[Bug tree-optimization/103551] New: [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp

[Bug tree-optimization/103551] New: [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp

[zsojka at seznam dot cz]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

            Bug ID: 103551
           Summary: [12 Regression] wrong code with -O1
                    -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zsojka at seznam dot cz
  Target Milestone: ---
              Host: x86_64-pc-linux-gnu

Created attachment 51925
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51925&action=edit
reduced testcase (from OpenTTD sources)

Output:
$ x86_64-pc-linux-gnu-g++ -O1 -fno-tree-dominator-opts -ftree-vectorize
-ftree-vrp testcase.C
$ valgrind -q ./a.out 
==4448== Invalid write of size 8
==4448==    at 0x40116E: S::S(unsigned short, unsigned short, unsigned short)
(in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4011EC: _GLOBAL__sub_I__ZN1SC2Ettt (in
/home/smatz/gcc-bug/97/a.out)
==4448==    by 0x40124C: __libc_csu_init (in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4C8777C: (below main) (in /lib64/libc-2.33.so)
==4448==  Address 0x4e31c88 is 8 bytes inside a block of size 10 alloc'd
==4448==    at 0x483F835: malloc (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4448==    by 0x401144: S::S(unsigned short, unsigned short, unsigned short)
(in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4011EC: _GLOBAL__sub_I__ZN1SC2Ettt (in
/home/smatz/gcc-bug/97/a.out)
==4448==    by 0x40124C: __libc_csu_init (in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4C8777C: (below main) (in /lib64/libc-2.33.so)
==4448== 
==4448== Invalid write of size 8
==4448==    at 0x401178: S::S(unsigned short, unsigned short, unsigned short)
(in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4011EC: _GLOBAL__sub_I__ZN1SC2Ettt (in
/home/smatz/gcc-bug/97/a.out)
==4448==    by 0x40124C: __libc_csu_init (in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4C8777C: (below main) (in /lib64/libc-2.33.so)
==4448==  Address 0x4e31ca0 is 22 bytes after a block of size 10 alloc'd
==4448==    at 0x483F835: malloc (in
/usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
==4448==    by 0x401144: S::S(unsigned short, unsigned short, unsigned short)
(in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4011EC: _GLOBAL__sub_I__ZN1SC2Ettt (in
/home/smatz/gcc-bug/97/a.out)
==4448==    by 0x40124C: __libc_csu_init (in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4C8777C: (below main) (in /lib64/libc-2.33.so)
==4448== 
==4448== 
==4448== Process terminating with default action of signal 11 (SIGSEGV)
==4448==  Access not within mapped region at address 0x5220000
==4448==    at 0x401178: S::S(unsigned short, unsigned short, unsigned short)
(in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4011EC: _GLOBAL__sub_I__ZN1SC2Ettt (in
/home/smatz/gcc-bug/97/a.out)
==4448==    by 0x40124C: __libc_csu_init (in /home/smatz/gcc-bug/97/a.out)
==4448==    by 0x4C8777C: (below main) (in /lib64/libc-2.33.so)
==4448==  If you believe this happened as a result of a stack
==4448==  overflow in your program's main thread (unlikely but
==4448==  possible), you can try to increase the size of the
==4448==  main thread stack using the --main-stacksize= flag.
==4448==  The main thread stack size used in this run was 8388608.
Segmentation fault

   0x0000000000401164 <+78>:    movzwl %cx,%ecx
   0x0000000000401167 <+81>:    shl    $0x4,%rcx
   0x000000000040116b <+85>:    add    %rax,%rcx
=> 0x000000000040116e <+88>:    movups %xmm0,(%rax)
   0x0000000000401171 <+91>:    add    $0x10,%rax
   0x0000000000401175 <+95>:    cmp    %rax,%rcx
   0x0000000000401178 <+98>:    jne    0x40116e <_ZN1SC2Ettt+88>

$ x86_64-pc-linux-gnu-g++ -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest/bin/x86_64-pc-linux-gnu-g++
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r12-5767-20211203172717-g6262e3a22b3-checking-yes-rtl-df-extra-nobootstrap-pr103149-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/12.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++
--enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra
--disable-bootstrap --with-cloog --with-ppl --with-isl
--build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu
--target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld
--with-as=/usr/bin/x86_64-pc-linux-gnu-as --disable-libstdcxx-pch
--prefix=/repo/gcc-trunk//binary-trunk-r12-5767-20211203172717-g6262e3a22b3-checking-yes-rtl-df-extra-nobootstrap-pr103149-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 12.0.0 20211203 (experimental) (GCC)

