[Bug tree-optimization/106157] New: ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[Bug tree-optimization/106157] New: ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

            Bug ID: 106157
           Summary: ICE verify_ssa failed since r13-1268-g8c99e307b20c502e
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: aldyh at redhat dot com, amacleod at redhat dot com
  Target Milestone: ---

The following crashes:

$ cat 1.ii
namespace ffmpegthumbnailer {

struct VideoFrame {
  unsigned lineSize;
  void *xxx;
};


} // namespace ffmpegthumbnailer
class QString;
class QImage;
namespace ffmpegthumbnailer {
struct VideoThumbnailer {
  void generateThumbnail(const QString &, QImage &);
  int m_ThumbnailSize;
  bool m_MaintainAspectRatio;
};
struct MovieDecoder {
  void getScaledVideoFrame(int, bool, VideoFrame &);
};
void VideoThumbnailer::generateThumbnail(const QString &, QImage &) {
  MovieDecoder movieDecoder;
  VideoFrame videoFrame;
  movieDecoder.getScaledVideoFrame(m_ThumbnailSize, m_MaintainAspectRatio,
                                   videoFrame);
}
} // namespace ffmpegthumbnailer


class QString;
class QImage;
namespace ffmpegthumbnailer {
} // namespace ffmpegthumbnailer
struct FFMpegThumbnailer {
  bool create(const QString &, QImage &);
  ffmpegthumbnailer::VideoThumbnailer m_Thumbnailer;
};
__attribute__((visibility("default"))) bool
FFMpegThumbnailer::create(const QString &path, QImage &img) {
  m_Thumbnailer.generateThumbnail(path, img);
}

$ cat 2.ii
void __throw_length_error(char);
struct __is_integer {
  enum { __value = 1 };
};
struct __is_integer_nonstrict : __is_integer {
  enum { __width = __value ? sizeof(long) * 8 : 0 };
};
struct __numeric_traits_integer {
  static const int __digits = __is_integer_nonstrict::__width - 1;
  static const long __max = 1 ? (((long)1 << __digits - 1) - 1 << 1) + 1 : 0;
};
template <typename _FIte, typename _Tp>
void __fill_a(_FIte __first, _FIte __last, _Tp &__value) {
  if (long __len = __last - __first)
    __builtin_memset(__first, __value, __len);
}
template <typename _OI, typename _Size, typename _Tp>
void fill_n(_OI __first, _Size __n, _Tp __value) {
  __fill_a(__first, __first + __n, __value);
}
template <typename> struct allocator;
template <typename> struct allocator_traits;
template <typename _Tp> struct allocator_traits<allocator<_Tp>> {
  using pointer = _Tp *;
};
struct __alloc_traits : allocator_traits<allocator<char>> {};
template <typename _ForwardIterator, typename _Size, typename _Tp>
void __uninitialized_default_n_a(_ForwardIterator __first, _Size __n, _Tp) {
  typename __val = *++__first;
  fill_n(__first, __n - 1, __val);
}
struct _Vector_base {
  struct {
    __alloc_traits::pointer _M_start;
    __alloc_traits::pointer _M_finish;
  } _M_impl;
  __alloc_traits::pointer _M_allocate(long);
};
template <typename> struct vector : _Vector_base {
  void resize(unsigned long __new_size) {
    long __trans_tmp_5, __trans_tmp_4(_M_impl._M_finish - _M_impl._M_start);
    if (__new_size > __trans_tmp_4) {
      __trans_tmp_5 = _M_impl._M_finish - _M_impl._M_start;
      _M_default_append(__new_size - __trans_tmp_5);
    }
  }
  void clear() {
    __alloc_traits::pointer __pos = _M_impl._M_start;
    if (_M_impl._M_finish - _M_impl._M_start)
      _M_impl._M_finish = __pos;
  }
  void _M_default_append(unsigned long);
};
template <typename _Tp> void vector<_Tp>::_M_default_append(unsigned long __n)
{
  long __trans_tmp_12, __trans_tmp_9(_M_impl._M_finish - _M_impl._M_start),
      __navail;
  unsigned long __diffmax = __numeric_traits_integer::__max;
  if (__trans_tmp_9 > __diffmax - __trans_tmp_9)
    ;
  if (__navail) {
    long __trans_tmp_8(_M_impl._M_finish - _M_impl._M_start);
    if (__diffmax - __trans_tmp_8 < __n)
      __throw_length_error(0);
    __alloc_traits::pointer __new_start(_M_allocate(__trans_tmp_12));
    char __trans_tmp_2;
    __uninitialized_default_n_a(__new_start, __n, __trans_tmp_2);
  }
}
namespace ffmpegthumbnailer {
struct VideoFrame {
  unsigned lineSize;
  vector<char> frameData;
};
struct MovieDecoder {
  void getScaledVideoFrame(int, bool, VideoFrame &);
};
void MovieDecoder::getScaledVideoFrame(int, bool, VideoFrame &videoFrame) {
  videoFrame.frameData.clear();
  videoFrame.frameData.resize(videoFrame.lineSize);
}
} // namespace ffmpegthumbnailer

