[Bug c++/112968] New: Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[Bug c++/112968] New: Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112968

            Bug ID: 112968
           Summary: Valgrind error on
                    libstdc++-v3/testsuite/18_support/comparisons/object/9
                    3479.cc
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: jakub at gcc dot gnu.org
  Target Milestone: ---

With --enable-checking=release,valgrind --disable-bootstrap
--enable-valgrind-annotations build I'm seeing:
/home/jakub/src/gcc/obj88/./gcc/xg++ -shared-libgcc
-B/home/jakub/src/gcc/obj88/./gcc -nostdinc++
-L/home/jakub/src/gcc/obj88/x86_64-pc-linux-gnu/libstdc++-v3/sr
c -L/home/jakub/src/gcc/obj88/x86_64-pc-linux-gnu/libstdc++-v3/src/.libs
-L/home/jakub/src/gcc/obj88/x86_64-pc-linux-gnu/libstdc++-v3/libsupc++/.libs
-B/usr/local/x86_64-pc-linux-gnu
/bin/ -B/usr/local/x86_64-pc-linux-gnu/lib/ -isystem
/usr/local/x86_64-pc-linux-gnu/include -isystem
/usr/local/x86_64-pc-linux-gnu/sys-include
-B/home/jakub/src/gcc/obj88/x86_64-pc-
linux-gnu/./libstdc++-v3/src/.libs -fmessage-length=0 -fno-show-column
-ffunction-sections -fdata-sections -fcf-protection -mshstk -g -O2
-D_GNU_SOURCE -DLOCALEDIR="." -nostdinc++ -I
/home/jakub/src/gcc/obj88/x86_64-pc-linux-gnu/libstdc++-v3/include/x86_64-pc-linux-gnu
-I/home/jakub/src/gcc/obj88/x86_64-pc-linux-gnu/libstdc++-v3/include
-I/home/jakub/src/gcc/libs
tdc++-v3/libsupc++ -I/home/jakub/src/gcc/libstdc++-v3/include/backward
-I/home/jakub/src/gcc/libstdc++-v3/testsuite/util
/home/jakub/src/gcc/libstdc++-v3/testsuite/18_support/compari
sons/object/93479.cc -std=gnu++26 -include bits/stdc++.h
-fdiagnostics-plain-output -S -o 93479.s
...
==2009913== Conditional jump or move depends on uninitialised value(s)
==2009913==    at 0x914C59: gt_ggc_mx_lang_tree_node(void*) (gt-cp-tree.h:107)
==2009913==    by 0x8AB7A5: gt_ggc_mx_tinst_level(void*) (gt-cp-pt.h:32)
==2009913==    by 0xB89B25: ggc_mark_root_tab(ggc_root_tab const*)
(ggc-common.cc:75)
==2009913==    by 0xB89DF4: ggc_mark_roots() (ggc-common.cc:104)
==2009913==    by 0x9D6311: ggc_collect(ggc_collect) (ggc-page.cc:2227)
==2009913==    by 0xDB70F6: execute_one_pass(opt_pass*) (passes.cc:2738)
==2009913==    by 0xDB721F: execute_pass_list_1(opt_pass*) (passes.cc:2755)
==2009913==    by 0xDB7258: execute_pass_list(function*, opt_pass*)
(passes.cc:2766)
==2009913==    by 0xA55525: cgraph_node::analyze() (cgraphunit.cc:695)
==2009913==    by 0xA57CC7: analyze_functions(bool) (cgraphunit.cc:1248)
==2009913==    by 0xA5890D: symbol_table::finalize_compilation_unit()
(cgraphunit.cc:2555)
==2009913==    by 0xEB02A1: compile_file() (toplev.cc:473)
==2009913== 
==2009913== Conditional jump or move depends on uninitialised value(s)
==2009913==    at 0x914C63: gt_ggc_mx_lang_tree_node(void*) (gt-cp-tree.h:109)
==2009913==    by 0x8AB7A5: gt_ggc_mx_tinst_level(void*) (gt-cp-pt.h:32)
==2009913==    by 0xB89B25: ggc_mark_root_tab(ggc_root_tab const*)
(ggc-common.cc:75)
==2009913==    by 0xB89DF4: ggc_mark_roots() (ggc-common.cc:104)
==2009913==    by 0x9D6311: ggc_collect(ggc_collect) (ggc-page.cc:2227)
==2009913==    by 0xDB70F6: execute_one_pass(opt_pass*) (passes.cc:2738)
==2009913==    by 0xDB721F: execute_pass_list_1(opt_pass*) (passes.cc:2755)
==2009913==    by 0xDB7258: execute_pass_list(function*, opt_pass*)
(passes.cc:2766)
==2009913==    by 0xA55525: cgraph_node::analyze() (cgraphunit.cc:695)
==2009913==    by 0xA57CC7: analyze_functions(bool) (cgraphunit.cc:1248)
==2009913==    by 0xA5890D: symbol_table::finalize_compilation_unit()
(cgraphunit.cc:2555)
==2009913==    by 0xEB02A1: compile_file() (toplev.cc:473)
...
+FAIL: 18_support/comparisons/object/93479.cc  -std=gnu++26 (test for excess
errors)
+FAIL: 23_containers/span/101411.cc  -std=gnu++26 (test for excess errors)
+FAIL: 24_iterators/range_access/range_access_cpp20_neg.cc  -std=gnu++26  (test
for errors, line )
+FAIL: 24_iterators/range_access/range_access_cpp20_neg.cc  -std=gnu++26  (test
for errors, line 46)
+FAIL: 24_iterators/range_access/range_access_cpp20_neg.cc  -std=gnu++26 (test
for excess errors)
+FAIL: 26_numerics/numbers/nonfloat_neg.cc  -std=gnu++26 (test for excess
errors)
+FAIL: std/ranges/adaptors/100577.cc  -std=gnu++26 (test for excess errors)
+FAIL: std/ranges/adaptors/lazy_split_neg.cc  -std=gnu++26 (test for excess
errors)
+FAIL: std/ranges/adaptors/lwg3325_neg.cc  -std=gnu++26 (test for excess
errors)
+FAIL: std/ranges/subrange/lwg3282_neg.cc  -std=gnu++26 (test for excess
errors)
trigger same or similar diagnostics.

