{"id":2222696,"url":"http://patchwork.ozlabs.org/api/1.2/patches/2222696/?format=json","web_url":"http://patchwork.ozlabs.org/project/gcc/patch/20260413130534.8E3CA4BA2E1E@sourceware.org/","project":{"id":17,"url":"http://patchwork.ozlabs.org/api/1.2/projects/17/?format=json","name":"GNU Compiler Collection","link_name":"gcc","list_id":"gcc-patches.gcc.gnu.org","list_email":"gcc-patches@gcc.gnu.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<20260413130534.8E3CA4BA2E1E@sourceware.org>","list_archive_url":null,"date":"2026-04-13T13:05:04","name":"tree-optimization/124868 - path isolation wrong-code","commit_ref":null,"pull_url":null,"state":"new","archived":false,"hash":"8fcb0a2f9b1dc0b3553d59fda82235ce82ffc914","submitter":{"id":4338,"url":"http://patchwork.ozlabs.org/api/1.2/people/4338/?format=json","name":"Richard Biener","email":"rguenther@suse.de"},"delegate":null,"mbox":"http://patchwork.ozlabs.org/project/gcc/patch/20260413130534.8E3CA4BA2E1E@sourceware.org/mbox/","series":[{"id":499700,"url":"http://patchwork.ozlabs.org/api/1.2/series/499700/?format=json","web_url":"http://patchwork.ozlabs.org/project/gcc/list/?series=499700","date":"2026-04-13T13:05:04","name":"tree-optimization/124868 - path isolation wrong-code","version":1,"mbox":"http://patchwork.ozlabs.org/series/499700/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/2222696/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/2222696/checks/","tags":{},"related":[],"headers":{"Return-Path":"","X-Original-To":["incoming@patchwork.ozlabs.org","gcc-patches@gcc.gnu.org"],"Delivered-To":["patchwork-incoming@legolas.ozlabs.org","gcc-patches@gcc.gnu.org"],"Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (1024-bit key;\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=YXyKSlxs;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=8sMpUbH7;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=YXyKSlxs;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=8sMpUbH7;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=gcc.gnu.org\n (client-ip=2620:52:6:3111::32; helo=vm01.sourceware.org;\n envelope-from=gcc-patches-bounces~incoming=patchwork.ozlabs.org@gcc.gnu.org;\n receiver=patchwork.ozlabs.org)","sourceware.org;\n\tdkim=pass (1024-bit key,\n unprotected) header.d=suse.de header.i=@suse.de header.a=rsa-sha256\n header.s=susede2_rsa header.b=YXyKSlxs;\n\tdkim=pass header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=8sMpUbH7;\n\tdkim=pass (1024-bit key) header.d=suse.de header.i=@suse.de\n header.a=rsa-sha256 header.s=susede2_rsa header.b=YXyKSlxs;\n\tdkim=neutral header.d=suse.de header.i=@suse.de header.a=ed25519-sha256\n header.s=susede2_ed25519 header.b=8sMpUbH7","sourceware.org;\n dmarc=pass (p=none dis=none) header.from=suse.de","sourceware.org; spf=pass smtp.mailfrom=suse.de","server2.sourceware.org;\n arc=none smtp.remote-ip=195.135.223.130","smtp-out1.suse.de;\n\tnone"],"Received":["from vm01.sourceware.org (vm01.sourceware.org\n [IPv6:2620:52:6:3111::32])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4fvSM56Lz7z1yDF\n\tfor ; Mon, 13 Apr 2026 23:05:36 +1000 (AEST)","from vm01.sourceware.org (localhost [127.0.0.1])\n\tby sourceware.org (Postfix) with ESMTP id 8E3CA4BA2E1E\n\tfor ; Mon, 13 Apr 2026 13:05:34 +0000 (GMT)","from smtp-out1.suse.de (smtp-out1.suse.de [195.135.223.130])\n by sourceware.org (Postfix) with ESMTPS id 7CCBE4BA2E10\n for ; Mon, 13 Apr 2026 13:05:05 +0000 (GMT)","from murzim.nue2.suse.org (unknown [10.168.4.243])\n (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n (No client certificate requested)\n by smtp-out1.suse.de (Postfix) with ESMTPS id 310616A8B6;\n Mon, 13 Apr 2026 13:05:04 +0000 (UTC)"],"DKIM-Filter":["OpenDKIM Filter v2.11.0 sourceware.org 8E3CA4BA2E1E","OpenDKIM Filter v2.11.0 sourceware.org 7CCBE4BA2E10"],"DMARC-Filter":"OpenDMARC Filter v1.4.2 sourceware.org 7CCBE4BA2E10","ARC-Filter":"OpenARC Filter v1.0.0 sourceware.org 7CCBE4BA2E10","ARC-Seal":"i=1; a=rsa-sha256; d=sourceware.org; s=key; t=1776085505; cv=none;\n b=t0mTmaQHRV6UGivlarD1fudmu6NjCgGZYwDAYXpF+WDobq6hftcNv47WbNEkrkF3cMEIDLPEPaLtGv7lFCV/GX+ftk7wBiPDhUlQuxFIPOlw5WuPMKqKny2MmEjN7F3PcnjmREIVgOhhA8T1A+D87Q6fm+0ks8DX3EN1YczJ7HY=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=sourceware.org; s=key;\n t=1776085505; c=relaxed/simple;\n bh=AOFs53iN238HPcTo95HvuY77y9USYVy10/SmVfMhkaw=;\n h=DKIM-Signature:DKIM-Signature:DKIM-Signature:DKIM-Signature:Date:\n From:To:Subject:MIME-Version;\n b=TyR1ZW9nIn75JvjQvlJ85BLETmjDi7lzXMwzKJ11JiKYHrDzBuWu6Ba2SMGBbUeMLm3lOxEZMp9Ohuza9p83gUw2SkbdLEIiHJKXZ+E8SWjEyZmNNdUPHGFPMVIBjghReZcbzahAnSA77+Y7HsWZdSqR9Wiod8MhI9XrvMTt92U=","ARC-Authentication-Results":"i=1; server2.sourceware.org","DKIM-Signature":["v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n t=1776085504;\n h=from:from:reply-to:date:date:to:to:cc:cc:mime-version:mime-version:\n content-type:content-type; bh=3wkGxQUMyt/OqjxPB/Zb2to5sFsQITElHQjkMLjewlg=;\n b=YXyKSlxsHcml+wd3MTguVU2OCWlY6+QwJygRuf5Lw+sOfhMvQnlinn3g3UUqgi7CaIF/rV\n 2kPqyjSOrGXyzuksQ1/13mx35bra/U8w6AKSARU5mLiocfkGmFkloqi1jlUHFiGdQDqV+u\n P53IAH491uBIbsnd6vy9obnX/rawZj4=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_ed25519; t=1776085504;\n h=from:from:reply-to:date:date:to:to:cc:cc:mime-version:mime-version:\n content-type:content-type; bh=3wkGxQUMyt/OqjxPB/Zb2to5sFsQITElHQjkMLjewlg=;\n b=8sMpUbH7zfUlD/Rjb2ixrfK+XohDpGtq2Ygxc+6oyLShs6sBDMuCc4DM/+8UK/tTZ2rVFp\n ksJaxlKuxxu34LAg==","v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_rsa;\n t=1776085504;\n h=from:from:reply-to:date:date:to:to:cc:cc:mime-version:mime-version:\n content-type:content-type; bh=3wkGxQUMyt/OqjxPB/Zb2to5sFsQITElHQjkMLjewlg=;\n b=YXyKSlxsHcml+wd3MTguVU2OCWlY6+QwJygRuf5Lw+sOfhMvQnlinn3g3UUqgi7CaIF/rV\n 2kPqyjSOrGXyzuksQ1/13mx35bra/U8w6AKSARU5mLiocfkGmFkloqi1jlUHFiGdQDqV+u\n P53IAH491uBIbsnd6vy9obnX/rawZj4=","v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;\n s=susede2_ed25519; t=1776085504;\n h=from:from:reply-to:date:date:to:to:cc:cc:mime-version:mime-version:\n content-type:content-type; bh=3wkGxQUMyt/OqjxPB/Zb2to5sFsQITElHQjkMLjewlg=;\n b=8sMpUbH7zfUlD/Rjb2ixrfK+XohDpGtq2Ygxc+6oyLShs6sBDMuCc4DM/+8UK/tTZ2rVFp\n ksJaxlKuxxu34LAg=="],"Date":"Mon, 13 Apr 2026 15:05:04 +0200 (CEST)","From":"Richard Biener ","To":"gcc-patches@gcc.gnu.org","cc":"jeffrey.law@oss.qualcomm.com","Subject":"[PATCH] tree-optimization/124868 - path isolation wrong-code","MIME-Version":"1.0","Content-Type":"text/plain; charset=US-ASCII","X-Spamd-Result":"default: False [-1.80 / 50.00]; BAYES_HAM(-3.00)[100.00%];\n MISSING_MID(2.50)[]; NEURAL_HAM_LONG(-1.00)[-1.000];\n NEURAL_HAM_SHORT(-0.20)[-0.989]; MIME_GOOD(-0.10)[text/plain];\n