builtin causing strange errno corruption for function named reallocarray

[guijan]

If I have one program composed of 2 C source files, reallocarray_test.c and reallocarray.c, with the following contents:

reallocarray_test.c:

#include <errno.h>
#include <stdio.h>

void *reallocarray(void *optr, size_t nmemb, size_t size);

int
main(void)
{
	errno = 0;

	reallocarray(0, 0, 0);
	printf("1st errno val after  return: %d\n", errno);
	printf("2nd errno val after  return: %d\n", errno);
	return 0;
}

reallocarray.c:

#include <errno.h>
#include <stdio.h>

void *
reallocarray(void *optr, size_t nmemb, size_t size)
{
	errno = 1;
	printf("    errno val before return: %d\n", errno);
	return NULL;
}

And if I compile and run it with builtins off and then builtins on, the program's output is different:

$ clang -O2 -fno-builtin -o builtin_off reallocarray_test.c reallocarray.c
$ ./builtin_off
    errno val before return: 1
1st errno val after  return: 1
2nd errno val after  return: 1

$ clang -O2 -o builtin_on reallocarray_test.c reallocarray.c
$ ./builtin_on 
    errno val before return: 1
1st errno val after  return: 0
2nd errno val after  return: 1

Here's a diff:

--- /tmp/builtin_off.txt        2025-07-16 14:18:18.140908085 +0000
+++ /tmp/builtin_on.txt 2025-07-16 14:18:22.365877065 +0000
@@ -1,3 +1,3 @@
     errno val before return: 1
-1st errno val after  return: 1
+1st errno val after  return: 0
 2nd errno val after  return: 1

Strangely, when builtins are enabled, the first read of errno is 0, while the 2nd read is 1, even though at the C level there is no write to errno between these 2 reads. The compiled program isn't actually calling the builtin reallocarray (nor should it), as evidenced by looking at the program's output and disassembling the program.

I can confirm this behavior on the following versions of clang:

clang version 22.0.0git (https://github.com/llvm/llvm-project.git 968d38d1d7d9de2d5717457876bba2663b36f620)

clang version 20.1.7

This bug is very finnicky. If I join the source files and create a single-file program, it no longer happens. If I comment out errno = 0; from reallocarray_test.c's main(), it won't happen either.

[Alcaro]

But there is a C level write to errno. It's inside the printf.

errno manual:

A common mistake is to do

if (somecall() == -1) {
printf("somecall() failed\n");
if (errno == ...) { ... }
}

where errno no longer needs to have the value it had upon return from somecall() (i.e., it may have been changed by the printf(3)).

(LLVM seems to assume that printf always sets errno to zero. e: no, it doesn't, I misread the eax use)

As for the name reallocarray, it is indeed special cased somehow, but it's also a defined function in both glibc and musl. I don't know if it's undefined behavior to override libc functions with subtly (or unsubtly) different behavior, but I do know it's inadvisable.

[guijan]

Okay, C allows the implementation to set errno inside printf, and I assumed that if the libc doesn't set it, that was good enough. However, I can change the code so that there are no function calls between the 2 errno reads and still encounter the bug, but a little differently:

reallocarray.c:

#include <errno.h>
#include <stdio.h>

void *
reallocarray(void *optr, size_t nmemb, size_t size)
{
	errno = 1;
	printf("    errno val before return: %d\n", errno);
	errno = 1;
	return NULL;
}

reallocarray_test.c:

#include <errno.h>
#include <stdio.h>

void *reallocarray(void *optr, size_t nmemb, size_t size);

int
main(void)
{
	int saved_errno_1, saved_errno_2;
	errno = 0;

	reallocarray(0, 0, 0);
	saved_errno_1 = errno;
	saved_errno_2 = errno;
	printf("1st errno val after  return: %d\n", saved_errno_1);
	printf("2nd errno val after  return: %d\n", saved_errno_2);
	return 0;
}

$ clang -O2 -o builtin_on reallocarray_test.c reallocarray.c
$ ./builtin_on
    errno val before return: 1
1st errno val after  return: 0
2nd errno val after  return: 0

Here, errno isn't the right value of 1, and it doesn't change to 1 after being read once.

The use case is that I have a library to provide reallocarray on systems that don't have it, and I noticed my test case fails when the project is compiled with clang:
reallocarray implementation:
https://github.com/guijan/libobsd/blob/45ad2a4690095da85dec4437c9494dffe89dd6ce/src/stdlib/reallocarray.c
The lines of the test case that error:
https://github.com/guijan/libobsd/blob/45ad2a4690095da85dec4437c9494dffe89dd6ce/test/reallocarray.c#L71-L80

[frederick-vs-ja]

This is probably caused by #114818. reallocarray wasn't specially handled in Clang 19.