(In reply to Anders Kaseorg from comment #4)
> Another bisect between 4.7 and 4.8 shows that the bug appeared with r189321
> (bug 52009).
>
> My test case triggers the bug in more versions than Kerberos does: as
> far as I can tell, Kerberos was unaffected until r192604.
Thanks - that pinpoints it. Tail-merging concludes that
<bb 3>:
_11 = n_7->next;
MEM[(struct head *)_10].first = _11;
goto <bb 5>;
and
<bb 4>:
_13 = n_7->next;
_10->next = _13;
are equivalent. But they are not - the stores are performed using
different alias sets.
Note that the actual miscompile happens during RTL instruction scheduling.
In 4.9 and trunk tail-merging is faced with
<bb 3>:
_11 = n_7->next;
MEM[(struct head *)&heads][k.1_8].first = _11;
goto <bb 5>;
<bb 4>:
_13 = n_7->next;
_10->next = _13;
instead but I bet the issue is still there.
So it simply does (on the 4.8 branch):
    case GIMPLE_ASSIGN:
      lhs1 = gimple_get_lhs (s1);
      lhs2 = gimple_get_lhs (s2);
      if (TREE_CODE (lhs1) != SSA_NAME
          && TREE_CODE (lhs2) != SSA_NAME)
        return (vn_valueize (gimple_vdef (s1))
                == vn_valueize (gimple_vdef (s2)));
which shows that we value-number the VDEFs the same.
IMHO VDEF value-numbering is dangerous here.
I have a patch.
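To make the shape of the two blocks concrete, here is a constructed C example (added here; it is neither the reporter's test case nor code from GCC or Kerberos, and it is not claimed to reproduce the miscompile). It is the usual hash-bucket unlink: both branches read n->next, but one stores it into struct head's .first and the other into struct node's .next, i.e. into objects of different types and therefore different alias sets. A source-level check verifies that the two paths write to different places, which is exactly what a merge of the two blocks would lose.

```c
#include <stddef.h>

/* Constructed example: a hash-bucket unlink in the shape of the GIMPLE
   above.  The two branches look alike but store to different objects. */

struct node { struct node *next; int key; };
struct head { struct node *first; };

#define NBUCKETS 4
static struct head heads[NBUCKETS];

/* Unlink n from bucket k.  prev is NULL when n is the bucket's first node. */
static void unlink_node(int k, struct node *prev, struct node *n)
{
    if (prev == NULL)
        heads[k].first = n->next;   /* store into a struct head */
    else
        prev->next = n->next;       /* store into a struct node */
}

static void push_node(int k, struct node *n)
{
    n->next = heads[k].first;
    heads[k].first = n;
}

/* Number of nodes currently linked into bucket k. */
static int bucket_len(int k)
{
    int len = 0;
    for (struct node *p = heads[k].first; p != NULL; p = p->next)
        len++;
    return len;
}

/* Exercise both branches of unlink_node and check that each store landed
   in the object it targets.  Returns 1 on success, 0 if either path is wrong. */
int check_unlink(void)
{
    struct node a = { NULL, 1 }, b = { NULL, 2 }, c = { NULL, 3 };
    int ok = 1;

    heads[0].first = NULL;
    push_node(0, &c);
    push_node(0, &b);
    push_node(0, &a);                /* bucket 0 is now a -> b -> c */

    unlink_node(0, NULL, &a);        /* first path: must write heads[0].first */
    if (heads[0].first != &b || bucket_len(0) != 2)
        ok = 0;

    unlink_node(0, &b, &c);          /* second path: must write b.next */
    if (b.next != NULL || heads[0].first != &b || bucket_len(0) != 1)
        ok = 0;

    heads[0].first = NULL;           /* do not leave dangling pointers behind */
    return ok;
}
```

The two assignments in unlink_node are what tail-merging compared: identical right-hand sides, and VDEFs that value-number the same, but left-hand sides of different types. Any transformation that treats them as interchangeable has to reason about the alias sets of the stores, not just the virtual operands.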