[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[pinskia at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

Andrew Pinski  changed:

   What|Removed |Added

 Resolution|--- |FIXED
   See Also||https://gcc.gnu.org/bugzill
   ||a/show_bug.cgi?id=69243,
   ||https://gcc.gnu.org/bugzill
   ||a/show_bug.cgi?id=59704,
   ||https://gcc.gnu.org/bugzill
   ||a/show_bug.cgi?id=73434
 Status|WAITING |RESOLVED
   Target Milestone|--- |7.0

--- Comment #13 from Andrew Pinski  ---
Reporter reports it was fixed in GCC 7, There were many bug fixes between GCC
5.3 and GCC 7 so closing as fixed.

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #12 from asmwarrior  ---
Hi, (In reply to Jonathan Wakely from comment #11)
> Does this code still get miscompiled with GCC 6 and newer?

Hi, I'm now using mingw-build i686-7.2.0-release-posix-dwarf-rt_v5-rev1, which
was downloaded from:
https://sourceforge.net/projects/mingw-w64/files/Toolchains%20targetting%20Win32/Personal%20Builds/mingw-builds/7.2.0/threads-posix/dwarf/i686-7.2.0-release-posix-dwarf-rt_v5-rev1.7z/download

I don't see such crash bug since 2018-02-09. (See this post in C::B forum:
http://forums.codeblocks.org/index.php/topic,22198.msg152596.html#msg152596)

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[redi at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #11 from Jonathan Wakely  ---
Does this code still get miscompiled with GCC 6 and newer?

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #10 from asmwarrior  ---
Is it related to pointer casting? I see this post:
https://stackoverflow.com/questions/36816363/gcc-4-9-3-more-aggressive-null-pointer-check-removal

Some one reported that the Null check was removed in the following code

void someFunc(struct MyStruct *s)
{
if (s != NULL)
{
   cout << s->someField << endl;
   delete s;
}
}

I see comments in that question, and some one suggest using
`-fno-strict-aliasing` option.

@Vadim, dose wx use some cast? I see some macros in wx3.1's source like:

// this cast does some more checks at compile time as it uses static_cast
// internally
//
// note that it still has different semantics from dynamic_cast<> and so can't
// be replaced by it as long as there are any compilers not supporting it
#define wxDynamicCast(obj, className) \
((className *) wxCheckDynamicCast( \
const_cast(static_cast(\
  const_cast(static_cast(obj, \
::ms_classInfo))

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #9 from asmwarrior  ---
I see this crash issue again, but still it happens in another place of the wx's
source code, add the

__attribute__((optimize("O0")))

To the function which cause the crash can workaround this issue. Note that the
-O0 option does not cause this issue.

wxString __attribute__((optimize("O0"))) wxCommandEvent::GetString() const
{
// This is part of the hack retrieving the event string from the control
// itself only when/if it's really needed to avoid copying potentially huge
// strings coming from multiline text controls. For consistency we also do
// it for combo boxes, even though there are no real performance advantages
// in doing this for them.
if (m_eventType == wxEVT_TEXT && m_eventObject)
{
#if wxUSE_TEXTCTRL
wxTextCtrl *txt = wxDynamicCast(m_eventObject, wxTextCtrl);
if ( txt )
return txt->GetValue();
#endif // wxUSE_TEXTCTRL

#if wxUSE_COMBOBOX
wxComboBox* combo = wxDynamicCast(m_eventObject, wxComboBox);
if ( combo )
return combo->GetValue();
#endif // wxUSE_COMBOBOX
}

return m_cmdString;
} 

Please see discussions here in wx-user's maillist and Code::Blocks's forum:

https://groups.google.com/d/msg/wx-users/LUxm6fUhirk/FJRFNIt6AAAJ

and 

http://forums.codeblocks.org/index.php/topic,22198.0.html

The original wx's workaround is here: https://trac.wxwidgets.org/ticket/17483

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #8 from asmwarrior  ---
Hi, I just build wx2.8.12 under TDM-GCC 5.1 with
-fno-delete-null-pointer-checks enabled. But the bad thing is that I still see
the same crash here. The whole command is below:

mingw32-make -f makefile.gcc USE_XRC=1 SHARED=1 MONOLITHIC=1 BUILD=release
UNICODE=1 USE_OPENGL=1 VENDOR=cb CXXFLAGS="-Wno-unused-local-typedefs
-Wno-deprecated-declarations -fno-keep-inline-dllexport 
-fno-delete-null-pointer-checks -g" >log-release-no-delete-null.txt 2>&1