FUZZY_RATELIMITED(0.00)[rspamd.com]; MISSING_XM_UA(0.00)[];\n ARC_NA(0.00)[]; RCVD_COUNT_ZERO(0.00)[0]; FROM_HAS_DN(0.00)[];\n DKIM_SIGNED(0.00)[suse.de:s=susede2_rsa,suse.de:s=susede2_ed25519];\n FROM_EQ_ENVFROM(0.00)[]; RCPT_COUNT_TWO(0.00)[2];\n TO_DN_NONE(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[];\n MIME_TRACE(0.00)[0:+]","X-BeenThere":"gcc-patches@gcc.gnu.org","X-Mailman-Version":"2.1.30","Precedence":"list","List-Id":"Gcc-patches mailing list ","List-Unsubscribe":",\n ","List-Archive":"","List-Post":"","List-Help":"","List-Subscribe":",\n ","Errors-To":"gcc-patches-bounces~incoming=patchwork.ozlabs.org@gcc.gnu.org","Message-Id":"<20260413130534.8E3CA4BA2E1E@sourceware.org>"},"content":"The path isolation code mishandles the case where in the same block\nthere's both a return of a local variable and a dereference of zero\nbut from different edges. In this case we re-use the produced block\ncopy for both isolated paths, causing a trap on the path to the\nreturn of a non-local.\n\nThe least intrusive change I came up with separates both causes\nand transforms, first isolating NULL dereferences and then\nisolating returns of non-NULL. This will skip the latter transform\non paths which will now not return anyway.\n\nTo avoid duplicate diagnostics the handle_return_addr_local_phi_arg\nonly diagnoses cases in blocks dominated by the original block, not in\ncopies which still need SSA update and thus are falsely visited.\n\nBootstrapped and tested on x86_64-unknown-linux-gnu.\n\nNot exactly minimal surgery, I'd probably swap PHI and PHI argument\niteration as well, we likely miss out finding the first dereferenced\nnull pointer. It's probably awkward because we interleave analysis\nand transform here ... :/\n\nOK?\n\nThanks,\nRichard.\n\n\tPR tree-optimization/124868\n\t* gimple-ssa-isolate-paths.cc (handle_return_addr_local_phi_arg):\n\tDo not diagnose returns in blocks not dominated by the PHI.\n\t(find_implicit_erroneous_behavior): Do two sweeps over PHIs,\n\tfirst for NULL dereferences and then for local address returns.\n\n\t* gcc.dg/torture/pr124868.c: New testcase.\n---\n gcc/gimple-ssa-isolate-paths.cc | 62 ++++++++++++++++++-------\n gcc/testsuite/gcc.dg/torture/pr124868.c | 24 ++++++++++\n 2 files changed, 69 insertions(+), 17 deletions(-)\n create mode 100644 gcc/testsuite/gcc.dg/torture/pr124868.c","diff":"diff --git a/gcc/gimple-ssa-isolate-paths.cc b/gcc/gimple-ssa-isolate-paths.cc\nindex 7407acfc84c..4c5b70d108a 100644\n--- a/gcc/gimple-ssa-isolate-paths.cc\n+++ b/gcc/gimple-ssa-isolate-paths.cc\n@@ -641,7 +641,8 @@ handle_return_addr_local_phi_arg (basic_block bb, basic_block duplicate,\n if (!return_stmt)\n \tcontinue;\n \n- if (gimple_return_retval (return_stmt) != lhs)\n+ if (gimple_return_retval (return_stmt) != lhs\n+\t || !dominated_by_p (CDI_DOMINATORS, gimple_bb (use_stmt), bb))\n \tcontinue;\n \n /* Add an entry for the return statement and the locations\n@@ -715,24 +716,18 @@ find_implicit_erroneous_behavior (void)\n \t is then dereferenced within BB. This is somewhat overly\n \t conservative, but probably catches most of the interesting\n \t cases. */\n+ basic_block duplicate = NULL;\n for (si = gsi_start_phis (bb); !gsi_end_p (si); gsi_next (&si))\n \t{\n \t gphi *phi = si.phi ();\n \t tree lhs = gimple_phi_result (phi);\n \n-\t /* Initial number of PHI arguments. The result may change\n-\t from one iteration of the loop below to the next in\n-\t response to changes to the CFG but only the initial\n-\t value is stored below for use by diagnostics. */\n-\t unsigned nargs = gimple_phi_num_args (phi);\n-\n \t /* PHI produces a pointer result. See if any of the PHI's\n \t arguments are NULL.