stage2 self referential array memory corruption

[scheibo]

Zig Version

0.11.0-dev.18+81c27677d

Steps to Reproduce and Observed Behavior

const std = @import("std");

var i: u8 = 3;

fn bar(a: u8, b: u8, c: []u8) u8 {
    var j: u8 = 0;
    while (j < b) : (j += 1) {
        c[j] = a + j;
    }
    return a;
}

pub fn main() !void {
    var foo: [10]u8 = undefined;
    const baz = foo[bar(i, 6, &foo)];
    const qux = foo[bar(i, 9, &foo)];
    std.debug.print("{d} {d}\n", .{ baz, qux });

	 // workaround - behaves as expected
    var arr: [10]u8 = undefined;
    const a = bar(i, 6, &arr);
    const b = arr[a];
    const c = bar(i, 9, &arr);
    const d = arr[c];
    std.debug.print("{d} {d}\n", .{ b, d });
}

$ zig run main.zig
170 6
6 6

possibly eagerly reading from undefined memory?

Expected Behavior

This worked with stage 1:

$ zig run -fstage1 main.zig
6 6
6 6

and alternatively works in C:

#include <stdio.h>

int bar(int a, int b, int c[10]) {
  for (int j = 0; j < b; j++) {
    c[j] = a + j;
  }
  return a;
}

int main() {
  int i = 3;

  int foo[10];
  int baz = foo[bar(i, 6, &foo)];
  int qux = foo[bar(i, 9, &foo)];
  printf("%d %d\n", baz, qux);

  int arr[10];
  int a = bar(i, 6, &arr);
  int b = arr[a];
  int c = bar(i, 9, &arr);
  int d = arr[c];
  printf("%d %d\n", b, d);

  return 0;
}

$ zig  cc main.c && ./a.out
6 6
6 6

[Vexu]

Likely duplicate of #13064

[scheibo]

Can you please reopen @Vexu - this is still not fixed in version 0.11.0-dev.152+8a5818535 that includes #13074 AFAICT, so perhaps it is due to a different bug?

[mparadinha]

reduction:

const std = @import("std");

fn bar(slice: []u8) usize {
    for (slice) |*byte| byte.* = 6;
    return 0;
}

pub fn main() !void {
    var arr1: [10]u8 = undefined;
    const direct = arr1[bar(&arr1)];
    var arr2: [10]u8 = undefined;
    const idx = bar(&arr2);
    const indirect = arr2[idx];
    std.debug.print("{}, {}\n", .{ direct, indirect }); // prints '170, 6'
}

the ZIR for the offending line const direct = arr1[bar(&arr1)]; is:

        %50 = int(10)
        %51 = array_type(%50, @Zir.Inst.Ref.u8_type) node_offset:9:15 to :9:21
        %52 = alloc_mut(%51) node_offset:9:5 to :9:33
        %53 = store_node(%52, @Zir.Inst.Ref.undef) node_offset:9:24 to :9:33
        %56 = load(%52) node_offset:10:20 to :10:24
        %57 = decl_val("bar") token_offset:10:25 to :10:28
        %59 = call(.auto, %57, [
          {
            %60 = break_inline(%59, %52)
          },
        ]) node_offset:10:25 to :10:35
        %61 = as_node(@Zir.Inst.Ref.usize_type, %59) node_offset:10:25 to :10:35
        %63 = elem_val_node(%56, %61) node_offset:10:20 to :10:36

The %56 = load(%52) copies the still undefined memory of arr1 which is then used for the indexing instead of the original memory arr1 which gets set during the call.

resulting assembly:

000000000020fc30 <13415_bug.main>:
....
  20fc3b:	48 b8 aa aa aa aa aa 	movabs rax,0xaaaaaaaaaaaaaaaa        ; setting arr1 at rbp-0x70 to undefined
  20fc42:	aa aa aa 
  20fc45:	48 89 45 90          	mov    QWORD PTR [rbp-0x70],rax
  20fc49:	66 c7 45 98 aa aa    	mov    WORD PTR [rbp-0x68],0xaaaa
....
  20fc9a:	66 8b 45 98          	mov    ax,WORD PTR [rbp-0x68]        ; copy of arr1 to rbp-0x30
  20fc9e:	66 89 45 d8          	mov    WORD PTR [rbp-0x28],ax
  20fca2:	48 8b 45 90          	mov    rax,QWORD PTR [rbp-0x70]
  20fca6:	48 89 45 d0          	mov    QWORD PTR [rbp-0x30],rax
....
  20fcaf:	e8 ec 00 00 00       	call   20fda0 <13415_bug.bar>
  20fcb4:	48 89 45 88          	mov    QWORD PTR [rbp-0x78],rax
....
  20fcce:	48 8b 45 88          	mov    rax,QWORD PTR [rbp-0x78]
  20fcd2:	8a 44 05 d0          	mov    al,BYTE PTR [rbp+rax*1-0x30]  ; indexing using the copy at rbp-0x30
  20fcd6:	88 85 7f ff ff ff    	mov    BYTE PTR [rbp-0x81],al
....