cmd/compile: CMOV optimization allows GC to see invalid pointer #56990
Description
This program when run on the playground, go1.18, go1.19, or tip, crashes when the Go runtime finds an invalid pointer on the stack.
@cherrymui determined that this has to do with a conditional move optimization. We have code like:
if q != nil {
p = &q.f
}
Which gets rewritten to a conditional move:
tmp := &q.f
p = Select q!=nil, tmp, p
Unfortunately, we can't compute &q.f before we've checked if q is nil, because if it is nil, &q.f is an invalid pointer (if f's offset is nonzero but small).
Normally this is not a problem because the tmp variable above immediately dies, and is thus not live across any safepoint. However, if later there is another &q.f computation, those two computations are CSEd, causing tmp to be used at both use points. That will extend tmp's lifetime, possibly across a call.