[Bug c/107898] New: [11/12/13 Regression] ICE in irange_intersect, at value-range.cc:1640

[Bug c/107898] New: [11/12/13 Regression] ICE in irange_intersect, at value-range.cc:1640

[gscfq@t-online.de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

            Bug ID: 107898
           Summary: [11/12/13 Regression] ICE in irange_intersect, at
                    value-range.cc:1640
           Product: gcc
           Version: 13.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: gscfq@t-online.de
  Target Milestone: ---

Started between 20220403 and 20220410, 
with file gcc.dg/Walloca-larger-than-2.c :
(and started between 20201018 and 20201108 with -O1+)


$ gcc-13-20221127 -c Walloca-larger-than-2.c -fsanitize=address
-fsanitize=pointer-subtract -fpreprocessed -Walloca-larger-than=5000
Walloca-larger-than-2.c:7:1: warning: parameter names (without types) in
function declaration
    7 | extern void* alloca (__SIZE_TYPE__);
      | ^~~~~~
Walloca-larger-than-2.c: In function 'test_alloca':
Walloca-larger-than-2.c:17:5: warning: implicit declaration of function 'T'
[-Wimplicit-function-declaration]
   17 |     T (alloca (0));
      |     ^
Walloca-larger-than-2.c:17:16: warning: 'alloca' argument 1 type is 'int' where
'long unsigned int' is expected in a call to built-in function declared without
prototype [-Wbuiltin-declaration-mismatch]
   17 |     T (alloca (0));
      |                ^
Walloca-larger-than-2.c:7:14: note: built-in 'alloca' declared here
    7 | extern void* alloca (__SIZE_TYPE__);
      |              ^~~~~~
Walloca-larger-than-2.c:21:16: warning: 'alloca' argument 1 type is 'int' where
'long unsigned int' is expected in a call to built-in function declared without
prototype [-Wbuiltin-declaration-mismatch]
   21 |     T (alloca (1));
      |                ^
Walloca-larger-than-2.c:7:14: note: built-in 'alloca' declared here
    7 | extern void* alloca (__SIZE_TYPE__);
      |              ^~~~~~
Walloca-larger-than-2.c:24:16: warning: 'alloca' argument 1 type is 'unsigned
int' where 'long unsigned int' is expected in a call to built-in function
declared without prototype [-Wbuiltin-declaration-mismatch]
   24 |     T (alloca (n));
      |                ^
Walloca-larger-than-2.c:7:14: note: built-in 'alloca' declared here
    7 | extern void* alloca (__SIZE_TYPE__);
      |              ^~~~~~
Walloca-larger-than-2.c:17:5: warning: argument to 'alloca' is zero
[-Walloca-larger-than=]
   17 |     T (alloca (0));
      |     ^~~~~~~~~~~~~~
Walloca-larger-than-2.c:21:5: warning: use of 'alloca' within a loop
[-Walloca-larger-than=]
   21 |     T (alloca (1));
      |     ^~~~~~~~~~~~~~
during GIMPLE pass: walloca
Walloca-larger-than-2.c:25:1: internal compiler error: in irange_intersect, at
value-range.cc:2560
   25 | }
      | ^
0x12550c8 irange::irange_intersect(irange const&)
        ../../gcc/value-range.cc:2559
0x1251a81 irange::legacy_verbose_intersect(irange const*)
        ../../gcc/value-range.cc:2324
0x1cc78dc irange::intersect(vrange const&)
        ../../gcc/value-range.h:969
0x1cc78dc alloca_call_type
        ../../gcc/gimple-ssa-warn-alloca.cc:228
0x1cc8243 pass_walloca::execute(function*)
        ../../gcc/gimple-ssa-warn-alloca.cc:292

[Bug tree-optimization/107898] [11/12/13 Regression] ICE in irange_intersect, at value-range.cc:1640

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |11.4

[Bug c/107898] [11/12/13 Regression] ICE in irange_intersect, at value-range.cc:1640

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2022-11-29
          Component|tree-optimization           |c
     Ever confirmed|0                           |1
                 CC|                            |aldyh at gcc dot gnu.org,
                   |                            |mpolacek at gcc dot gnu.org
             Status|UNCONFIRMED                 |NEW

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.

