public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/113013] New: [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
@ 2023-12-14  3:10 sjames at gcc dot gnu.org
  2023-12-14  3:17 ` [Bug tree-optimization/113013] " pinskia at gcc dot gnu.org
                   ` (10 more replies)
  0 siblings, 11 replies; 12+ messages in thread
From: sjames at gcc dot gnu.org @ 2023-12-14  3:10 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

            Bug ID: 113013
           Summary: [12/13/14 regression] ICE in fold_convert_loc with
                    -fsanitize=undefined
           Product: gcc
           Version: 14.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: sjames at gcc dot gnu.org
  Target Milestone: ---

Created attachment 56876
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56876&action=edit
reduced.i

Hit this when reducing PR113012.

```
$ gcc -c /tmp/foo.c -O2 -fsanitize=undefined
during GIMPLE pass: objsz
/tmp/foo.c: In function ‘miZeroLine_list_len’:
/tmp/foo.c:9:6: internal compiler error: in fold_convert_loc, at fold-const.cc:2602
    9 | void miZeroLine_list_len() {
      |      ^~~~~~~~~~~~~~~~~~~
0x55eb4274eca3 fold_convert_loc(unsigned int, tree_node*, tree_node*)
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/fold-const.cc:2602
0x55eb446f7d13 alloc_object_size
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/tree-object-size.cc:811
0x55eb446f7d13 call_object_size
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/tree-object-size.cc:1339
0x55eb446f7d13 collect_object_sizes_for
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/tree-object-size.cc:1779
0x55eb4418920f compute_builtin_object_size(tree_node*, int, tree_node**)
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/tree-object-size.cc:1194
0x55eb43fab777 fold_builtin_object_size
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/builtins.cc:11556
0x55eb43fab777 fold_builtin_2
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/builtins.cc:10575
0x55eb43fab777 fold_builtin_n(unsigned int, tree_node*, tree_node*, tree_node**, int, bool) [clone .isra.0]
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/builtins.cc:10687
0x55eb440cd22d dynamic_object_sizes_execute_one
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/tree-object-size.cc:2078
0x55eb440cd22d object_sizes_execute
        /usr/src/debug/sys-devel/gcc-14.0.0_pre20231210/gcc-14-20231210/gcc/tree-object-size.cc:2140
Please submit a full bug report, with preprocessed source (by using -freport-bug).
Please include the complete backtrace with any bug report.
See <https://bugs.gentoo.org/> for instructions.
```

^ permalink raw reply	[flat|nested] 12+ messages in thread

* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: pinskia at gcc dot gnu.org @ 2023-12-14  3:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
     Ever confirmed|0                           |1
           Keywords|                            |ice-on-valid-code
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2023-12-14

--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Reduced slightly more:
```
struct _xPoint {
  short x;
} xPoint;
/* Unprototyped declaration: alloc_size(1) names the first argument, but
   nothing here constrains that argument's type. */
void *reallocarray() __attribute__((__alloc_size__(1)));
struct _xPoint * miZeroLine_pspanInit;
void miZeroLine_list_len(void) {
  /* The argument alloc_size points at is a struct, not an integer, so the
     objsz pass tried to fold_convert a structure to sizetype and crashed. */
  miZeroLine_pspanInit = reallocarray(xPoint);
  miZeroLine_pspanInit->x = 0;
}
```


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: pinskia at gcc dot gnu.org @ 2023-12-14  3:18 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

Andrew Pinski <pinskia at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |12.4

--- Comment #2 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Most likely r12-6479-g404c787e2bfe8cae666b075ed903990ea452220e or
r12-6482-g06bc1b0c539e3a60692d7432d15e701c38610f80 .


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: pinskia at gcc dot gnu.org @ 2023-12-14  3:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

--- Comment #3 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
The use of __alloc_size__ here is definitely not well defined but GCC should
NOT crash.


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: siddhesh at gcc dot gnu.org @ 2023-12-14 12:52 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|ice-on-valid-code           |ice-on-invalid-code
                 CC|                            |siddhesh at gcc dot gnu.org

--- Comment #4 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
Agreed, the attribute is invalid and maybe the frontend needs to flag it early
and flag an error.


