<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href=https://github.com/llvm/llvm-project/issues/77274>77274</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
clang-16 inline bug: remove a function body while still calling it
</td>
</tr>
<tr>
<th>Labels</th>
<td>
new issue
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
Absoler
</td>
</tr>
</table>
<pre>
I found an abnormal behavior in clang-16 ([16.0.0](https://github.com/llvm/llvm-project/releases/download/llvmorg-16.0.0/clang+llvm-16.0.0-x86_64-linux-gnu-ubuntu-18.04.tar.xz), [16.0.2](https://github.com/llvm/llvm-project/releases/download/llvmorg-16.0.2/clang+llvm-16.0.2-x86_64-linux-gnu-ubuntu-22.04.tar.xz), [16.0.3](https://github.com/llvm/llvm-project/releases/download/llvmorg-16.0.3/clang+llvm-16.0.3-x86_64-linux-gnu-ubuntu-22.04.tar.xz), [16.0.4](https://github.com/llvm/llvm-project/releases/download/llvmorg-16.0.4/clang+llvm-16.0.4-x86_64-linux-gnu-ubuntu-22.04.tar.xz)), with `-O2` flag
for the following source code (full code can be downloaded) [case.zip](https://github.com/llvm/llvm-project/files/13856500/case.zip):
```
const int64_t func_1() {
int32_t b[1] = {0};
int16_t *c = &g_706;
*c = *c | (func_16(g_21), g_638) < b ^ g_824 % -1L;
}
int32_t func_16(uint8_t d) {
int32_t *e;
if (func_32(func_35(), e), 2 / ***g_441)
if (d)
--g_729;
++g_778;
return g;
}
int32_t func_32(uint8_t *p_33, int32_t *p_34) {
uint64_t f[4][10][6];
int g, h, i;
for (g = 0; g < 4; g++)
for (h = 0; h < 10; h++)
for (i = 0; i < 6; i++)
f[g][h][i] = 5;
if (f[2][9][0]) {
int32_t j;
if (j) {
int32_t k = g;
}
}
return 0;
}
uint8_t *func_35() {
int32_t l;
int16_t *m = &g_256;
g_52--;
g_63--;
int32_t *n = &l;
g_77 = n;
if (*m &= 7)
g_21 = g_140;
return &g_824;
}
```
func_32 is inlined by compiler and its separate function body is removed. However, it has an un-removed call instrucion.
let's see the disassembly of the compiled .o file.
```
Disassembly of section .text:
0000000000000000 <func_1>:
func_1():
0: 55 push %rbp
3b: 66 89 05 00 00 00 00 mov %ax,0x0(%rip) # 42 <func_1+0x42>
42: e8 00 00 00 00 call 47 <func_1+0x47>
```
we can know there's a relocation field at 0x43, and it's a function, we can find it in the relocation table
```
Relocation section '.rela.text' at offset 0x688 contains 39 entries:
Offset Info Type Sym. Value Sym. Name + Addend
000000000006 000500000002 R_X86_64_PC32 000000000000009a g_706 - 4
...
000000000043 000c00000004 R_X86_64_PLT32 0000000000000130 func_32 - 4
```
now we know it's func_32 that should be called here.
but actually func_32 is optimized away by compiler, it has no function body in the .o file. we can know it from the symbol table
```
Symbol table '.symtab' contains 30 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000000 0 FILE LOCAL DEFAULT ABS case.c
2: 0000000000000000 0 SECTION LOCAL DEFAULT 2 .text
3: 0000000000000000 4 OBJECT LOCAL DEFAULT 7 .L.str
4: 0000000000000000 166 FUNC GLOBAL DEFAULT 2 func_1
...
12: 0000000000000130 0 FUNC GLOBAL DEFAULT 2 func_32
...
20: 0000000000000130 57 FUNC GLOBAL DEFAULT 2 func_35
```
func_32 has zeor size and the same starting address with func_35. So here's the problem: after linking the .o file, **the instrucion will call func_35 instead of func_32 incorrectly**, the disassembly of the executable is:
```
0000000000001140 <func_1>:
func_1():
1140: 55 push %rbp
...