(gdb) up
#1  0x00000000019f5fed in irange::irange_intersect (this=0x7fffffffc500, r=...)
    at /home/rguenther/src/trunk/gcc/value-range.cc:2559
2559      gcc_checking_assert (undefined_p () || r.undefined_p ()
(gdb) l
2554
2555    bool
2556    irange::irange_intersect (const irange &r)
2557    {
2558      gcc_checking_assert (!legacy_mode_p () && !r.legacy_mode_p ());
2559      gcc_checking_assert (undefined_p () || r.undefined_p ()
2560                           || range_compatible_p (type (), r.type ()));
2561
2562      if (undefined_p ())
2563        return false;
(gdb) p debug (r)
[irange] long unsigned int [5001, +INF]
$1 = void
(gdb) p debug (*this)
[irange] unsigned int [1, +INF]

and we invoke this from

#4  0x0000000002bf496d in alloca_call_type (stmt=<gimple_call 0x7ffff631c120>, 
    is_vla=false)
    at /home/rguenther/src/trunk/gcc/gimple-ssa-warn-alloca.cc:228
(gdb) l
223           // The invalid bits are anything outside of [0, MAX_SIZE].
224           int_range<2> invalid_range (build_int_cst (size_type_node, 0),
225                                       build_int_cst (size_type_node,
max_size),
226                                       VR_ANTI_RANGE);
227
228           r.intersect (invalid_range);
229           if (r.undefined_p ())
230             return alloca_type_and_limit (ALLOCA_OK);

and the issue is that the argument of the 'alloca' call is of type
unsigned int due to the "parsing" error with -fpreprocessed.  The C frontend
again makes 'alloca' built-in with a mismatched prototype here.

I'm not sure why we have to require compatible ranges on intersection
of irange though?  Since we don't have anti-ranges there's no implicit
min/max of types involved here, only symbolics (if they could creep in)
would make things difficult.  There's

  if (varying_p ())
    {
      operator= (r);
      return true;
    }

that would require range "conversion" (we don't want to change the type
of 'this') and all the ::to_wide would instead require ::to_widest.

Anyway, it's easy to "fix" the Walloca pass here.

Unfortunately there's no conversion operator or operator> for irange,
we just want to ask if (r > max_size) (and have max_size converted to
the type of r with saturation).

[Bug c/107898] [11/12/13 Regression] ICE in irange_intersect, at value-range.cc:1640

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

--- Comment #2 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:9948daa4fd0f0ea0a9d56c2fefe1bca478554d27

commit r13-4385-g9948daa4fd0f0ea0a9d56c2fefe1bca478554d27
Author: Richard Biener <rguenther@suse.de>
Date:   Tue Nov 29 09:03:46 2022 +0100

    tree-optimization/107898 - ICE with -Walloca-larger-than

    The following avoids ICEing with a mismatched prototype for alloca
    and -Walloca-larger-than using irange for checks which doesn't
    like mismatched types.

            PR tree-optimization/107898
            * gimple-ssa-warn-alloca.cc (alloca_call_type): Check
            the type of the alloca argument is compatible with size_t
            before querying ranges.

[Bug c/107898] [11/12 Regression] ICE in irange_intersect, at value-range.cc:1640

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
            Summary|[11/12/13 Regression] ICE   |[11/12 Regression] ICE in
                   |in irange_intersect, at     |irange_intersect, at
                   |value-range.cc:1640         |value-range.cc:1640
           Assignee|unassigned at gcc dot gnu.org      |rguenth at gcc dot gnu.org
      Known to work|                            |13.0

[Bug c/107898] [11/12 Regression] ICE in irange_intersect, at value-range.cc:1640

[amacleod at redhat dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

Andrew Macleod <amacleod at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |amacleod at redhat dot com

--- Comment #3 from Andrew Macleod <amacleod at redhat dot com> ---
(In reply to Richard Biener from comment #1)

> I'm not sure why we have to require compatible ranges on intersection
> of irange though?  Since we don't have anti-ranges there's no implicit

Its doesnt require compatible types, it requires compatible precisions. From
gimple-range-fold.h:

static inline bool
range_compatible_p (tree type1, tree type2)
{
  // types_compatible_p requires conversion in both directions to be useless.
  // GIMPLE only requires a cast one way in order to be compatible.
  // Ranges really only need the sign and precision to be the same.
  return (TYPE_PRECISION (type1) == TYPE_PRECISION (type2)
          && TYPE_SIGN (type1) == TYPE_SIGN (type2)); 
}



> 
> Unfortunately there's no conversion operator or operator> for irange,
> we just want to ask if (r > max_size) (and have max_size converted to
> the type of r with saturation).

