struct field load through underaligned pointer has incorrect alignment

[andrewrk]

Zig Version

0.11.0-dev.1969+d525ecb52

Steps to Reproduce and Observed Behavior

const std = @import("std");
const expect = std.testing.expect;

pub fn main() !void {
    var buf: [9]u8 align(4) = .{ 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    const ptr = @ptrCast(*align(1) Header, buf[1..][0..8]);
    const x = ptr.bytes_len;
    std.debug.print("x=0x{x}\n", .{x});
}

const Header = extern struct {
    tag: u32,
    bytes_len: u32,
};

$ stage3/bin/zig build-exe test3.zig -target mipsel-linux-musl
$ qemu-mipsel ./test3
Bus error (core dumped)

The problem is incorrect alignment in the LLVM IR:

const std = @import("std");

pub fn panic(msg: []const u8, st: ?*std.builtin.StackTrace, start: ?usize) noreturn {
    _ = .{ msg, st, start };
    unreachable;
}

export fn entry() bool {
    doTheTest() catch return false;
    return true;
}

fn doTheTest() !void {
    var buf: [9]u8 align(4) = .{ 1, 2, 3, 4, 5, 6, 7, 8, 9 };
    const ptr: *align(1) Header = @ptrCast(buf[1..][0..8]);
    const x = ptr.bytes_len;
    foo(x);
}

extern fn foo(u32) void;

const Header = extern struct {
    tag: u32,
    bytes_len: u32,
};

$ stage3/bin/zig build-obj test2.zig -target mipsel-linux-musl --verbose-llvm-ir -fstrip -OReleaseFast

define internal fastcc i16 @test2.doTheTest() unnamed_addr #0 {
Entry:
  %0 = alloca ptr, align 4
  %1 = alloca [9 x i8], align 4
  call void @llvm.memcpy.p0.p0.i32(ptr align 4 %1, ptr align 1 @0, i32 9, i1 false)
  %2 = getelementptr inbounds [9 x i8], ptr %1, i32 0, i32 1
  store ptr %2, ptr %0, align 4
  %3 = load ptr, ptr %0, align 4
  %4 = getelementptr inbounds [8 x i8], ptr %3, i32 0, i32 0
  %5 = getelementptr inbounds %test2.Header, ptr %4, i32 0, i32 1
  %6 = load i32, ptr %5, align 4
  call void @foo(i32 %6)
  ret i16 0
}

The problem is %6 = load i32, ptr %5, align 4 which has align 4 instead of align 1.

Side note: it is very annoying that the panic override above does not eliminate panicOutOfBounds from calling into std.debug.panicExtra and dragging in a whole lot of formatting code.

I have no evidence this is a regression, but I suspect it is.

Expected Behavior

I expect to see %6 = load i32, ptr %5, align 1 which would cause LLVM to generate machine code that did not cause a Bus Error.

[andrewrk]

Fixed for the LLVM backend; issue remains for the C backend.

[andrewrk]

C code generated is now:

static uint16_t test_doTheTest__251(void) {
 static uint8_t const t1[9] = "\001\002\003\004\005\006\a\b\t";
 uint8_t *t2;
 uint8_t (*t3)[8];
 struct Header__885 *t4;
 uint32_t *t5;
 uint32_t t6;
 zig_align(4) uint8_t t0[9];
 memcpy((char *)&t0, t1, sizeof(uint8_t[9]));
 t2 = (uint8_t *)&t0;
 t2 = (uint8_t *)(((uintptr_t)t2) + ((uintptr_t)1ul*sizeof(uint8_t)));
 t3 = (uint8_t (*)[8])t2;
 t4 = (struct Header__885 *)t3;
 t5 = (uint32_t *)&t4->bytes_len;
 memcpy(&t6, (const char *)t5, sizeof(uint32_t));
 foo(t6);
 return UINT16_C(0);
}

The memcpy makes it safe. Not sure when this got fixed.

[andrewrk]

Hmm the actual behavior test is not fixed however:

--- a/test/behavior/align.zig
+++ b/test/behavior/align.zig
@@ -624,7 +624,6 @@ test "sub-aligned pointer field access" {
     if (builtin.zig_backend == .stage2_aarch64) return error.SkipZigTest;
     if (builtin.zig_backend == .stage2_arm) return error.SkipZigTest;
     if (builtin.zig_backend == .stage2_sparc64) return error.SkipZigTest;
-    if (builtin.zig_backend == .stage2_c) return error.SkipZigTest;
 
     // Originally reported at https://github.com/ziglang/zig/issues/14904

test-behavior
└─ run test behavior-x86_64-linux.6.8.1...6.8.1-gnu.2.38-znver3-Debug-libc-cbe failure
Illegal instruction at address 0x12bf2c7
/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c:30711:24: 0x12bf2c7 in behavior_align_test_sub_2daligned_20pointer_20field_20access__1028 (/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c)
 t6 = (uint32_t *)&t5->bytes_len;
                       ^
/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c:29392:10: 0x126caa3 in test_runner_mainServer__260 (/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c)
    t6 = t40();
         ^
/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c:29574:9: 0x10ae933 in test_runner_main__259 (/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c)
  t17 = test_runner_mainServer__260();
        ^
/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c:27358:2: 0x10ad7f1 in main (/home/andy/dev2/zig/zig-cache/o/6bfbca337d5fc3c5fed111b5c0ce840e/test.c)
 test_runner_main__259();
 ^
???:?:?: 0x7f5098d0afcd in ??? (libc.so.6)
Unwind information for `libc.so.6:0x7f5098d0afcd` was not available, trace may be incomplete

Looks like the pointer cast causes UB even though the pointer is not accessed.