[Bug c++/59255] New: Segmentation fault with std::function and -fprofile-use

[Bug c++/59255] New: Segmentation fault with std::function and -fprofile-use

[stepik-777 at mail dot ru]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

            Bug ID: 59255
           Summary: Segmentation fault with std::function and
                    -fprofile-use
           Product: gcc
           Version: 4.8.2
            Status: UNCONFIRMED
          Severity: critical
          Priority: P3
         Component: c++
          Assignee: unassigned at gcc dot gnu.org
          Reporter: stepik-777 at mail dot ru

Consider the following simple program:
#include <functional>

int main(int argc, char *argv[])
{
    std::function<int ()> f = []{ return 0; };
    return 0;
}

I'm compiling it with these commands:
g++ -std=c++11 -fprofile-generate -c test.cpp -o test.o
g++ -std=c++11 -fprofile-generate -o test test.o
./test # execute to generate profiling data
g++ -std=c++11 -fprofile-use -c test.cpp -o test.o
#g++ -std=c++11 -fprofile-use -o test test.o

This causes segfault when compiling with -fprofile-use:
test.cpp: In destructor 'std::_Function_base::~_Function_base()':
test.cpp:7:1: internal compiler error: Segmentation fault
 }
 ^

Tested with these two gcc versions:
g++ (Ubuntu/Linaro 4.8.1-10ubuntu8) 4.8.1
g++.exe (rev0, Built by MinGW-W64 project) 4.8.2

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2013-11-25
      Known to work|                            |4.7.3
   Target Milestone|---                         |4.8.3
            Summary|Segmentation fault with     |[4.8/4.9 Regression]
                   |std::function and           |Segmentation fault with
                   |-fprofile-use               |std::function and
                   |                            |-fprofile-use
     Ever confirmed|0                           |1

--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Confirmed.

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[mark at jarv dot in]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

--- Comment #2 from mark at jarv dot in ---
This is my first time trying to debug GCC, so please forgive me if this is
obvious or unhelpful.

I traced this in GDB and it seems that the segfault is because the
FOR_EACH_EDGE loop at value-prof.c:1281 runs off the end of the icall_bb->succs
vector without identifying an edge with the EDGE_EH flag set.  I'm just
guessing, but I think this means the icall_bb basic block has no edge to an
exception handler.  The code is expecting such an edge to exist so that it can
be used by the direct call as well.

Any suggestions on how to determine why the icall_bb has no exception handler
successor?  It also could throw, so it seems reasonable to expect that it would
have an edge to an exception handler.


Breakpoint 5, gimple_ic (icall_stmt=0x2aaaaf56f7b8, direct_call=0x2aaaaf4bcb90,
prob=10000, count=1, all=1) at ../../gcc-4.8.2/gcc/value-prof.c:1280
1280          add_stmt_to_eh_lp (dcall_stmt, lp_nr);
(gdb) n
1281          FOR_EACH_EDGE (e_eh, ei, icall_bb->succs)
(gdb) call debug_gimple_stmt(dcall_stmt)
std::_Function_base::_Base_manager<main(int, char**)::__lambda0>::_M_manager
(_5, _4, 3);

(gdb) p *icall_bb->succs
$4 = {
  vecpfx_ = {
    alloc_ = 4,
    num_ = 1
  },
  vecdata_ = {0x2aaaaf588380}
}
(gdb) n
1282            if (e_eh->flags & EDGE_EH)
(gdb) p e_eh->flags
$5 = 1
(gdb) n
1281          FOR_EACH_EDGE (e_eh, ei, icall_bb->succs)
(gdb) n
1284          e = make_edge (dcall_bb, e_eh->dest, EDGE_EH);
(gdb) p e_eh
$6 = (edge) 0x0
(gdb) p stmt_could_throw_p(dcall_stmt)
$7 = true
(gdb) p stmt_could_throw_p(icall_stmt)
$8 = true
(gdb)

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[mark at jarv dot in]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

--- Comment #3 from mark at jarv dot in ---
I notice that lookup_stmt_eh_lp(icall_stmt) at value-prof.c:1272 returns -1.

Elsewhere in the code (tree-eh.c:2208), I see "lp_nr <= 0" as a guard against
further EH processing.

At gimple-pretty-print.c:1881, I see that a negative lp_nr is pretty-printed as
("[MNT %d]", -lp_nr).  Further searching around suggests that "MNT" might mean
"must not throw".

Notably, we're in a destructor in C++11 here, and I guess C++11 destructors are
more often noexcept than in C++98.  From
http://stackoverflow.com/q/15721544/228142:

'12.4/3: "A declaration of a destructor that does not have an
exception-specification is implicitly considered to have the same
exception-specification as an implicit declaration (15.4)." i.e. a destructor
is only noexcept(true) if all the members and bases have a noexcept
destructor.'