1182: e8 e9 00 00 00 call 1270 <func_35>
```
</pre>
<img width="1px" height="1px" alt="" src="http://email.email.llvm.org/o/eJy0WF2P4joS_TXmpUTkOJ888AB0szurVvfV7Z6r3SfkJE7wjIlR7DTQv35lO5AE6LlzRxqEyFf5-LjqVJUDVYpXNWNzFC1R9DChrd7KZr7IlBSsmWSyOM2_QCnbugBaA81q2eyogIxt6TuXDfAackHraurHgEiKoqUfe9jDKHpAJN1qvVcoWCCyRmRdcb1tMy-XO0TWQryfD9N9I7-xXCOybphgVDGFyLqQh1pIWnRGsjFzWGiytlMisrSj3d3pMY03cTgVvG6P06pup23W1rqd-qmHQ0_Txjt-IDJDZAVnluT3sSR3WZJPWRLyKcvg97EM7rIMfoVl-PtYhndZhj_P0hI9cL0FFOPpC0ExhlLQCuEHhBfut5QN6C2DUgohD7yuQMm2yRnksmBG2mUrhLvIaQ0ZgzNdViAyM37IqWLeB9__oidKLqwb_CCN4ghbnZ8RycwgObox7r72Mpe10sBrHYcbDWVb5xvfJKKhlCydDQAYi4BsNGQmYCh6ABQ8GAuMkgcUjA39eKMBkUXujEhcbRIc91aDR-YkWTn_mKljRNJqQ_zO6dUmDhyXYAUZoOgRqk1KQkAkgqn_dME0LAbROLPtQVte63Sjofh0ZYgs2Hgl5YVXQC5nkfOOYce6IwFE1ma8-1abMLQLuCD1aMXN_em02iQmPoOZEVkisqw2SZKO7jdMt00N1U8t23I-LxuRxX4TBIbtYL37TRCO_dFelICipc3JaOljd4zN4SrUUBnIrcUdPTP5YGJp44xRsITKBjG0p26BvS86621vvbXWvju_Nh98upG8H8ntyNie3syDomXlVrN1B37WcjSOwLUKULQkbsTMHVyLGvru7NhvI6Qe49uN9C7Pu5HfLZPqZvwlzIOzXg74MzkMgj_S7n39i37aQQ7v-hwmUTxiVm0iMp1e3YqDq1sDudVnLHE1KEnsk_pO-jkKJDbPkxsFmFLhfLbxw94PZ89Y2ikJ7zhoXAW7hAGugNeC16yA7AS53O25YA3QugCuFSi2pw3VzCaY5rIGs8Mxoxq2k--s8ODf8sDeWWMTQsOWKrPvaetpZwA5FQJ4rXTT5lzW3jBegmlEEjMNs72k4IoqxXaZOIEs7a2OUgGeBFPwvbvLeRgPVMyR9TQ76r4R2F989THJ03WB4PFiO-wLl5sARnoLhGdRBLcfhGf7Vm1tOYuabD-cFYLMjYxjSGeAI8C4_yI828l3VwgjekRkhY_YTh41tpldpiABhGRAmSzxMSSGecfQXJh5WDqa4cLQhgMgTK5BkgvIlW8ProF_r-XBRKRhNmQUGiZkTq2fS85EAVQDPoa25Dr9dIZn7dhNhQMruTUwu2ET5AGUpplgd3n82Rud44tI4jVMUBdnkhgKsiwVM0ziNIVc1pryWkEwA1brhjM1iOaLM_1Sl3IQxrfTng0uX087D_6iomWXq2e6MzucJSyKgtXFja5iAIxx1F0R-HPzX7vz2vyxCogFHUtwRsFuGGAKoQPzPO8aNQzssPx8OUB9enOwI1A_wOe22ONeudT9msAemAtwF7TzQL2lGtRWtqIwOzgjHlaAEUHHL2s10Fy3VIgTDIqK3Gu-4x-sAHqgp2FtGRSKWl7XFSeHc6rDUHpcQ9nInTVQp10mxUgr95b3OjCzWlGnnaaZEUovDHxHGPDc7lCw6MPeSYF_sIs8lkbCAH9x5R4-F0crjEG9NsUCbuqNfQLPL2__--MR4OlltXgCeHhcL74-vQF8fX4Y9GLwfwCx_vL0aM6uIRbLV7Ab4XwARH4A9Pq4evvy8nwDBEC6EtrjBJ_ihPCy_M_j6u2WEEAC3pOndDMACj8B8uMY1l-fV8bmX08vy8XTmFBXs8ZpYl11u0STA52v_g4xIHcgyW0EO8go-QnI6Iet12TAB5MNKCMrUzGttE1tUZo22rxS0aJomFLuXawD9eBVwqUOmzH7RmaCWcXSUrMGBK-_m-GDZLKvnna3bm72_RgO3Lymma7Q4duHjBamkV4yus5l07Bci9N517_6rGOzI8tbl3NcXTXfK1eMHOuH_7AXg2-3QF0_vt99jdlYJX7ad0g2G_Xgrjf6JOmZBNFtX5wU86CYBTM6YXM_wWE8CyI_nGznJI78MgtYWZZxgoMsSFKc4TxIizwrSJhM-JxgEmIfpziK0iD0_DKK0jz1yyTPgyghKMRsR7nwzLuuJ5tqwpVq2TxJSBJOBM2YUPa_J0JqdgD7EBGzUZ80c_t-nLWVQiEWXGnVo2iuBZtf_nlyez7I2sqIxm3VBp3aVePDlgujxbNAjKK4nrSNmP_jd3VL1Lys24X8PwAA__-xAjkA">