public inbox for gcc-bugs@sourceware.org
* [Bug rtl-optimization/103404] New: ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
@ 2021-11-24  9:47 zsojka at seznam dot cz
  2021-11-24 10:14 ` [Bug rtl-optimization/103404] " rguenth at gcc dot gnu.org
                   ` (6 more replies)
  0 siblings, 7 replies; 8+ messages in thread
From: zsojka at seznam dot cz @ 2021-11-24  9:47 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

            Bug ID: 103404
           Summary: ICE: SIGSEGV in insert_with_costs (cse.c:1569) with
                    custom flags
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: rtl-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu

Created attachment 51865
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51865&action=edit
reduced testcase

Compiler output:
$ x86_64-pc-linux-gnu-gcc -Og -fcse-follow-jumps -fno-dce -fno-early-inlining -fgcse -fharden-conditional-branches -frerun-cse-after-loop -fno-tree-ccp -mavx5124fmaps testcase.c -wrapper valgrind,-q
==24674== Invalid read of size 4
==24674==    at 0x2242C56: insert_with_costs(rtx_def*, table_elt*, unsigned int, machine_mode, int, int) (cse.c:1569)
==24674==    by 0x2244F70: insert (cse.c:1695)
==24674==    by 0x2244F70: merge_equiv_classes(table_elt*, table_elt*) [clone .isra.0] (cse.c:1756)
==24674==    by 0x224F7F9: record_jump_equiv (cse.c:3891)
==24674==    by 0x224F7F9: cse_extended_basic_block (cse.c:6614)
==24674==    by 0x224F7F9: cse_main(rtx_insn*, int) [clone .constprop.0] (cse.c:6706)
==24674==    by 0x224FE40: rest_of_handle_cse2 (cse.c:7592)
==24674==    by 0x224FE40: (anonymous namespace)::pass_cse2::execute(function*) (cse.c:7645)
==24674==    by 0x126020C: execute_one_pass(opt_pass*) (passes.c:2567)
==24674==    by 0x1260A7F: execute_pass_list_1(opt_pass*) (passes.c:2656)
==24674==    by 0x1260A91: execute_pass_list_1(opt_pass*) (passes.c:2657)
==24674==    by 0x1260AB8: execute_pass_list(function*, opt_pass*) (passes.c:2667)
==24674==    by 0xE947D5: expand (cgraphunit.c:1834)
==24674==    by 0xE947D5: cgraph_node::expand() (cgraphunit.c:1787)
==24674==    by 0xE95D1F: expand_all_functions (cgraphunit.c:1998)
==24674==    by 0xE95D1F: symbol_table::compile() [clone .part.0] (cgraphunit.c:2362)
==24674==    by 0xE98957: compile (cgraphunit.c:2275)
==24674==    by 0xE98957: symbol_table::finalize_compilation_unit() (cgraphunit.c:2543)
==24674==    by 0x1369EFF: compile_file() (toplev.c:479)
==24674==  Address 0x40 is not stack'd, malloc'd or (recently) free'd
==24674== 
during RTL pass: cse2
testcase.c: In function 'foo':
testcase.c:28:1: internal compiler error: Segmentation fault
   28 | }
      | ^
0x1369c3f crash_signal
        /repo/gcc-trunk/gcc/toplev.c:322
0x2242c56 insert_with_costs
        /repo/gcc-trunk/gcc/cse.c:1569
0x2244f70 insert
        /repo/gcc-trunk/gcc/cse.c:1695
0x2244f70 merge_equiv_classes
        /repo/gcc-trunk/gcc/cse.c:1756
0x224f7f9 record_jump_equiv
        /repo/gcc-trunk/gcc/cse.c:3891
0x224f7f9 cse_extended_basic_block
        /repo/gcc-trunk/gcc/cse.c:6614
0x224f7f9 cse_main
        /repo/gcc-trunk/gcc/cse.c:6706
0x224fe40 rest_of_handle_cse2
        /repo/gcc-trunk/gcc/cse.c:7592
0x224fe40 execute
        /repo/gcc-trunk/gcc/cse.c:7645
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r12-5492-20211124095444-g04eccbbe3d9-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--disable-bootstrap --with-cloog --with-ppl --with-isl
--build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu
--target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r12-5492-20211124095444-g04eccbbe3d9-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.0 20211124 (experimental) (GCC)


* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: rguenth at gcc dot gnu.org @ 2021-11-24 10:14 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-11-24
             Status|UNCONFIRMED                 |NEW

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.


* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: rguenth at gcc dot gnu.org @ 2021-11-24 10:39 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000028071dc in insert_with_costs (x=0x7ffff6739090, classp=0x0, 
    hash=13, mode=E_SImode, cost=0, reg_cost=1)
    at /home/rguenther/src/gcc3/gcc/cse.c:1569
1569          if (CHEAPER (elt, classp))

where classp is NULL.  The passed in class is

#2  0x00000000028079e7 in merge_equiv_classes (class1=0x40b8700, 
    class2=0x3f0a950) at /home/rguenther/src/gcc3/gcc/cse.c:1756
1756              new_elt = insert (exp, class1, hash, mode);
(gdb) p *class1 
$4 = {exp = 0x7ffff6739090, canon_exp = 0x0, next_same_hash = 0x40b85e0, 
  prev_same_hash = 0x0, next_same_value = 0x0, prev_same_value = 0x0, 
  first_same_value = 0x0, related_value = 0x0, cost = 0, regcost = 1, 
  mode = E_SImode, in_memory = 0 '\000', is_const = 0 '\000', flag = 0 '\000'}

It seems we remove class1 from the table while processing the merge:

#0  remove_from_table (elt=0x40b8700, hash=11)
    at /home/rguenther/src/gcc3/gcc/cse.c:1354
#1  0x0000000002806cc5 in remove_pseudo_from_table (x=0x7ffff6739090, hash=11)
    at /home/rguenther/src/gcc3/gcc/cse.c:1426
#2  0x000000000280792d in merge_equiv_classes (class1=0x40b8700, 
    class2=0x3f0a950) at /home/rguenther/src/gcc3/gcc/cse.c:1747

and note it may even get re-used via the free_element_chain so it might
stay in the table but have a different purpose.  Somebody more familiar
with the equivalence code needs to look at this.  I'd try postponing
remove_pseudo_from_table until after the merge for example.


* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: marxin at gcc dot gnu.org @ 2021-11-24 10:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marxin at gcc dot gnu.org,
                   |                            |tnfchris at gcc dot gnu.org

--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
Likely started with r12-4827-g68b48f3f4c49132c.


* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: tnfchris at gcc dot gnu.org @ 2021-11-24 11:27 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

Tamar Christina <tnfchris at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |tnfchris at gcc dot gnu.org

--- Comment #4 from Tamar Christina <tnfchris at gcc dot gnu.org> ---
Looks like it did start with my patch, so will take a look.


* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: tnfchris at gcc dot gnu.org @ 2021-11-25  3:07 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

--- Comment #5 from Tamar Christina <tnfchris at gcc dot gnu.org> ---
This is a somewhat latent bug in CSE where merge_equiv_classes assumes that all
entries into the equivalence table are unique but CSE makes no attempt to
enforce this constraint.

So inserting the same equivalence into the table twice results in the same
entry being added twice but pointed to the same expression.

Normally this doesn't happen during normal value CSEing because a virtual reg
is assigned only once so you ever only get one SET statement with the given
DEST.

What changed with my patch is that the vectors of const_int also get
equivalences to constants inside a vector, i.e. you can extract an element from
the vector should you need it.

e.g. this instruction

(insn 18 17 24 2 (set (subreg:V1SI (reg:SI 97 [ _10 ]) 0)
        (const_vector:V1SI [
                (const_int 0 [0])
            ])) "cse.c":11:9 1363 {*movv1si_internal}
     (expr_list:REG_UNUSED (reg:SI 97 [ _10 ])
        (nil)))

ends up generating two equivalences. The first one is that

reg:SI 97 is 0.

The second one is that 0 can be extracted from the V1SI, so subreg (subreg:V1SI
(reg:SI 97) 0) 0 == 0.
This nested subreg gets folded away to just reg:SI 97 and we re-insert the same
equivalence and end up with:

(rr) p dump_class (class1)
Equivalence chain for (reg:SI 105 [ iD.2893 ]):
(reg:SI 105 [ iD.2893 ])
$3 = void

(rr) p dump_class (class2)
Equivalence chain for (const_int 0 [0]):
(const_int 0 [0])
(reg:SI 97 [ _10 ])
(reg:SI 97 [ _10 ])
$4 = void

merge_equiv_classes then crashes because after it merges the first (reg:SI 97 [
_10 ]) the reference to it in class2 is invalid.

So I believe the fix should be that the hash table insertion code should not
insert a value if it already exists in the table.

Testing a patch.


* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: cvs-commit at gcc dot gnu.org @ 2021-12-06 10:16 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tamar Christina <tnfchris@gcc.gnu.org>:

https://gcc.gnu.org/g:c2c843849a3392654d1c2191bd9931c0fff1f8ce

commit r12-5801-gc2c843849a3392654d1c2191bd9931c0fff1f8ce
Author: Tamar Christina <tamar.christina@arm.com>
Date:   Mon Dec 6 10:15:15 2021 +0000

    cse: Make sure duplicate elements are not entered into the equivalence set [PR103404]

    CSE uses equivalence classes to keep track of expressions that all have the same
    values at the current point in the program.

    Normal equivalences through SETs only insert and perform lookups in this set but
    equivalence determined from comparisons, e.g.

    (insn 46 44 47 7 (set (reg:CCZ 17 flags)
            (compare:CCZ (reg:SI 105 [ iD.2893 ])
                (const_int 0 [0]))) "cse.c":18:22 7 {*cmpsi_ccno_1}
         (expr_list:REG_DEAD (reg:SI 105 [ iD.2893 ])
            (nil)))

    creates the equivalence EQ on (reg:SI 105 [ iD.2893 ]) and (const_int 0 [0]).

    This causes a merge to happen between the two equivalence sets denoted by
    (const_int 0 [0]) and (reg:SI 105 [ iD.2893 ]) respectively.

    The operation happens through merge_equiv_classes however this function has an
    invariant that the classes to be merged not contain any duplicates.  This is
    because it frees entries before merging.

    The given testcase when using the supplied flags triggers an ICE due to the
    equivalence set being

    (rr) p dump_class (class1)
    Equivalence chain for (reg:SI 105 [ iD.2893 ]):
    (reg:SI 105 [ iD.2893 ])
    $3 = void

    (rr) p dump_class (class2)
    Equivalence chain for (const_int 0 [0]):
    (const_int 0 [0])
    (reg:SI 97 [ _10 ])
    (reg:SI 97 [ _10 ])
    $4 = void

    This happens because the original INSN being recorded is

    (insn 18 17 24 2 (set (subreg:V1SI (reg:SI 97 [ _10 ]) 0)
            (const_vector:V1SI [
                    (const_int 0 [0])
                ])) "cse.c":11:9 1363 {*movv1si_internal}
         (expr_list:REG_UNUSED (reg:SI 97 [ _10 ])
            (nil)))

    and we end up generating two equivalences. The first one is simply that
    reg:SI 97 is 0.  The second one is that 0 can be extracted from the V1SI, so
    subreg (subreg:V1SI (reg:SI 97) 0) 0 == 0.  This nested subreg gets folded away
    to just reg:SI 97 and we re-insert the same equivalence.

    This patch changes it so that if the nunits of a subreg is 1 then don't generate
    a vec_select from the subreg as the subreg will be folded away and we get a dup.

    gcc/ChangeLog:

            PR rtl-optimization/103404
            * cse.c (find_sets_in_insn): Don't select elements out of a V1 mode
            subreg.

    gcc/testsuite/ChangeLog:

            PR rtl-optimization/103404
            * gcc.target/i386/pr103404.c: New test.

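A simplified model of the hazard described in comments #2 and #5 and in the commit message above, added here as an illustration; it is not GCC code. The struct, the `live` flag and the names `class_insert`, `remove_expr`, `merge_classes` and `run_merge` are assumptions, and the `dedup` guard follows the idea floated in comment #5, whereas the committed fix stops the duplicate from being generated in `find_sets_in_insn`.

```c
#include <stdio.h>
/* Toy model (assumption): "live" stands in for "still in the CSE hash table". */
struct elt { int expr; int live; struct elt *next; };
static struct elt pool[16];
static int used;

/* Append EXPR to *HEAD; with DEDUP, an expression already present is skipped. */
static void class_insert(struct elt **head, int expr, int dedup)
{
    struct elt **p = head;
    for (; *p; p = &(*p)->next)
        if (dedup && (*p)->live && (*p)->expr == expr)
            return;
    pool[used] = (struct elt){ expr, 1, NULL };
    *p = &pool[used++];
}

/* Removal keyed on the expression: drops every entry for EXPR at once. */
static void remove_expr(int expr)
{
    for (int i = 0; i < used; i++)
        if (pool[i].expr == expr)
            pool[i].live = 0;
}

/* Move class2 into class1; returns how many stale elements the walk reached. */
static int merge_classes(struct elt **class1, struct elt *class2, int dedup)
{
    int stale = 0;
    for (struct elt *e = class2, *next; e; e = next) {
        next = e->next;                 /* saved before the removal below */
        if (!e->live) { stale++; continue; }
        remove_expr(e->expr);           /* also drops a duplicate further on */
        class_insert(class1, e->expr, dedup);
    }
    return stale;
}

/* Constructed input: class1 = {105}, class2 = {0, 97, 97 again}. */
int run_merge(int dedup)
{
    struct elt *c1 = NULL, *c2 = NULL;
    used = 0;
    class_insert(&c1, 105, dedup);
    class_insert(&c2, 0, dedup);
    class_insert(&c2, 97, dedup);
    class_insert(&c2, 97, dedup);       /* the re-inserted equivalence */
    return merge_classes(&c1, c2, dedup);
}

int main(void)
{
    printf("stale, unguarded: %d; guarded: %d\n", run_merge(0), run_merge(1));
    return 0;
}
```

The model only counts the stale element; in the compiler the equivalent entry has been released to a free list, so the walk dereferences memory that may already be reused.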

* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: tnfchris at gcc dot gnu.org @ 2021-12-06 10:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404

Tamar Christina <tnfchris at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Tamar Christina <tnfchris at gcc dot gnu.org> ---
Fixed on master