[Bug c++/112968] Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[pinskia at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112968

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Is the failure only with -std=gnu++26 ?

[Bug c++/112968] Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112968

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
The above listed failures are all FAILs in libstdc++, except for a couple of
compilation timed out ones (caused by valgrind being too slow and the box being
busy).
So yes, it is just -std=c++26.

[Bug c++/112968] Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112968

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |aoliva at gcc dot gnu.org,
                   |                            |jason at gcc dot gnu.org,
                   |                            |ppalka at gcc dot gnu.org

--- Comment #3 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I believe the bug is in
https://gcc.gnu.org/legacy-ml/gcc-patches/2018-04/msg00709.html
aka r8-7885-ga56e2f69fede451499cfcbb58bab7687e4b1643a
When tinst_level::to_list is called, if it allocates new TREE_LIST, all is
fine, but
otherwise it goes through:
  tree ret = tree_list_freelist ().alloc ();
  TREE_PURPOSE (ret) = tldcl;
  TREE_VALUE (ret) = targs;
where alloc does
        T *obj = head;
        head = next (head);
        reinit (obj);
        return obj;
and
template <>
inline void
freelist<tree_node>::reinit (tree obj ATTRIBUTE_UNUSED)
{
  tree_base *b ATTRIBUTE_UNUSED = &obj->base;

#ifdef ENABLE_GC_CHECKING
  gcc_checking_assert (TREE_CODE (obj) == TREE_LIST);
  VALGRIND_DISCARD (VALGRIND_MAKE_MEM_UNDEFINED (obj, sizeof (tree_list)));
  memset (obj, 0, sizeof (tree_list));
#endif

