[Bug c/96482] New: Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function

[Bug c/96482] New: Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function

[yevh.kolesnikov at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

            Bug ID: 96482
           Summary: Combination of -finline-small-functions and ipa-cp
                    optimisations causes incorrect values being passed to
                    a function
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: yevh.kolesnikov at gmail dot com
  Target Milestone: ---

The bug was originally reported in mesa:
https://gitlab.freedesktop.org/mesa/mesa/-/issues/3239

Combination of LTO and O3 caused a crash on replaying a video with mpv.
Backtrace showed pretty unrealistic values passed to a function. I reduced a
number of necessary optimisations to:

+ -O1
+ -finline-small-functions
+ -fipa-bit-cp
+ -fipa-cp
+ LTO

It happens with gcc 10.1.0, but not with gcc 9. I bisected the problem to
c7ac9a0c7e3916f192ad41227e16238fd1fa2fbf.

I wasn't able to produce a minimal reproducer, and even though a preprocessed
file doesn't trigger the bug for me (I assume, LTO is essential for this bug),
I'm attaching it anyway.

Looking at the produced assembler, though, shows that it goes wrong somewhere
around a call to addr_to_index at
https://gitlab.freedesktop.org/mesa/mesa/-/blob/7f25f1f106728f0046672adf9c9ed79185265ea5/src/compiler/nir/nir_lower_io.c#L870.
addr_to_index gets inlined and so is nir_channel, called from it.

Those two are pretty simple functions:

static nir_ssa_def *
addr_to_index(nir_builder *b, nir_ssa_def *addr,
              nir_address_format addr_format)
{
   if (addr_format == nir_address_format_32bit_index_offset) {
      assert(addr->num_components == 2);
      return nir_channel(b, addr, 0);
   } else if (addr_format == nir_address_format_vec2_index_32bit_offset) {
      assert(addr->num_components == 3);
      return nir_channels(b, addr, 0x3);
   } else {
      unreachable("bad address format for index");
   }
}

static inline nir_ssa_def *
nir_channel(nir_builder *b, nir_ssa_def *def, unsigned c)
{
   return nir_swizzle(b, def, &c, 1);
}

In the final assembly we end up with just a call to nir_swizzle:
mov    edx,r14d
mov    rsi,r15
mov    rdi,rbp
call   0x7fffd26e0ef9 <nir_swizzle(nir_builder*, nir_ssa_def*, unsigned int
const*, unsigned int)

However, edx, rsi, and rdi contain values, that clearly were ment to the
original addr_to_index function.

[Bug c/96482] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function

[yevh.kolesnikov at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #1 from Yevhenii Kolesnikov <yevh.kolesnikov at gmail dot com> ---
Created attachment 49003
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49003&action=edit
Preprocessed file (compressed)

Oh. Preprocessed file was actually too big. Attaching a compressed file.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Combination of              |[10/11 Regression]
                   |-finline-small-functions    |Combination of
                   |and ipa-cp optimisations    |-finline-small-functions
                   |causes incorrect values     |and ipa-cp optimisations
                   |being passed to a function  |causes incorrect values
                   |                            |being passed to a function
           Keywords|                            |wrong-code
                 CC|                            |hubicka at gcc dot gnu.org,
                   |                            |marxin at gcc dot gnu.org
   Target Milestone|---                         |10.3
          Component|c                           |ipa

--- Comment #2 from Richard Biener <rguenth at gcc dot gnu.org> ---
Honza - you added bit-IPA-CP, please have a look.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2020-08-10
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |WAITING

--- Comment #3 from Martin Liška <marxin at gcc dot gnu.org> ---
Thank you for the report, I can take a look.
Can you please provide steps how to build Mesa with -O3 and -flto?
About the addr_to_index function: am I right that unreachable is defined in
your configuration as __builtin_unreachable? Can you please replace it with
fprintf that prints the value?

