public inbox for gcc-bugs@sourceware.org
* [Bug jit/105279] New: Using libgccjit produces a null pointer access in GCC's tree-optimization code
@ 2022-04-14 21:44 marc@nieper-wisskirchen.de
From: marc@nieper-wisskirchen.de @ 2022-04-14 21:44 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105279

            Bug ID: 105279
           Summary: Using libgccjit produces a null pointer access in
                    GCC's tree-optimization code
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: jit
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: marc@nieper-wisskirchen.de
  Target Milestone: ---

Created attachment 52812
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52812&action=edit
libgccjit reproducer file

Compiling and running the attached libgccjit reproducer file produces a null
pointer access in GCC's tree-optimization path.  The error goes away if I
comment out the call to gcc_jit_block_add_assignment on line 1181 or if I
replace the pointer to the function there ("address_of_program") with a null
pointer in the form of gcc_jit_context_new_rvalue_from_ptr (ctxt_0x6fe3ff0,
ptr_to_union_value______struct_processor____union_value_, NULL).

The error also goes away if I replace both occurrences of "-O3" in reproducer.c
with "-O1" or lower.

$ gcc -lgccjit reproducer.c && valgrind ./a.out 
==979255== Memcheck, a memory error detector
==979255== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==979255== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==979255== Command: ./a.out
==979255== 
==979255== Invalid read of size 8
==979255==    at 0x5D85753: operator_minus::op1_range(irange&, tree_node*,
irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255==    by 0x5CAAC75: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255==    by 0x5CAACD9: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255==    by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255==    by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*,
tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255==    by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*,
tree_node*) (gimple-range.cc:245)
==979255==    by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*)
(value-query.cc:107)
==979255==    by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*)
(tree-vrp.cc:4281)
==979255==    by 0x51D419C:
substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*)
(tree-ssa-propagate.cc:742)
==979255==    by 0x51D4CD7:
substitute_and_fold_dom_walker::before_dom_children(basic_block_def*)
(tree-ssa-propagate.cc:942)
==979255==    by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255==    by 0x51D3B6E:
substitute_and_fold_engine::substitute_and_fold(basic_block_def*)
(tree-ssa-propagate.cc:987)
==979255==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==979255== 
==979255== 
==979255== Process terminating with default action of signal 11 (SIGSEGV)
==979255==  Access not within mapped region at address 0x0
==979255==    at 0x5D85753: operator_minus::op1_range(irange&, tree_node*,
irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255==    by 0x5CAAC75: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255==    by 0x5CAACD9: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255==    by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255==    by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*,
tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255==    by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*,
tree_node*) (gimple-range.cc:245)
==979255==    by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*)
(value-query.cc:107)
==979255==    by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*)
(tree-vrp.cc:4281)
==979255==    by 0x51D419C:
substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*)
(tree-ssa-propagate.cc:742)
==979255==    by 0x51D4CD7:
substitute_and_fold_dom_walker::before_dom_children(basic_block_def*)
(tree-ssa-propagate.cc:942)
==979255==    by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255==    by 0x51D3B6E:
substitute_and_fold_engine::substitute_and_fold(basic_block_def*)
(tree-ssa-propagate.cc:987)
==979255==  If you believe this happened as a result of a stack
==979255==  overflow in your program's main thread (unlikely but
==979255==  possible), you can try to increase the size of the
==979255==  main thread stack using the --main-stacksize= flag.
==979255==  The main thread stack size used in this run was 67108864.
==979255== 
==979255== HEAP SUMMARY:
==979255==     in use at exit: 1,635,492 bytes in 3,683 blocks
==979255==   total heap usage: 5,493 allocs, 1,810 frees, 2,427,473 bytes
allocated
==979255== 
==979255== LEAK SUMMARY:
==979255==    definitely lost: 0 bytes in 0 blocks
==979255==    indirectly lost: 0 bytes in 0 blocks
==979255==      possibly lost: 0 bytes in 0 blocks
==979255==    still reachable: 1,635,492 bytes in 3,683 blocks
==979255==         suppressed: 0 bytes in 0 blocks
==979255== Rerun with --leak-check=full to see details of leaked memory
==979255== 
==979255== For lists of detected and suppressed errors, rerun with: -s
==979255== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Speicherzugriffsfehler (Speicherabzug geschrieben)


* [Bug jit/105279] Using libgccjit produces a null pointer access in GCC's tree-optimization code
From: marc@nieper-wisskirchen.de @ 2022-04-15 18:36 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105279

--- Comment #1 from Marc Nieper-Wißkirchen <marc@nieper-wisskirchen.de> ---
The internal compiler error also seems to go away if I remove the pointer
subtraction around line 1833 in reproducer.c.  Maybe this is the real problem
because I am not subtracting pointers the way I should do in libgccjit (but
still, it shouldn't crash).  But if this is not the way to do it, is there
another way to achieve pointer subtraction (besides bitcasting the pointers to
integers)?


* [Bug jit/105279] Using libgccjit produces a null pointer access in GCC's tree-optimization code
From: marxin at gcc dot gnu.org @ 2022-04-19 14:08 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105279

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2022-04-19
                 CC|                            |marxin at gcc dot gnu.org

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
It really crashes in the unary minus_expr:

$ gcc pr105279.c -lgccjit && ./a.out
libgccjit.so: error: invalid (pointer) operands ‘minus_expr’
_1 = ip - &labels[0];
libgccjit.so: error: ‘verify_gimple’ failed
0x7ffff648d684 verify_gimple_in_seq(gimple*)
        /home/marxin/Programming/gcc/gcc/tree-cfg.cc:5213
0x7ffff6157045 gimplify_body(tree_node*, bool)
        /home/marxin/Programming/gcc/gcc/gimplify.cc:16438
0x7ffff61571bc gimplify_function_tree(tree_node*)
        /home/marxin/Programming/gcc/gcc/gimplify.cc:16509
0x7ffff5ed876e gcc::jit::playback::function::postprocess()
        /home/marxin/Programming/gcc/gcc/jit/jit-playback.cc:1917
0x7ffff5ed9cac gcc::jit::playback::context::replay()
        /home/marxin/Programming/gcc/gcc/jit/jit-playback.cc:3258
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

