map[1].get_header = get_cc;
+
+  Deleted dead store: reply_to_map[0].get_header = get_sender;
+
 void test ()
 {
   unsigned long ivtmp.10;
   int i;
   struct
   {
-    struct S * (*<T3fb>) (void) get_header;
+    struct S * (*<T3f9>) (void) get_header;
   } reply_to_map[2];
-  struct S * (*<T3fb>) (void) _1;
+  struct S * (*<T3f9>) (void) _1;
   struct S * _2;
   void * _17;
   unsigned long _19;

   <bb 2> [local count: 357878152]:
-  reply_to_map[0].get_header = get_sender;
-  reply_to_map[1].get_header = get_cc;
   ivtmp.10_16 = (unsigned long) &reply_to_map;
   _19 = ivtmp.10_16 + 16;

   <bb 3> [local count: 715863672]:
   # ivtmp.10_12 = PHI <ivtmp.10_11(3), ivtmp.10_16(2)>
   _17 = (void *) ivtmp.10_12;
-  _1 = MEM[(struct S * (*<T3fb>) (void) *)_17];
+  _1 = MEM[(struct S * (*<T3f9>) (void) *)_17];
   _2 = _1 ();
   __asm__ __volatile__("" :  : "r" _2);
   ivtmp.10_11 = ivtmp.10_12 + 8;
```

The function pointers in reply_to_map are left uninitialised.

Reply via email to