From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 1FB393858D20; Wed, 21 Feb 2024 19:59:26 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 1FB393858D20 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org; s=default; t=1708545566; bh=YM/x6GR4KarHMV0zBqgtg2b/nG71q+sPnK4sntI68tM=; h=From:To:Subject:Date:In-Reply-To:References:From; b=T2KURBqQmoi/BdNSpzjCqgmSH6+X2eRSbW6d7btrnihJ85+UpfyA3Z8L7iYIKEBZI 1b6L+D9oFjIwMxAyu8v8q3QOR0xPIRJzekYq5p2+YnirI03DmorfrmtIkiloum/uwm QoZ09TO66nZ7yIVgTDyDhhb4NM1/DP3kbBz99oXo= From: "jakub at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug ipa/111960] [14 Regression] ICE: during GIMPLE pass: rebuild_frequencies: SIGSEGV (Invalid read of size 4) with -fdump-tree-rebuild_frequencies-all Date: Wed, 21 Feb 2024 19:59:24 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: changed X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: ipa X-Bugzilla-Version: 14.0 X-Bugzilla-Keywords: ice-on-valid-code X-Bugzilla-Severity: normal X-Bugzilla-Who: jakub at gcc dot gnu.org X-Bugzilla-Status: NEW X-Bugzilla-Resolution: X-Bugzilla-Priority: P1 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: 14.0 X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: Message-ID: In-Reply-To: References: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 List-Id: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D111960 --- Comment #9 from Jakub Jelinek --- Ok, so what I see is a buffer overflow during 97 sprintf (buffer, "%" PRId64 " (%s, freq %.4f)", m_val, 98 profile_quality_display_names[m_quality], 99 to_sreal_scale (ENTRY_BLOCK_PTR_FOR_FN (fun)->count).to_double ()); in #0 profile_count::dump (this=3D0x7fffe9f37a18, buffer=3D0x7fffffffd7a0 "\300\327\377\377\377\177", fun=3D0x7fffea3020b8) at ../../gcc/profile-count.cc:97 #1 0x0000000000c92609 in profile_count::dump (this=3D0x7fffe9f37a18, f=3D0x3ab2930, fun=3D0x7fffea3020b8) at ../../gcc/profile-count.cc:111 #2 0x000000000065fefc in dump_bb_info (outf=3D0x3ab2930, bb=3D, indent=3D2, flags=3D266692985, do_header=3Dtrue, do_footer=3Dfalse) at ../../gcc/cfg.cc:812 #3 0x000000000068f3eb in dump_bb (outf=3D0x3ab2930, bb=3D, indent=3D2, flags=3D266692985) at ../../gcc/cfghooks.c= c:302 #4 0x0000000000e31800 in dump_function_to_file (fndecl=3D, file=3D0x3ab2930, flags=3D266692985) at ../../gcc/tree-cfg.cc:8458 #5 0x0000000000c4e038 in execute_function_dump (fn=3D0x7fffea3020b8, data=3D0x3a156d0) at ../../gcc/passes.cc:1797 #6 0x0000000000c4dbd9 in do_per_function (callback=3D0xc4dfd0 , data=3D0x3a156d0) at ../../gcc/passes.cc:1687 #7 0x0000000000c503e1 in execute_one_pass (pass=3D) at ../../gcc/passes.cc:2722 buffer points to 107 void 108 profile_count::dump (FILE *f, struct function *fun) const 109 { 110 char buffer[64]; variable and the values I see are: (gdb) p m_val $18 =3D 2305843009213693950 (gdb) p profile_quality_display_names[m_quality] $19 =3D 0x2ba5722 "estimated locally" (gdb) p to_sreal_scale (((basic_block)0x7fffea2df600)->count, (bool *) 0).to_double () $20 =3D 1.4411518807585587e+17 So, that is 19 chars for m_val, 17 chars for the name and printing 144115188075855872.0000 double value, 23 chars, plus 11 chars on top of tha= t. That is 70 chars, overflow by 6 bytes. Whether the above comes from some badly initialized values or what, no idea. That said, generally %PRId64 can print at most 20 chars, %s 38 chars and %.= 4f can print at most 309 digits before the decimal dot, then 1 char for the decimal dot = and 4 digits after the dot. That is already 69 chars without the double at all, plus 314 for the double. Are you sure you want to print %.4f and not say %.4g so that there is a reasonable upper bound for the size of the double printing? Or use %.4f or %.4e conditionally depending on if the double is larger than some limit.=