[Bug sanitizer/59667] New: ubsan: ICE ubsan_type_descriptor

[Bug sanitizer/59667] New: ubsan: ICE ubsan_type_descriptor

[larsbj at gullik dot net]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59667

            Bug ID: 59667
           Summary: ubsan: ICE ubsan_type_descriptor
           Product: gcc
           Version: 4.9.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: larsbj at gullik dot net
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org

This is with gcc --version
gcc (GCC) 4.9.0 20140103 (experimental) as of r206313

This snippet:

void foo()                                                                      
{                                                                               
    unsigned int len = 1;                                                       
    float (*P)[len][len];                                                       
    (*P)[0][0] = 1;                                                             
}

compiled with gcc -c -fsanitize=undefined snippet.c

Gives:

snippet.c: In function ‘foo’:
snippet.c:1:6: internal compiler error: Segmentation fault
 void foo()
      ^
0x87abff crash_signal
        ../../gcc/gcc/toplev.c:336
0x890f2d ubsan_type_descriptor(tree_node*, bool)
        ../../gcc/gcc/ubsan.c:319
0x891b44 ubsan_expand_null_ifn(gimple_stmt_iterator)
        ../../gcc/gcc/ubsan.c:584
0x888de1 execute_sanopt
        ../../gcc/gcc/asan.c:2574
0x888de1 execute
        ../../gcc/gcc/asan.c:2624
>From gcc-bugs-return-439003-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Fri Jan 03 18:56:34 2014
Return-Path: <gcc-bugs-return-439003-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 20692 invoked by alias); 3 Jan 2014 18:56:33 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 20657 invoked by uid 48); 3 Jan 2014 18:56:28 -0000
From: "danglin at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug rtl-optimization/59652] [4.8 Regression] ICE: in reload_cse_simplify_operands, at postreload.c:411
Date: Fri, 03 Jan 2014 18:56:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: rtl-optimization
X-Bugzilla-Version: 4.8.2
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: danglin at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields:
Message-ID: <bug-59652-4-A6ERTYWDKS@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-59652-4@http.gcc.gnu.org/bugzilla/>
References: <bug-59652-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-01/txt/msg00145.txt.bz2
Content-length: 3940

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59652

--- Comment #3 from John David Anglin <danglin at gcc dot gnu.org> ---
With

dave@mx3210:~/gnu/gcc/objdir/prev-gcc$ ./xgcc -B./ -v
Reading specs from ./specs
COLLECT_GCC=./xgcc
COLLECT_LTO_WRAPPER=./lto-wrapper
Target: hppa-linux-gnu
Configured with: ../gcc/configure --with-gnu-as --with-gnu-ld --enable-shared
--enable-multiarch --enable-linker-build-id --build=hppa-linux-gnu
--host=hppa-linux-gnu --target=hppa-linux-gnu
--prefix=/home/dave/opt/gnu/gcc/gcc-4.9 --with-local-prefix=/home/dave/opt/gnu
--enable-threads=posix --enable-__cxa_atexit --build=hppa-linux-gnu
--enable-clocale=gnu --enable-java-gc=boehm
--enable-languages=c,c++,objc,fortran,obj-c++,java,ada,lto
Thread model: posix
gcc version 4.8.3 20140103 (prerelease) [gcc-4_8-branch revision 206321] (GCC) 

I see the following backtrace when the insn was emitted:

Breakpoint 1, pa_emit_move_sequence (operands=0xfaf02e8c, mode=SImode, 
    scratch_reg=0x0) at ../../gcc/gcc/config/pa/pa.c:1583
1583      register rtx operand0 = operands[0];
(gdb) p debug_rtx(operands[0])(reg:SI 28 %r28)
$5 = void
(gdb) p debug_rtx(operands[1])
(reg/f:SI 2442)
$6 = void
(gdb) bt
#0  pa_emit_move_sequence (operands=0xfaf02e8c, mode=SImode, scratch_reg=0x0)
    at ../../gcc/gcc/config/pa/pa.c:1583
#1  0x00bf77bc in gen_movsi (operand0=0xfaf02e8c, operand1=0x7)
    at ../../gcc/gcc/config/pa/pa.md:2157
#2  0x00bf77bc in gen_movsi (operand0=0x4022c030, operand1=0x40a0d040)
    at ../../gcc/gcc/config/pa/pa.md:2157
#3  0x00446334 in insn_gen_fn::operator() (this=0xf9e720 <insn_data+8336>, 
    a0=0x4022c030, a1=0x40a0d040) at ../../gcc/gcc/recog.h:284
#4  0x00424864 in emit_move_insn_1 (x=0x4022c030, y=0x40a0d040)
    at ../../gcc/gcc/expr.c:3441
#5  0x006e6278 in gen_move_insn (x=0x4022c030, y=0x40a0d040)
    at ../../gcc/gcc/optabs.c:4812
#6  0x006e6278 in gen_move_insn (x=0x4022c030, y=0x40a0d040)
    at ../../gcc/gcc/optabs.c:4812
#7  0x007a5794 in gen_reload (out=0x4022c030, in=0x40a0d040, opnum=1, 
    type=RELOAD_FOR_INPUT_ADDRESS) at ../../gcc/gcc/reload1.c:8708
(gdb) c
Continuing.

Breakpoint 1, pa_emit_move_sequence (operands=0xfaf02e8c, mode=SImode, 
    scratch_reg=0x0) at ../../gcc/gcc/config/pa/pa.c:1583
1583      register rtx operand0 = operands[0];
(gdb) p debug_rtx(operands[0])
(reg:SI 19 %r19)
$7 = void
(gdb) c
Continuing.

