public inbox for gcc-bugs@sourceware.org

* [Bug sanitizer/60557] New: UBSAN: ICE after ubsan_expand_null_ifn
From: burnus at gcc dot gnu.org @ 2014-03-17 22:26 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

            Bug ID: 60557
           Summary: UBSAN: ICE after ubsan_expand_null_ifn
           Product: gcc
           Version: 4.9.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: burnus at gcc dot gnu.org
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org,
                    mpolacek at gcc dot gnu.org

Compiling the following syntactically valid program ICEs with UBSAN:

$ gfortran -fsanitize=undefined bar.f90
bar.f90: In function 'ribm':
bar.f90:15:0: internal compiler error: Segmentation fault
       subroutine ribm(rndm,ial)
 ^
0xa0d9af crash_signal
        ../../gcc/toplev.c:337
0x836ba4 gimple_build_call(tree_node*, unsigned int, ...)
        ../../gcc/gimple.c:249
0xa2a1b8 ubsan_expand_null_ifn(gimple_stmt_iterator)
        ../../gcc/ubsan.c:590
0xa1dc27 execute_sanopt
        ../../gcc/asan.c:2587

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: burnus at gcc dot gnu.org @ 2014-03-17 22:34 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

--- Comment #1 from Tobias Burnus <burnus at gcc dot gnu.org> ---
Created attachment 32379
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32379&action=edit
Testcase (test.f90)

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: burnus at gcc dot gnu.org @ 2014-03-17 22:42 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

--- Comment #2 from Tobias Burnus <burnus at gcc dot gnu.org> ---
And compiling with just -fsanitize=signed-integer-overflow leads to another
ICE:

0x6a0828 contains_struct_check
        ../../gcc/tree.h:2822
0x6a0828 build_call_expr_loc_array(unsigned int, tree_node*, int, tree_node**)
        ../../gcc/builtins.c:11259
0x6a1bf7 build_call_expr_loc(unsigned int, tree_node*, int, ...)
        ../../gcc/builtins.c:11292
0x889199 ubsan_expand_si_overflow_mul_check(gimple_statement_base*)
        ../../gcc/internal-fn.c:768

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: dominiq at lps dot ens.fr @ 2014-03-17 22:50 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

Dominique d'Humieres <dominiq at lps dot ens.fr> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2014-03-17
     Ever confirmed|0                           |1

--- Comment #3 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
Confirmed. Debugging with lldb gives

* thread #1: tid = 0x1c9cf56, 0x00000001005c3ba4 f951`gimple_build_call(fn=0x0000000000000000, nargs=2) + 36 at gimple.c:249, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00000001005c3ba4 f951`gimple_build_call(fn=0x0000000000000000, nargs=2) + 36 at gimple.c:249
   246       gimple call;
   247       unsigned i;
   248
-> 249       gcc_assert (TREE_CODE (fn) == FUNCTION_DECL || is_gimple_call_addr (fn));
   250
   251       call = gimple_build_call_1 (fn, nargs);
   252
(lldb) bt
* thread #1: tid = 0x1c9cf56, 0x00000001005c3ba4 f951`gimple_build_call(fn=0x0000000000000000, nargs=2) + 36 at gimple.c:249, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001005c3ba4 f951`gimple_build_call(fn=0x0000000000000000, nargs=2) + 36 at gimple.c:249
    frame #1: 0x0000000100888bdf f951`ubsan_expand_null_ifn(gsi=gimple_stmt_iterator at 0x00007fff5fbff280) + 447 at ubsan.c:590
    frame #2: 0x000000010087b110 f951`execute(this=<unavailable>) + 304 at asan.c:2587