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[hubicka at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #4 from Jan Hubicka <hubicka at gcc dot gnu.org> ---
that patch makes ccp to actually use the bit info ipa-cp determines. Before we
used it only to detect pointer alignments if I remember correctly. So it looks
like propagation bug uncovered by the change.  Smaller testcase or reproduction
steps would be indeed welcome.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[yevh.kolesnikov at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #5 from Yevhenii Kolesnikov <yevh.kolesnikov at gmail dot com> ---
(In reply to Martin Liška from comment #3)
> Thank you for the report, I can take a look.
> Can you please provide steps how to build Mesa with -O3 and -flto?

mesa is configured with meson. LTO can be enabled with builtin option
-b_lto=true. Options can be supplied to the compiler with -Dc_args and
-Dcpp_args. So, to enable O3 it's -Dc_args="-O3" -Dcpp_args="-O3". You'll also
need to set -Dbuildtype=plain, or otherwise these options will be overwritten. 

So, the full build process will look like this:

meson \
    -Dbuildtype=plain \
    -Dvalgrind=false \
    -Ddri-drivers=i965 \
    -Dgallium-drivers=iris,swrast \
    -Dvulkan-drivers= \
    -Dgallium-omx="disabled" \
    -Dplatforms=x11,drm,surfaceless \
    -Dllvm=false \
    -Db_lto=true \
    -Dc_args="-g \
              -O3 \
              " \
    -Dcpp_args="-g \
                -O3 \
                " \
    --prefix=~/builds/mesa-bug \
    ./mesa-bug

ninja -C ./mesa-bug install

The aforementioned functions and assembly code then will be in
~/builds/mesa-bug/lib/dri/iris_dri.so

> About the addr_to_index function: am I right that unreachable is defined in
> your configuration as __builtin_unreachable?

To be precise, unreachable is defined like this:

#define unreachable(str)    \
do {                        \
   assert(!str);            \
   __builtin_unreachable(); \
} while (0)

I'm not sure why this one-time loop is necessary, to be honest.

> Can you please replace it with fprintf that prints the value?

The value of addr_format? It doesn't print anything, since this branch is never
hit. Moreover, it prevents addr_to_index from being inlined, so the crash goes
away. The value of addr_format in my case is 3, which corresponds to the
nir_address_format_32bit_index_offset enum. So, in my case, the first branch is
always hit.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[yevh.kolesnikov at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #6 from Yevhenii Kolesnikov <yevh.kolesnikov at gmail dot com> ---
(In reply to Jan Hubicka from comment #4)
> that patch makes ccp to actually use the bit info ipa-cp determines. Before
> we used it only to detect pointer alignments if I remember correctly. So it
> looks like propagation bug uncovered by the change.  Smaller testcase or
> reproduction steps would be indeed welcome.

Unfortunately, I wasn't able to create a standalone reproducer yet. Even in
mesa it's sometimes finicky to catch this bug. For example, simply adding an
fprintf to aforementioned function addr_to_index, prevents it from inlining.  

As for the reproduction steps with mesa:

1. Build mesa as described in comment #5
2. LD_LIBRARY_PATH=$LD_LIBRARY_PATH:~/builds/mesa-bug/lib/ mpv any_video.mp4
3. mesa crashes. Backtrace will slightly differ depending on the driver in use.
So far, I've been describing behavior on "iris" driver (default driver for
Intel GPUs). I assume, similar optimisation patterns occur in several places,
when building mesa.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|WAITING                     |ASSIGNED

--- Comment #7 from Martin Liška <marxin at gcc dot gnu.org> ---
Fine, I can reproduce that locally, working on that!
Thanks for the instructions.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #8 from Martin Liška <marxin at gcc dot gnu.org> ---
Using the current master, -fdbg-cnt=ipa_cp_bits:10461 is first bad debug
counter value where (for
./src/gallium/targets/dri/libgallium_dri.so.wpa.076i.cp):