Breakpoint 1, pa_emit_move_sequence (operands=0xfaf02e8c, mode=SImode, 
    scratch_reg=0x0) at ../../gcc/gcc/config/pa/pa.c:1583
1583      register rtx operand0 = operands[0];
(gdb) p debug_rtx(operands[0])
(reg:SI 19 %r19)
$8 = void
(gdb) c
Continuing.
../../../texk/xdvik/xdvi.c: In function ‘run_dvi_file’:
../../../texk/xdvik/xdvi.c:3398:1: error: insn does not satisfy its
constraints:
(insn 5859 3068 5860 249 (set (reg:SI 28 %r28)
        (reg/f:SI 2442)) ../../../texk/xdvik/xdvi.c:2722 40 {*pa.md:2211}
     (nil))
../../../texk/xdvik/xdvi.c:3398:1: internal compiler error: in
reload_cse_simplify_operands, at postreload.c:411
0x7b8797 _fatal_insn(char const*, rtx_def const*, char const*, int, char
const*)
    ../../gcc/gcc/rtl-error.c:109
0x7b880f _fatal_insn_not_found(rtx_def const*, char const*, int, char const*)
    ../../gcc/gcc/rtl-error.c:120
0x70d52b reload_cse_simplify_operands
    ../../gcc/gcc/postreload.c:411
0x70c753 reload_cse_simplify
    ../../gcc/gcc/postreload.c:123
0x70cb7b reload_cse_regs_1
    ../../gcc/gcc/postreload.c:220
0x70c4f3 reload_cse_regs
    ../../gcc/gcc/postreload.c:68
0x71484f rest_of_handle_postreload
    ../../gcc/gcc/postreload.c:2287
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.
[Inferior 1 (process 6751) exited with code 04]
>From gcc-bugs-return-439004-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org Fri Jan 03 19:34:13 2014
Return-Path: <gcc-bugs-return-439004-listarch-gcc-bugs=gcc.gnu.org@gcc.gnu.org>
Delivered-To: listarch-gcc-bugs@gcc.gnu.org
Received: (qmail 9266 invoked by alias); 3 Jan 2014 19:34:12 -0000
Mailing-List: contact gcc-bugs-help@gcc.gnu.org; run by ezmlm
Precedence: bulk
List-Id: <gcc-bugs.gcc.gnu.org>
List-Archive: <http://gcc.gnu.org/ml/gcc-bugs/>
List-Post: <mailto:gcc-bugs@gcc.gnu.org>
List-Help: <mailto:gcc-bugs-help@gcc.gnu.org>
Sender: gcc-bugs-owner@gcc.gnu.org
Delivered-To: mailing list gcc-bugs@gcc.gnu.org
Received: (qmail 9215 invoked by uid 48); 3 Jan 2014 19:34:06 -0000
From: "jakub at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/59664] avx512f-ceil-sfix-vec-2.c and avx512f-floor-sfix-vec-2.c FAIL on Solaris9/x86
Date: Fri, 03 Jan 2014 19:34:00 -0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: gcc
X-Bugzilla-Component: target
X-Bugzilla-Version: 4.9.0
X-Bugzilla-Keywords:
X-Bugzilla-Severity: normal
X-Bugzilla-Who: jakub at gcc dot gnu.org
X-Bugzilla-Status: UNCONFIRMED
X-Bugzilla-Priority: P3
X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org
X-Bugzilla-Target-Milestone: 4.9.0
X-Bugzilla-Flags:
X-Bugzilla-Changed-Fields: cc
Message-ID: <bug-59664-4-cO5ZnmCy6O@http.gcc.gnu.org/bugzilla/>
In-Reply-To: <bug-59664-4@http.gcc.gnu.org/bugzilla/>
References: <bug-59664-4@http.gcc.gnu.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-SW-Source: 2014-01/txt/msg00146.txt.bz2
Content-length: 678

http://gcc.gnu.org/bugzilla/show_bug.cgi?idY664

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jakub at gcc dot gnu.org

--- Comment #2 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
I guess it is problematic to include <math.h> in the test, because then you
rely on whatever the vendor math.h does.

Does it still FAIL if you remove the #include <math.h>
and instead add say
#define floor(x) __builtin_floor (x)
#define ceil(x) __builtin_ceil (x)
#define M_PI __builtin_acos (-1.0)

?

[Bug sanitizer/59667] ubsan: ICE ubsan_type_descriptor

[mpolacek at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59667

Marek Polacek <mpolacek at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |ASSIGNED
   Last reconfirmed|                            |2014-01-05
                 CC|                            |mpolacek at gcc dot gnu.org
           Assignee|unassigned at gcc dot gnu.org      |mpolacek at gcc dot gnu.org
   Target Milestone|---                         |4.9.0
     Ever confirmed|0                           |1

--- Comment #1 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Mine.  Another instance of segv in getting the type name.

[Bug sanitizer/59667] ubsan: ICE ubsan_type_descriptor

[mpolacek at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59667

--- Comment #2 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Author: mpolacek
Date: Wed Jan  8 10:06:09 2014
New Revision: 206423

URL: http://gcc.gnu.org/viewcvs?rev=206423&root=gcc&view=rev
Log:
    PR sanitizer/59667
    * ubsan.c (ubsan_type_descriptor): Call strip_array_types on type2.
testsuite/
    * c-c++-common/ubsan/pr59667.c: New test.

Added:
    trunk/gcc/testsuite/c-c++-common/ubsan/pr59667.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/ubsan.c

[Bug sanitizer/59667] ubsan: ICE ubsan_type_descriptor

[mpolacek at gcc dot gnu.org]

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=59667

Marek Polacek <mpolacek at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Marek Polacek <mpolacek at gcc dot gnu.org> ---
Fixed.