  /* Let valgrind know the entire object is available, but
     uninitialized.  */
  VALGRIND_DISCARD (VALGRIND_MAKE_MEM_UNDEFINED (obj, sizeof (tree_list)));

#ifdef ENABLE_GC_CHECKING
  TREE_SET_CODE (obj, TREE_LIST);
#else
  VALGRIND_DISCARD (VALGRIND_MAKE_MEM_DEFINED (b, sizeof (*b)));
#endif
}

Now, tree_list is:
struct GTY(()) tree_list {
  struct tree_common common;
  tree purpose;
  tree value;
};
struct GTY(()) tree_common {
  struct tree_typed typed;
  tree chain;
};
struct GTY(()) tree_typed {
  struct tree_base base;
  tree type;
};
and the 2 stores to TREE_PURPOSE/TREE_VALUE afterwards initialize those 2, so I
believe
this leaves from valgrind annotation POV TREE_TYPE and TREE_CHAIN of the
TREE_LIST allocated from the freelist uninitialized (even when it actually is
in reality initialized from the initial build_tree_list call before it got put
into the cache).

I must say it is unclear what should be TREE_CHAIN value after
tinst_level::to_list
and what should be TREE_TYPE.  Right now it is sometimes well defined NULL and
NULL (if we allocated it freshly), sometimes NULL and NULL with valgrind think
it is uninitialized (if ENABLE_GC_CHECKING where reinit clears the whole object
and sets TREE_CODE again) and sometimes garbage with valgrind thinking it is
undefined (otherwise).
After pending_template_freelist ().alloc (); we already clear pt->next = NULL;
and
similarly after tinst_level_freelist ().alloc (); we clear new_level->next =
NULL;
so I think it is just the tree_list case.

So, wonder about
--- gcc/cp/pt.cc.jj     2023-12-11 23:52:03.592513063 +0100
+++ gcc/cp/pt.cc        2023-12-12 16:40:09.259903877 +0100
@@ -9525,7 +9525,7 @@ template <>
 inline void
 freelist<tree_node>::reinit (tree obj ATTRIBUTE_UNUSED)
 {
-  tree_base *b ATTRIBUTE_UNUSED = &obj->base;
+  tree_common *c ATTRIBUTE_UNUSED = &obj->common;

 #ifdef ENABLE_GC_CHECKING
   gcc_checking_assert (TREE_CODE (obj) == TREE_LIST);
@@ -9540,8 +9540,9 @@ freelist<tree_node>::reinit (tree obj AT
 #ifdef ENABLE_GC_CHECKING
   TREE_SET_CODE (obj, TREE_LIST);
 #else
-  VALGRIND_DISCARD (VALGRIND_MAKE_MEM_DEFINED (b, sizeof (*b)));
+  TREE_CHAIN (obj) = NULL_TREE;
 #endif
+  VALGRIND_DISCARD (VALGRIND_MAKE_MEM_DEFINED (c, sizeof (*c)));
 }

 /* Point to the first object in the TREE_LIST freelist.  */
where this (IMHO) ought to ensure that both TREE_TYPE and TREE_CHAIN is
accessible and NULL after tinst_level::to_list regardless of whether it was
freshly allocated or not
and regardless of ENABLE_GC_CHECKING or not.

[Bug c++/112968] Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112968

--- Comment #4 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:7ff33c609a64319583223d6d39a89e971f993ecf

commit r14-6529-g7ff33c609a64319583223d6d39a89e971f993ecf
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Thu Dec 14 07:57:34 2023 +0100

    c++: Fix tinst_level::to_list [PR112968]

