Wrong assembly code generated with -flto -mfloat-abi=hard options

Hi,

When compiling the following code:

/********************************************************************/

typedef struct {
  double m_a;
  double m_b;
  double m_c;
  double m_d;
} AtLeast32BytesObject;

AtLeast32BytesObject __attribute__((noinline)) CalledFunction() {
  AtLeast32BytesObject result = {1.1, 2.2, 3.3, 4.4};
  return result;
}

void __attribute__((noinline)) _start() {
  volatile AtLeast32BytesObject result = CalledFunction();
  while(1) {}
}

/********************************************************************/

with "arm-none-eabi-gcc -Os -flto -mthumb -mfloat-abi=hard -mcpu=cortex-m4 -ffreestanding -nostdlib -lgcc", the assembly instructions emitted for the symbol "CalledFunction" use callee-save registers r4-r7 to store the result of the CalledFunction procedure (cf following disassemble function addresses range 0x0000805e-0x0000806e). The registers r4-r7 are overwritten just when leaving the subroutine (since they're callee-save registers) leading to a corrupted result from "CalledFunction" (cf following disassemble function at address 0x00008072).

Dump of assembler code for function CalledFunction:
   0x00008000 <+0>: push {r4, r5, r6, r7, lr}
   0x00008002 <+2>: ldr r5, [pc, #112] ; (0x8074 <CalledFunction+116>)
   0x00008004 <+4>: ldmia r5!, {r0, r1, r2, r3}
   0x00008006 <+6>: sub sp, #132 ; 0x84
   0x00008008 <+8>: add r4, sp, #64 ; 0x40
   0x0000800a <+10>: stmia r4!, {r0, r1, r2, r3}
   0x0000800c <+12>: ldmia.w r5, {r0, r1, r2, r3}
   0x00008010 <+16>: add r5, sp, #64 ; 0x40
   0x00008012 <+18>: stmia.w r4, {r0, r1, r2, r3}
   0x00008016 <+22>: ldmia r5!, {r0, r1, r2, r3}
   0x00008018 <+24>: add r4, sp, #96 ; 0x60
   0x0000801a <+26>: stmia r4!, {r0, r1, r2, r3}
   0x0000801c <+28>: ldmia.w r5, {r0, r1, r2, r3}
   0x00008020 <+32>: stmia.w r4, {r0, r1, r2, r3}
   0x00008024 <+36>: ldr r3, [sp, #96] ; 0x60
   0x00008026 <+38>: str r3, [sp, #0]
   0x00008028 <+40>: ldr r3, [sp, #100] ; 0x64
   0x0000802a <+42>: str r3, [sp, #4]
   0x0000802c <+44>: ldr r3, [sp, #104] ; 0x68
   0x0000802e <+46>: str r3, [sp, #8]
   0x00008030 <+48>: ldr r3, [sp, #108] ; 0x6c
   0x00008032 <+50>: str r3, [sp, #12]
   0x00008034 <+52>: ldr r3, [sp, #112] ; 0x70
   0x00008036 <+54>: str r3, [sp, #16]
   0x00008038 <+56>: ldr r3, [sp, #116] ; 0x74
   0x0000803a <+58>: ldr r7, [sp, #124] ; 0x7c
   0x0000803c <+60>: str r3, [sp, #20]
   0x0000803e <+62>: ldr r3, [sp, #120] ; 0x78
   0x00008040 <+64>: strd r3, r7, [sp, #24]
   0x00008044 <+68>: ldr r3, [sp, #0]
   0x00008046 <+70>: str r3, [sp, #32]
   0x00008048 <+72>: ldr r3, [sp, #4]
   0x0000804a <+74>: str r3, [sp, #36] ; 0x24
   0x0000804c <+76>: ldr r3, [sp, #8]
   0x0000804e <+78>: str r3, [sp, #40] ; 0x28
   0x00008050 <+80>: ldr r3, [sp, #12]
   0x00008052 <+82>: str r3, [sp, #44] ; 0x2c
   0x00008054 <+84>: ldr r3, [sp, #16]
   0x00008056 <+86>: str r3, [sp, #48] ; 0x30
   0x00008058 <+88>: ldr r3, [sp, #20]
   0x0000805a <+90>: str r3, [sp, #52] ; 0x34
   0x0000805c <+92>: ldr r3, [sp, #24]
   0x0000805e <+94>: strd r3, r7, [sp, #56] ; 0x38 // HERE, we store
   0x00008062 <+98>: ldrd r0, r1, [sp, #32] // the result
   0x00008066 <+102>: ldrd r2, r3, [sp, #40] ; 0x28 // in r0-r7
   0x0000806a <+106>: ldrd r4, r5, [sp, #48] ; 0x30 //
   0x0000806e <+110>: ldr r6, [sp, #56] ; 0x38 //
   0x00008070 <+112>: add sp, #132 ; 0x84
   0x00008072 <+114>: pop {r4, r5, r6, r7, pc} // HERE, we overwrite r4-r7
   0x00008074 <+116>: strh r0, [r5, #4]
   0x00008076 <+118>: movs r0, r0
End of assembler dump.

I attach to this report the "main.c" containing the previous code and a "Makefile" resuming the options used to compile and which also disassembles the symbol "CalledFunction" to highlight the bug.

The toolchain version is arm-none-eabi-gcc (GNU Arm Embedded Toolchain 9-2020-q2-update) 9.3.1 20200408 (release). It was from the binary package gcc-arm-none-eabi-9-2020-q2-update-mac.pkg. The host machine is a MacBook Pro with Catalina version 10.15.4 (19E287).