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |12.0

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2021-12-04
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
VRP2 is check in BB3:
;;   basic block 3, loop depth 0, count 105119324 (estimated locally), maybe
hot
;;    prev block 2, next block 4, flags: (NEW, VISITED)
;;    pred:       2 [89.0% (guessed)]  count:105119324 (estimated locally)
(TRUE_VALUE,EXECUTABLE)
  _35 = offset_13(D) + 65535;
  if (_35 <= 6)
    goto <bb 9>; [10.00%]
  else
    goto <bb 4>; [90.00%]
;;    succ:       4 [90.0% (guessed)]  count:94607391 (estimated locally)
(FALSE_VALUE,EXECUTABLE)
;;                9 [10.0% (guessed)]  count:10511933 (estimated locally)
(TRUE_VALUE)

Folding statement: _35 = offset_13(D) + 65535;
 Registering value_relation (_35 < offset_13(D)) (bb3) at _35 = offset_13(D) +
65535;
Not folded
Folding statement: if (_35 <= 6)

Visiting conditional with predicate: if (_35 <= 6)

With known ranges
        _35: short unsigned int [0, 65534]

Predicate evaluates to: DON'T KNOW
Folded into: if (0 != 0)

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp since r12-5014-g6b8b959675a3e14c

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|[12 Regression] wrong code  |[12 Regression] wrong code
                   |with -O1                    |with -O1
                   |-fno-tree-dominator-opts    |-fno-tree-dominator-opts
                   |-ftree-vectorize -ftree-vrp |-ftree-vectorize -ftree-vrp
                   |                            |since
                   |                            |r12-5014-g6b8b959675a3e14c
                 CC|                            |marxin at gcc dot gnu.org

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r12-5014-g6b8b959675a3e14c.

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp since r12-5014-g6b8b959675a3e14c

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

--- Comment #3 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
Haven't looked, but things to look out for are the global ranges that the
strlen pass sets that may affect VRP decisions. Also, one of the calls to
ranger from within the strlen pass may have the wrong context.

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp since r12-5014-g6b8b959675a3e14c

[amacleod at redhat dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

Andrew Macleod <amacleod at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |amacleod at redhat dot com

--- Comment #4 from Andrew Macleod <amacleod at redhat dot com> ---
Created attachment 51935
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=51935&action=edit
proposed patch

It gets eliminated/folded by propagation in VRP2 because it shosws one edge as
being executable and the other not:   (from *.169t.vect)

  _35 = offset_13(D) + 65535;
  if (_35 <= 6)
    goto <bb 14>; [10.00%]
  else
    goto <bb 9>; [90.00%]
;;    succ:       9 [90.0% (guessed)]  count:94607391 (estimated locally)
(FALSE_VALUE,EXECUTABLE)
;;                14 [10.0% (guessed)]  count:10511933 (estimated locally)
(TRUE_VALUE)

substitute_and_fold_dom_walker::before_dom_children keys off of:

     if (gimple_code (stmt) == GIMPLE_COND)
        {
          if ((EDGE_SUCC (bb, 0)->flags & EDGE_EXECUTABLE)
              ^ (EDGE_SUCC (bb, 1)->flags & EDGE_EXECUTABLE))

And folds the IF away.

I see inconsistencies in the value of the executable flag.  Im a little
confused, because this code using EDGE_EXECUTABLE is in
substitute_and_fold_dom_walker, and will fold away conditions like this, yet it
does not initialize the domwalker with  REACHABLE_BLOCKS, so non of the edges
are set.   The old VRP use to invoke set_all_edges_as_executable() itself,
ranger is currently only doing it when we run warn_array_bounds_p.

SO my questions are
1) are EDGE_EXECUTABLE flags allowed to be in garbage state outside the
propagation passes?  I think the answer is yes?
2) If this code can always be triggered in substitute_and_fold, should it not
create the dom_walker class with REACHABLE_BLOCKS so that they are in a known
state before any pass triggers them?
3) if that is undesirable for some reason, then I could always set them in
ranger vrp set up, but (2) seems more rational to me.

I've attached a patch which does that... and seems to solve the problem.   Is
this the direction to go?

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp since r12-5014-g6b8b959675a3e14c

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Andrew Macleod <amacleod@gcc.gnu.org>:

https://gcc.gnu.org/g:77184b7446196eae1a70452939ccd3e99e0d2e3b

commit r12-6528-g77184b7446196eae1a70452939ccd3e99e0d2e3b
Author: Andrew MacLeod <amacleod@redhat.com>
Date:   Tue Jan 11 09:59:21 2022 -0500

    Always set EDGE_EXECUTABLE in VRP2.

            PR tree-optimization/103551
            * tree-vrp.c (execute_ranger_vrp): Always set EDGE_EXECUTABLE.

[Bug tree-optimization/103551] [12 Regression] wrong code with -O1 -fno-tree-dominator-opts -ftree-vectorize -ftree-vrp since r12-5014-g6b8b959675a3e14c

[amacleod at redhat dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103551

Andrew Macleod <amacleod at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #6 from Andrew Macleod <amacleod at redhat dot com> ---
In the end, simply set the EDGE_EXECUTABLE flag on all edges before running
ranger VRP and using the simplify engine.  
Fixed.