Hello,

I use icc (ICC) version 17.0.0 (20160721). I found a bug in the way its MPX transformation pass treats code with VLAs (variable-length arrays allocated on stack). My computer has an Intel Skylake CPU (though I don't think it plays any role).

Here is the minimal test case that reproduces the problem (adapted from Dedup program where the bug was triggered):

#include <pthread.h>

struct thread_args {
  int tid;
};

void* threadfunc(void * targs) {
  struct thread_args *args = (struct thread_args *)targs;
  return (void*) args->tid;
}

__attribute__((noinline)) int foo(int nthreads) {
  int threadret=0;
  pthread_t  threads_chunk[4];
  struct thread_args chunk_thread_args[nthreads]; // VLA array! Translates into a call to __chkp_vla_alloc()
//  struct thread_args chunk_thread_args[4];  // THIS WORKS

  for (int i = 0; i < nthreads; i ++) {
    chunk_thread_args.tid = i;
    pthread_create(&threads_chunk, NULL, threadfunc, &chunk_thread_args);
  }
  for (int i = 0; i < nthreads; i ++) {
    pthread_join(threads_chunk, (void**)&threadret);
  }
  return threadret;
}

int main() {
    int ret = foo(1);
    return ret; // supposed to return `0`
}

The code is supposed to return `0` but returns garbage values. The optimization level doesn't matter.

>>> icc -O0 -ggdb -check-pointers-mpx=rw -lmpx -pthread test.c
>>> ./a.out
>>> echo $?
112  # garbage value
>>> icc -O2 -ggdb -check-pointers-mpx=rw -lmpx -pthread test.c
>>> ./a.out
>>> echo $?
96   # garbage value
>>> icc -O2 -ggdb -pthread test.c
>>> ./a.out 
>>> echo $?
0

So in a nutshell, whenever ICC-MPX detects a VLA stack-allocated array, it calls a function __chkp_vla_alloc(). Somehow, this corrupts the stack, so a later access to the stack-based `args->tid` reads garbage from the stack address.