I get a similar ICE for this simpler test

  DO i=1,10
  END DO
  END

However the backtrace is different

* thread #1: tid = 0x1c9cb1a, 0x00000001003c03e1 f951`build_call_expr_loc_array(unsigned int, tree_node*, int, tree_node**) [inlined] contains_struct_check(__g=<unavailable>, __l=0, __f=<unavailable>, __s=TS_BASE, __t=0x0000000000000000) at tree.h:2822, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
    frame #0: 0x00000001003c03e1 f951`build_call_expr_loc_array(unsigned int, tree_node*, int, tree_node**) [inlined] contains_struct_check(__g=<unavailable>, __l=0, __f=<unavailable>, __s=TS_BASE, __t=0x0000000000000000) at tree.h:2822
   2819    contains_struct_check (tree __t, const enum tree_node_structure_enum __s,
   2820                           const char *__f, int __l, const char *__g)
   2821    {
-> 2822      if (tree_contains_struct[TREE_CODE (__t)][__s] != 1)
   2823          tree_contains_struct_check_failed (__t, __s, __f, __l, __g);
   2824      return __t;
   2825    }
(lldb) bt
* thread #1: tid = 0x1c9cb1a, 0x00000001003c03e1 f951`build_call_expr_loc_array(unsigned int, tree_node*, int, tree_node**) [inlined] contains_struct_check(__g=<unavailable>, __l=0, __f=<unavailable>, __s=TS_BASE, __t=0x0000000000000000) at tree.h:2822, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x00000001003c03e1 f951`build_call_expr_loc_array(unsigned int, tree_node*, int, tree_node**) [inlined] contains_struct_check(__g=<unavailable>, __l=0, __f=<unavailable>, __s=TS_BASE, __t=0x0000000000000000) at tree.h:2822
    frame #1: 0x00000001003c03e1 f951`build_call_expr_loc_array(loc=2147483651, fndecl=0x0000000000000000, n=3, argarray=0x00007fff5fbfefc0) + 17
    frame #2: 0x00000001003c199c f951`build_call_expr_loc(loc=<unavailable>, fndecl=<unavailable>, n=<unavailable>) + 172 at builtins.c:11292
    frame #3: 0x0000000100676e5a f951`ubsan_expand_si_overflow_addsub_check(code=PLUS_EXPR, stmt=0x0000000142d49688) + 794 at internal-fn.c:297
    frame #4: 0x00000001003fdc63 f951`expand_gimple_stmt(stmt=0x0000000142d49688) + 4083 at cfgexpand.c:2190
    frame #5: 0x00000001003ff408 f951`expand_gimple_basic_block(bb=<unavailable>, disable_tail_calls=<unavailable>) + 2776 at cfgexpand.c:5152
    frame #6: 0x0000000100400f37 f951`execute + 2345 at cfgexpand.c:5731
    frame #7: 0x000000010040060e f951`execute(this=<unavailable>) + 14
    frame #8: 0x000000010079a78a f951`execute_one_pass(pass=0x0000000141e127c0) + 986 at passes.c:2229
    frame #9: 0x000000010079aa9e f951`execute_pass_list(pass=0x0000000141e127c0) + 30 at passes.c:2282
    frame #10: 0x0000000100425f6b f951`expand_function(node=0x0000000142c09e18) + 235 at cgraphunit.c:1774
    frame #11: 0x00000001004287ad f951`compile() + 3341 at cgraphunit.c:2006
    frame #12: 0x0000000100428be6 f951`finalize_compilation_unit() + 102 at cgraphunit.c:2329
    frame #13: 0x00000001006f5f0e f951`write_global_declarations() + 222 at langhooks.c:323
    frame #14: 0x00000001008665a7 f951`compile_file + 167 at toplev.c:562
    frame #15: 0x0000000100868a44 f951`toplev_main(argc=3, argv=0x00007fff5fbff4a0) + 3284 at toplev.c:1914

I have seen several ICEs with different fortran tests, but a few passed, e.g.,

[Book15] f90/bug% cat prec.f90
integer,parameter :: k = selected_real_kind (precision (0.0_8) + 1)
real(kind=k) :: x
x = cos (x)
print *, precision(x)
end
[Book15] f90/bug% gfc prec.f90 -fsanitize=undefined
[Book15] f90/bug% a.out
          18

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: dominiq at lps dot ens.fr @ 2014-03-17 22:54 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

--- Comment #4 from Dominique d'Humieres <dominiq at lps dot ens.fr> ---
The backtrace for the test in comment 0 with -fsanitize=signed-integer-overflow
is similar to the one I get for the DO loop.

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: jakub at gcc dot gnu.org @ 2014-03-18 6:18 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

--- Comment #5 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Created attachment 32380
  --> http://gcc.gnu.org/bugzilla/attachment.cgi?id=32380&action=edit
gcc49-pr60557.patch

This should hopefully fix it.

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: jakub at gcc dot gnu.org @ 2014-03-18 15:06 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

--- Comment #7 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Author: jakub
Date: Tue Mar 18 15:05:30 2014
New Revision: 208652

URL: http://gcc.gnu.org/viewcvs?rev=208652&root=gcc&view=rev
Log:
    PR sanitizer/60557
    * ubsan.c (ubsan_instrument_unreachable): Call
    initialize_sanitizer_builtins.
    (ubsan_pass): Likewise.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/ubsan.c

* [Bug sanitizer/60557] UBSAN: ICE after ubsan_expand_null_ifn
From: jakub at gcc dot gnu.org @ 2014-03-18 15:08 UTC
To: gcc-bugs

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60557

Jakub Jelinek <jakub at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #8 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Fixed.