public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/114998] New: ICE on valid code at -O3 with "-fno-inline -fno-tree-dce -fno-ipa-cp" on x86_64-linux-gnu: Segmentation fault
From: zhendong.su at inf dot ethz.ch @ 2024-05-08 21:38 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
Bug ID: 114998
Summary: ICE on valid code at -O3 with "-fno-inline
-fno-tree-dce -fno-ipa-cp" on x86_64-linux-gnu:
Segmentation fault
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: zhendong.su at inf dot ethz.ch
Target Milestone: ---
It reproduces for 14.1 and trunk, but not 13.2 and earlier.
Compiler Explorer: https://godbolt.org/z/7xjf7EWGs
[865] % gcctk -v
Using built-in specs.
COLLECT_GCC=gcctk
COLLECT_LTO_WRAPPER=/local/suz-local/software/local/gcc-trunk/libexec/gcc/x86_64-pc-linux-gnu/15.0.0/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../gcc-trunk/configure --disable-bootstrap
--enable-checking=yes --prefix=/local/suz-local/software/local/gcc-trunk
--enable-sanitizers --enable-languages=c,c++ --disable-werror --enable-multilib
Thread model: posix
Supported LTO compression algorithms: zlib
gcc version 15.0.0 20240507 (experimental) (GCC)
[866] %
[866] % gcctk -O3 -fno-inline -fno-tree-dce -fno-ipa-cp small.c
during GIMPLE pass: ldist
small.c: In function ‘main’:
small.c:4:5: internal compiler error: Segmentation fault
4 | int main() {
| ^~~~
0x1175773 crash_signal
../../gcc-trunk/gcc/toplev.cc:319
0x7f4aef65008f ???
/build/glibc-e2p3jK/glibc-2.31/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
0x140bb04 vec<tree_node*, va_gc, vl_embed>::quick_push(tree_node* const&)
../../gcc-trunk/gcc/vec.h:1043
0x140bb04 tree_node** vec_safe_push<tree_node*, va_gc>(vec<tree_node*, va_gc,
vl_embed>*&, tree_node* const&)
../../gcc-trunk/gcc/vec.h:835
0x140bb04 release_ssa_name_fn(function*, tree_node*)
../../gcc-trunk/gcc/tree-ssanames.cc:619
0x1249bba release_ssa_name(tree_node*)
../../gcc-trunk/gcc/tree-ssanames.h:124
0x1249bba remove_phi_node(gimple_stmt_iterator*, bool)
../../gcc-trunk/gcc/tree-phinodes.cc:457
0x11bc34e gimple_merge_blocks
../../gcc-trunk/gcc/tree-cfg.cc:2175
0xbf0b63 merge_blocks(basic_block_def*, basic_block_def*)
../../gcc-trunk/gcc/cfghooks.cc:820
0x11cbc29 cleanup_tree_cfg_bb
../../gcc-trunk/gcc/tree-cfgcleanup.cc:791
0x11cd564 cleanup_tree_cfg_noloop
../../gcc-trunk/gcc/tree-cfgcleanup.cc:1122
0x11cd564 cleanup_tree_cfg(unsigned int)
../../gcc-trunk/gcc/tree-cfgcleanup.cc:1205
0x102c29c execute_function_todo
../../gcc-trunk/gcc/passes.cc:2058
0x102cb4e execute_todo
../../gcc-trunk/gcc/passes.cc:2143
Please submit a full bug report, with preprocessed source (by using
-freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
[867] %
[867] % cat small.c
short a, d;
int b, c, f, g, h, i, j[2], o;
void s(char r) {}
int main() {
int l, m, k, n;
if (b) {
char p;
for (; p >= 0; p--) {
int e[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0,
1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1,
0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0};
if (j[p]) {
int q[1];
i = o;
o = q[h];
if (g)
n = d;
m = 4;
for (; m; m--) {
if (l)
k |= c;
if (a)
break;
}
}
s(n);
f |= b;
}
}
return 0;
}
* [Bug tree-optimization/114998] [14/15 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault
From: pinskia at gcc dot gnu.org @ 2024-05-09 8:05 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
Andrew Pinski <pinskia at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Summary|ICE on valid code at -O3 |[14/15 Regression] ICE on
|with "-fno-inline |valid code at -O3 with
|-fno-tree-dce -fno-ipa-cp" |"-fno-tree-dce" on
|on x86_64-linux-gnu: |x86_64-linux-gnu:
|Segmentation fault |Segmentation fault
Last reconfirmed| |2024-05-09
Target Milestone|--- |14.2
Ever confirmed|0 |1
--- Comment #1 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
Confirmed. Here is a testcase with only `-O3 -fno-tree-dce` as this basically
does what `-fno-inline` and `-fno-ipa-cp` cause:
```
short a, d;
int b, c, f, g, h, i, j[2], o;
__attribute__((const)) int s(char r);
int main() {
  int l, m, k, n;
  if (b) {
    char p;
    for (; p >= 0; p--) {
      int e[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
                 0, 0, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0,
                 1, 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0, 0, 1,
                 0, 0, 1, 1, 0, 0, 0, 1, 0, 0, 1, 1, 0, 0};
      if (j[p]) {
        int q[1];
        i = o;
        o = q[h];
        if (g)
          n = d;
        m = 4;
        for (; m; m--) {
          if (l)
            k |= c;
          if (a)
            break;
        }
      }
      s(n);
      f |= b;
    }
  }
  return 0;
}
```
* [Bug tree-optimization/114998] [14/15 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: jakub at gcc dot gnu.org @ 2024-05-09 10:09 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
Jakub Jelinek <jakub at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P2
CC| |jakub at gcc dot gnu.org,
| |rguenth at gcc dot gnu.org
Summary|[14/15 Regression] ICE on |[14/15 Regression] ICE on
|valid code at -O3 with |valid code at -O3 with
|"-fno-tree-dce" on |"-fno-tree-dce" on
|x86_64-linux-gnu: |x86_64-linux-gnu:
|Segmentation fault |Segmentation fault since
| |r14-9767
--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Started with r14-9767-ge7b7188b1cf8c174f0e890d4ac279ff480b51043
* [Bug tree-optimization/114998] [14/15 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: rguenth at gcc dot gnu.org @ 2024-05-10 6:49 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Version|unknown |14.1.0
Assignee|unassigned at gcc dot gnu.org |rguenth at gcc dot gnu.org
Status|NEW |ASSIGNED
--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> ---
I will have a look. Likely use-after-free.
* [Bug tree-optimization/114998] [14/15 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: rguenth at gcc dot gnu.org @ 2024-05-10 11:14 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Breakpoint 5, release_ssa_name_fn (fn=0x7ffff6be4000,
var=<ssa_name 0x7ffff6bebea0 52>)
at ../../src/gcc-14-branch/gcc/tree-ssanames.cc:619
619 vec_safe_push (FREE_SSANAMES_QUEUE (fn), var);
(gdb) p v.m_vecpfx
$7 = {m_alloc = 127, m_using_auto_storage = 0, m_num = 4294967295}
The issue is that loop distribution removes stmts from the last partition
(with the original stmts in the IL), and during cleanup in free_rdg
sets stmt UIDs to -1 again, but also to stmts that were released.
The simplest fix I think is to not re-set UIDs in free_rdg.
* [Bug tree-optimization/114998] [14/15 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: cvs-commit at gcc dot gnu.org @ 2024-05-10 13:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
--- Comment #5 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:
https://gcc.gnu.org/g:34d15a4d630a0d54eddb99bdab086c506e10dac5
commit r15-362-g34d15a4d630a0d54eddb99bdab086c506e10dac5
Author: Richard Biener <rguenther@suse.de>
Date: Fri May 10 14:19:49 2024 +0200
tree-optimization/114998 - use-after-free with loop distribution
When loop distribution releases a PHI node of the original IL it
can end up clobbering memory that's re-used when it upon releasing
its RDG resets all stmt UIDs back to -1, even those that got released.
The fix is to avoid resetting UIDs based on stmts in the RDG but
instead reset only those still present in the loop.
PR tree-optimization/114998
* tree-loop-distribution.cc (free_rdg): Take loop argument.
Reset UIDs of stmts still in the IL rather than all stmts
referenced from the RDG.
(loop_distribution::build_rdg): Pass loop to free_rdg.
(loop_distribution::distribute_loop): Likewise.
(loop_distribution::transform_reduction_loop): Likewise.
* gcc.dg/torture/pr114998.c: New testcase.
^ permalink raw reply [flat|nested] 9+ messages in thread
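The failure mode described in comment #4 and in the commit message above, as an added C model that is not GCC code and not part of the thread. A recycled pool cell stands in for the memory the released PHI shares with the free-SSA-name vector; every name here (`pool`, `run`, `next_push_in_bounds`) is an assumption, and only the `m_alloc` value 127 is taken from the gdb output.

```c
/* Constructed model of the bug class in this thread; not GCC source. */
#include <limits.h>
#include <stdio.h>

#define NSLOTS 4
#define VEC_ALLOC 127u   /* m_alloc value from the gdb output in comment #4 */

enum kind { K_FREE, K_STMT, K_VEC };
/* One recyclable cell: `word` is a stmt's UID or a vector's m_num. */
struct slot { enum kind kind; unsigned word; };

static struct slot pool[NSLOTS];
static int free_list[NSLOTS], free_top;

static void pool_init(void) {
  free_top = 0;
  for (int i = NSLOTS - 1; i >= 0; i--) free_list[free_top++] = i;
}
static int slot_alloc(enum kind k, unsigned word) {
  int i = free_list[--free_top];      /* LIFO: most recently released first */
  pool[i].kind = k;
  pool[i].word = word;
  return i;
}
static void slot_release(int i) {
  pool[i].kind = K_FREE;
  free_list[free_top++] = i;
}

/* Returns the vector's m_num after the dependence graph is torn down.
   fixed == 0: reset UIDs of every stmt the graph references (stale included).
   fixed != 0: reset UIDs only of stmts still present in the loop. */
static unsigned run(int fixed) {
  int rdg[3], in_loop[3], n_loop = 0;
  pool_init();
  for (unsigned u = 0; u < 3; u++) rdg[u] = slot_alloc(K_STMT, u);
  slot_release(rdg[1]);                  /* the PHI node is released */
  in_loop[n_loop++] = rdg[0];
  in_loop[n_loop++] = rdg[2];
  int vec = slot_alloc(K_VEC, 0);        /* empty vector reuses the PHI's cell */
  const int *set = fixed ? in_loop : rdg;
  int n = fixed ? n_loop : 3;
  for (int i = 0; i < n; i++) pool[set[i]].word = UINT_MAX;  /* UID = -1 */
  return pool[vec].word;
}

/* A push writes element m_num, so m_num must stay below the allocation. */
static int next_push_in_bounds(unsigned m_num) { return m_num < VEC_ALLOC; }

int main(void) {
  printf("stale reset:     m_num=%u\n", run(0));
  printf("loop-only reset: m_num=%u\n", run(1));
  return 0;
}
```

With the stale reset the vector's length becomes 4294967295, the same `m_num` seen in the gdb session, so the next push indexes far outside the allocation.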
* [Bug tree-optimization/114998] [14 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: rguenth at gcc dot gnu.org @ 2024-05-10 13:44 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Summary|[14/15 Regression] ICE on |[14 Regression] ICE on
|valid code at -O3 with |valid code at -O3 with
|"-fno-tree-dce" on |"-fno-tree-dce" on
|x86_64-linux-gnu: |x86_64-linux-gnu:
|Segmentation fault since |Segmentation fault since
|r14-9767 |r14-9767
Known to work| |15.0
--- Comment #6 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed on trunk so far.
* [Bug tree-optimization/114998] [14 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: cvs-commit at gcc dot gnu.org @ 2024-05-17 10:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
--- Comment #7 from GCC Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-14 branch has been updated by Richard Biener
<rguenth@gcc.gnu.org>:
https://gcc.gnu.org/g:1e9ae50d4d160f6d557fc4cbbe95c4a36897c09f
commit r14-10214-g1e9ae50d4d160f6d557fc4cbbe95c4a36897c09f
Author: Richard Biener <rguenther@suse.de>
Date: Fri May 10 14:19:49 2024 +0200
tree-optimization/114998 - use-after-free with loop distribution
When loop distribution releases a PHI node of the original IL it
can end up clobbering memory that's re-used when it upon releasing
its RDG resets all stmt UIDs back to -1, even those that got released.
The fix is to avoid resetting UIDs based on stmts in the RDG but
instead reset only those still present in the loop.
PR tree-optimization/114998
* tree-loop-distribution.cc (free_rdg): Take loop argument.
Reset UIDs of stmts still in the IL rather than all stmts
referenced from the RDG.
(loop_distribution::build_rdg): Pass loop to free_rdg.
(loop_distribution::distribute_loop): Likewise.
(loop_distribution::transform_reduction_loop): Likewise.
* gcc.dg/torture/pr114998.c: New testcase.
(cherry picked from commit 34d15a4d630a0d54eddb99bdab086c506e10dac5)
* [Bug tree-optimization/114998] [14 Regression] ICE on valid code at -O3 with "-fno-tree-dce" on x86_64-linux-gnu: Segmentation fault since r14-9767
From: rguenth at gcc dot gnu.org @ 2024-05-17 10:39 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=114998
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #8 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.