\n \n \t When we remove an edge, we want to reprocess the current\n \t index since the argument at that index will have been\n \t removed, hence the ugly way we update I for each iteration. */\n-\t basic_block duplicate = NULL;\n \t for (unsigned i = 0, next_i = 0;\n \t i < gimple_phi_num_args (phi); i = next_i)\n \t {\n@@ -742,15 +737,6 @@ find_implicit_erroneous_behavior (void)\n \t /* Advance the argument index unless a path involving\n \t\t the current argument has been isolated. */\n \t next_i = i + 1;\n-\t bool isolated = false;\n-\t duplicate = handle_return_addr_local_phi_arg (bb, duplicate, lhs,\n-\t\t\t\t\t\t\t arg, e, locmap,\n-\t\t\t\t\t\t\t nargs, &isolated);\n-\t if (isolated)\n-\t\t{\n-\t\t cfg_altered = true;\n-\t\t next_i = i;\n-\t\t}\n \n \t if (!integer_zerop (arg))\n \t\tcontinue;\n@@ -794,6 +780,48 @@ find_implicit_erroneous_behavior (void)\n \t\t}\n \t }\n \t}\n+\n+ /* Then look for a PHI which have addresses of locals that\n+\t are then returned. */\n+ duplicate = NULL;\n+ for (si = gsi_start_phis (bb); !gsi_end_p (si); gsi_next (&si))\n+\t{\n+\t gphi *phi = si.phi ();\n+\t tree lhs = gimple_phi_result (phi);\n+\n+\t /* Initial number of PHI arguments. The result may change\n+\t from one iteration of the loop below to the next in\n+\t response to changes to the CFG but only the initial\n+\t value is stored below for use by diagnostics. */\n+\t unsigned nargs = gimple_phi_num_args (phi);\n+\n+\t /* PHI produces a pointer result. See if any of the PHI's\n+\t arguments are NULL.\n+\n+\t When we remove an edge, we want to reprocess the current\n+\t index since the argument at that index will have been\n+\t removed, hence the ugly way we update I for each iteration. */\n+\t for (unsigned i = 0, next_i = 0;\n+\t i < gimple_phi_num_args (phi); i = next_i)\n+\t {\n+\t tree arg = gimple_phi_arg_def (phi, i);\n+\t edge e = gimple_phi_arg_edge (phi, i);\n+\n+\t /* Advance the argument index unless a path involving\n+\t\t the current argument has been isolated. */\n+\t next_i = i + 1;\n+\t bool isolated = false;\n+\t duplicate = handle_return_addr_local_phi_arg (bb, duplicate, lhs,\n+\t\t\t\t\t\t\t arg, e, locmap,\n+\t\t\t\t\t\t\t nargs, &isolated);\n+\t if (isolated)\n+\t\t{\n+\t\t cfg_altered = true;\n+\t\t next_i = i;\n+\t\t}\n+\t }\n+\t}\n+\n }\n \n diag_returned_locals (false, locmap);\ndiff --git a/gcc/testsuite/gcc.dg/torture/pr124868.c b/gcc/testsuite/gcc.dg/torture/pr124868.c\nnew file mode 100644\nindex 00000000000..6f0f6612fc9\n--- /dev/null\n+++ b/gcc/testsuite/gcc.dg/torture/pr124868.c\n@@ -0,0 +1,24 @@\n+/* { dg-do run } */\n+/* { dg-skip-if \"\" { *-*-* } { \"-O0\" } } */\n+/* { dg-additional-options \"-fisolate-erroneous-paths-dereference\" } */\n+\n+int a;\n+static void __attribute__((noipa)) c(int b) {}\n+static int * __attribute__((noipa))\n+d()\n+{\n+ int g = 0, *h = &g;\n+ if (a)\n+ {\n+ int **i = &h;\n+ *i = 0;\n+ }\n+ c(*h);\n+ return h; /* { dg-warning \"address of local variable\" } */\n+}\n+int\n+main()\n+{\n+ d();\n+ return 0;\n+}\n","prefixes":[]}