[Bug c/110282] New: Segmentation fault with specific optimizations

[Bug c/110282] New: Segmentation fault with specific optimizations

[19373742 at buaa dot edu.cn]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

            Bug ID: 110282
           Summary: Segmentation fault with specific optimizations
           Product: gcc
           Version: 11.4.1
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: 19373742 at buaa dot edu.cn
  Target Milestone: ---

Created attachment 55343
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55343&action=edit
The preprocessed file

*******************************************************************************
OS and Platform:
CentOS Linux release 7.9.2009 (Core), x86_64 GNU/Linux
*******************************************************************************
gcc version:

# /home/gcc-releases/gcc-11-0615/bin/gcc -v
Using built-in specs.
COLLECT_GCC=/home/gcc-releases/gcc-11-0615/bin/gcc
COLLECT_LTO_WRAPPER=/home/gcc-releases/gcc-11-0615/libexec/gcc/x86_64-pc-linux-gnu/11.4.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ./configure --prefix=/home/gcc-releases/gcc-11-0615/
--disable-multilib --enable-languages=c,c++
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 11.4.1 20230615 (GCC)
*******************************************************************************
Command Lines:

/home/gcc-releases/gcc-11-0615/bin/gcc -I
/home/csmith_record/include/csmith-2.3.0/  -O3
-fno-aggressive-loop-optimizations -fno-align-functions -fno-align-jumps
-fno-align-labels -fno-align-loops -fno-allocation-dce
-fno-asynchronous-unwind-tables -fno-auto-inc-dec -fno-bit-tests
-fno-branch-count-reg -fno-caller-saves -fno-code-hoisting
-fno-combine-stack-adjustments -fno-compare-elim -fno-cprop-registers
-fno-crossjumping -fno-cse-follow-jumps -fno-dce -fno-defer-pop
-fno-delete-null-pointer-checks -fno-devirtualize
-fno-devirtualize-speculatively -fno-dse -fno-early-inlining
-fno-expensive-optimizations -fno-forward-propagate -fno-fp-int-builtin-inexact
-fno-function-cse -fno-gcse -fno-gcse-after-reload -fno-gcse-lm
-fno-guess-branch-probability -fno-hoist-adjacent-loads -fno-if-conversion
-fno-if-conversion2 -fno-indirect-inlining -fno-inline -fno-inline-atomics
-fno-inline-functions -fno-inline-functions-called-once
-fno-inline-small-functions -fno-ipa-bit-cp -fno-ipa-cp -fno-ipa-cp-clone
-fno-ipa-icf -fno-ipa-icf-functions -fno-ipa-icf-variables -fno-ipa-modref
-fno-ipa-profile -fno-ipa-pure-const -fno-ipa-ra -fno-ipa-reference
-fno-ipa-reference-addressable -fno-ipa-sra -fno-ipa-stack-alignment
-fno-ipa-vrp -fno-ira-hoist-pressure -fno-ira-share-save-slots
-fno-ira-share-spill-slots -fno-isolate-erroneous-paths-dereference -fno-ivopts
-fno-jump-tables -fno-lifetime-dse -fno-loop-interchange
-fno-loop-unroll-and-jam -fno-lra-remat -fno-math-errno
-fno-move-loop-invariants -fno-omit-frame-pointer -fno-optimize-sibling-calls
-fno-optimize-strlen -fno-partial-inlining -fno-peel-loops -fno-peephole
-fno-peephole2 -fno-plt -fno-predictive-commoning -fno-prefetch-loop-arrays
-fno-printf-return-value -fno-ree -fno-reg-struct-return -fno-rename-registers
-fno-reorder-blocks -fno-reorder-blocks-and-partition -fno-reorder-functions
-fno-rerun-cse-after-loop -fno-sched-critical-path-heuristic
-fno-sched-dep-count-heuristic -fno-sched-group-heuristic -fno-sched-interblock
-fno-sched-last-insn-heuristic -fno-sched-rank-heuristic -fno-sched-spec
-fno-sched-spec-insn-heuristic -fno-sched-stalled-insns-dep
-fno-schedule-fusion -fno-schedule-insns2 -fno-short-enums -fno-shrink-wrap
-fno-shrink-wrap-separate -fno-signed-zeros -fno-split-ivs-in-unroller
-fno-split-loops -fno-split-paths -fno-split-wide-types -fno-ssa-backprop
-fno-ssa-phiopt -fno-stdarg-opt -fno-store-merging -fno-strict-aliasing
-fno-strict-volatile-bitfields -fno-thread-jumps -fno-toplevel-reorder