$ g++ -flto=auto -O2 -shared 1.ii 2.ii -fPIC -fvisibility=hidden -w
1.ii: In member function ‘create’:
1.ii:39:1: error: definition in block 5 does not dominate use in block 6
   39 | FFMpegThumbnailer::create(const QString &path, QImage &img) {
      | ^
for SSA_NAME: _31 in statement:
_12 = _31;
during GIMPLE pass: dom
1.ii:39:1: internal compiler error: verify_ssa failed
0x106cfdd verify_ssa(bool, bool)
        /home/marxin/Programming/gcc/gcc/tree-ssa.cc:1211
0xd29c58 execute_function_todo
        /home/marxin/Programming/gcc/gcc/passes.cc:2098
0xd2a0ba execute_todo
        /home/marxin/Programming/gcc/gcc/passes.cc:2145
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
make: *** [/tmp/ccXPfUiR.mk:2: /tmp/ccMES7RX.ltrans0.ltrans.o] Error 1
lto-wrapper: fatal error: make returned 2 exit status
compilation terminated.
mold: lto-wrapper failed

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Target Milestone|---                         |13.0
     Ever confirmed|0                           |1
            Summary|ICE verify_ssa failed since |[13 Regression] ICE
                   |r13-1268-g8c99e307b20c502e  |verify_ssa failed since
                   |                            |r13-1268-g8c99e307b20c502e
   Last reconfirmed|                            |2022-07-01

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

--- Comment #1 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
Silly question...

In the lto1 that ICEs, we have the following in
a.ltrans0.ltrans.094t.fixup_cfg3 (i.e. before DOM even comes into the picture):

  // Local variable
  struct VideoFrame videoFrame;
...
...
...
  <bb 2> [local count: 1073741824]:
  _5 = MEM[(struct VideoThumbnailer *)this_1(D)].m_MaintainAspectRatio;
  _6 = (int) _5;
  _7 = MEM[(struct VideoThumbnailer *)this_1(D)].m_ThumbnailSize;
  _12 = &MEM[(struct VideoFrame &)&videoFrame].frameData;
  __pos_13 = MEM[(struct vector *)&videoFrame + 8B].D.4741._M_impl._M_start;
  _14 = MEM[(struct vector *)&videoFrame + 8B].D.4741._M_impl._M_finish;
  if (__pos_13 != _14)
    goto <bb 3>; [70.00%]
  else
    goto <bb 4>; [30.00%]

Aren't we reading from videoFrame before it's set?

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
the reduction probably ended up removing the initialization as that's not
needed to reproduce the ICE

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

--- Comment #3 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
(In reply to Richard Biener from comment #2)
> the reduction probably ended up removing the initialization as that's not
> needed to reproduce the ICE

Ah.

I'm seeing a whole slew of uses before initialization in the IL before DOM gets
going.  Dereferences of uninitialized pointers, returnless functions, etc etc. 
This is causing all sorts of things in DOM to be assumed to be equal / etc, and
ranger is making other assumptions on top of that.

Could I trouble the reporter in submitting a reduced testcase with sane IL?  If
this is impossible, then the closest thing you can provide.

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

--- Comment #4 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
For example, in create():

  <bb 4> [local count: 1073741824]:
  _15 = MEM[(struct VideoFrame &)&videoFrame].lineSize;
  _16 = (long unsigned int) _15;
  _17 = MEM[(struct vector *)&videoFrame + 8B].D.4741._M_impl._M_finish;
  __trans_tmp_4_19 = _17 - __pos_13;
  _20 = (long unsigned int) __trans_tmp_4_19;
  if (_16 > _20)
    goto <bb 5>; [100.00%]
  else
    goto <bb 10>; [0.00%]


In dom2, lineSize is read uninitialized.  As a bonus create() has no return. 
So BB10 has a __builtin_unreachable, which makes DOM2 set _16 to nonzero.  This
is set globally, which then causes one of the threaders to thread paths through
BB4, then DOM3 to simplify things further, with the ranger setting some ranges
to UNDEFINED...  This cannot end well ;-).

So yeah...we need valid IL.

That being said, the compiler should never ICE.  So if the original testcase
has undefined behavior and that's the reason for the ICE, we should fix that as
well.

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[amacleod at redhat dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

--- Comment #5 from Andrew Macleod <amacleod at redhat dot com> ---
I do not seem to be able to reproduce this... is it still valid?

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |rguenth at gcc dot gnu.org

--- Comment #6 from Martin Liška <marxin at gcc dot gnu.org> ---
It's gone since r13-2020-g16b013c9d9b4d9. I'm curious if the change made it
latent?

[Bug tree-optimization/106157] [13 Regression] ICE verify_ssa failed since r13-1268-g8c99e307b20c502e

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=106157

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #7 from Richard Biener <rguenth at gcc dot gnu.org> ---
The fix looks unrelated and probably changed the IL flowing into DOM.  I'd
still say "fixed" here and wait for a new testcase.  Does the original ICE on
unreduced sources still happen?

There have been many fixes in threading inbetween that could have been the real
fix as well btw.