For some assembler code of the crash:

[debug]Stack level 0, frame at 0x22e004:
[debug] eip = 0x6d11fb05 in wxClassInfo::IsKindOf
(F:\wx\wxMSW-2.8.12\include\wx\object.h:94); saved eip = 0x6cfa043d
[debug] inlined into frame 1
[debug] source language c++.
[debug] Arglist at unknown address.
[debug] Locals at unknown address, Previous frame's sp in esp
[debug]>>cb_gdb:
[debug]> disassemble 0x6d11fb05
[debug]Dump of assembler code for function wxCheckDynamicCast(wxObject*,
wxClassInfo*):
[debug]   0x6d11fa70 <+0>:  push   ebp
[debug]   0x6d11fa71 <+1>:  push   edi
[debug]   0x6d11fa72 <+2>:  push   esi
[debug]   0x6d11fa73 <+3>:  push   ebx
[debug]   0x6d11fa74 <+4>:  subesp,0x1c
[debug]   0x6d11fa77 <+7>:  movebx,DWORD PTR [esp+0x30]
[debug]   0x6d11fa7b <+11>: movesi,DWORD PTR [esp+0x34]
[debug]   0x6d11fa7f <+15>: test   ebx,ebx
[debug]   0x6d11fa81 <+17>: je 0x6d11fb50

[debug]   0x6d11fa87 <+23>: moveax,DWORD PTR [ebx]
[debug]   0x6d11fa89 <+25>: movecx,ebx
[debug]   0x6d11fa8b <+27>: call   DWORD PTR [eax]
[debug]   0x6d11fa8d <+29>: test   esi,esi
[debug]   0x6d11fa8f <+31>: movedx,eax
[debug]   0x6d11fa91 <+33>: je 0x6d11fb50

[debug]   0x6d11fa97 <+39>: cmpeax,esi
[debug]   0x6d11fa99 <+41>: je 0x6d11fb3e

[debug]   0x6d11fa9f <+47>: movedi,DWORD PTR [eax+0xc]
[debug]   0x6d11faa2 <+50>: test   edi,edi
[debug]   0x6d11faa4 <+52>: je 0x6d11fb05

[debug]   0x6d11faa6 <+54>: cmpesi,edi
[debug]   0x6d11faa8 <+56>: je 0x6d11fb3e

[debug]   0x6d11faae <+62>: movebp,DWORD PTR [edi+0xc]
[debug]   0x6d11fab1 <+65>: test   ebp,ebp
[debug]   0x6d11fab3 <+67>: je 0x6d11faed

[debug]   0x6d11fab5 <+69>: cmpesi,ebp
[debug]   0x6d11fab7 <+71>: je 0x6d11fb3e

[debug]   0x6d11fabd <+77>: movecx,DWORD PTR [ebp+0xc]
[debug]   0x6d11fac0 <+80>: test   ecx,ecx
[debug]   0x6d11fac2 <+82>: je 0x6d11fad5

[debug]   0x6d11fac4 <+84>: movDWORD PTR [esp],esi
[debug]   0x6d11fac7 <+87>: call   0x6d166c80

[debug]   0x6d11facc <+92>: subesp,0x4
[debug]   0x6d11facf <+95>: test   al,al
[debug]   0x6d11fad1 <+97>: movecx,ebx
[debug]   0x6d11fad3 <+99>: jne0x6d11fb40

[debug]   0x6d11fad5 <+101>:movecx,DWORD PTR [ebp+0x10]
[debug]   0x6d11fad8 <+104>:test   ecx,ecx
[debug]   0x6d11fada <+106>:je 0x6d11faed

[debug]   0x6d11fadc <+108>:movDWORD PTR [esp],esi
[debug]   0x6d11fadf <+111>:call   0x6d166c80

