[Bug c/24599] New: segv after overflow detection

[Bug c/24599] New: segv after overflow detection

[dje at transmeta dot com]

The following testcase crashes when compiled with -O3.

#include <stdbool.h>

bool v_2 = true;
bool *v_3 = &v_2;
int idv_2 = 0;
int idv_3 = 0;

int
main (int argc, char **argv)
{
    if ((bool)((1527719483 + 1477819644))) {
    }

    for (idv_2 = 0; idv_2 < 15; ++idv_2) {
        for (idv_3 = 0; idv_3 < (v_2 ? 1 : *v_3) ; ++idv_3) {
        }
    }

    return 0;
}

claire:~/claire/gnu/tmp/gcc402/gcc$ ./xgcc -B./ -O3 -c foo.c
foo.c: In function 'main':
foo.c:11: warning: integer overflow in expression
foo.c:10: internal compiler error: Segmentation fault
Please submit a full bug report,
with preprocessed source if appropriate.
See <URL:http://gcc.gnu.org/bugs.html> for instructions.


NOTE: I haven't confirmed the following, but am passing it on in case it speeds
up root-causing this.

GCC 4.x's tree infrastructure introduces a new mechanism to create constant
tree
node. Instead of creating a new tree node for every reference of certain type
constant as in GCC 3.4.1, a global tree node is created and shared by all
references of a constant in GCC 4.x. The attributes of the global tree node is
shared by all the references of the constant as well.

--------------------------------------------
    if ((bool)((1527719483 + 1477819644))) {
    }

    for (...) {
       if (invariant_cond)  
         A
       else 
         B        
    }   
-----------------------------------------------------------------

During const-folding optimization, overflow is detected for the expression
"(1527719483 + 1477819644)". The folded constant is casted to a boolean
constant
"1", which is represented by a global tree node "boolean_true_node", and the
attribute is passed to the tree node.

During the later unswitch optimization, the loop segment is transformed:

      if (invariant_cond) 
         for (...) {
            if (1) 
              A
            else 
              B
         }
      if (!invariant_cond) 
         for (...) {
            if (0) 
              A
            else
              B
         }

During the later induction variable reduction optimization, the "1" expression
in "if (1)" is checked in the following sequence in
find_interesting_uses_cond():

         if (integer_zerop(exp) || integer_nonzerop(exp)) {return;}
         else {
          ...  = exp->operands[0]
          ...  = exp->operands[1]          ===> segmentation fault
         }                                 ===> only one operand in "1" exp  

The reason is because after the overflow attribute is passed to the
boolean_true_node, integer_nonzerop(exp) returns false while it should return
true.


-- 
           Summary: segv after overflow detection
           Product: gcc
           Version: 4.0.2
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
        AssignedTo: unassigned at gcc dot gnu dot org
        ReportedBy: dje at transmeta dot com
  GCC host triplet: x86_64-unknown-linux-gnu


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug tree-optimization/24599] [4.0 regression] segv after overflow detection

[pinskia at gcc dot gnu dot org]

------- Comment #1 from pinskia at gcc dot gnu dot org  2005-10-31 20:09 -------
Confirmed, only a 4.0 regression.  Back trace:
#0  0x00000000004a1ff2 in find_interesting_uses_cond (data=0x7fffffc1d340,
stmt=0x2aaaaafc0320, 
    cond_p=0x2aaaaafc0358) at
/home/pinskia/src/gcc-4.0/gcc/gcc/tree-ssa-loop-ivopts.c:1299
#1  0x00000000004a6e9c in tree_ssa_iv_optimize_loop (data=0x7fffffc1d340,
loop=Variable "loop" is not available.
)
    at /home/pinskia/src/gcc-4.0/gcc/gcc/tree-ssa-loop-ivopts.c:1723
#2  0x00000000004a783b in tree_ssa_iv_optimize (loops=0xa86550)
    at /home/pinskia/src/gcc-4.0/gcc/gcc/tree-ssa-loop-ivopts.c:5387


