public inbox for gcc-bugs@sourceware.org
* [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
@ 2013-04-08 16:48 devspam at moreofthesa dot me.uk
  2013-04-09 13:57 ` [Bug other/56881] " devspam at moreofthesa dot me.uk
                   ` (7 more replies)
  0 siblings, 8 replies; 9+ messages in thread
From: devspam at moreofthesa dot me.uk @ 2013-04-08 16:48 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

             Bug #: 56881
           Summary: Miscompilation (optimisation failure?) causing NULL
                    dereference and segfault at runtime
    Classification: Unclassified
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: other
        AssignedTo: unassigned@gcc.gnu.org
        ReportedBy: devspam@moreofthesa.me.uk


Created attachment 29828
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=29828
Source which triggers the problem at -O2

We (Unvanquished devs) have found what looks like an optimisation bug in gcc
4.8.0. The ‘offending’ code is this (lines 60 to 62 of
src/tools/lcc/cpp/hideset.c):

  hs1 = (Hideset)domalloc(len*sizeof(Hideset));
  memmove(hs1, nhs, len*sizeof(Hideset));
  hidesets[nhidesets] = hs1;

The allocation succeeds (domalloc is a malloc wrapper), the memmove is fine,
but hs1 somehow becomes NULL. So next time this function is called, there's a
NULL pointer which gets dereferenced a few lines above.

Putting a function call in between the first two lines above works around the
problem, as does swapping the latter two lines (as is done in
https://github.com/Unvanquished/Unvanquished/commit/9157ac0d3668fc059ce001620bbfa45ccf66c8df).

Pre-processed source is attached. I'm able to cause the problem with -Os, -O2
or -O3 but not -O0 or -O; I can try enabling or disabling specific
optimisations.

I'm using stock gcc-4.8 4.8.0-2 (Debian experimental), but another of us, an
Arch user, is using core/gcc 4.8.0-1 (base-devel) and is seeing the same
problem (which is why I'm reporting it here rather than in the Debian BTS).

Architecture is amd64 in both cases.

* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
@ 2013-04-09 13:57 ` devspam at moreofthesa dot me.uk
  2013-04-09 14:45 ` mikpe at it dot uu.se
                   ` (6 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: devspam at moreofthesa dot me.uk @ 2013-04-09 13:57 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

devspam at moreofthesa dot me.uk changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Target|                            |amd64
      Known to work|                            |4.7.2
               Host|                            |amd64
            Version|unknown                     |4.8.0
      Known to fail|                            |4.8.0

--- Comment #2 from devspam at moreofthesa dot me.uk 2013-04-09 13:57:08 UTC ---
(In reply to comment #1)
> IMHO, if domalloc() does return NULL for some cases,
> having NULL-checking statement before/inside memmove is required.

It doesn't return NULL – if malloc() returns null, domalloc() will report that
and exit. But even if it did, that doesn't explain the problem occurring only
at some optimisation levels.

Anyway. I've done some more testing. The problem is (or is related to)
-fcaller-saves: -O2 and -Os both trigger the problem, but add -fno-caller-saves
and all is well.

* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
  2013-04-09 13:57 ` [Bug other/56881] " devspam at moreofthesa dot me.uk
@ 2013-04-09 14:45 ` mikpe at it dot uu.se
  2013-04-10 14:49 ` devspam at moreofthesa dot me.uk
                   ` (5 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: mikpe at it dot uu.se @ 2013-04-09 14:45 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

--- Comment #3 from Mikael Pettersson <mikpe at it dot uu.se> 2013-04-09 14:45:33 UTC ---
The test case is incomplete, as it lacks both main() and domalloc().  Please
add those (in a separate file if you like) so that the test case can be
compiled to an executable, and the presence or absence of a runtime failure can
be observed.



* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
  2013-04-09 13:57 ` [Bug other/56881] " devspam at moreofthesa dot me.uk
  2013-04-09 14:45 ` mikpe at it dot uu.se
@ 2013-04-10 14:49 ` devspam at moreofthesa dot me.uk
  2013-04-10 15:02 ` devspam at moreofthesa dot me.uk
                   ` (4 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: devspam at moreofthesa dot me.uk @ 2013-04-10 14:49 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

--- Comment #4 from devspam at moreofthesa dot me.uk 2013-04-10 14:49:24 UTC ---
Created attachment 29850
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=29850
Full source of the problem program, both in original form and fully
pre-processed



* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
                   ` (2 preceding siblings ...)
  2013-04-10 14:49 ` devspam at moreofthesa dot me.uk
@ 2013-04-10 15:02 ` devspam at moreofthesa dot me.uk
  2013-04-13 17:53 ` mikpe at it dot uu.se
                   ` (3 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: devspam at moreofthesa dot me.uk @ 2013-04-10 15:02 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

--- Comment #5 from devspam at moreofthesa dot me.uk 2013-04-10 15:02:54 UTC ---
The tarball which I've attached also provides its own test case – compile it
then pass it one of its own source files. It'll either segfault or not
depending on compile-time optimisation settings.

* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
                   ` (3 preceding siblings ...)
  2013-04-10 15:02 ` devspam at moreofthesa dot me.uk
@ 2013-04-13 17:53 ` mikpe at it dot uu.se
  2013-04-13 20:39 ` mikpe at it dot uu.se
                   ` (2 subsequent siblings)
  7 siblings, 0 replies; 9+ messages in thread
From: mikpe at it dot uu.se @ 2013-04-13 17:53 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

Mikael Pettersson <mikpe at it dot uu.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mikpe at it dot uu.se

--- Comment #6 from Mikael Pettersson <mikpe at it dot uu.se> 2013-04-13 17:53:30 UTC ---
Thanks for the complete test case.  I can reproduce the apparent wrong-code
(runtime SEGV) on x86_64-linux w/ glibc-2.15 with gcc 4.9-20130407 and
4.8-20130411, but not with 4.7-20130406 or 4.6-20130405.



* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
                   ` (4 preceding siblings ...)
  2013-04-13 17:53 ` mikpe at it dot uu.se
@ 2013-04-13 20:39 ` mikpe at it dot uu.se
  2013-04-14  8:56 ` mikpe at it dot uu.se
  2013-04-14 15:24 ` steven at gcc dot gnu.org
  7 siblings, 0 replies; 9+ messages in thread
From: mikpe at it dot uu.se @ 2013-04-13 20:39 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

--- Comment #7 from Mikael Pettersson <mikpe at it dot uu.se> 2013-04-13 20:39:03 UTC ---
Started with Bernd Schmidt's "Optimize calls to functions that return one of
their arguments" patch in http://gcc.gnu.org/r187459, originally proposed in
<http://gcc.gnu.org/ml/gcc-patches/2012-04/msg01817.html>.



* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
                   ` (5 preceding siblings ...)
  2013-04-13 20:39 ` mikpe at it dot uu.se
@ 2013-04-14  8:56 ` mikpe at it dot uu.se
  2013-04-14 15:24 ` steven at gcc dot gnu.org
  7 siblings, 0 replies; 9+ messages in thread
From: mikpe at it dot uu.se @ 2013-04-14  8:56 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

Mikael Pettersson <mikpe at it dot uu.se> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|mikpe at it dot uu.se       |

--- Comment #8 from Mikael Pettersson <mikpe at it dot uu.se> 2013-04-14 08:56:47 UTC ---
The error is in the test case.  It overrides the libc memmove() with its own
implementation, but that implementation fails to follow the specification.  In
particular, it returns NULL rather than memmove()'s first parameter.

GCC now optimizes based on this aspect of the specification, so things go wrong
at runtime.

Correcting the test case as follows allows it to work with gcc 4.8 and 4.9:

--- unix.c.~1~  2013-03-06 23:17:26.000000000 +0100
+++ unix.c      2013-04-14 10:45:24.651407693 +0200
@@ -110,7 +110,7 @@ memmove(void *dp, const void *sp, size_t
        unsigned char *cdp, *csp;

        if (n<=0)
-               return 0;
+               return dp;
        cdp = dp;
        csp = (unsigned char *)sp;
        if (cdp < csp) {
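Review bot: returning `dp` instead of `0` on the early-exit path is the right fix, since the C standard specifies that memmove returns its first argument and GCC's optimisation relies on exactly that; as a style point, `n<=0` on a `size_t` can only ever be true for `n == 0`, so `if (n == 0)` states the intent more plainly.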
@@ -124,6 +124,6 @@ memmove(void *dp, const void *sp, size_t
                        *--cdp = *--csp;
                } while (--n);
        }
-       return 0;
+       return dp;
 }
 #endif
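Review bot: with this second `return dp;` every exit path now honours the contract, but note that the visible backward-copy loop `*--cdp = *--csp; } while (--n);` assumes `n != 0` on entry, which only holds because of the early return in the first hunk; the two hunks must be applied together, and the `#endif` shows this replacement is compiled conditionally, so the return-value defect is invisible on builds that use libc's memmove.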

Not a bug in GCC.  Please close as INVALID.


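As an added illustration of comment #8 (not code from the bug report or the lcc sources): a memmove replacement that keeps the C standard's return-value contract on every path, beside a checker that flags a memmove-like function whose bytes are right but whose return value is not its first argument. The names my_memmove, broken_memmove and returns_dest are assumptions; broken_memmove only mirrors the defect described in the thread so the checker has something to catch.

```c
#include <stddef.h>
#include <string.h>

typedef void *(*move_fn)(void *, const void *, size_t);

/* Replacement memmove written to the C standard's contract: every path,
 * including n == 0, returns dp. Named my_memmove so it does not shadow the
 * libc memmove that GCC reasons about as a builtin. */
void *my_memmove(void *dp, const void *sp, size_t n)
{
    unsigned char *cdp = dp;
    const unsigned char *csp = sp;

    if (n == 0)
        return dp;               /* the original test case returned 0 here */
    if (cdp < csp) {
        do {
            *cdp++ = *csp++;     /* forward copy when dst is below src */
        } while (--n);
    } else {
        cdp += n;
        csp += n;
        do {
            *--cdp = *--csp;     /* backward copy when dst overlaps src from above */
        } while (--n);
    }
    return dp;                   /* and 0 here, which GCC 4.8 then used as hs1 */
}

/* The defective shape from comment #8, kept only so the checker below can
 * demonstrate catching it: the bytes are moved correctly, but the return
 * value is 0 instead of dp. */
void *broken_memmove(void *dp, const void *sp, size_t n)
{
    if (n == 0)
        return 0;
    memmove(dp, sp, n);
    return 0;
}

/* Contract check for any memmove-like function: bytes must be right for
 * overlapping copies in both directions, and the return value must equal
 * dp for non-empty and zero-length copies. Returns 1 if the contract holds. */
int returns_dest(move_fn mv)
{
    unsigned char buf[8] = {0, 1, 2, 3, 4, 5, 6, 7};   /* constructed input */
    static const unsigned char want1[8] = {0, 1, 0, 1, 2, 3, 6, 7};
    static const unsigned char want2[8] = {2, 3, 6, 7, 2, 3, 6, 7};

    if (mv(buf + 2, buf, 4) != buf + 2) return 0;      /* dst > src: backward */
    if (memcmp(buf, want1, sizeof buf) != 0) return 0;
    if (mv(buf, buf + 4, 4) != buf) return 0;          /* dst < src: forward */
    if (memcmp(buf, want2, sizeof buf) != 0) return 0;
    if (mv(buf, buf + 1, 0) != buf) return 0;          /* the n == 0 path */
    return 1;
}
```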

* [Bug other/56881] Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime
  2013-04-08 16:48 [Bug other/56881] New: Miscompilation (optimisation failure?) causing NULL dereference and segfault at runtime devspam at moreofthesa dot me.uk
                   ` (6 preceding siblings ...)
  2013-04-14  8:56 ` mikpe at it dot uu.se
@ 2013-04-14 15:24 ` steven at gcc dot gnu.org
  7 siblings, 0 replies; 9+ messages in thread
From: steven at gcc dot gnu.org @ 2013-04-14 15:24 UTC (permalink / raw)
  To: gcc-bugs


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=56881

Steven Bosscher <steven at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|                            |INVALID

--- Comment #10 from Steven Bosscher <steven at gcc dot gnu.org> 2013-04-14 15:24:28 UTC ---
Not a gcc bug.