-fno-trapping-math -fno-tree-bit-ccp -fno-tree-builtin-call-dce -fno-tree-ccp
-fno-tree-ch -fno-tree-coalesce-vars -fno-tree-copy-prop -fno-tree-cselim
-fno-tree-dce -fno-tree-dominator-opts -fno-tree-dse -fno-tree-forwprop
-fno-tree-fre -fno-tree-loop-distribute-patterns -fno-tree-loop-distribution
-fno-tree-loop-if-convert -fno-tree-loop-im -fno-tree-loop-ivcanon
-fno-tree-loop-optimize -fno-tree-loop-vectorize -fno-tree-partial-pre
-fno-tree-phiprop -fno-tree-pre -fno-tree-pta -fno-tree-reassoc
-fno-tree-scev-cprop -fno-tree-sink -fno-tree-slp-vectorize -fno-tree-slsr
-fno-tree-sra -fno-tree-switch-conversion -fno-tree-tail-merge -fno-tree-ter
-fno-tree-vrp -fno-unroll-completely-grow-size -fno-unswitch-loops
-fno-unwind-tables -fno-var-tracking -fno-var-tracking-assignments
-fno-version-loops-for-strides -fno-web -faggressive-loop-optimizations
-fno-align-functions -fno-align-jumps -fno-align-labels -fno-align-loops
-fallocation-dce -fasynchronous-unwind-tables -fauto-inc-dec -fbit-tests
-fbranch-count-reg -fno-caller-saves -fno-code-hoisting
-fcombine-stack-adjustments -fcompare-elim -fno-cprop-registers
-fno-crossjumping -fno-cse-follow-jumps -fno-dce -fno-defer-pop
-fdelete-null-pointer-checks -fno-devirtualize -fdevirtualize-speculatively
-fdse -fno-early-inlining -fexpensive-optimizations -fno-forward-propagate
-fno-fp-int-builtin-inexact -ffunction-cse -fno-gcse -fgcse-after-reload
-fgcse-lm -fguess-branch-probability -fno-hoist-adjacent-loads -fif-conversion
-fif-conversion2 -findirect-inlining -fno-inline -fno-inline-atomics
-fno-inline-functions -finline-functions-called-once
-fno-inline-small-functions -fno-ipa-bit-cp -fno-ipa-cp -fno-ipa-cp-clone
-fipa-icf -fno-ipa-icf-functions -fipa-icf-variables -fipa-modref -fipa-profile
-fno-ipa-pure-const -fipa-ra -fipa-reference -fipa-reference-addressable
-fipa-sra -fno-ipa-stack-alignment -fipa-vrp -fno-ira-hoist-pressure
-fira-share-save-slots -fno-ira-share-spill-slots
-fno-isolate-erroneous-paths-dereference -fivopts -fno-jump-tables
-flifetime-dse -fno-loop-interchange -fno-loop-unroll-and-jam -flra-remat
-fno-math-errno -fmove-loop-invariants -fomit-frame-pointer
-fno-optimize-sibling-calls -fno-optimize-strlen -fpartial-inlining
-fno-peel-loops -fpeephole -fpeephole2 -fplt -fno-predictive-commoning
-fprefetch-loop-arrays -fno-printf-return-value -free -fno-reg-struct-return
-fno-rename-registers -fno-reorder-blocks -freorder-blocks-and-partition
-fno-reorder-functions -fno-rerun-cse-after-loop
-fsched-critical-path-heuristic -fno-sched-dep-count-heuristic
-fno-sched-group-heuristic -fsched-interblock -fno-sched-last-insn-heuristic
-fno-sched-rank-heuristic -fno-sched-spec -fno-sched-spec-insn-heuristic
-fsched-stalled-insns-dep -fno-schedule-fusion -fno-schedule-insns2
-fshort-enums -fno-shrink-wrap -fshrink-wrap-separate -fno-signed-zeros
-fsplit-ivs-in-unroller -fsplit-loops -fno-split-paths -fno-split-wide-types
-fssa-backprop -fno-ssa-phiopt -fno-stdarg-opt -fstore-merging
-fno-strict-aliasing -fno-strict-volatile-bitfields -fno-thread-jumps
-ftoplevel-reorder -ftrapping-math -fno-tree-bit-ccp -ftree-builtin-call-dce
-fno-tree-ccp -ftree-ch -fno-tree-coalesce-vars -fno-tree-copy-prop
-ftree-cselim -fno-tree-dce -ftree-dominator-opts -fno-tree-dse -ftree-forwprop
-fno-tree-fre -fno-tree-loop-distribute-patterns -fno-tree-loop-distribution
-fno-tree-loop-if-convert -fno-tree-loop-im -fno-tree-loop-ivcanon
-fno-tree-loop-optimize -fno-tree-loop-vectorize -ftree-partial-pre
-fno-tree-phiprop -ftree-pre -fno-tree-pta -fno-tree-reassoc
-fno-tree-scev-cprop -fno-tree-sink -fno-tree-slp-vectorize -fno-tree-slsr
-ftree-sra -fno-tree-switch-conversion -fno-tree-tail-merge -ftree-ter
-ftree-vrp -fno-unroll-completely-grow-size -funswitch-loops -funwind-tables
-fvar-tracking -fno-var-tracking-assignments -fno-version-loops-for-strides
-fweb -save-temps s.c -o s.o 2>s_error.txt