[debug]   0x6d11fae4 <+116>:subesp,0x4
[debug]   0x6d11fae7 <+119>:test   al,al
[debug]   0x6d11fae9 <+121>:movecx,ebx
[debug]   0x6d11faeb <+123>:jne0x6d11fb40

[debug]   0x6d11faed <+125>:movecx,DWORD PTR [edi+0x10]
[debug]   0x6d11faf0 <+128>:test   ecx,ecx
[debug]   0x6d11faf2 <+130>:je 0x6d11fb05

[debug]   0x6d11faf4 <+132>:movDWORD PTR [esp],esi
[debug]   0x6d11faf7 <+135>:call   0x6d166c80

[debug]   0x6d11fafc <+140>:subesp,0x4
[debug]   0x6d11faff <+143>:test   al,al
[debug]   0x6d11fb01 <+145>:movecx,ebx
[debug]   0x6d11fb03 <+147>:jne0x6d11fb40

[debug]=> 0x6d11fb05 <+149>:movedx,DWORD PTR [edx+0x10]
[debug]   0x6d11fb08 <+152>:test   edx,edx
[debug]   0x6d11fb0a <+154>:je 0x6d11fb50

[debug]   0x6d11fb0c <+156>:cmpesi,edx
[debug]   0x6d11fb0e <+158>:je 0x6d11fb3e

[debug]   0x6d11fb10 <+160>:movecx,DWORD PTR [edx+0xc]

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #7 from asmwarrior  ---
The -fno-delete-null-pointer-checks option exists in -O2 mode in both GCC 4.9
and GCC 5.x, but this crash issue only happens on GCC 5.x serials. So, why do
you think it is the reason?

See my related discussion here:
http://forums.codeblocks.org/index.php/topic,21207.msg145242.html#msg145242

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #6 from Richard Biener  ---
Does -fno-delete-null-pointer-checks make it work?  Does -fsanitize=null
trigger?

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #5 from Andrew Pinski  ---
I don't see it at least on aarch64-elf.  But I did not check all checks.

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #4 from asmwarrior  ---
It looks like the code is called from an inline function, you can see this code
snippet in the prepossessed file.


inline wxObject *wxCheckDynamicCast(wxObject *obj, wxClassInfo *classInfo)
{
return obj && obj->GetClassInfo()->IsKindOf(classInfo) ? obj : 
# 502 "..\\..\\include/wx/object.h" 3 4
  __null
# 502 "..\\..\\include/wx/object.h"
  ;
}

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[asmwarrior at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

asmwarrior  changed:

   What|Removed |Added

 CC||asmwarrior at gmail dot com

--- Comment #3 from asmwarrior  ---
Created attachment 38908
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=38908=edit
The preprocessed file

This is the command I use to generate the preprocessed file(a.cpp in zip)

g++ -E -o a.cpp -O2 -mthreads  -DHAVE_W32API_H -D__WXMSW__   -DNDEBUG   
-D_UNICODE   -I..\..\lib\gcc_dll\mswu -I..\..\include  -W -Wall -DWXBUILDING
-I..\..\src\tiff -I..\..\src\jpeg -I..\..\src\png -I..\..\src\zlib
-I..\..\src\regex -I..\..\src\expat\lib -DwxUSE_BASE=1 -DWXMAKINGDLL  
-Wno-ctor-dtor-privacy  -Wno-unused-local-typedefs -Wno-deprecated-declarations
-fno-keep-inline-dllexport -g -MTgcc_mswudll\monodll_xh_sizer.o
-MFgcc_mswudll\monodll_xh_sizer.o.d -MD -MP ../../src/xrc/xh_sizer.cpp

I use TDM GCC5.1 under Windows XP, I use wxWidgets 2.8.12 official release. The
command is run from the folder \build\msw\.

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[vz-gcc at zeitlins dot org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

--- Comment #2 from Vadim Zeitlin  ---
I'll try to add the preprocessed code a bit later, but, FWIW, I can already say
that there is no macro trickery whatsoever in this code itself.

[Bug tree-optimization/71867] Optimizer generates code dereferencing a null pointer

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=71867

Richard Biener  changed:

   What|Removed |Added

 Status|UNCONFIRMED |WAITING
   Last reconfirmed||2016-07-14
  Component|c++ |tree-optimization
 Ever confirmed|0   |1