[Bug rtl-optimization/67037] New: [4.9 Regression] Wrong code at -O1 and above on ARM

[Bug rtl-optimization/67037] New: [4.9 Regression] Wrong code at -O1 and above on ARM

[notasas at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

            Bug ID: 67037
           Summary: [4.9 Regression] Wrong code at -O1 and above on ARM
           Product: gcc
           Version: 4.9.3
            Status: UNCONFIRMED
          Keywords: wrong-code
          Severity: normal
          Priority: P3
         Component: rtl-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: notasas at gmail dot com
  Target Milestone: ---
            Target: arm-unknown-linux-gnueabi, arm-linux-gnueabihf

Created attachment 36076
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=36076&action=edit
testcase

The reduced testcase (based on "real" code from wine sources) crashes:

notaz@evm:/tmp/t$ cc -Wall -O0 testcase.c && ./a.out
notaz@evm:/tmp/t$ cc -Wall -O1 testcase.c && ./a.out
Segmentation fault
notaz@evm:/tmp/t$ cc -Wall -O2 testcase.c && ./a.out
Segmentation fault
notaz@evm:/tmp/t$ cc -Wall -Os testcase.c && ./a.out
notaz@evm:/tmp/t$ cc -Wall -O1 testcase.c -mcpu=arm920t -marm && ./a.out
Segmentation fault
notaz@evm:/tmp/t$ cc -Wall -O1 testcase.c -mcpu=cortex-a15 && ./a.out
Segmentation fault

gcc 4.7.2 and 4.8.2 seem to be ok.

It looks like this chunk

    while ((count > 1) && *s)
    {
        count--;
        *d++ = *s++;
    }

is compiled to

        add     r3, sp, #5312
        add     r3, r3, #52
        ldr     r3, [r3]        @ count
        cmp     r3, #1
        bls     .L6
        movw    r2, #:lower16:.LANCHOR0
        mov     r3, #78
        movt    r2, #:upper16:.LANCHOR0
        b       .L8
.L18:
        ldrh    r3, [r2, #2]!
        cmp     r3, #0
        beq     .L9
.L8:
        add     r1, sp, #5312
        add     r1, r1, #52
        ldr     r0, [r1]
        sub     r0, r0, #1
        str     r0, [r1]
        ldr     r1, [r3]        @ <-- crash
        cmp     r0, #1
        strh    r3, [r1], #2    @ movhi
        add     r3, sp, #5312
        add     r3, r3, #48
        str     r1, [r3]
        bne     .L18
.L9:

so it thinks r3 contains pointer to count, even though it loaded *s there?
The conditions for this bug seem to be large stack frame that load/store
offsets can't reach and enough register pressure.

[Bug target/67037] [4.9 Regression] Wrong code at -O1 and above on ARM

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |4.9.4

[Bug target/67037] [4.9 Regression] Wrong code at -O1 and above on ARM

[mikpelinux at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

Mikael Pettersson <mikpelinux at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mikpelinux at gmail dot com

--- Comment #1 from Mikael Pettersson <mikpelinux at gmail dot com> ---
gcc-5.2 and current trunk also generate code that segfaults (on cortex-a9).

[Bug target/67037] [4.9 Regression] Wrong code at -O1 and above on ARM

[ktkachov at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

ktkachov at gcc dot gnu.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
   Last reconfirmed|                            |2015-07-28
                 CC|                            |ktkachov at gcc dot gnu.org
     Ever confirmed|0                           |1
      Known to fail|                            |6.0

--- Comment #2 from ktkachov at gcc dot gnu.org ---
Confirmed on arm-none-linux-gnueabihf

[Bug target/67037] [4.9/5/6 Regression] Wrong code at -O1 and above on ARM

[bernd.edlinger at hotmail dot de]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

--- Comment #4 from Bernd Edlinger <bernd.edlinger at hotmail dot de> ---
I believe that when we see this in testcase.c.232r.reload

   73: [r166:SI++]=r142:SI#0
      REG_DEAD r142:SI
      REG_INC r149:SI
    Inserting insn reload before:
  153: r166:SI=[afp:SI+0x14f8]
    Inserting insn reload after:
  154: [afp:SI+0x14f8]=r166:SI

the insns before and after have the same address rtx
and while the insn 154 is transformed to:

  155: r3:SI=sp:SI+0x14f8
  154: [r3:SI]=r1:SI

insn 153's address suddenly becomes [r3:SI] too.

The following patch seems to fix it:

--- lra-constraints.c.jj        2015-09-25 23:06:08.000000000 +0200
+++ lra-constraints.c   2015-09-29 13:29:01.695783261 +0200
@@ -1339,7 +1339,7 @@ process_addr_reg (rtx *loc, bool check_o
   if (after != NULL)
     {
       start_sequence ();
-      lra_emit_move (reg, new_reg);
+      lra_emit_move (before_p ? copy_rtx (reg) : reg, new_reg);
       emit_insn (*after);
       *after = get_insns ();
       end_sequence ();

[Bug rtl-optimization/67037] [4.9/5/6 Regression] Wrong code at -O1 and above on ARM

[edlinger at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

Bernd Edlinger <edlinger at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
          Component|target                      |rtl-optimization
           Assignee|unassigned at gcc dot gnu.org      |bernd.edlinger at hotmail dot de

--- Comment #5 from Bernd Edlinger <edlinger at gcc dot gnu.org> ---
change component to "rtl-optimization", as it is certainly not the target's
fault.

[Bug rtl-optimization/67037] [4.9/5/6 Regression] Wrong code at -O1 and above on ARM

[edlinger at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

--- Comment #6 from Bernd Edlinger <edlinger at gcc dot gnu.org> ---
Author: edlinger
Date: Wed Sep 30 18:51:31 2015
New Revision: 228303

URL: https://gcc.gnu.org/viewcvs?rev=228303&root=gcc&view=rev
Log:
2015-09-30  Bernd Edlinger  <bernd.edlinger@hotmail.de>

        PR rtl-optimization/67037
        * lra-constraints.c (process_addr_reg): Use copy_rtx when necessary.

testsuite:
2015-09-30  Bernd Edlinger  <bernd.edlinger@hotmail.de>

        PR rtl-optimization/67037
        * gcc.c-torture/execute/pr67037.c: New test.

Added:
    trunk/gcc/testsuite/gcc.c-torture/execute/pr67037.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/lra-constraints.c
    trunk/gcc/testsuite/ChangeLog

[Bug rtl-optimization/67037] [4.9/5 Regression] Wrong code at -O1 and above on ARM

[notasas at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67037

--- Comment #7 from notasas at gmail dot com ---
Anyone's up for the backports? The patch applies cleanly on both gcc-4_9 and
gcc-5 branches.
I've tested patched 4.9.3 and wine no longer crashes when built with it.