# ./s.o
Segmentation fault

# /home/gcc-releases/gcc-11-0615/bin/gcc -I
/home/csmith_record/include/csmith-2.3.0/  -O3 s.c -o s.o

# ./s.o
checksum = C3B59C18

[Bug c/110282] Segmentation fault with specific optimizations

[19373742 at buaa dot edu.cn]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #1 from CTC <19373742 at buaa dot edu.cn> ---
Created attachment 55344
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55344&action=edit
The compiler output

[Bug middle-end/110282] Segmentation fault with specific optimizations

[xry111 at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

Xi Ruoyao <xry111 at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |xry111 at gcc dot gnu.org

--- Comment #2 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
Not reproducible with GCC 13.1 too.

[Bug middle-end/110282] Segmentation fault with specific optimizations

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |10.4.0, 11.1.0, 11.3.0
      Known to work|                            |12.3.0, 13.1.0

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed behavior also with GCC 10, with -fno-bit-tests -fbit-tests
-fno-ipa-modref -fipa-modref removed.

Can you please adjust your script to not pointlessly increase the command line
by adding both positive and neagtive variants of an option?  Can you please try
to reduce the set of arbitrary options that reproduce the issue?

25kB garbage testcases are painfully enough to even look at.  Other fuzzing
people manage to file bugs with < 100 lines of code and a command line that
remotely makes sense.

[Bug middle-end/110282] Segmentation fault with specific optimizations

[19373742 at buaa dot edu.cn]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #4 from CTC <19373742 at buaa dot edu.cn> ---
(In reply to Richard Biener from comment #3)
> Confirmed behavior also with GCC 10, with -fno-bit-tests -fbit-tests
> -fno-ipa-modref -fipa-modref removed.
> 
> Can you please adjust your script to not pointlessly increase the command
> line
> by adding both positive and neagtive variants of an option?  Can you please
> try to reduce the set of arbitrary options that reproduce the issue?
> 
> 25kB garbage testcases are painfully enough to even look at.  Other fuzzing
> people manage to file bugs with < 100 lines of code and a command line that
> remotely makes sense.

Sorry for the long command lines. This issue can be reproduced with -O3
-fno-dce -fno-ipa-cp -fno-tree-dce -fno-tree-sink.

[Bug middle-end/110282] Segmentation fault with specific optimizations

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #5 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Note I suspect r12-248-gb58dc0b803057c0e6032e0d9b made the problem latent in
GCC 12+. But turning off DSE in GCC 12.1.0 does not reproduce the bug ....

[Bug middle-end/110282] Segmentation fault with specific optimizations

[19373742 at buaa dot edu.cn]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #6 from CTC <19373742 at buaa dot edu.cn> ---
Another related and smaller reproducer:

# cat tmp.i
main() {
  int *a = 0;
  int b = *a;
}

[Bug middle-end/110282] Segmentation fault with specific optimizations

[xry111 at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #7 from Xi Ruoyao <xry111 at gcc dot gnu.org> ---
(In reply to CTC from comment #6)
> Another related and smaller reproducer:
> 
> # cat tmp.i
> main() {
>   int *a = 0;
>   int b = *a;
> }

No, this is an undefined behavior and the compiler is allowed to generate code
to crash.