[Bug middle-end/23408] New: ICE on valid, if checking enabled

[Bug middle-end/23408] New: ICE on valid, if checking enabled

[e9925248 at stud4 dot tuwien dot ac dot at]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 3486 bytes --]

If the following code is compiled by a GCC with checking enabled (configured
with --enable-checking=misc,tree,rtl,rtlflag,gc,gcac) and -O1, a ICE happen:
static __inline__ int f () { return g (); }
int g () { return f (); }

With checking disabled, the ICE does not happen.

gcc version:
GNU C version 4.1.0 20050815 (experimental) (i686-pc-linux-gnu)

Backtrace:Analyzing compilation unit {GC 733k -> 718k} {GC 719k -> 719k} {GC
719k -> 719k}Performing intraprocedural optimizations
 {GC 721k -> 694k}
Program received signal SIGSEGV, Segmentation fault.
0x08aea1eb in cgraph_decide_inlining_incrementally (node=0xb7c62c98, early=1
'\001') at ../.././gcc/ipa-inline.c:1029
1029        if (e->callee->local.disregard_inline_limits
(gdb) bt
#0  0x08aea1eb in cgraph_decide_inlining_incrementally (node=0xb7c62c98, early=1
'\001') at ../.././gcc/ipa-inline.c:1029
#1  0x08aea64d in cgraph_early_inlining () at ../.././gcc/ipa-inline.c:1131
#2  0x08a59ff0 in execute_one_pass (pass=0x8e71bc0) at ../.././gcc/passes.c:797
#3  0x08a5a0ed in execute_ipa_pass_list (pass=0x8e71bc0) at ../.././gcc/passes.c:843
#4  0x08ae6807 in ipa_passes () at ../.././gcc/cgraphunit.c:1202
#5  0x08ae68c7 in cgraph_optimize () at ../.././gcc/cgraphunit.c:1236
#6  0x0806cdf1 in c_write_global_declarations () at ../.././gcc/c-decl.c:7618
#7  0x089fcc5c in compile_file () at ../.././gcc/toplev.c:984
#8  0x089fe491 in do_compile () at ../.././gcc/toplev.c:1914
#9  0x089fe4f3 in toplev_main (argc=3, argv=0xbff6eb44) at ../.././gcc/toplev.c:1946
#10 0x080ed5ca in main (argc=3, argv=0xbff6eb44) at ../.././gcc/main.c:35
(gdb) p e
$1 = (struct cgraph_edge *) 0xa5a5a5a5

(gdb) up
#1  0x08aea64d in cgraph_early_inlining () at ../.././gcc/ipa-inline.c:1131
1131            cgraph_decide_inlining_incrementally (node, true);
(gdb) p *node
$2 = {decl = 0xa5a5a5a5, callees = 0xa5a5a5a5, callers = 0xa5a5a5a5, next =
0xa5a5a5a5, previous = 0xa5a5a5a5, origin = 0xa5a5a5a5,
  nested = 0xa5a5a5a5, next_nested = 0xa5a5a5a5, next_needed = 0xa5a5a5a5,
next_clone = 0xa5a5a5a5, prev_clone = 0xa5a5a5a5,
  master_clone = 0xa5a5a5a5, aux = 0xa5a5a5a5, local = {self_insns =
-1515870811, local = 165 '¥', externally_visible = 165 '¥',
    finalized = 165 '¥', inlinable = 165 '¥', disregard_inline_limits = 165 '¥',
redefined_extern_inline = 165 '¥',
    for_functions_valid = 165 '¥', vtable_method = 165 '¥'}, global =
{inlined_to = 0xa5a5a5a5, insns = -1515870811,
    estimated_growth = -1515870811, inlined = 165 '¥'}, rtl =
{preferred_incoming_stack_boundary = -1515870811},
  count = -6510615555426900571, uid = -1515870811, needed = 165 '¥', reachable =
165 '¥', lowered = 165 '¥', analyzed = 165 '¥',
  output = 165 '¥', externally_visible = 165 '¥', alias = 165 '¥'}

As far as I can tell, the garbage collector seems to free some used memory.

It is a regression, as GCC version 20050606 did not showed this error.

-- 
           Summary: ICE on valid, if checking enabled
           Product: gcc
           Version: 4.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: middle-end
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: e9925248 at stud4 dot tuwien dot ac dot at
                CC: gcc-bugs at gcc dot gnu dot org
 GCC build triplet: i686-pc-linux-gnu
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu (exists also on avr)


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[pinskia at gcc dot gnu dot org]

------- Additional Comments From pinskia at gcc dot gnu dot org  2005-08-15 21:37 -------
Also reproduced with --enable-checking=yes (default) and --param ggc-min-expand=0 --param 
ggc-min-heapsize=0 -O1.  This means we are using already freed GC memory.
Honza could you look into this since it seems like it was caused by one of your functions.  Smells like 
we are missing a GTY somwhere.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hubicka at gcc dot gnu dot
                   |                            |org
             Status|UNCONFIRMED                 |NEW
     Ever Confirmed|                            |1
  GCC build triplet|i686-pc-linux-gnu           |
   GCC host triplet|i686-pc-linux-gnu           |
 GCC target triplet|i686-pc-linux-gnu (exists   |
                   |also on avr)                |
           Keywords|                            |ice-on-valid-code
   Last reconfirmed|0000-00-00 00:00:00         |2005-08-15 21:37:39
               date|                            |
            Summary|ICE on valid, if checking   |[4.1 Regression] ICE in
                   |enabled                     |cgraph_decide_inlining_incre
                   |                            |mentally (using freed GC
                   |                            |memory)
   Target Milestone|---                         |4.1.0


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[e9925248 at stud4 dot tuwien dot ac dot at]

------- Additional Comments From e9925248 at stud4 dot tuwien dot ac dot at  2005-08-16 21:20 -------
I think, I found the cause of this:
cgraph_early_inlining holds a list of cgraph nodes in the array order.

