public inbox for gcc-bugs@sourceware.org
* [Bug middle-end/59399] New: ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: bergner at gcc dot gnu.org @ 2013-12-05 18:19 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

            Bug ID: 59399
           Summary: ICE in expand_expr_real_1 with -m64
                    -fsanitize=signed-integer-overflow
           Product: gcc
           Version: 4.9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: middle-end
          Assignee: unassigned at gcc dot gnu.org
          Reporter: bergner at gcc dot gnu.org

On powerpc64-linux, I'm seeing a failure in the ubsan testsuite that causes an
ICE in expand_real_1, line 9484.  A simplified test case is:

[bergner@igoo BUGS]$ cat bug.ii 
void
foo (int i, int j)
{
  volatile int k = j + i;
}

[bergner@igoo BUGS]$ /home/bergner/gcc/build/gcc-fsf-mainline-debug/gcc/cc1plus -fpreprocessed -quiet -m64 -fsanitize=signed-integer-overflow bug.ii
bug.ii: In function ‘void foo(int, int)’:
bug.ii:4:22: internal compiler error: in expand_expr_real_1, at expr.c:9484
   volatile int k = j + i;
                      ^
0x107c1d2f expand_expr_real_1(tree_node*, rtx_def*, machine_mode, expand_modifier, rtx_def**)
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/expr.c:9484
0x107b9d57 expand_expr_real(tree_node*, rtx_def*, machine_mode, expand_modifier, rtx_def**)
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/expr.c:7927
0x109590af expand_expr
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/expr.h:453
0x1095a383 ubsan_expand_si_overflow_addsub_check(tree_code, gimple_statement_base*)
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/internal-fn.c:182
0x1095b30f expand_UBSAN_CHECK_ADD
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/internal-fn.c:436
0x1095b467 expand_internal_call(gimple_statement_base*)
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/internal-fn.c:476
0x106071ab expand_call_stmt
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/cfgexpand.c:2185
0x1060b9d3 expand_gimple_stmt_1
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/cfgexpand.c:3154
0x1060c20f expand_gimple_stmt
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/cfgexpand.c:3306
0x106149eb expand_gimple_basic_block
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/cfgexpand.c:5146
0x106170db gimple_expand_cfg
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/cfgexpand.c:5712
0x10617aff execute
    /home/bergner/gcc/gcc-fsf-mainline-base/gcc/cfgexpand.c:5932

We're dying in the gcc_assert below:

          /* Get the signedness to be used for this variable.  Ensure we get
             the same mode we got when the variable was declared.  */
          if (code == SSA_NAME
              && (g = SSA_NAME_DEF_STMT (ssa_name))
              && gimple_code (g) == GIMPLE_CALL)
            {
              gcc_assert (!gimple_call_internal_p (g));
              pmode = promote_function_mode (type, mode, &unsignedp,
                                             gimple_call_fntype (g),
                                             2);
            }

The debugger shows g to be:

(gdb) p *g
$1 = {code = GIMPLE_CALL, no_warning = 0, visited = 0, nontemporal_move = 0, plf = 0, modified = 0,
  has_volatile_ops = 0, subcode = 64, uid = 0, location = 2147483648, num_ops = 5, bb = 0xfffb0070208,
  next = 0xfffb00a00a0, prev = 0xfffb00a00a0}
From: "olegendo at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/59343] miscompiled for loop in sh4 target (-Os)
Date: Thu, 05 Dec 2013 18:30:00 -0000

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59343

--- Comment #8 from Oleg Endo <olegendo at gcc dot gnu.org> ---
(In reply to gcc-bugzilla-f5d8 from comment #0)
> Created attachment 31327 [details]
> miscompilation testcase
>
> The attached testcase miscompiles on sh4 target if built with -Os
>

BTW thanks for the test case.  It's an interesting case for further
optimizations of the sh_treg_combine pass (see PR 51244 comment 72).


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: bergner at gcc dot gnu.org @ 2013-12-05 19:27 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

--- Comment #1 from Peter Bergner <bergner at gcc dot gnu.org> ---
More hopefully useful gdb output:

(gdb) pr decl_rtl
(reg:DI 123 [ D.2805+-4 ])

(gdb) ptree exp
 <var_decl 0xfffafe31a20 D.2805
    type <integer_type 0xfffafec0690 int sizes-gimplified public SI
        size <integer_cst 0xfffafe027c0 constant 32>
        unit size <integer_cst 0xfffafe027e0 constant 4>
        align 32 symtab 0 alias set -1 canonical type 0xfffafec0690 precision 32 min <integer_cst 0xfffafe02760 -2147483648> max <integer_cst 0xfffafe02780 2147483647>
        pointer_to_this <pointer_type 0xfffafec16f8>>
    used ignored SI file bug.ii line 2 col 1 size <integer_cst 0xfffafe027c0 32> unit size <integer_cst 0xfffafe027e0 4>
    align 32 context <function_decl 0xfffb0068c00 foo>
    (reg:DI 123 [ D.2805+-4 ])>

(gdb) p DECL_MODE (exp)
$8 = SImode

(gdb) ptree ssa_name
 <ssa_name 0xfffafea0708
    type <integer_type 0xfffafec0690 int sizes-gimplified public SI
        size <integer_cst 0xfffafe027c0 constant 32>
        unit size <integer_cst 0xfffafe027e0 constant 4>
        align 32 symtab 0 alias set -1 canonical type 0xfffafec0690 precision 32 min <integer_cst 0xfffafe02760 -2147483648> max <integer_cst 0xfffafe02780 2147483647>
        pointer_to_this <pointer_type 0xfffafec16f8>>
    visited var <var_decl 0xfffafe31a20 D.2805>def_stmt _3 = UBSAN_CHECK_ADD (j_1(D), i_2(D));

    version 3>


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: mpolacek at gcc dot gnu.org @ 2013-12-05 19:50 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

Marek Polacek <mpolacek at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2013-12-05
                 CC|                            |mpolacek at gcc dot gnu.org
           Assignee|unassigned at gcc dot gnu.org      |mpolacek at gcc dot gnu.org
   Target Milestone|---                         |4.9.0
     Ever confirmed|0                           |1

--- Comment #2 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Ouch.  Reproduced on ppc64.


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: mpolacek at gcc dot gnu.org @ 2013-12-06 19:32 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

--- Comment #3 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
On both x86_64 and ppc64, we have this identical SSA_NAME:

<ssa_name 0x7fb5a659ccf0
    type <integer_type 0x7fb5a65a4690 int sizes-gimplified public SI
        size <integer_cst 0x7fb5a65a6440 constant 32>
        unit size <integer_cst 0x7fb5a65a6460 constant 4>
        align 32 symtab 0 alias set -1 canonical type 0x7fb5a65a4690 precision 32 min <integer_cst 0x7fb5a65a63e0 -2147483648> max <integer_cst 0x7fb5a65a6400 2147483647>
        pointer_to_this <pointer_type 0x7fb5a65b7738>>
    visited var <var_decl 0x7fb5a6722428 D.2423>def_stmt _3 = UBSAN_CHECK_ADD (j_1(D), i_2(D));

    version 3>

Now in expr.c we call get_rtx_for_ssa_name on it.  On x86_64 the RTX is then
(reg:SI 83 [ D.2423 ]) while on ppc64 the RTX is (reg:DI 123 [ D.2759+-4 ]), so
we have a discrepancy here.  And then the following is true on ppc64
      if (REG_P (decl_rtl)
          && DECL_MODE (exp) != BLKmode
          && GET_MODE (decl_rtl) != DECL_MODE (exp))
because DECL_MODE (exp) is SImode, not DImode.  And then we make our way to the
block of code where we fail.

Why does get_rtx_for_ssa_name return a different rtx for the same SSA_NAME?


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: pinskia at gcc dot gnu.org @ 2013-12-06 19:40 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

--- Comment #4 from Andrew Pinski <pinskia at gcc dot gnu.org> ---
(In reply to Marek Polacek from comment #3)
> Why does get_rtx_for_ssa_name return a different rtx for the same SSA_NAME?

Because of the PROMOTE_MODE macro.  From docs:
/* Define this macro if it is advisable to hold scalars in registers
   in a wider mode than that declared by the program.  In such cases,
   the value is constrained to be within the bounds of the declared
   type, but kept valid in the wider mode.  The signedness of the
   extension may differ from that of the type.  */
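
An added illustration (not code from GCC or from anyone in this thread) of what the PROMOTE_MODE text above means for a signed-overflow check: when a 32-bit int lives in a 64-bit register, the check has to be made against the declared type's bounds, because the wider register itself never overflows. The helper names are hypothetical, an int64_t stands in for the DImode register, and __builtin_add_overflow (GCC 5 or later, Clang) serves as the reference.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model: an SImode (32-bit) int held sign-extended in a DImode (64-bit) register. */
typedef int64_t di_reg;

static di_reg promote_si(int32_t v) { return (di_reg)v; }

/* Check for a 32-bit signed add done on promoted operands: the 64-bit add
   cannot wrap, so overflow shows up as a sum outside the 32-bit bounds. */
bool add_overflows_promoted(int32_t a, int32_t b)
{
    di_reg wide = promote_si(a) + promote_si(b);
    return wide < INT32_MIN || wide > INT32_MAX;
}

/* Wrong-mode check: only asks whether the 64-bit register overflowed. */
bool add_overflows_wrong_mode(int32_t a, int32_t b)
{
    di_reg wide;
    return __builtin_add_overflow(promote_si(a), promote_si(b), &wide);
}

/* Reference: the compiler's own check in the declared 32-bit type. */
bool add_overflows_reference(int32_t a, int32_t b)
{
    int32_t r;
    return __builtin_add_overflow(a, b, &r);
}

/* Count constructed edge-case pairs where a check disagrees with the reference. */
int count_mismatches(bool (*check)(int32_t, int32_t))
{
    static const int32_t edge[] = { INT32_MIN, INT32_MIN + 1, -1, 0, 1, INT32_MAX - 1, INT32_MAX };
    int n = (int)(sizeof edge / sizeof edge[0]), bad = 0;
    for (int i = 0; i < n; i++)
        for (int j = 0; j < n; j++)
            if (check(edge[i], edge[j]) != add_overflows_reference(edge[i], edge[j]))
                bad++;
    return bad;
}

int main(void)
{
    printf("promoted check mismatches:   %d\n", count_mismatches(add_overflows_promoted));
    printf("wrong-mode check mismatches: %d\n", count_mismatches(add_overflows_wrong_mode));
    return 0;
}
```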


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: mpolacek at gcc dot gnu.org @ 2013-12-06 19:53 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

--- Comment #5 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Ah, I knew it was promotion.  Perhaps we don't want to enable that for
integer-overflow instrumentation...


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: mpolacek at gcc dot gnu.org @ 2013-12-11 12:25 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

Marek Polacek <mpolacek at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Fixed.


* [Bug middle-end/59399] ICE in expand_expr_real_1 with -m64 -fsanitize=signed-integer-overflow
From: mpolacek at gcc dot gnu.org @ 2013-12-11 12:25 UTC
  To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59399

--- Comment #6 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Author: mpolacek
Date: Wed Dec 11 12:25:05 2013
New Revision: 205888

URL: http://gcc.gnu.org/viewcvs?rev=205888&root=gcc&view=rev
Log:
    PR sanitizer/59399
    * expr.c (expand_expr_real_1): Remove assert dealing with
    internal calls and turn that into a condition instead.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/expr.c

