public inbox for gcc-bugs@sourceware.org
* [Bug middle-end/56525] New: [4.8 Regression] Access to ggc_freed memory in flow_loops_find
@ 2013-03-04 17:51 jakub at gcc dot gnu.org
  2013-03-05 10:23 ` [Bug middle-end/56525] " rguenth at gcc dot gnu.org
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: jakub at gcc dot gnu.org @ 2013-03-04 17:51 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56525

             Bug #: 56525
           Summary: [4.8 Regression] Access to ggc_freed memory in
                    flow_loops_find
    Classification: Unclassified
           Product: gcc
           Version: 4.8.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: jakub@gcc.gnu.org


valgrind --track-origins=yes --leak-check=full --db-attach=yes ./cc1 /usr/src/gcc/gcc/testsuite/gcc.dg/torture/pr54458.c -O3 -fomit-frame-pointer -o /tmp/x.s

fails with:
==2723== Invalid read of size 8
==2723==    at 0x670584: flow_loops_find(loops*) (cfgloop.c:445)
==2723==    by 0x8EC17E: fix_loop_structure(bitmap_head_def*) (loop-init.c:242)
==2723==    by 0xAA5F93: repair_loop_structures() (tree-cfgcleanup.c:716)
==2723==    by 0xAA602F: cleanup_tree_cfg() (tree-cfgcleanup.c:746)
==2723==    by 0x977221: execute_function_todo(void*) (passes.c:1921)
==2723==    by 0x97669A: do_per_function(void (*)(void*), void*) (passes.c:1701)
==2723==    by 0x977476: execute_todo(unsigned int) (passes.c:1996)
==2723==    by 0x977E86: execute_one_pass(opt_pass*) (passes.c:2344)
==2723==    by 0x977FEB: execute_pass_list(opt_pass*) (passes.c:2378)
==2723==    by 0x97801C: execute_pass_list(opt_pass*) (passes.c:2379)
==2723==    by 0x97801C: execute_pass_list(opt_pass*) (passes.c:2379)
==2723==    by 0x696413: expand_function(cgraph_node*) (cgraphunit.c:1640)
==2723==  Address 0xb46b6f0 is not stack'd, malloc'd or (recently) free'd

This happens after the unswitching pass, where a loop is first ggc_freed:
#1  0x00000000005fa4c8 in ggc_free (p=0x7ffff19896e8) at ../../gcc/ggc-page.c:1544
#2  0x000000000066fe08 in flow_loop_free (loop=0x7ffff19896e8) at ../../gcc/cfgloop.c:195
#3  0x00000000006721ca in delete_loop (loop=0x7ffff19896e8) at ../../gcc/cfgloop.c:1277
#4  0x00000000008ec13c in fix_loop_structure (changed_bbs=0x19162d0) at ../../gcc/loop-init.c:234
#5  0x0000000000aa5f94 in repair_loop_structures () at ../../gcc/tree-cfgcleanup.c:716
#6  0x0000000000aa6030 in cleanup_tree_cfg () at ../../gcc/tree-cfgcleanup.c:746

and then used in flow_loops_find:
443  /* The current active loop tree has valid loop-fathers for
444     header blocks.  */
445  if (!from_scratch
446      && header->loop_father->header == header)

When not under valgrind, header->loop_father->header will typically be
0xafafafafafafafaf, so it won't match and show that it indeed does something
wrong.


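A self-contained C model of the ordering problem in the report above and of the two-stage removal the later ChangeLog entry describes. It is added here and is not GCC's code: the structs, the function names, and the 0xaf poison stand-in for ggc_free are assumptions, and the freed storage is deliberately kept alive so the stale read is observable rather than undefined behaviour.

```c
#include <string.h>
/* Toy model (not GCC's code) of the structures in the report: a basic block
   records its enclosing loop, a loop records its header block.  */
struct loop;
struct bb   { struct loop *loop_father; };
struct loop { struct bb *header; int dead; };
/* Stand-in for ggc_free: GGC poisons freed objects with 0xaf (hence the
   0xafafafafafafafaf in the report); storage is kept so the read stays defined.  */
static void ggc_free_model(struct loop *l) { memset(l, 0xaf, sizeof *l); }

/* The cfgloop.c:445 walk, instrumented: count blocks whose loop_father now
   holds poison, i.e. the invalid reads valgrind flagged.  */
static int flow_loops_find_model(struct bb *bbs, int n)
{
  unsigned char poison[sizeof(struct bb *)];
  int i, stale = 0;
  memset(poison, 0xaf, sizeof poison);
  for (i = 0; i < n; i++)
    if (bbs[i].loop_father
        && !memcmp(&bbs[i].loop_father->header, poison, sizeof poison))
      stale++;
  return stale;
}

/* two_stage == 0: the reported ordering, delete_loop frees the dead loops and
   flow_loops_find then reads them through header->loop_father.
   two_stage == 1: modelled on the ChangeLog, unlink dead loops from their
   blocks first, run the walk, and free only at the very end.  */
static int fix_model(struct bb *bbs, int nb, struct loop *loops, int nl, int two_stage)
{
  int i, stale;
  for (i = 0; two_stage && i < nb; i++)
    if (bbs[i].loop_father && bbs[i].loop_father->dead) bbs[i].loop_father = NULL;
  if (!two_stage)
    for (i = 0; i < nl; i++) if (loops[i].dead) ggc_free_model(&loops[i]);
  stale = flow_loops_find_model(bbs, nb);
  if (two_stage)
    for (i = 0; i < nl; i++) if (loops[i].dead) ggc_free_model(&loops[i]);
  return stale;
}

/* Constructed sample: two loops, the second being deleted.  Returns the count
   of reads of freed loop objects: 1 for the old order, 0 for the fixed one.  */
int run_model(int two_stage)
{
  struct bb bbs[3];
  struct loop loops[2] = { { &bbs[0], 0 }, { &bbs[1], 1 } };
  bbs[0].loop_father = &loops[0]; bbs[1].loop_father = &loops[1]; bbs[2].loop_father = &loops[0];
  return fix_model(bbs, 3, loops, 2, two_stage);
}
```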

* [Bug middle-end/56525] [4.8 Regression] Access to ggc_freed memory in flow_loops_find
  2013-03-04 17:51 [Bug middle-end/56525] New: [4.8 Regression] Access to ggc_freed memory in flow_loops_find jakub at gcc dot gnu.org
@ 2013-03-05 10:23 ` rguenth at gcc dot gnu.org
  2013-03-05 12:52 ` rguenth at gcc dot gnu.org
  2013-03-05 12:53 ` rguenth at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: rguenth at gcc dot gnu.org @ 2013-03-05 10:23 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56525

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2013-03-05
         AssignedTo|unassigned at gcc dot       |rguenth at gcc dot gnu.org
                   |gnu.org                     |
   Target Milestone|---                         |4.8.0
     Ever Confirmed|0                           |1

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> 2013-03-05 10:23:38 UTC ---
Mine.



* [Bug middle-end/56525] [4.8 Regression] Access to ggc_freed memory in flow_loops_find
  2013-03-04 17:51 [Bug middle-end/56525] New: [4.8 Regression] Access to ggc_freed memory in flow_loops_find jakub at gcc dot gnu.org
  2013-03-05 10:23 ` [Bug middle-end/56525] " rguenth at gcc dot gnu.org
@ 2013-03-05 12:52 ` rguenth at gcc dot gnu.org
  2013-03-05 12:53 ` rguenth at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: rguenth at gcc dot gnu.org @ 2013-03-05 12:52 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56525

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> 2013-03-05 12:51:35 UTC ---
Author: rguenth
Date: Tue Mar  5 12:51:28 2013
New Revision: 196462

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=196462
Log:
2013-03-05  Richard Biener  <rguenther@suse.de>

    PR middle-end/56525
    * loop-init.c (fix_loop_structure): Remove loops in two stages,
    not freeing them until the end.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/loop-init.c



* [Bug middle-end/56525] [4.8 Regression] Access to ggc_freed memory in flow_loops_find
  2013-03-04 17:51 [Bug middle-end/56525] New: [4.8 Regression] Access to ggc_freed memory in flow_loops_find jakub at gcc dot gnu.org
  2013-03-05 10:23 ` [Bug middle-end/56525] " rguenth at gcc dot gnu.org
  2013-03-05 12:52 ` rguenth at gcc dot gnu.org
@ 2013-03-05 12:53 ` rguenth at gcc dot gnu.org
  2 siblings, 0 replies; 4+ messages in thread
From: rguenth at gcc dot gnu.org @ 2013-03-05 12:53 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56525

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #3 from Richard Biener <rguenth at gcc dot gnu.org> 2013-03-05 12:52:41 UTC ---
Fixed.