Could the correct fix be as simple as:

--- value-prof.c.orig    2013-12-12 10:09:23.148929000 -0500
+++ value-prof.c    2013-12-12 10:57:33.329980000 -0500
@@ -1270,7 +1270,7 @@ gimple_ic (gimple icall_stmt, struct cgr

   /* Build an EH edge for the direct call if necessary.  */
   lp_nr = lookup_stmt_eh_lp (icall_stmt);
-  if (lp_nr != 0
+  if (lp_nr > 0
       && stmt_could_throw_p (dcall_stmt))
     {
       edge e_eh, e;

This certainly removes the ICE, but I don't know that I can vouch for its
safety from the perspective of preserving correctness.

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[mark at jarv dot in]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

--- Comment #4 from Mark Jarvin <mark at jarv dot in> ---
I think the other relevant text from the C++11 standard is available here:
http://stackoverflow.com/q/13041715/228142

"An implicitly declared special member function (Clause 12) shall have an
exception-specification. If f is an implicitly declared default constructor,
copy constructor, move constructor, destructor, copy assignment operator, or
move assignment operator, its implicit exception-specification specifies the
type-id T if and only if T is allowed by the exception-specification of a
function directly invoked by f’s implicit definition; f shall allow all
exceptions if any function it directly invokes allows all exceptions, and f
shall allow no exceptions if every function it directly invokes allows no
exceptions."

I guess I'm trying to build the case that it makes sense that icall_bb has no
EH successor because it's a must-not-throw block, and it's a must-not-throw
block in this specific case because it's a destructor with -std=c++11 and its
members are (I'm guessing) all must-not-throw.

The bug amounts to the code not correctly handling must-not-throw statements.

If you buy that argument, I think there might be other places in GCC that
aren't handling it either.  For example, cfgexpand.c:2313 simply checks that
lp_nr != 0.  Likewise cgraph.c:1084, tree-cfg.c:4709, tree-eh.c:3029, maybe
others.
>From gcc-bugs-return-437419-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Thu Dec 12 16:49:59 2013
Return-Path: <gcc-bugs-return-437419-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 15288 invoked by alias); 12 Dec 2013 16:49:59 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 15227 invoked by uid 48); 12 Dec 2013 16:49:55 -0000
From: "mark at jarv dot in" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use
Date: Thu, 12 Dec 2013 16:49:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: c++
X-Bugzilla-Version: 4.8.2
X-Bugzilla-Keywords:
X-Bugzilla-Severity: critical
X-Bugzilla-Who: mark at jarv dot in
X-Bugzilla-Status: NEW
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 4.8.3
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID: <bug-59255-4-eJ8dN3ivxm@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-59255-4@http.gcc.gnu.org/bugzilla/>
References: <bug-59255-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2013-12/txt/msg01074.txt.bz2
Content-length: 348

http://gcc.gnu.org/bugzilla/show_bug.cgi?idY255

--- Comment #5 from Mark Jarvin <mark at jarv dot in> ---
Hmm... seems like it's already fixed in the trunk:
http://gcc.gnu.org/viewcvs/gcc?view=revision&revision 1859

It doesn't seem to have been ported to 4.8.
http://gcc.gnu.org/viewcvs/gcc/branches/gcc-4_8-branch/gcc/value-prof.c?view=log

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P2

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Author: jakub
Date: Fri Dec 20 16:32:21 2013
New Revision: 206152

URL: http://gcc.gnu.org/viewcvs?rev=206152&root=gcc&view=rev
Log:
    PR c++/59255
    * g++.dg/tree-prof/pr59255.C: New test.

Added:
    trunk/gcc/testsuite/g++.dg/tree-prof/pr59255.C
Modified:
    trunk/gcc/testsuite/ChangeLog

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Author: jakub
Date: Fri Dec 20 16:34:21 2013
New Revision: 206153

URL: http://gcc.gnu.org/viewcvs?rev=206153&root=gcc&view=rev
Log:
    PR c++/59255
    Backported from mainline
    2013-08-19  Dehao Chen  <dehao@google.com>

    * value-prof.c (gimple_ic): Fix the bug of adding EH edge.

    * g++.dg/tree-prof/pr59255.C: New test.

Added:
    branches/gcc-4_8-branch/gcc/testsuite/g++.dg/tree-prof/pr59255.C
Modified:
    branches/gcc-4_8-branch/gcc/ChangeLog
    branches/gcc-4_8-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_8-branch/gcc/value-prof.c

[Bug c++/59255] [4.8/4.9 Regression] Segmentation fault with std::function and -fprofile-use

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59255

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
                 CC|                            |jakub at gcc dot gnu.org
         Resolution|---                         |FIXED

--- Comment #8 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.