-- 

pinskia at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rakdver at gcc dot gnu dot
                   |                            |org
             Status|UNCONFIRMED                 |NEW
          Component|c                           |tree-optimization
     Ever Confirmed|0                           |1
   Last reconfirmed|0000-00-00 00:00:00         |2005-10-31 20:09:11
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug tree-optimization/24599] [4.0 regression] segv after overflow detection

[pinskia at gcc dot gnu dot org]

-- 

pinskia at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |4.0.3


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug tree-optimization/24599] [4.0 regression] segv after overflow detection

[dje at transmeta dot com]

------- Comment #2 from dje at transmeta dot com  2005-11-03 18:18 -------
I'm not sure the root cause of this bug is fixed in 4.1.  It looks to me like
it's still there and is only (currently) hidden.  Am I mistaken?

Apply this patch to gcc-4.1-20051029 and recompile the testcase with -O3.
I'm seeing an abort.  If I set a breakpoint on integer_nonzerop and print the
boolean_true_node tree I see it's marked as "overflow".  Oops.

--- tree-ssa-loop-ivopts.c.~1~  2005-09-22 04:24:00.000000000 -0700
+++ tree-ssa-loop-ivopts.c      2005-11-03 10:06:59.997691464 -0800
@@ -1291,6 +1291,8 @@ find_interesting_uses_cond (struct ivopt
   struct iv const_iv;
   tree zero = integer_zero_node;

+  gcc_assert (integer_nonzerop (boolean_true_node));
+
   const_iv.step = NULL_TREE;

   if (TREE_CODE (*cond_p) != SSA_NAME


(gdb) p expr
$1 = 0xb7c32630
(gdb) pt
 <integer_cst 0xb7c32630 type <boolean_type 0xb7c424ac _Bool> constant
invariant static overflow 1>
(gdb) f
#0  integer_nonzerop (expr=0xb7c32630) at ../../gcc/tree.c:1278
(gdb)


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug tree-optimization/24599] [4.0 regression] segv after overflow detection

[pinskia at gcc dot gnu dot org]

------- Comment #3 from pinskia at gcc dot gnu dot org  2005-11-03 18:25 -------
(In reply to comment #2)
> I'm not sure the root cause of this bug is fixed in 4.1.  It looks to me like
> it's still there and is only (currently) hidden.  Am I mistaken?
> Apply this patch to gcc-4.1-20051029 and recompile the testcase with -O3.
> I'm seeing an abort.  If I set a breakpoint on integer_nonzerop and print the
> boolean_true_node tree I see it's marked as "overflow".  Oops

Overflow should mean nothing to the optimizers or expanders.  It is only a
language term really that should only matter to the front-end. 
integer_nonzerop should not be used that much any more,  Yes I know it is but
really it needs to be changed to use nonzero_p instead.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug tree-optimization/24599] [4.0 regression] segv after overflow detection

[rakdver at gcc dot gnu dot org]

------- Comment #4 from rakdver at gcc dot gnu dot org  2005-11-04 13:39 -------
Nevertheless, the fact that boolean_true_node has overflow flag set is wrong,
this should not happen -- shared constants should not be modified.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug tree-optimization/24599] [4.0 regression] segv after overflow detection

[rakdver at gcc dot gnu dot org]

------- Comment #5 from rakdver at gcc dot gnu dot org  2005-11-04 14:02 -------
This happens in c-typeck.c:build_c_cast:

      value = convert (type, value);

      /* Ignore any integer overflow caused by the cast.  */
      if (TREE_CODE (value) == INTEGER_CST)
        {
          /* If OVALUE had overflow set, then so will VALUE, so it
             is safe to overwrite.  */
          if (CONSTANT_CLASS_P (ovalue))
            {
              TREE_OVERFLOW (value) = TREE_OVERFLOW (ovalue);
              /* Similarly, constant_overflow cannot have become cleared.  */
              TREE_CONSTANT_OVERFLOW (value) = TREE_CONSTANT_OVERFLOW (ovalue);
            }

build_c_cast assumes that convert will not return non-overflowed constant if it
received an overflowed one.  This however is not true, since
convert (boolean_type_node, ...) will sometimes return shared
boolean_{true,false}_node constants.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug c/24599] [4.0/4.1 regression] Overflow for true value