diff -u /tmp/good.txt /tmp/bad.txt
--- /tmp/good.txt       2020-08-10 23:29:57.234088465 +0200
+++ /tmp/bad.txt        2020-08-10 23:29:08.770350453 +0200
@@ -1414132,9 +1414132,10 @@
  param 2: value = 0x0, mask = 0xffffffff
 Propagated bits info for function nir_build_alu/631438:
  param 1: value = 0x110, mask = 0x1ff
-***dbgcnt: upper limit 10460 reached for ipa_cp_bits.***
 Propagated bits info for function addr_to_offset/632014:
  param 0: value = 0x0, mask = 0xfffffffffffffff8
+***dbgcnt: upper limit 10461 reached for ipa_cp_bits.***
+ param 2: value = 0x5, mask = 0x6
 Not considering _mesa_create_marshal_table/305172 for ipa bitwise propagation
; -fipa-bit-cp: disabled.
 Not considering pipe_reference_described.constprop/1065632 for VR discovery
and propagate; -fipa-ipa-vrp: disabled.
 Not considering pipe_resource_reference.constprop/1065631 for VR discovery and
propagate; -fipa-ipa-vrp: disabled.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #9 from Martin Liška <marxin at gcc dot gnu.org> ---
Also this one shows the problem: -fdbg-cnt=ipa_cp_bits:10460-10461.

If I see correctly the function body:
lto-dump -dump-body=addr_to_index nir_lower_io.c.o
Gimple Body of Function: addr_to_index
addr_to_index (struct nir_builder * b, struct nir_ssa_def * addr,
nir_address_format addr_format)
{
  unsigned int c;

  <bb 2> [local count: 1073741824]:
  if (addr_format_3(D) == 3)
    goto <bb 3>; [20.24%]
  else
    goto <bb 4>; [79.76%]

  <bb 3> [local count: 217325344]:
  c = 0;
  _9 = nir_swizzle (b_5(D), addr_6(D), &c, 1);
  c ={v} {CLOBBER};
  goto <bb 7>; [100.00%]

  <bb 4> [local count: 856416481]:
  if (addr_format_3(D) == 4)
    goto <bb 5>; [100.00%]
  else
    goto <bb 6>; [0.00%]

  <bb 5> [local count: 856416481]:
  _8 = nir_channels (b_5(D), addr_6(D), 3);
  goto <bb 7>; [100.00%]

  <bb 6> [count: 0]:
  __builtin_unreachable ();

  <bb 7> [local count: 1073741824]:
  # _1 = PHI <_9(3), _8(5)>
  return _1;

}

addr_format (aka param 2) is either 3 or 4.
3 = 0x011
4 = 0x100

so mask 6 = 0x110 is wrong as first bit is not constant.
@Martin: Am I right?

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #10 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to Martin Liška from comment #9)
> Also this one shows the problem: -fdbg-cnt=ipa_cp_bits:10460-10461.
> 
> If I see correctly the function body:
> lto-dump -dump-body=addr_to_index nir_lower_io.c.o
> Gimple Body of Function: addr_to_index
> addr_to_index (struct nir_builder * b, struct nir_ssa_def * addr,
> nir_address_format addr_format)
> {
>   unsigned int c;
> 
>   <bb 2> [local count: 1073741824]:
>   if (addr_format_3(D) == 3)
>     goto <bb 3>; [20.24%]
>   else
>     goto <bb 4>; [79.76%]
> 
>   <bb 3> [local count: 217325344]:
>   c = 0;
>   _9 = nir_swizzle (b_5(D), addr_6(D), &c, 1);
>   c ={v} {CLOBBER};
>   goto <bb 7>; [100.00%]
> 
>   <bb 4> [local count: 856416481]:
>   if (addr_format_3(D) == 4)
>     goto <bb 5>; [100.00%]
>   else
>     goto <bb 6>; [0.00%]
> 
>   <bb 5> [local count: 856416481]:
>   _8 = nir_channels (b_5(D), addr_6(D), 3);
>   goto <bb 7>; [100.00%]
> 
>   <bb 6> [count: 0]:
>   __builtin_unreachable ();
> 
>   <bb 7> [local count: 1073741824]:
>   # _1 = PHI <_9(3), _8(5)>
>   return _1;
> 
> }
> 
> addr_format (aka param 2) is either 3 or 4.
> 3 = 0x011
> 4 = 0x100
> 
> so mask 6 = 0x110 is wrong as first bit is not constant.
> @Martin: Am I right?

