public inbox for gcc-bugs@sourceware.org
* [Bug rtl-optimization/103404] New: ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: zsojka at seznam dot cz @ 2021-11-24 9:47 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
Bug ID: 103404
Summary: ICE: SIGSEGV in insert_with_costs (cse.c:1569) with
custom flags
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: rtl-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: zsojka at seznam dot cz
Target Milestone: ---
Host: x86_64-pc-linux-gnu
Created attachment 51865
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51865&action=edit
reduced testcase
Compiler output:
$ x86_64-pc-linux-gnu-gcc -Og -fcse-follow-jumps -fno-dce -fno-early-inlining
-fgcse -fharden-conditional-branches -frerun-cse-after-loop -fno-tree-ccp
-mavx5124fmaps testcase.c -wrapper valgrind,-q
==24674== Invalid read of size 4
==24674== at 0x2242C56: insert_with_costs(rtx_def*, table_elt*, unsigned
int, machine_mode, int, int) (cse.c:1569)
==24674== by 0x2244F70: insert (cse.c:1695)
==24674== by 0x2244F70: merge_equiv_classes(table_elt*, table_elt*) [clone
.isra.0] (cse.c:1756)
==24674== by 0x224F7F9: record_jump_equiv (cse.c:3891)
==24674== by 0x224F7F9: cse_extended_basic_block (cse.c:6614)
==24674== by 0x224F7F9: cse_main(rtx_insn*, int) [clone .constprop.0]
(cse.c:6706)
==24674== by 0x224FE40: rest_of_handle_cse2 (cse.c:7592)
==24674== by 0x224FE40: (anonymous namespace)::pass_cse2::execute(function*)
(cse.c:7645)
==24674== by 0x126020C: execute_one_pass(opt_pass*) (passes.c:2567)
==24674== by 0x1260A7F: execute_pass_list_1(opt_pass*) (passes.c:2656)
==24674== by 0x1260A91: execute_pass_list_1(opt_pass*) (passes.c:2657)
==24674== by 0x1260AB8: execute_pass_list(function*, opt_pass*)
(passes.c:2667)
==24674== by 0xE947D5: expand (cgraphunit.c:1834)
==24674== by 0xE947D5: cgraph_node::expand() (cgraphunit.c:1787)
==24674== by 0xE95D1F: expand_all_functions (cgraphunit.c:1998)
==24674== by 0xE95D1F: symbol_table::compile() [clone .part.0]
(cgraphunit.c:2362)
==24674== by 0xE98957: compile (cgraphunit.c:2275)
==24674== by 0xE98957: symbol_table::finalize_compilation_unit()
(cgraphunit.c:2543)
==24674== by 0x1369EFF: compile_file() (toplev.c:479)
==24674== Address 0x40 is not stack'd, malloc'd or (recently) free'd
==24674==
during RTL pass: cse2
testcase.c: In function 'foo':
testcase.c:28:1: internal compiler error: Segmentation fault
28 | }
| ^
0x1369c3f crash_signal
/repo/gcc-trunk/gcc/toplev.c:322
0x2242c56 insert_with_costs
/repo/gcc-trunk/gcc/cse.c:1569
0x2244f70 insert
/repo/gcc-trunk/gcc/cse.c:1695
0x2244f70 merge_equiv_classes
/repo/gcc-trunk/gcc/cse.c:1756
0x224f7f9 record_jump_equiv
/repo/gcc-trunk/gcc/cse.c:3891
0x224f7f9 cse_extended_basic_block
/repo/gcc-trunk/gcc/cse.c:6614
0x224f7f9 cse_main
/repo/gcc-trunk/gcc/cse.c:6706
0x224fe40 rest_of_handle_cse2
/repo/gcc-trunk/gcc/cse.c:7592
0x224fe40 execute
/repo/gcc-trunk/gcc/cse.c:7645
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r12-5492-20211124095444-g04eccbbe3d9-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--disable-bootstrap --with-cloog --with-ppl --with-isl
--build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu
--target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r12-5492-20211124095444-g04eccbbe3d9-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.0 20211124 (experimental) (GCC)
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: rguenth at gcc dot gnu.org @ 2021-11-24 10:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
Richard Biener <rguenth at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2021-11-24
             Status|UNCONFIRMED                 |NEW
--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: rguenth at gcc dot gnu.org @ 2021-11-24 10:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
Program received signal SIGSEGV, Segmentation fault.
0x00000000028071dc in insert_with_costs (x=0x7ffff6739090, classp=0x0,
    hash=13, mode=E_SImode, cost=0, reg_cost=1)
    at /home/rguenther/src/gcc3/gcc/cse.c:1569
1569          if (CHEAPER (elt, classp))

where classp is NULL. The passed in class is

#2  0x00000000028079e7 in merge_equiv_classes (class1=0x40b8700,
    class2=0x3f0a950) at /home/rguenther/src/gcc3/gcc/cse.c:1756
1756              new_elt = insert (exp, class1, hash, mode);
(gdb) p *class1
$4 = {exp = 0x7ffff6739090, canon_exp = 0x0, next_same_hash = 0x40b85e0,
  prev_same_hash = 0x0, next_same_value = 0x0, prev_same_value = 0x0,
  first_same_value = 0x0, related_value = 0x0, cost = 0, regcost = 1,
  mode = E_SImode, in_memory = 0 '\000', is_const = 0 '\000', flag = 0 '\000'}

It seems we remove class1 from the table while processing the merge:

#0  remove_from_table (elt=0x40b8700, hash=11)
    at /home/rguenther/src/gcc3/gcc/cse.c:1354
#1  0x0000000002806cc5 in remove_pseudo_from_table (x=0x7ffff6739090, hash=11)
    at /home/rguenther/src/gcc3/gcc/cse.c:1426
#2  0x000000000280792d in merge_equiv_classes (class1=0x40b8700,
    class2=0x3f0a950) at /home/rguenther/src/gcc3/gcc/cse.c:1747

and note it may even get re-used via the free_element_chain so it might
stay in the table but have a different purpose. Somebody more familiar
with the equivalence code needs to look at this. I'd try postponing
remove_pseudo_from_table until after the merge for example.
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: marxin at gcc dot gnu.org @ 2021-11-24 10:52 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
Martin Liška <marxin at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |marxin at gcc dot gnu.org,
                   |                            |tnfchris at gcc dot gnu.org
--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
Likely started with r12-4827-g68b48f3f4c49132c.
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: tnfchris at gcc dot gnu.org @ 2021-11-24 11:27 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
Tamar Christina <tnfchris at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |tnfchris at gcc dot gnu.org
--- Comment #4 from Tamar Christina <tnfchris at gcc dot gnu.org> ---
Looks like it did start with my patch, so will take a look.
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: tnfchris at gcc dot gnu.org @ 2021-11-25 3:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
--- Comment #5 from Tamar Christina <tnfchris at gcc dot gnu.org> ---
This is a somewhat latent bug in CSE where merge_equiv_classes assumes that all
entries into the equivalence table are unique but CSE makes no attempt to
enforce this constraint.

So inserting the same equivalence into the table twice results in the same
entry being added twice but pointed to the same expression.

Normally this doesn't happen during normal value CSEing because a virtual reg
is assigned only once so you only ever get one SET statement with the given
DEST.

What changed with my patch is that the vectors of const_int also get
equivalences to constants inside a vector, i.e. you can extract an element from
the vector should you need it.

E.g. this instruction

(insn 18 17 24 2 (set (subreg:V1SI (reg:SI 97 [ _10 ]) 0)
        (const_vector:V1SI [
                (const_int 0 [0])
            ])) "cse.c":11:9 1363 {*movv1si_internal}
     (expr_list:REG_UNUSED (reg:SI 97 [ _10 ])
        (nil)))

ends up generating two equivalences. The first one is that
reg:SI 97 is 0.
The second one is that 0 can be extracted from the V1SI, so
subreg (subreg:V1SI (reg:SI 97) 0) 0 == 0.

This nested subreg gets folded away to just reg:SI 97 and we re-insert the same
equivalence and end up with:

(rr) p dump_class (class1)
Equivalence chain for (reg:SI 105 [ iD.2893 ]):
(reg:SI 105 [ iD.2893 ])
$3 = void
(rr) p dump_class (class2)
Equivalence chain for (const_int 0 [0]):
(const_int 0 [0])
(reg:SI 97 [ _10 ])
(reg:SI 97 [ _10 ])
$4 = void

merge_equiv_classes then crashes because after it merges the first
(reg:SI 97 [ _10 ]) the reference to it in class2 is invalid.

So I believe the fix should be that the hash table insertion code should not
insert a value if it already exists in the table.

Testing a patch.
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: cvs-commit at gcc dot gnu.org @ 2021-12-06 10:16 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
--- Comment #6 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Tamar Christina <tnfchris@gcc.gnu.org>:
https://gcc.gnu.org/g:c2c843849a3392654d1c2191bd9931c0fff1f8ce
commit r12-5801-gc2c843849a3392654d1c2191bd9931c0fff1f8ce
Author: Tamar Christina <tamar.christina@arm.com>
Date: Mon Dec 6 10:15:15 2021 +0000
cse: Make sure duplicate elements are not entered into the equivalence set [PR103404]

CSE uses equivalence classes to keep track of expressions that all have the same
values at the current point in the program.

Normal equivalences through SETs only insert and perform lookups in this set but
equivalence determined from comparisons, e.g.

(insn 46 44 47 7 (set (reg:CCZ 17 flags)
        (compare:CCZ (reg:SI 105 [ iD.2893 ])
            (const_int 0 [0]))) "cse.c":18:22 7 {*cmpsi_ccno_1}
     (expr_list:REG_DEAD (reg:SI 105 [ iD.2893 ])
        (nil)))

creates the equivalence EQ on (reg:SI 105 [ iD.2893 ]) and (const_int 0 [0]).

This causes a merge to happen between the two equivalence sets denoted by
(const_int 0 [0]) and (reg:SI 105 [ iD.2893 ]) respectively.

The operation happens through merge_equiv_classes however this function has an
invariant that the classes to be merged not contain any duplicates. This is
because it frees entries before merging.

The given testcase when using the supplied flags triggers an ICE due to the
equivalence set being

(rr) p dump_class (class1)
Equivalence chain for (reg:SI 105 [ iD.2893 ]):
(reg:SI 105 [ iD.2893 ])
$3 = void
(rr) p dump_class (class2)
Equivalence chain for (const_int 0 [0]):
(const_int 0 [0])
(reg:SI 97 [ _10 ])
(reg:SI 97 [ _10 ])
$4 = void

This happens because the original INSN being recorded is

(insn 18 17 24 2 (set (subreg:V1SI (reg:SI 97 [ _10 ]) 0)
        (const_vector:V1SI [
                (const_int 0 [0])
            ])) "cse.c":11:9 1363 {*movv1si_internal}
     (expr_list:REG_UNUSED (reg:SI 97 [ _10 ])
        (nil)))

and we end up generating two equivalences. The first one is simply that
reg:SI 97 is 0. The second one is that 0 can be extracted from the V1SI, so
subreg (subreg:V1SI (reg:SI 97) 0) 0 == 0. This nested subreg gets folded away
to just reg:SI 97 and we re-insert the same equivalence.

This patch changes it so that if the nunits of a subreg is 1 then don't generate
a vec_select from the subreg as the subreg will be folded away and we get a
dup.

gcc/ChangeLog:

        PR rtl-optimization/103404
        * cse.c (find_sets_in_insn): Don't select elements out of a V1 mode
        subreg.

gcc/testsuite/ChangeLog:

        PR rtl-optimization/103404
        * gcc.target/i386/pr103404.c: New test.
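Comment #5 and the commit message above describe the same failure: a class that holds one expression twice breaks a merge that frees entries before re-inserting them. The C toy model below is an added illustration, not code from GCC or from the patch; its names (`insert`, `remove_exp`, `merge`, `run`), the int-for-expression encoding and the `live` flag standing in for a real free are assumptions, and `dedup` models the insertion-time check proposed in comment #5, not the committed change to `find_sets_in_insn`.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy model with hypothetical names, not GCC's cse.c. Expressions are ints. */
enum { CONST_0 = 0, REG_97 = 97, REG_105 = 105 };
struct elt { int exp, live; struct elt *next; };
static struct elt pool[16];
static int used;

/* Append exp to a class; with dedup set, an existing entry is returned instead. */
static struct elt *insert(struct elt **head, int exp, int dedup) {
    struct elt **pp = head;
    for (; *pp; pp = &(*pp)->next)
        if (dedup && (*pp)->exp == exp) return *pp;
    pool[used] = (struct elt){ exp, 1, NULL };
    return *pp = &pool[used++];
}

/* Remove every entry for exp; "freed" entries are only marked dead (no real free). */
static void remove_exp(struct elt **head, int exp) {
    for (struct elt **pp = head; *pp; )
        if ((*pp)->exp == exp) { (*pp)->live = 0; *pp = (*pp)->next; }
        else pp = &(*pp)->next;
}

/* Move class2 into class1: remove each entry, then re-insert its expression.
   Returns entries moved, or -1 on reaching an entry that was already freed. */
static int merge(struct elt **c1, struct elt **c2) {
    int moved = 0;
    for (struct elt *e = *c2, *next; e; e = next, moved++) {
        next = e->next;              /* saved before the removal below */
        if (!e->live) return -1;     /* duplicate was freed with its twin */
        remove_exp(c2, e->exp);
        insert(c1, e->exp, 1);
    }
    return moved;
}

/* class1 = {reg 105}; class2 = {0, reg 97, reg 97 entered a second time}. */
static int run(int dedup) {
    struct elt *c1 = NULL, *c2 = NULL;
    used = 0;
    insert(&c1, REG_105, dedup); insert(&c2, CONST_0, dedup);
    insert(&c2, REG_97, dedup);  insert(&c2, REG_97, dedup);
    return merge(&c1, &c2);
}

int main(void) {
    printf("duplicates allowed: %d, rejected: %d\n", run(0), run(1));
    return 0;
}
```

With duplicates allowed the walk reaches the second `reg 97` entry after the first removal has already freed it; with the insertion check the class never holds the duplicate and both entries move cleanly.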
* [Bug rtl-optimization/103404] ICE: SIGSEGV in insert_with_costs (cse.c:1569) with custom flags
From: tnfchris at gcc dot gnu.org @ 2021-12-06 10:17 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103404
Tamar Christina <tnfchris at gcc dot gnu.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED
--- Comment #7 from Tamar Christina <tnfchris at gcc dot gnu.org> ---
Fixed on master