    With valgrind checking, there are various errors reported on some C++26
    libstdc++ tests, like:
    ==2009913== Conditional jump or move depends on uninitialised value(s)
    ==2009913==    at 0x914C59: gt_ggc_mx_lang_tree_node(void*)
(gt-cp-tree.h:107)
    ==2009913==    by 0x8AB7A5: gt_ggc_mx_tinst_level(void*) (gt-cp-pt.h:32)
    ==2009913==    by 0xB89B25: ggc_mark_root_tab(ggc_root_tab const*)
(ggc-common.cc:75)
    ==2009913==    by 0xB89DF4: ggc_mark_roots() (ggc-common.cc:104)
    ==2009913==    by 0x9D6311: ggc_collect(ggc_collect) (ggc-page.cc:2227)
    ==2009913==    by 0xDB70F6: execute_one_pass(opt_pass*) (passes.cc:2738)
    ==2009913==    by 0xDB721F: execute_pass_list_1(opt_pass*) (passes.cc:2755)
    ==2009913==    by 0xDB7258: execute_pass_list(function*, opt_pass*)
(passes.cc:2766)
    ==2009913==    by 0xA55525: cgraph_node::analyze() (cgraphunit.cc:695)
    ==2009913==    by 0xA57CC7: analyze_functions(bool) (cgraphunit.cc:1248)
    ==2009913==    by 0xA5890D: symbol_table::finalize_compilation_unit()
(cgraphunit.cc:2555)
    ==2009913==    by 0xEB02A1: compile_file() (toplev.cc:473)

    I think the problem is in the tinst_level::to_list optimization from 2018.
    That function returns a TREE_LIST with TREE_PURPOSE/TREE_VALUE filled in.
    Either it freshly allocates using build_tree_list (NULL, NULL); + stores
    TREE_PURPOSE/TREE_VALUE, that case is fine (the whole tree_list object
    is zeros, except for TREE_CODE set to TREE_LIST and TREE_PURPOSE/TREE_VALUE
    modified later; the above also means in particular TREE_TYPE of it is NULL
    and TREE_CHAIN is NULL and both are accessible/initialized even in valgrind
    annotations.
    Or it grabs a TREE_LIST node from a freelist.
    If defined(ENABLE_GC_CHECKING), the object is still all zeros except
    for TREE_CODE/TREE_PURPOSE/TREE_VALUE like in the fresh allocation case
    (but unlike the build_tree_list case in the valgrind annotations
    TREE_TYPE and TREE_CHAIN are marked as uninitialized).
    If !defined(ENABLE_GC_CHECKING), I believe the actual memory content
    is that everything but TREE_CODE/TREE_PURPOSE/TREE_VALUE/TREE_CHAIN is
    zeros and TREE_CHAIN is something random (whatever next entry is in the
    freelist, nothing overwrote it) and from valgrind POV again,
    TREE_TYPE and TREE_CHAIN are marked as uninitialized.

    When using the other freelist instantiations (pending_template and
    tinst_level) I believe everything is correct, from valgrind POV it marks
    the whole pending_template or tinst_level as uninitialized, but the
    caller initializes it all).

    One way to fix this would be let tinst_level::to_list not store just
      TREE_PURPOSE (ret) = tldcl;
      TREE_VALUE (ret) = targs;
    but also
      TREE_TYPE (ret) = NULL_TREE;
      TREE_CHAIN (ret) = NULL_TREE;
    Though, that seems like wasted effort in the build_tree_list case to me.

    So, the following patch instead does that TREE_CHAIN = NULL_TREE store only
    in the case where it isn't already done (and likewise for TREE_TYPE just to
    be sure) and marks both TREE_CHAIN and TREE_TYPE as initialized (the latter
    is at that spot, the former is because we never really touch TREE_TYPE of a
    TREE_LIST anywhere and so the NULL gets stored into the freelist and
    restored from there (except for ENABLE_GC_CHECKING where it is poisoned
    and then cleared again).

    2023-12-14  Jakub Jelinek  <jakub@redhat.com>

            PR c++/112968
            * pt.cc (freelist<tree_node>::reinit): Make whole obj->common
            defined for valgrind annotations rather than just obj->base,
            and do it even for ENABLE_GC_CHECKING.  If not ENABLE_GC_CHECKING,
            clear TREE_CHAIN (obj) and TREE_TYPE (obj).

[Bug c++/112968] Valgrind error on libstdc++-v3/testsuite/18_support/comparisons/object/93479.cc

[jakub at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=112968

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|UNCONFIRMED                 |RESOLVED

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.