From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gcc-bugs-return-411626-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Received: (qmail 29390 invoked by alias); 9 Jan 2013 09:32:28 -0000
Received: (qmail 29171 invoked by uid 48); 9 Jan 2013 09:31:46 -0000
From: "rguenth at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug bootstrap/55792] [4.8 Regression] Bad memory access with profiledbootstrap and LTO
Date: Wed, 09 Jan 2013 09:32:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: bootstrap
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: rguenth at gcc dot gnu.org
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P1
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 4.8.0
X-Bugzilla-Changed-Fields:
Message-ID: <bug-55792-4-0ASxe8vJPF@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-55792-4@http.gcc.gnu.org/bugzilla/>
References: <bug-55792-4@http.gcc.gnu.org/bugzilla/>
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
Content-Type: text/plain; charset="UTF-8"
MIME-Version: 1.0
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
X-SW-Source: 2013-01/txt/msg00745.txt.bz2


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55792

--- Comment #18 from Richard Biener <rguenth at gcc dot gnu.org> 2013-01-09 09:31:45 UTC ---
(In reply to comment #17)
> gimple_location is duplicated by:
> 
> #1  0x0000000000751f32 in gimple_copy (stmt=0x7fffe8d75a00)
>     at /export/gnu/import/git/gcc/gcc/gimple.c:2205
> #2  0x00000000009c960d in gimple_duplicate_bb (bb=0x7fffe8d768f0)
>     at /export/gnu/import/git/gcc/gcc/tree-cfg.c:5397
> #3  0x00000000005b27a5 in duplicate_block (bb=0x7fffe8d768f0, 
>     e=0x7fffe8d793f0, after=0x7fffe8d76888)
>     at /export/gnu/import/git/gcc/gcc/cfghooks.c:1012
> #4  0x000000000099c511 in tail_duplicate ()
>     at /export/gnu/import/git/gcc/gcc/tracer.c:323
> #5  0x000000000099c765 in tracer ()
>     at /export/gnu/import/git/gcc/gcc/tracer.c:380
> #6  0x00000000008ae0e6 in execute_one_pass (pass=0x16d18a0 <pass_tracer>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2335
> #7  0x00000000008ae2da in execute_pass_list (pass=0x16d18a0 <pass_tracer>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2383
> #8  0x00000000008ae30b in execute_pass_list (
>     pass=0x16d07e0 <pass_all_optimizations>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2384
> #9  0x00000000005da366 in expand_function (node=0x7ffff17536f0)
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1641
> #10 0x00000000005da821 in expand_all_functions ()
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1745
> (gdb) p copy
> $176 = (gimple) 0x7fffe8e0a320
> (gdb) 

The BLOCK of the location is kept live by being referenced by the stmt
copy (what kind is the stmt?  the only stmt not well handled seems to
be CLOBBERs)

> Later, the original location is removed:
> 
> #0  remove_unused_locals ()
>     at /export/gnu/import/git/gcc/gcc/tree-ssa-live.c:793
> #1  0x00000000008ad5cb in execute_function_todo (data=0x8800)
>     at /export/gnu/import/git/gcc/gcc/passes.c:1952
> #2  0x00000000008ac965 in do_per_function (
>     callback=0x8ad4ae <execute_function_todo(void*)>, data=0x8800)
>     at /export/gnu/import/git/gcc/gcc/passes.c:1703
> #3  0x00000000008ad765 in execute_todo (flags=34816)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2001
> #4  0x00000000008ae175 in execute_one_pass (
>     pass=0x16d3220 <pass_cleanup_cfg_post_optimizing>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2349
> #5  0x00000000008ae2da in execute_pass_list (
>     pass=0x16d3220 <pass_cleanup_cfg_post_optimizing>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2383
> #6  0x00000000005da366 in expand_function (node=0x7ffff17536f0)
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1641
> #7  0x00000000005da821 in expand_all_functions ()
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1745
> 
> and freed.

You probably mean BLOCK - it should be still live as referenced from
the stmt, or cleaned from the stmt if it was a debug stmt.

>  Then we copy the freed gimple_location:
> 
> #0  expand_gimple_stmt_1 (stmt=0x7fffe8e0a320)
>     at /export/gnu/import/git/gcc/gcc/cfgexpand.c:2202
> #1  0x00000000005a7786 in expand_gimple_stmt (stmt=0x7fffe8e0a320)
>     at /export/gnu/import/git/gcc/gcc/cfgexpand.c:2305
> #2  0x00000000005ad975 in expand_gimple_basic_block (bb=0x7fffe8d76888, 
>     disable_tail_calls=false)
>     at /export/gnu/import/git/gcc/gcc/cfgexpand.c:4084
> #3  0x00000000005af426 in gimple_expand_cfg ()
>     at /export/gnu/import/git/gcc/gcc/cfgexpand.c:4603
> #4  0x00000000008ae0e6 in execute_one_pass (pass=0x16ce300 <pass_expand>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2335
> #5  0x00000000008ae2da in execute_pass_list (pass=0x16ce300 <pass_expand>)
>     at /export/gnu/import/git/gcc/gcc/passes.c:2383
> #6  0x00000000005da366 in expand_function (node=0x7ffff17536f0)
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1641
> #7  0x00000000005da821 in expand_all_functions ()
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:1745
> #8  0x00000000005db2ab in compile ()
>     at /export/gnu/import/git/gcc/gcc/cgraphunit.c:2043
> #9  0x000000000053c60a in lto_main ()
>     at /export/gnu/import/git/gcc/gcc/lto/lto.c:3390
> #10 0x0000000000999401 in compile_file ()
>     at /export/gnu/import/git/gcc/gcc/toplev.c:545