^^^
@Martin ?

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #11 from Martin Liška <marxin at gcc dot gnu.org> ---
But streamed IPA CP info tells that:

  Node: addr_to_offset/632014:
    param [0]: VARIABLE
         ctxs: VARIABLE
         Bits: value = 0x0, mask = 0xfffffffffffffff8
         int VARYING
        AGGS VARIABLE
    param [1]: VARIABLE
         ctxs: VARIABLE
         Bits unusable (BOTTOM)
         int VARYING
        AGGS VARIABLE
    param [2]: 5 [loc_time: 4, loc_size: 2, prop_time: 0, prop_size: 0]
               3 [loc_time: 3, loc_size: 10, prop_time: 0, prop_size: 0]
         ctxs: VARIABLE
         Bits: value = 0x5, mask = 0x6
         int VARYING
        AGGS VARIABLE

So param[2] is either 5 or 3. Interesting..

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #12 from Martin Liška <marxin at gcc dot gnu.org> ---
It's likely correctly propagated, right now it looks the source code is
invalid.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #13 from Martin Liška <marxin at gcc dot gnu.org> ---
(In reply to Martin Liška from comment #11)
> But streamed IPA CP info tells that:
> 
>   Node: addr_to_offset/632014:
>     param [0]: VARIABLE
>          ctxs: VARIABLE
>          Bits: value = 0x0, mask = 0xfffffffffffffff8
>          int VARYING
>         AGGS VARIABLE
>     param [1]: VARIABLE
>          ctxs: VARIABLE
>          Bits unusable (BOTTOM)
>          int VARYING
>         AGGS VARIABLE
>     param [2]: 5 [loc_time: 4, loc_size: 2, prop_time: 0, prop_size: 0]
>                3 [loc_time: 3, loc_size: 10, prop_time: 0, prop_size: 0]
>          ctxs: VARIABLE
>          Bits: value = 0x5, mask = 0x6
>          int VARYING
>         AGGS VARIABLE
> 
> So param[2] is either 5 or 3. Interesting..

That's correct as there's really one call chain that eventually calls
addr_to_offset with value equal to 5. That's UBSAN and this does not happen
during run-time. I'm debugging deeper..

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #14 from Martin Liška <marxin at gcc dot gnu.org> ---
So in ltrans we end up with:

addr_to_index (struct nir_builder * b, struct nir_ssa_def * addr,
nir_address_format addr_format)
{
  unsigned int num_channels;
  unsigned int swizzle[16];
  unsigned int i;
  struct nir_ssa_def * D.7072;
  unsigned int c;
  struct nir_ssa_def * _9;

  <bb 2> [local count: 1073741824]:
  if (addr_format_3(D) == 3)
    goto <bb 3>; [20.24%]
  else
    goto <bb 4>; [79.76%]

  <bb 3> [local count: 1073741824]:
  c = 0;
  _9 = nir_swizzle (b_5(D), addr_6(D), &c, 1);
  c ={v} {CLOBBER};
  return _9;

  <bb 4> [count: 0]:
  __builtin_unreachable ();
}

that's fine, in WPA we identified that possible values are 3 and 5.
However ./src/gallium/targets/dri/libgallium_dri.so.ltrans65.ltrans.129t.ccp3
optimizes that to:

Folding statement: if (addr_format_3(D) == 3)
which is likely CONSTANT
Folding predicate addr_format_3(D) == 3 to 0
Folded into: if (0 != 0)

which is wrong.

