public inbox for gcc-bugs@sourceware.org
* [Bug target/53886] New: Seg fault in sh_insn_length_adjustment
From: rmansfield at qnx dot com @ 2012-07-07 16:41 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

             Bug #: 53886
           Summary: Seg fault in sh_insn_length_adjustment
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: rmansfield@qnx.com
              Host: x86_64-linux-gnu
            Target: sh4-unknown-linux-gnu
             Build: x86_64-linux-gnu


$ ./xgcc -v
Using built-in specs.
COLLECT_GCC=./xgcc
Target: sh4-unknown-linux-gnu
Configured with: ../configure --target=sh4-unknown-linux-gnu
--prefix=/home/ryan/x-tools/sh4-unknown-linux-gnuc
--with-local-prefix=/home/ryan/x-tools/sh4-unknown-linux-gnu/sh4-unknown-linux-gnu/sys-root
--disable-multilib
--with-sysroot=/home/ryan/x-tools/sh4-unknown-linux-gnu/sh4-unknown-linux-gnu/sys-root
--with-newlib --enable-threads=no --disable-shared --enable-__cxa_atexit
--disable-nls --enable-symvers=gnu --enable-languages=c
--enable-target-optspace --enable-checking --disable-libmudflap
--disable-libssp
Thread model: single
gcc version 4.8.0 20120707 (experimental) [trunk revision 189349] (GCC) 

$ ./xgcc -B. /home/ryan/r.i -c -Os
/home/ryan/r.i: In function 'i2d_ECPrivateKey':
/home/ryan/r.i:31:17: warning: assignment makes pointer from integer without a
cast [enabled by default]
   if ((priv_key = EC_PRIVATEKEY_new ()) == 0)
                 ^
/home/ryan/r.i:47:6: warning: initialization makes pointer from integer without
a cast [enabled by default]
      CRYPTO_realloc ((char *) buffer, (int) tmp_len, "", 1293);
      ^
/home/ryan/r.i:60:1: internal compiler error: Segmentation fault
 }
 ^
Please submit a full bug report,
with preprocessed source if appropriate.
See <http://gcc.gnu.org/bugs.html> for instructions.

(gdb) bt
#0  0x0000000000abcab6 in sh_insn_length_adjustment (insn=0x7ffff7053168)
    at ../../gcc/config/sh/sh.c:9665
#1  0x000000000066d00c in get_attr_length_1 (fallback_fn=<optimized out>, 
    insn=0x7ffff7053168) at ../../gcc/final.c:433
#2  get_attr_length (insn=0x7ffff7053168) at ../../gcc/final.c:448
#3  0x0000000000ac6e1b in get_attr_in_delay_slot (insn=0x7ffff7053168)
    at ../../gcc/config/sh/sh.md:241
#4  0x0000000000ac6fc6 in get_attr_cond_delay_slot (insn=0x7ffff7053168)
    at ../../gcc/config/sh/sh.md:239
#5  0x0000000000aca638 in eligible_for_annul_true (delay_insn=0x7ffff70507d0, 
    slot=4, candidate_insn=0x7ffff7053168, flags=<optimized out>)
    at ../../gcc/config/sh/sh.md:444
#6  0x0000000000825f8e in optimize_skip (insn=0x7ffff70507d0)
    at ../../gcc/reorg.c:864
#7  fill_simple_delay_slots (non_jumps_p=0) at ../../gcc/reorg.c:2201
#8  0x0000000000826c71 in dbr_schedule (first=0x7ffff7042f40)
    at ../../gcc/reorg.c:3931
#9  0x0000000000828640 in rest_of_handle_delay_slots ()
    at ../../gcc/reorg.c:4115
#10 0x00000000007d5a17 in execute_one_pass (pass=0x108a600)
    at ../../gcc/passes.c:2165
---Type <return> to continue, or q <return> to quit---
#11 0x00000000007d5d85 in execute_pass_list (pass=0x108a600)
    at ../../gcc/passes.c:2220
#12 0x00000000007d5d97 in execute_pass_list (pass=0x1089aa0)
    at ../../gcc/passes.c:2221
#13 0x00000000007d5d97 in execute_pass_list (pass=0x1089a40)
    at ../../gcc/passes.c:2221
#14 0x00000000005af9ac in expand_function (node=0x7ffff7043000)
    at ../../gcc/cgraphunit.c:1615
#15 0x00000000005b13ea in expand_all_functions ()
    at ../../gcc/cgraphunit.c:1720
#16 compile () at ../../gcc/cgraphunit.c:2018
#17 0x00000000005b1d65 in finalize_compilation_unit ()
    at ../../gcc/cgraphunit.c:2095
#18 0x000000000049fbe8 in c_write_global_declarations ()
    at ../../gcc/c/c-decl.c:10116
#19 0x000000000088158d in compile_file () at ../../gcc/toplev.c:564
#20 0x0000000000883134 in do_compile () at ../../gcc/toplev.c:1867
#21 toplev_main (argc=10, argv=0x7fffffffe118) at ../../gcc/toplev.c:1943
#22 0x00007ffff715c76d in __libc_start_main ()
   from /lib/x86_64-linux-gnu/libc.so.6
#23 0x0000000000483011 in _start ()


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-08 11:33 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

Oleg Endo <olegendo at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |olegendo at gcc dot gnu.org

--- Comment #1 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-08 11:33:19 UTC ---
Ryan, could you please provide the (reduced) source file in question so that we
could add this as a test case to the test suite?


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-08 11:41 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

Oleg Endo <olegendo at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kkojima at gcc dot gnu.org

--- Comment #2 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-08 11:40:56 UTC ---
I'm just guessing here, but this line

&& GET_CODE (PATTERN (NEXT_INSN (PREV_INSN (insn)))) != SEQUENCE

looks suspicious.  Most likely it's a nullptr access.
In sparc.c something similar is being done by the function
'int empty_delay_slot (rtx insn)'

Maybe the patch below could be a fix for the problem?
There are actually more places in sh.c where the usage of NEXT_INSN (PREV_INSN
(insn)) goes unchecked...

Kaz, what do you think?  Does this make any sense?


Index: gcc/config/sh/sh.c
===================================================================
--- gcc/config/sh/sh.c    (revision 189339)
+++ gcc/config/sh/sh.c    (working copy)
@@ -9652,6 +9652,15 @@
 #define IS_ASM_LOGICAL_LINE_SEPARATOR(C, STR) ((C) == ';')
 #endif

+static bool
+sequence_insn_p (rtx insn)
+{
+  if (PREV_INSN (insn) == NULL)
+    return false;
+
+  return GET_CODE (PATTERN (NEXT_INSN (PREV_INSN (insn)))) == SEQUENCE;
+}
+
 int
 sh_insn_length_adjustment (rtx insn)
 {
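Review bot: sequence_insn_p guards only PREV_INSN (insn); in its return statement the results of NEXT_INSN (PREV_INSN (insn)) and PATTERN (...) are still used unchecked, so GET_CODE can still be handed a null rtx if either of those is the link that is missing. Checking each step before using it (prev, then next, then the pattern) would close all three, and the new function should carry a leading comment saying what a true result means.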
@@ -9662,7 +9671,7 @@
     && GET_CODE (PATTERN (insn)) != CLOBBER)
        || CALL_P (insn)
        || (JUMP_P (insn) && !JUMP_TABLE_DATA_P (insn)))
-      && GET_CODE (PATTERN (NEXT_INSN (PREV_INSN (insn)))) != SEQUENCE
+      && ! sequence_insn_p (insn)
       && get_attr_needs_delay_slot (insn) == NEEDS_DELAY_SLOT_YES)
     return 2;

@@ -9671,7 +9680,7 @@
   if (sh_cpu_attr == CPU_SH2E
       && JUMP_P (insn) && !JUMP_TABLE_DATA_P (insn)
       && get_attr_type (insn) == TYPE_CBRANCH
-      && GET_CODE (PATTERN (NEXT_INSN (PREV_INSN (insn)))) != SEQUENCE)
+      && ! sequence_insn_p (insn))
     return 2;

   /* sh-dsp parallel processing insn take four bytes instead of two.  */
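Review bot: only the two expressions in sh_insn_length_adjustment are converted to sequence_insn_p here, while the covering message notes that sh.c has more places where NEXT_INSN (PREV_INSN (insn)) is used unchecked. Those sites should be switched to the helper in the same patch, or listed as follow-up, so the same crash cannot surface from another caller.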


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: rmansfield at qnx dot com @ 2012-07-08 11:52 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #3 from Ryan Mansfield <rmansfield at qnx dot com> 2012-07-08 11:52:21 UTC ---
Created attachment 27763
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=27763
preprocessed src

Sorry, I had tried to attach it during the bug creation but I didn't notice it
didn't take.


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-08 12:19 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #4 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-08 12:19:09 UTC ---
(In reply to comment #3)
> Created attachment 27763 [details]
> preprocessed src
> 
> Sorry, I had tried to attach it during the bug creation but I didn't notice it
> didn't take.

Thanks.  I could reproduce the problem here.  It seems to happen for
-Os and -m{2a|4*}.

The reason is the subexpression

  PATTERN (NEXT_INSN (PREV_INSN (insn)))

can return nullptr in some cases like this.

The patch below fixes this particular crash, but I'm not sure whether it is
the right thing to do in this case.


Index: gcc/config/sh/sh.c
===================================================================
--- gcc/config/sh/sh.c    (revision 189339)
+++ gcc/config/sh/sh.c    (working copy)
@@ -9652,6 +9652,26 @@
 #define IS_ASM_LOGICAL_LINE_SEPARATOR(C, STR) ((C) == ';')
 #endif

+static bool
+sequence_insn_p (rtx insn)
+{
+  rtx prev,next,pat;
+
+  prev = PREV_INSN (insn);
+  if (prev == NULL)
+    return false;
+
+  next = NEXT_INSN (prev);
+  if (next == NULL)
+    return false;
+
+  pat = PATTERN (next);
+  if (pat == NULL)
+    return false;
+
+  return GET_CODE (pat) == SEQUENCE;
+}
+
 int
 sh_insn_length_adjustment (rtx insn)
 {
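Review bot: the three early "return false" paths in sequence_insn_p are undocumented; add a leading comment stating that the function reports whether the pattern of NEXT_INSN (PREV_INSN (insn)) is a SEQUENCE and that a missing prev, next or pattern is treated as "not a SEQUENCE", ideally naming which of the three is NULL in the reported crash. The declaration "rtx prev,next,pat;" also needs a space after each comma.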
@@ -9662,7 +9682,7 @@
     && GET_CODE (PATTERN (insn)) != CLOBBER)
        || CALL_P (insn)
        || (JUMP_P (insn) && !JUMP_TABLE_DATA_P (insn)))
-      && GET_CODE (PATTERN (NEXT_INSN (PREV_INSN (insn)))) != SEQUENCE
+      && ! sequence_insn_p (insn)
       && get_attr_needs_delay_slot (insn) == NEEDS_DELAY_SLOT_YES)
     return 2;

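Review bot: in the first condition of sh_insn_length_adjustment, a NULL link now makes sequence_insn_p return false, so ! sequence_insn_p (insn) is true and the test goes on to get_attr_needs_delay_slot (insn) and can return 2. Please confirm that adding the 2 bytes is the wanted result for an insn whose neighbours are not linked, rather than only the way to avoid the crash, and say so in a comment at this call.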
@@ -9671,7 +9691,7 @@
   if (sh_cpu_attr == CPU_SH2E
       && JUMP_P (insn) && !JUMP_TABLE_DATA_P (insn)
       && get_attr_type (insn) == TYPE_CBRANCH
-      && GET_CODE (PATTERN (NEXT_INSN (PREV_INSN (insn)))) != SEQUENCE)
+      && ! sequence_insn_p (insn))
     return 2;

   /* sh-dsp parallel processing insn take four bytes instead of two.  */
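Review bot: the patch changes both conditions in sh_insn_length_adjustment but adds no test. The crash reproduces from the preprocessed source in attachment 27763 with -Os, so a reduced version of that file should go into the testsuite together with this change, as asked for in comment #1.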


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-08 12:23 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

Oleg Endo <olegendo at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|sh4-unknown-linux-gnu       |sh*-*-*
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2012-07-08
     Ever Confirmed|0                           |1


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: kkojima at gcc dot gnu.org @ 2012-07-08 13:41 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #5 from Kazumoto Kojima <kkojima at gcc dot gnu.org> 2012-07-08 13:41:09 UTC ---
(In reply to comment #4)
> The patch below fixes this particular crash, but I'm not sure whether it is
> the right thing to do in this case.

Looks fine to me except that the line

>+  rtx prev,next,pat;

requires space after comma.


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-08 13:45 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #6 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-08 13:45:28 UTC ---
(In reply to comment #5)
> (In reply to comment #4)
> > The patch below fixes this particular crash, but I'm not sure whether it is
> > the right thing to do in this case.
> 
> Looks fine to me except that the line
> 
> >+  rtx prev,next,pat;
> 
> requires space after comma.

Ah yeah, sure.  Thanks.
I'll submit the patch after testing then.
Maybe backport it to 4.7, too?


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: kkojima at gcc dot gnu.org @ 2012-07-08 13:59 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #7 from Kazumoto Kojima <kkojima at gcc dot gnu.org> 2012-07-08 13:59:00 UTC ---
(In reply to comment #6)
> Maybe backport it to 4.7, too?

If it's a regression also on 4.7.  The test case doesn't fail with 4.7.1
on my environment, though.


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-09 22:39 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #8 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-09 22:39:29 UTC ---
Author: olegendo
Date: Mon Jul  9 22:39:25 2012
New Revision: 189394

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=189394
Log:
    PR target/53886
    * config/sh/sh.c (sequence_insn_p): New function.
    (find_barrier, sh_insn_length_adjustment): Use it.


Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/config/sh/sh.c


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-10 22:08 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

--- Comment #9 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-10 22:07:36 UTC ---
Author: olegendo
Date: Tue Jul 10 22:07:29 2012
New Revision: 189417

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=189417
Log:
    PR target/53886
    * gcc.c-torture/compile/pr53886.c: New.


Added:
    trunk/gcc/testsuite/gcc.c-torture/compile/pr53886.c
Modified:
    trunk/gcc/testsuite/ChangeLog


* [Bug target/53886] Seg fault in sh_insn_length_adjustment
From: olegendo at gcc dot gnu.org @ 2012-07-10 22:12 UTC (permalink / raw)
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=53886

Oleg Endo <olegendo at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #10 from Oleg Endo <olegendo at gcc dot gnu.org> 2012-07-10 22:12:08 UTC ---
Should be OK now.

