http://gcc.gnu.org/bugzilla/show_bug.cgi?id=47414
Summary: [4.6 Regression] wrong code with -O -freorder-blocks -fschedule-insns2 -fno-early-inlining -fstrict-aliasing -ftracer
Product: gcc
Version: 4.6.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: rtl-optimization
AssignedTo: unassig...@gcc.gnu.org
ReportedBy: zso...@seznam.cz
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu

Created attachment 23077
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=23077
reduced testcase

Output:
$ g++ -O -freorder-blocks -fschedule-insns2 -fno-early-inlining -fstrict-aliasing -ftracer testcase.C
$ ./a.out
==32217== Invalid write of size 8
==32217==    at 0x40061B: test01() (testcase.C:44)
==32217==    by 0x4006BC: main (testcase.C:62)
==32217==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
Segmentation fault

The assembly looks like:
2   mov     rcx, rsp                # nul,
    mov     QWORD PTR [rax], rbp    # b_17->D.2238.next, b
    mov     DWORD PTR [rax+8], 1    # b_17->i,
1   mov     rdx, QWORD PTR [rcx]    # nul, nul_23->D.2238.next
3   mov     QWORD PTR [rsp], rax    # MEM[(struct A *)&s].next, b
    mov     esi, 0                  # nul,
    test    rdx, rdx                # nul
    jne     .L10                    #,
.L6:
>>> mov     QWORD PTR [rsi], 0      # nul_12->D.2238.next,
    ^ crash

The problem is that (1) loads the value before it is stored at (3). rcx == rsp because of (2).

Without -fschedule-insns2:
    mov     DWORD PTR [rax+8], 1    # b_17->i,
    mov     QWORD PTR [rax], rbp    # b_17->D.2238.next, b
1   mov     QWORD PTR [rsp], rax    # MEM[(struct A *)&s].next, b
    mov     esi, 0                  # nul,
2   mov     rcx, rsp                # nul,
3   mov     rdx, QWORD PTR [rcx]    # nul, nul_23->D.2238.next
    test    rdx, rdx                # nul
    jne     .L10                    #,
.L6:
    mov     QWORD PTR [rsi], 0      # nul_12->D.2238.next,

The order is correct.

Tested revisions:
r169125 - fail
4.5 r168785 - OK