[Bug c/59362] New: Abort in fini_object_sizes

[Bug c/59362] New: Abort in fini_object_sizes

[dcb314 at hotmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

            Bug ID: 59362
           Summary: Abort in fini_object_sizes
           Product: gcc
           Version: 4.9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: dcb314 at hotmail dot com

Created attachment 31344
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=31344&action=edit
C source code

I just tried to compile the attached source code
with trunk of 20131130 and it said

lens.c:1063:7: internal compiler error: Aborted
0xa8ed5f crash_signal
    ../../src/trunk/gcc/toplev.c:336
0xb18fe4 fini_object_sizes
    ../../src/trunk/gcc/tree-object-size.c:1200
0xb18fe4 compute_object_sizes
    ../../src/trunk/gcc/tree-object-size.c:1279
0xb18fe4 execute
    ../../src/trunk/gcc/tree-object-size.c:1309
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

Preprocessed source code attached. Flags -O2 -std=gnu99 required.
~

[Bug c/59362] Abort in fini_object_sizes

[octoploid at yandex dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

--- Comment #2 from Markus Trippelsdorf <octoploid at yandex dot com> ---
Reduced:

markus@x4 tmp % cat test.i
char *a;
long int b;
void enc_format() {
  b = __builtin_object_size(0, 0);
  a = __builtin___stpcpy_chk(0, "", b);
  b = __builtin_object_size(a, 0);
}

markus@x4 tmp % gcc -c -O2 test.i
*** Error in `/usr/libexec/gcc/x86_64-pc-linux-gnu/4.9.0/cc1': free(): invalid
next size (fast): 0x00000000029aaab0 ***
======= Backtrace: =========
...

[Bug tree-optimization/59362] [4.9 Regression] Abort in fini_object_sizes

[hjl.tools at gmail dot com]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2013-12-01
                 CC|                            |rguenther at suse dot de
   Target Milestone|---                         |4.9.0
            Summary|Abort in fini_object_sizes  |[4.9 Regression] Abort in
                   |                            |fini_object_sizes
     Ever confirmed|0                           |1

--- Comment #3 from H.J. Lu <hjl.tools at gmail dot com> ---
It is caused by r204966.

[Bug tree-optimization/59362] [4.9 Regression] Abort in fini_object_sizes

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |jakub at gcc dot gnu.org

--- Comment #4 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 31345
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=31345&action=edit
gcc49-pr59362.patch

The problem is that the new stmt folding in the objsz pass can create new
SSA_NAMEs and the code wasn't prepared for that.

[Bug tree-optimization/59362] [4.9 Regression] Abort in fini_object_sizes

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1
             Blocks|                            |59125, 54570

[Bug tree-optimization/59362] [4.9 Regression] Abort in fini_object_sizes

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.

[Bug tree-optimization/59362] [4.9 Regression] Abort in fini_object_sizes

[jakub at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Author: jakub
Date: Tue Dec  3 07:48:58 2013
New Revision: 205623

URL: http://gcc.gnu.org/viewcvs?rev=205623&root=gcc&view=rev
Log:
    PR tree-optimization/59362
    * tree-object-size.c (object_sizes): Change into array of
    vec<unsigned HOST_WIDE_INT>.
    (compute_builtin_object_size): Check computed bitmap for
    non-NULL instead of object_sizes.  Call safe_grow on object_sizes
    vector if new SSA_NAMEs appeared.
    (init_object_sizes): Check computed bitmap for non-NULL.
    Call safe_grow on object_sizes elements instead of initializing
    it with XNEWVEC.
    (fini_object_sizes): Call release on object_sizes elements, don't
    set it to NULL.

    * gcc.c-torture/compile/pr59362.c: New test.

Added:
    trunk/gcc/testsuite/gcc.c-torture/compile/pr59362.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/tree-object-size.c

[Bug tree-optimization/59362] [4.9 Regression] Abort in fini_object_sizes

[rguenth at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59362

--- Comment #7 from Richard Biener <rguenth at gcc dot gnu.org> ---
Author: rguenth
Date: Thu Jan  9 15:25:34 2014
New Revision: 206467

URL: http://gcc.gnu.org/viewcvs?rev=206467&root=gcc&view=rev
Log:
2014-01-09  Richard Biener  <rguenther@suse.de>

    Backport from mainline
    2013-11-18  Richard Biener  <rguenther@suse.de>

    PR tree-optimization/59125
    PR tree-optimization/54570
    * tree-ssa-sccvn.c (copy_reference_ops_from_ref): When inlining
    is not complete do not treat component-references with offset zero
    but different fields as equal.
    * tree-object-size.c: Include tree-phinodes.h and ssa-iterators.h.
    (compute_object_sizes): Apply TLC.  Propagate the constant
    results into all uses and fold their stmts.
    * passes.def (pass_all_optimizations): Move pass_object_sizes
    after the first pass_forwprop and before pass_fre.

    * gcc.dg/builtin-object-size-8.c: Un-xfail.
    * gcc.dg/builtin-object-size-14.c: New testcase.
    * gcc.dg/strlenopt-14gf.c: Adjust.
    * gcc.dg/strlenopt-1f.c: Likewise.
    * gcc.dg/strlenopt-4gf.c: Likewise.

    2013-12-03  Jakub Jelinek  <jakub@redhat.com>

    PR tree-optimization/59362
    * tree-object-size.c (object_sizes): Change into array of
    vec<unsigned HOST_WIDE_INT>.
    (compute_builtin_object_size): Check computed bitmap for
    non-NULL instead of object_sizes.  Call safe_grow on object_sizes
    vector if new SSA_NAMEs appeared.
    (init_object_sizes): Check computed bitmap for non-NULL.
    Call safe_grow on object_sizes elements instead of initializing
    it with XNEWVEC.
    (fini_object_sizes): Call release on object_sizes elements, don't
    set it to NULL.

    * gcc.c-torture/compile/pr59362.c: New test.

Added:
    branches/gcc-4_8-branch/gcc/testsuite/gcc.c-torture/compile/pr59362.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/builtin-object-size-14.c
Modified:
    branches/gcc-4_8-branch/gcc/ChangeLog
    branches/gcc-4_8-branch/gcc/passes.c
    branches/gcc-4_8-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/builtin-object-size-8.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/strlenopt-14gf.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/strlenopt-1f.c
    branches/gcc-4_8-branch/gcc/testsuite/gcc.dg/strlenopt-4gf.c
    branches/gcc-4_8-branch/gcc/tree-object-size.c
    branches/gcc-4_8-branch/gcc/tree-ssa-sccvn.c