<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href=https://github.com/llvm/llvm-project/issues/60596>60596</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [clang] Taking address of unreachable function can be used to obtain identical integers that compare unequal
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          SvizelPritula
      </td>
    </tr>
</table>

<pre>
    Using `__builtin_unreachable`, it's possible to create a function `a` that compiles to zero assembly instructions, like this:

```c
void a() {
 __builtin_unreachable();
}

void b() {}
```

With `-O1` or higher this compiles to:

```as
a:
b:
 ret
```

The function `a` is pretty useless, since calling it will unconditionally result in undefined behaviour. It is, however, possible to take its address, like this:

```c
#include <stdlib.h>
#include <stdio.h>

void a() {
    __builtin_unreachable();
}

void b() {}

int main() {
    size_t ap = (size_t) a;
    size_t bp = (size_t) b;

    printf("%zu %zu %d\n", ap, bp, ap == bp);
}
```

Executing this will reveal that `ap` and `bp` have identical values, since `a` and `b` have the same address. However, it will also show that `ap == bp` is false, which contradicts that.

My guess is that some optimization pass assumes that different functions have different addresses, which is required by the  C standard.

This bug is unlikely to happen in real programs, since:
a) few programs have functions that have unconditionally undefined behaviour,
b) even fewer programs will take the address of such a function, and
c) fewer still programs compare function pointers.

`__builtin_unreachable` can also be replaced by other statements with undefined behaviour, such as `for (int i=0; i>=0; i++);`.

Tested with `clang` and `clang++` 15.0.7 with an optimization level of 1.
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJysVkmP4zYT_TX0pTCCFsvLwYev29P4cggSIBPk2CiJJasyFKnhYsf96wNSXtQT9yCHAIbMpapYj_VeSegcHzTRTtRPot4vMPje2N1vR34j9atlHxQuGiPPu98d6wOIVf762gRWnvVr0Jaw7bFRJFa5KJ-BvSjXDkbjHDeKwBtoLaEnQOiCbj0bHWOgWOXge_TQmmFkRS6avpE1gM7R0KgzsHbehuTiYmzFXwl8z05U_xP5XuTX5yqffu00PxqWgKLciHILYv00rcLjtJOVqC5GYr2fR06Rmlmk2_b1yLn1H-z7iO3TL0VEZyz0fOjJppznOD_KH920gDeD5jYCS_4HZ3_p6Z_3yw5GS96fIThS5NItOtYtQYtKxXKyhxMrBUG3RkuO7qjUGSy5oDywhqAldaxJQkM9HtkEm8FPHjhF682JjmTjcF5zj18J2DtAKe3l4H9bPlFWrFsVJIGonp2XipusF9XnD7bZzHd_xACA_5YE6cnaw4CsH53m-I1ePeAIotqDKDfTQrTD23Ezw-aBYXPP62Y-Wta-SyeWoqzfAtyeUtTPOi0_A47x2YzTOIaO0eP8EdhHtPr8F7XBR6IkDieqWDoSqkm8kWljpBpqGSdNmvR4JGBJ2nOLCo6oAs24d6Xn1efm4nsChwNdWZPB_-_0ujIVlTPgenOaZTCDNtG-Q-Uoep16bntojfYWJbfeJa9sjvHnMxwCORf9UkhnBgIzeh74DZOgRnQu9qUw0MVGcteRJe1vqnMThvvGBcSEfMqDHVj6FthGNZ0TXngG51FLtDJ7L2h20IRD9Ak6akedo7J6HEfSUZg2VmG05mBxuN_uTVwYydPR6WYy5XdPN-FIa9-L_4HkRfl87UjlFuhIOsYme4-eipN0H2FdwIPpwIW2n3X_REYtp2jtJUmy4HwMcAsX2yXaWVMbDWtP1mXf9Y6P3kbQop7I0hBYGhW2060b36fj0NNA2sfMff8B5kvyLtKsMzYqM-qdRbXPRfUUB5_v4_Ip_ZK4Vvn7cpLzJKejYqtTqA8zDUzzyX-VQ1FnebaerFG_56KiI6l4r0W2kLtKbqstLmhXrNb1pljWxWbR70hi0RTVulgvqdtIWa3zvOu2RbPCelkvVwvelXlZ5WW-yfO8qDdZIduuqbbFVi7X9ZZILHMakFWm1HHIjD0s2LlAu1Veb1cLhQ0plz4ZylLTCdJm7Dr1fmF30edTEw5OLHPFzrt7FM9epW-NCXG9hy_4NfaXGWFmdbyXP1azofgik1EGpvHIetZkIjkOZN39oyKyJ2j6FlAtglW73vsxvXvKF1G-HNj3oclaM4jyJaZ3-fs0WvMntV6ULwmUE-VLAv13AAAA__8VH9m3">