http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60183

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
(In reply to Jakub Jelinek from comment #2)
> Updated testcase that segfaults for me, no -fsanitize=address is then needed
> to trigger it.  Works with -O0 or -O? -fno-tree-phiprop:
> 
> unsigned char c[0x300001] = { 1 };
> int j = 2;
> 
> static void
> foo (unsigned long *x, unsigned char *y)
> {
>   int i;
>   unsigned long w = x[0];
>   for (i = 0; i < j; i++)
>     {
>       w += *y;
>       y += 0x100000;
>       w += *y;
>       y += 0x100000;
>     }
>   x[1] = w;
> }
> 
> __attribute__ ((noinline, noclone)) void
> bar (unsigned long *x)
> {
>   foo (x, c);
> }
> 
> int
> main ()
> {
>   unsigned long a[2] = { 0, -1UL };
>   asm volatile (""::"r" (c):"memory");
>   c[0] = 0;
>   bar (a);
>   if (a[1] != 0)
>     __builtin_abort ();
>   return 0;
> }
> 
> Perhaps phiprop is confused by the &MEM[(void *)y_5 + 2097152B] and thinks
> that because of the MEM_REF in there it is safe to dereference it?

It doesn't check whether it's safe to dereference because it thinks it's
dereferenced anyway.  It wasn't supposed to speculate loads.  We miss

Index: tree-ssa-phiprop.c
===================================================================
--- tree-ssa-phiprop.c  (revision 207757)
+++ tree-ssa-phiprop.c  (working copy)
@@ -309,6 +309,10 @@ propagate_with_phi (basic_block bb, gimp
       gimple def_stmt;
       tree vuse;

+      /* Only replace loads in the same block as the PHI node.  */
+      if (gimple_bb (use_stmt) != bb)
+       continue;
+         
       /* Check whether this is a load of *ptr.  */
       if (!(is_gimple_assign (use_stmt)
            && TREE_CODE (gimple_assign_lhs (use_stmt)) == SSA_NAME
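
Review bot: The comment on the new `gimple_bb (use_stmt) != bb` check says what is skipped but not why; it should say that a load outside the PHI's block is not known to execute whenever the PHI does, so replacing it would speculate the load, which is the failure the testcase in comment #2 shows. The added line after `continue;` contains only whitespace and should be left empty. The hunk also adds no testsuite entry; the updated testcase from comment #2, built at -O2, would cover it.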

or really a post-dominator check - but we don't compute post-dominators
and I'm not sure it would be worth doing that.