In this example, cgraph_decide_inlining_incrementally removes all references
known by the garbage collector to a node contained in this array, which has not
been processed. Then it calls the ggc_collect. With checking enabled, the freed
memory is overwritten so that the following access cause a segementation fault.

If the call to the garbage collector in cgraph_decide_inlining_incrementally is
removed, the file compiles:
Index: ipa-inline.c
===================================================================
RCS file: /cvs/gcc/gcc/gcc/ipa-inline.c,v
retrieving revision 2.15
diff -u -p -r2.15 ipa-inline.c
--- ipa-inline.c        28 Jul 2005 21:45:25 -0000      2.15
+++ ipa-inline.c        16 Aug 2005 21:18:18 -0000
@@ -1073,7 +1073,6 @@ cgraph_decide_inlining_incrementally (st
       node->local.self_insns = node->global.insns;
       current_function_decl = NULL;
       pop_cfun ();
-      ggc_collect ();
     }
   return inlined;
 }

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

Re: [Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[Andrew Pinski]

> 
> 
> ------- Additional Comments From e9925248 at stud4 dot tuwien dot ac dot at  2005-08-16 21:20 -------
> I think, I found the cause of this:
> cgraph_early_inlining holds a list of cgraph nodes in the array order.
> 
> In this example, cgraph_decide_inlining_incrementally removes all references
> known by the garbage collector to a node contained in this array, which has not
> been processed. Then it calls the ggc_collect. With checking enabled, the freed
> memory is overwritten so that the following access cause a segementation fault.

The other way to fix it, would be move the order array to GC memory so we call
still call ggc_collect.

-- Pinski

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[pinskia at physics dot uc dot edu]

------- Additional Comments From pinskia at physics dot uc dot edu  2005-08-16 21:23 -------
Subject: Re:  [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

> 
> 
> ------- Additional Comments From e9925248 at stud4 dot tuwien dot ac dot at  2005-08-16 21:20 -------
> I think, I found the cause of this:
> cgraph_early_inlining holds a list of cgraph nodes in the array order.
> 
> In this example, cgraph_decide_inlining_incrementally removes all references
> known by the garbage collector to a node contained in this array, which has not
> been processed. Then it calls the ggc_collect. With checking enabled, the freed
> memory is overwritten so that the following access cause a segementation fault.

The other way to fix it, would be move the order array to GC memory so we call
still call ggc_collect.

-- Pinski


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[pinskia at gcc dot gnu dot org]

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |critical


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[pinskia at gcc dot gnu dot org]

------- Additional Comments From pinskia at gcc dot gnu dot org  2005-08-28 03:05 -------
I am testing a patch for which I recommended in comment #3.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |pinskia at gcc dot gnu dot
                   |dot org                     |org
             Status|NEW                         |ASSIGNED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[pinskia at gcc dot gnu dot org]

------- Additional Comments From pinskia at gcc dot gnu dot org  2005-08-28 04:45 -------
And that did not work.  Just going to get approval for your patch after a bootstrap/test.

-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[cvs-commit at gcc dot gnu dot org]

------- Additional Comments From cvs-commit at gcc dot gnu dot org  2005-08-29 17:49 -------
Subject: Bug 23408

CVSROOT:	/cvs/gcc
Module name:	gcc
Changes by:	pinskia@gcc.gnu.org	2005-08-29 17:48:59

Modified files:
	gcc            : ChangeLog ipa-inline.c 
	gcc/testsuite  : ChangeLog 
Added files:
	gcc/testsuite/gcc.dg: pr23408.c 

Log message:
	2005-08-18  Andrew Pinski  <pinskia@physics.uc.edu>
	
	PR middle-end/23408
	* ipa-inline.c (cgraph_decide_inlining_incrementally): Remove the
	call to ggc_collect.
	2005-08-28  Andrew Pinski  <pinskia@physics.uc.edu>
	
	PR middle-end/23408
	* gcc.dg/pr23408.c: New test.

Patches:
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ChangeLog.diff?cvsroot=gcc&r1=2.9849&r2=2.9850
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/ipa-inline.c.diff?cvsroot=gcc&r1=2.15&r2=2.16
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/testsuite/ChangeLog.diff?cvsroot=gcc&r1=1.5977&r2=1.5978
http://gcc.gnu.org/cgi-bin/cvsweb.cgi/gcc/gcc/testsuite/gcc.dg/pr23408.c.diff?cvsroot=gcc&r1=NONE&r2=1.1



-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408

[Bug middle-end/23408] [4.1 Regression] ICE in cgraph_decide_inlining_incrementally (using freed GC memory)

[pinskia at gcc dot gnu dot org]

------- Additional Comments From pinskia at gcc dot gnu dot org  2005-08-29 17:49 -------
Fixed.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=23408