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: rguenth at gcc dot gnu.org @ 2023-12-14 14:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P2


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: jakub at gcc dot gnu.org @ 2023-12-15 13:28 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |jakub at gcc dot gnu.org

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 56885
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=56885&action=edit
gcc14-pr113013.patch

I don't see how FEs could do anything, especially on declarations like this
where the argument types aren't specified.
For attributes like this, it is generally responsibility of the function
using those to use it only if they are sane, and after all, even the
tree-object-size.cc code does that (e.g. verify that such argument exists at
all).  Just doesn't check that it is convertible to sizetype.


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: siddhesh at gcc dot gnu.org @ 2023-12-15 13:54 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

--- Comment #6 from Siddhesh Poyarekar <siddhesh at gcc dot gnu.org> ---
Sorry I misread the reproducer as `void *reallocarray(void) __attribute__((__alloc_size__(1)));`

Your fix looks fine to me, thanks.


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: cvs-commit at gcc dot gnu.org @ 2023-12-18  9:00 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

--- Comment #7 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Jakub Jelinek <jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:5347263b347d02e875879ca40ca6e289ac178919

commit r14-6654-g5347263b347d02e875879ca40ca6e289ac178919
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Mon Dec 18 09:59:28 2023 +0100

    tree-object-size: Robustify alloc_size attribute handling [PR113013]

    The following testcase ICEs because we aren't careful enough with
    alloc_size attribute.  We do check that such an argument exists
    (although wouldn't handle correctly functions with more than INT_MAX
    arguments), but didn't check that it is scalar integer, the ICE is
    trying to fold_convert a structure to sizetype.

    Given that the attribute can also appear on non-prototyped functions
    where the arguments aren't known, I don't see how the FE could diagnose
    that and because we already handle the case where argument doesn't exist,
    I think we should also verify the argument is scalar integer convertible
    to sizetype.  Furthermore, given this is not just in diagnostics but
    used for code generation, I think it is better to punt on arguments with
    larger precision than sizetype, the upper bits are then truncated.

    The patch also fixes some formatting issues and avoids duplication of the
    fold_convert, plus removes unnecessary check for if (arg1 >= 0), that is
    always the case after if (arg1 < 0) return ...;

    2023-12-18  Jakub Jelinek  <jakub@redhat.com>

            PR tree-optimization/113013
            * tree-object-size.cc (alloc_object_size): Return size_unknown if
            corresponding argument(s) don't have integral type or have integral
            type with higher precision than sizetype.  Don't check arg1 >= 0
            uselessly.  Compare argument indexes against gimple_call_num_args
            in unsigned type rather than int.  Formatting fixes.

            * gcc.dg/pr113013.c: New test.


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: cvs-commit at gcc dot gnu.org @ 2023-12-18  9:14 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

--- Comment #8 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-13 branch has been updated by Jakub Jelinek
<jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:2ea5a22b3e594cdf88e916b3df774883ce9dbc3a

commit r13-8165-g2ea5a22b3e594cdf88e916b3df774883ce9dbc3a
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Mon Dec 18 09:59:28 2023 +0100

    tree-object-size: Robustify alloc_size attribute handling [PR113013]

    (cherry picked from commit 5347263b347d02e875879ca40ca6e289ac178919)


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: cvs-commit at gcc dot gnu.org @ 2023-12-18  9:26 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

--- Comment #9 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-12 branch has been updated by Jakub Jelinek
<jakub@gcc.gnu.org>:

https://gcc.gnu.org/g:febb86b366047e0ea48da85c9b52ee03878cb5bf

commit r12-10059-gfebb86b366047e0ea48da85c9b52ee03878cb5bf
Author: Jakub Jelinek <jakub@redhat.com>
Date:   Mon Dec 18 09:59:28 2023 +0100

    tree-object-size: Robustify alloc_size attribute handling [PR113013]

    (cherry picked from commit 5347263b347d02e875879ca40ca6e289ac178919)


* [Bug tree-optimization/113013] [12/13/14 regression] ICE in fold_convert_loc with -fsanitize=undefined
From: jakub at gcc dot gnu.org @ 2023-12-18  9:38 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113013

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|ASSIGNED                    |RESOLVED

--- Comment #10 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Should be fixed now.

