https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111960
--- Comment #9 from Jakub Jelinek <jakub at gcc dot gnu.org> --- Ok, so what I see is a buffer overflow during 97 sprintf (buffer, "%" PRId64 " (%s, freq %.4f)", m_val, 98 profile_quality_display_names[m_quality], 99 to_sreal_scale (ENTRY_BLOCK_PTR_FOR_FN (fun)->count).to_double ()); in #0 profile_count::dump (this=0x7fffe9f37a18, buffer=0x7fffffffd7a0 "\300\327\377\377\377\177", fun=0x7fffea3020b8) at ../../gcc/profile-count.cc:97 #1 0x0000000000c92609 in profile_count::dump (this=0x7fffe9f37a18, f=0x3ab2930, fun=0x7fffea3020b8) at ../../gcc/profile-count.cc:111 #2 0x000000000065fefc in dump_bb_info (outf=0x3ab2930, bb=<basic_block 0x7fffe9f379c0 (3)>, indent=2, flags=266692985, do_header=true, do_footer=false) at ../../gcc/cfg.cc:812 #3 0x000000000068f3eb in dump_bb (outf=0x3ab2930, bb=<basic_block 0x7fffe9f379c0 (3)>, indent=2, flags=266692985) at ../../gcc/cfghooks.cc:302 #4 0x0000000000e31800 in dump_function_to_file (fndecl=<function_decl 0x7fffea2dd800 Compile>, file=0x3ab2930, flags=266692985) at ../../gcc/tree-cfg.cc:8458 #5 0x0000000000c4e038 in execute_function_dump (fn=0x7fffea3020b8, data=0x3a156d0) at ../../gcc/passes.cc:1797 #6 0x0000000000c4dbd9 in do_per_function (callback=0xc4dfd0 <execute_function_dump(function*, void*)>, data=0x3a156d0) at ../../gcc/passes.cc:1687 #7 0x0000000000c503e1 in execute_one_pass (pass=<opt_pass* 0x3a156d0 "rebuild_frequencies"(116)>) at ../../gcc/passes.cc:2722 buffer points to 107 void 108 profile_count::dump (FILE *f, struct function *fun) const 109 { 110 char buffer[64]; variable and the values I see are: (gdb) p m_val $18 = 2305843009213693950 (gdb) p profile_quality_display_names[m_quality] $19 = 0x2ba5722 "estimated locally" (gdb) p to_sreal_scale (((basic_block)0x7fffea2df600)->count, (bool *) 0).to_double () $20 = 1.4411518807585587e+17 So, that is 19 chars for m_val, 17 chars for the name and printing 144115188075855872.0000 double value, 23 chars, plus 11 chars on top of that. That is 70 chars, overflow by 6 bytes. Whether the above comes from some badly initialized values or what, no idea. That said, generally %PRId64 can print at most 20 chars, %s 38 chars and %.4f can print at most 309 digits before the decimal dot, then 1 char for the decimal dot and 4 digits after the dot. That is already 69 chars without the double at all, plus 314 for the double. Are you sure you want to print %.4f and not say %.4g so that there is a reasonable upper bound for the size of the double printing? Or use %.4f or %.4e conditionally depending on if the double is larger than some limit.