[pinskia at gcc dot gnu dot org]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain, Size: 1095 bytes --]



------- Comment #6 from pinskia at gcc dot gnu dot org  2005-11-04 15:28 -------
Here is a testcase which is better representive of the issue (compile with
-std=c99 -pedantic-errors):
#include <stdbool.h>

int
main (int argc, char **argv)
{
  if ((bool)((1527719483 + 1477819644))) {
  }

  return 0;
}

bool t1 = true;
--------------
t.c: In function ‘main’:
t.c:6: warning: integer overflow in expression
t.c: At top level:
t.c:12: error: overflow in constant expression


-- 

pinskia at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|tree-optimization           |c
           Keywords|                            |diagnostic, rejects-valid
      Known to fail|4.0.3                       |4.0.3 4.1.0
      Known to work|4.1.0 3.4.0                 |3.4.0
            Summary|[4.0 regression] segv after |[4.0/4.1 regression]
                   |overflow detection          |Overflow for true value


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug c/24599] [4.0/4.1 regression] Overflow for true value

[bonzini at gcc dot gnu dot org]

-- 

bonzini at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|unassigned at gcc dot gnu   |bonzini at gcc dot gnu dot
                   |dot org                     |org
                URL|                            |http://gcc.gnu.org/ml/gcc-
                   |                            |patches/2005-
                   |                            |11/msg00340.html
             Status|NEW                         |ASSIGNED
   Last reconfirmed|2005-10-31 20:09:11         |2005-11-05 12:13:01
               date|                            |


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug c/24599] [4.0 regression] Overflow for true value

[bonzini at gcc dot gnu dot org]

------- Comment #7 from bonzini at gcc dot gnu dot org  2005-11-07 12:14 -------
patch committed to trunk, it's a bit different for 4.0 branch so it'll take a
while to test it.


-- 

bonzini at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|4.0.3 4.1.0                 |4.0.3
      Known to work|3.4.0                       |3.4.0 4.1.0
            Summary|[4.0/4.1 regression]        |[4.0 regression] Overflow
                   |Overflow for true value     |for true value


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug c/24599] [4.0 regression] Overflow for true value

[bonzini at gcc dot gnu dot org]

------- Comment #8 from bonzini at gcc dot gnu dot org  2005-11-07 18:17 -------
Subject: Bug 24599

Author: bonzini
Date: Mon Nov  7 18:17:35 2005
New Revision: 106600

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=106600
Log:
2005-11-07  Paolo Bonzini  <bonzini@gnu.org>

        PR c/24599
        * c-typeck.c (build_c_cast): Try using a shared constant, and see
        if TREE_OVERFLOW or TREE_CONSTANT_OVERFLOW really changed.
        (readonly_error): Fix formatting error.

testsuite:
2005-11-07  Paolo Bonzini  <bonzini@gnu.org>

        PR c/24599
        * gcc.dg/overflow-2.c: New testcase.


Added:
    branches/gcc-4_0-branch/gcc/testsuite/gcc.dg/overflow-2.c
      - copied unchanged from r106587, trunk/gcc/testsuite/gcc.dg/overflow-2.c
Modified:
    branches/gcc-4_0-branch/gcc/ChangeLog
    branches/gcc-4_0-branch/gcc/c-typeck.c
    branches/gcc-4_0-branch/gcc/testsuite/ChangeLog


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599

[Bug c/24599] [4.0 regression] Overflow for true value

[bonzini at gcc dot gnu dot org]

------- Comment #9 from bonzini at gcc dot gnu dot org  2005-11-07 18:18 -------
fixed on 4.0 branch too


-- 

bonzini at gcc dot gnu dot org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
      Known to fail|4.0.3                       |4.0.2
      Known to work|3.4.0 4.1.0                 |3.4.0 4.0.3 4.1.0
         Resolution|                            |FIXED


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=24599