tech-toolchain archive
Re: netbsd-11 gcc bug
On 23.05.2026 at 10:59, Manuel Bouyer wrote:
> Hello,
> I tried upgrading a server to netbsd-11 and quickly got a panic
> in ipf:
> [ 150.0240120] fatal page fault in supervisor mode
> [ 150.0586271] trap type 6 code 0 rip 0xffffffff8056dffa cs 0x8 rflags 0x10286 cr2 0xec ilevel 0x4 rsp 0xffff870268a63a50
> [ 150.1225901] curlwp 0xffff869617c47400 pid 0.3 lowest kstack 0xffff870268a5f2c0
> [ 150.1657501] panic: trap
> [ 150.1803103] cpu0: Begin traceback...
> [ 150.2016313] vpanic() at netbsd:vpanic+0x171
> [ 150.2257081] panic() at netbsd:panic+0x3c
> [ 150.2473911] trap() at netbsd:trap+0xb43
> [ 150.2743808] --- trap (number 6) ---
> [ 150.2951811] ipf_fastroute() at netbsd:ipf_fastroute+0x6ea
> [ 150.3266935] ipf_send_ip() at netbsd:ipf_send_ip+0x127
> [ 150.3544099] ipf_check() at netbsd:ipf_check+0xfd5
> [ 150.3859226] pfil_run_hooks() at netbsd:pfil_run_hooks+0x11e
> [ 150.4164994] ipintr() at netbsd:ipintr+0x21e
> [ 150.4451003] softint_dispatch() at netbsd:softint_dispatch+0x112
>
> ipf_fastroute+0x6ea points to external/bsd/ipf/netinet/ip_fil_netbsd.c
> line 1200:
> if (!fr || !(fr->fr_flags & FR_RETMASK)) {
line 1214 says:
> if ((fdp != &fr->fr_dif) && (fin->fin_out == 0)) {
After this point, fr is guaranteed to be non-null, as the expression
&fr->fr_dif would invoke undefined behavior, even though no memory near
the null pointer would be accessed.
C99 6.5.3.2 doesn't explicitly mention taking the address of
nullptr->member, but it may be possible to construct a valid argument
using that section.
Then, in line 1220, fr cannot be null anymore since that variable is not
re-assigned anywhere nearby.
Roland
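
An added example, not part of the original message and not the ipf source: a reduced C sketch of the pattern discussed in the reply above, next to a form that decides the null case before any member address is formed. The struct, flag and function names are constructed stand-ins.

```c
#include <stddef.h>

/* Constructed stand-ins for illustration; not the ipf structures. */
struct dest { int ifindex; };
struct rule { unsigned flags; struct dest dif; };

#define RULE_RETMASK 0x3u   /* hypothetical flag mask */

/*
 * Pattern from the thread: the first test admits r == NULL, then
 * &r->dif is formed unconditionally. Following the reply's argument,
 * forming that address on a null pointer is undefined, so an optimizer
 * may assume r != NULL from there on and drop the later null test.
 */
int classify_fragile(const struct rule *r, const struct dest *d)
{
    int score = 0;
    if (!r || !(r->flags & RULE_RETMASK))
        score += 1;
    if (d != &r->dif)            /* undefined when r == NULL */
        score += 2;
    if (r != NULL)               /* may be folded to "always true" */
        score += 4;
    return score;
}

/* Same logic, with the null case decided before &r->dif is formed. */
int classify_checked(const struct rule *r, const struct dest *d)
{
    int score = 0;
    const struct dest *own = (r != NULL) ? &r->dif : NULL;
    if (!r || !(r->flags & RULE_RETMASK))
        score += 1;
    if (d != own)
        score += 2;
    if (r != NULL)               /* still a real test here */
        score += 4;
    return score;
}
```

Only `classify_checked` has defined behaviour for a null `r`; the fragile form is safe to call with non-null rules only.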