
[Tinycc-devel] "internal compiler error: vstack leak" and crash with VLA


From: Pascal Cuoq
Subject: [Tinycc-devel] "internal compiler error: vstack leak" and crash with VLA of incomplete type
Date: Sun, 31 Mar 2019 19:20:39 +0000

With TCC from git (commit 9382a3a), the two following inputs vla0.i and vla1.i each cause the message “error: internal compiler error: vstack leak” to be printed. In addition, the input vla1.i makes TCC crash:

$ cat vla0.i
int X=1;

int main(void) {
  int t[][X];
}
$ ./tcc vla0.i
about to pop: 1
about to pop: 0
about to pop: 0
vla0.i:6: error: internal compiler error: vstack leak (-1)
$ cat vla1.i
int X=1;

int main(void) {
  int t[][][X];
}
$ ./tcc vla1.i
about to pop: 1
about to pop: 0
about to pop: -1
about to pop: -1
vla1.i:6: error: internal compiler error: vstack leak (104364)
Segmentation fault

The message “about to pop” is caused by the attached patch, which does not change the functional behavior of TCC.

If someone more knowledgeable than me about TCC's internals wants to continue from where I stopped, according to the tools I am using, the first undefined behavior to occur when TCC is processing either of these inputs is inside the function vpop, where the pointer vtop is made to point before the array it is supposed to point to. The callstacks at the point of this first undefined behavior respectively look like (the lines may not correspond exactly):

                  stack: vpop :: tccgen.c:4524 <-
                         post_type :: tccgen.c:4608 <-
                         type_decl :: tccgen.c:7512 <-
                         decl0 :: tccgen.c:7697 <-
                         decl :: tccgen.c:6197 <-
                         block :: tccgen.c:7375 <-
                         gen_function :: tccgen.c:7596 <-
                         decl0 :: tccgen.c:7697 <-
                         decl :: tccgen.c:298 <-
                         tccgen_compile :: libtcc.c:652 <-
                         tcc_compile :: libtcc.c:1068 <-
                         tcc_add_file_internal :: libtcc.c:1094 <-
                         tcc_add_file :: tcc.c:338 <-
                         main

                  stack: vpop :: tccgen.c:4524 <-
                         post_type :: tccgen.c:4507 <-
                         post_type :: tccgen.c:4608 <-
                         type_decl :: tccgen.c:7512 <-
                         decl0 :: tccgen.c:7697 <-
                         decl :: tccgen.c:6197 <-
                         block :: tccgen.c:7375 <-
                         gen_function :: tccgen.c:7596 <-
                         decl0 :: tccgen.c:7697 <-
                         decl :: tccgen.c:298 <-
                         tccgen_compile :: libtcc.c:652 <-
                         tcc_compile :: libtcc.c:1068 <-
                         tcc_add_file_internal :: libtcc.c:1094 <-
                         tcc_add_file :: tcc.c:338 <-
                         main

The attached patch, when applied, shows the undefined behavior occurring: the message “about to pop” is printed just before executing vtop--. When the message shows 0, vtop is about to go outside the array __vstack. When it shows -1, vtop is already outside the array. It does not make much sense to try to debug anything that happens after this, since vtop going outside of __vstack is already something that should not happen, and since it can mess up whatever data structure is stored next to it.

Attachment: pop.patch
Description: pop.patch
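To make the invariant the report describes concrete, here is an added toy model of the __vstack/vtop layout with a guarded pop; it is constructed for this example and is not Pascal's patch or TCC's code. VSTACK_SIZE, the one-field SValue, and the names vdepth, vpop_checked and replay_unbalanced_pops are assumptions; the value printed as "about to pop" is modelled as vtop - __vstack, as the message explains.

```c
#include <stdio.h>
#include <stddef.h>

/* Toy model of TCC's value stack, constructed for this example (not TCC's
 * code). Names mirror tccgen.c: __vstack has one slack slot in front of
 * the usable stack, vstack, and vtop points at the current top element.
 * VSTACK_SIZE and the one-field SValue are simplifications. */
#define VSTACK_SIZE 8
typedef struct { int c; } SValue;

static SValue __vstack[1 + VSTACK_SIZE];
#define vstack (__vstack + 1)
static SValue *vtop = vstack - 1;   /* empty stack: vtop == &__vstack[0] */

/* The value the report's patch prints as "about to pop: N": vtop - __vstack.
 * 0 means the next vtop-- leaves the array; negative means it already has. */
static ptrdiff_t vdepth(void) { return vtop - __vstack; }

static int vpush(int c)
{
    if (vtop >= vstack + VSTACK_SIZE - 1)
        return -1;                   /* stack full */
    (++vtop)->c = c;
    return 0;
}

/* Guarded pop: refuses to move vtop before __vstack instead of silently
 * corrupting whatever is stored next to the array. In the report the
 * unguarded vtop-- runs at depth 0 and the later leak check sees -1. */
static int vpop_checked(void)
{
    if (vtop <= __vstack)            /* would print "about to pop: 0" */
        return -1;
    vtop--;
    return 0;
}

/* Replays an unbalanced sequence like the report's: one push, then `pops`
 * pops. Returns how many pops succeeded before the guard fired. */
static int replay_unbalanced_pops(int pops)
{
    int ok = 0;
    vtop = vstack - 1;
    vpush(1);
    while (ok < pops && vpop_checked() == 0)
        ok++;
    return ok;
}
```

With one push and three pops, only the first pop succeeds; the guard stops vtop at __vstack[0] instead of letting it run past the array as in the report.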