You can cast an irange to another type using range_cast. ie something like

diff --git a/gcc/gimple-ssa-warn-alloca.cc b/gcc/gimple-ssa-warn-alloca.cc
index 83a241a3a4b..0502c433f93 100644
--- a/gcc/gimple-ssa-warn-alloca.cc
+++ b/gcc/gimple-ssa-warn-alloca.cc
@@ -225,6 +225,8 @@ alloca_call_type (gimple *stmt, bool is_vla)
                                  build_int_cst (size_type_node, max_size),
                                  VR_ANTI_RANGE);

+      if (!types_compatible_p (r.type (), invalid_range.type ()))
+       range_cast (invalid_range, r.type ());
       r.intersect (invalid_range);
       if (r.undefined_p ())
        return alloca_type_and_limit (ALLOCA_OK)

We decided to force something like this to be explicit by the caller rather
than make assumptions in intersect/union and silently do conversions.  We've
caught a number of bugs along the way because of this.

Another option would be to simply create the invalid_range with the same type
upfront instead of assuming size_type_node. ie:

@@ -221,8 +221,8 @@ alloca_call_type (gimple *stmt, bool is_vla)
       && !r.varying_p ())
     {
       // The invalid bits are anything outside of [0, MAX_SIZE].
-      int_range<2> invalid_range (build_int_cst (size_type_node, 0),
-                                 build_int_cst (size_type_node, max_size),
+      int_range<2> invalid_range (build_int_cst (r.type (), 0),
+                                 build_int_cst (r.type (), max_size),
                                  VR_ANTI_RANGE);

       r.intersect (invalid_range);

As long as r.type () is irange::supports_p (r.type ())

[Bug c/107898] [11/12 Regression] ICE in irange_intersect, at value-range.cc:1640

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by Richard Biener
<rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:1a8af012222a8386fcda16a61dc17f11ba9cfbfd

commit r12-8979-g1a8af012222a8386fcda16a61dc17f11ba9cfbfd
Author: Richard Biener <rguenther@suse.de>
Date:   Tue Nov 29 09:03:46 2022 +0100

    tree-optimization/107898 - ICE with -Walloca-larger-than

    The following avoids ICEing with a mismatched prototype for alloca
    and -Walloca-larger-than using irange for checks which doesn't
    like mismatched types.

            PR tree-optimization/107898
            * gimple-ssa-warn-alloca.cc (alloca_call_type): Check
            the type of the alloca argument is compatible with size_t
            before querying ranges.

    (cherry picked from commit 9948daa4fd0f0ea0a9d56c2fefe1bca478554d27)

[Bug c/107898] [11 Regression] ICE in irange_intersect, at value-range.cc:1640

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-11 branch has been updated by Richard Biener
<rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:bca26e97f167ccc3161488113d8bed48542b4ca2

commit r11-10746-gbca26e97f167ccc3161488113d8bed48542b4ca2
Author: Richard Biener <rguenther@suse.de>
Date:   Tue Nov 29 09:03:46 2022 +0100

    tree-optimization/107898 - ICE with -Walloca-larger-than

    The following avoids ICEing with a mismatched prototype for alloca
    and -Walloca-larger-than using irange for checks which doesn't
    like mismatched types.

            PR tree-optimization/107898
            * gimple-ssa-warn-alloca.c (alloca_call_type): Check
            the type of the alloca argument is compatible with size_t
            before querying ranges.

    (cherry picked from commit 9948daa4fd0f0ea0a9d56c2fefe1bca478554d27)

[Bug c/107898] [11 Regression] ICE in irange_intersect, at value-range.cc:1640

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=107898

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #6 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.