The following code is executed:

          if (flag_tree_bit_ccp)
            {
              wide_int nonzero_bits = get_nonzero_bits (var);
              tree value;
              widest_int mask;

              if (SSA_NAME_VAR (var)
                  && TREE_CODE (SSA_NAME_VAR (var)) == PARM_DECL
                  && ipcp_get_parm_bits (SSA_NAME_VAR (var), &value, &mask))
                {
                  val.lattice_val = CONSTANT;
                  val.value = value;
                  val.mask = mask;
                  if (nonzero_bits != -1)
                    val.mask &= extend_mask (nonzero_bits,
                                             TYPE_SIGN (TREE_TYPE (var)));
                }

where range info for var is:

(gdb) p *ri
$2 = {
  ints = {
    m_precision = 32,
    m_max_len = 1 '\001',
    m_len = "\001\001\001",
    m_val = {3}
  }
}

(gdb) p nonzero_bits.dump()
[0x3], precision = 32

(gdb) p mask.dump()
[...,0x6], precision = 192

(gdb) p debug_tree(value)
 <integer_cst 0x7ffff7268e10 type <enumeral_type 0x7ffff720e738
nir_address_format> constant 5>

So that's we saw in WPA. So far so good, but now these 2 pieces of information
are combined:
                    val.mask &= extend_mask (nonzero_bits,
                                             TYPE_SIGN (TREE_TYPE (var)));

(gdb) p val.mask.dump()
[...,0x2], precision = 192

and folding happens :/

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1

--- Comment #15 from Martin Liška <marxin at gcc dot gnu.org> ---
Ok, I've got a reduced test-case:

$ cat bit-cp-crash.c
int
__attribute__((noinline))
foo(int arg)
{
  if (arg == 3)
    return 1;
  if (arg == 4)
    return 123;

  __builtin_unreachable ();
}

int
__attribute__((noinline))
baz(int x)
{
  if (x != 0)
    return foo(3); /* called */

  return 1;
}

int
__attribute__((noinline))
bar(int x)
{
  if (x == 0)
    return foo(5); /* not executed */

  return 1;
}

int main(int argc, char **argv)
{
  int a = bar(argc);
  int b = baz(argc);

  __builtin_printf ("a: %d\n", a);
  __builtin_printf ("b: %d\n", b);
  if (a != b)
    __builtin_abort ();

  return 0;
}

$ gcc bit-cp-crash.c -O2 -flto && ./a.out 
Segmentation fault (core dumped)

It's a recursive call in:
==14411== Process terminating with default action of signal 11 (SIGSEGV):
dumping core
==14411==  Access not within mapped region at address 0x1FFE801FF8
==14411== Stack overflow in thread #1: can't grow stack to 0x1ffe801000
==14411==    at 0x40118F: baz (in /tmp/a.out)
==14411==  If you believe this happened as a result of a stack
==14411==  overflow in your program's main thread (unlikely but
==14411==  possible), you can try to increase the size of the
==14411==  main thread stack using the --main-stacksize= flag.
==14411==  The main thread stack size used in this run was 8388608.
==14411== Stack overflow in thread #1: can't grow stack to 0x1ffe801000

because:

__attribute__((noinline))
foo (int arg)
{
  <bb 2> [count: 0]:
  __builtin_unreachable ();

}

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #16 from Martin Liška <marxin at gcc dot gnu.org> ---
Honza, can you please take a look? There's a bug in how get_default_value how
nonzero bits are combined with ipcp_get_parm_bits. I can work on that
tomorrow..

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #17 from Martin Liška <marxin at gcc dot gnu.org> ---
I've got a patch candidate, let's see if it's a correct one.

[Bug ipa/96482] [10/11 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #18 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Liska <marxin@gcc.gnu.org>:

https://gcc.gnu.org/g:d58f078ce2d53e5dab6b3d0d5f960504268e1894

commit r11-2675-gd58f078ce2d53e5dab6b3d0d5f960504268e1894
Author: Martin Liska <mliska@suse.cz>
Date:   Wed Aug 12 09:21:51 2020 +0200

    ipa: fix bit CPP when combined with IPA bit CP

    As mentioned in the PR, let's consider the following example:

    int
    __attribute__((noinline))
    foo(int arg)
    {
      if (arg == 3)
        return 1;
      if (arg == 4)
        return 123;

      __builtin_unreachable ();
    }

    during WPA we find all calls of the function
    (yes the call with value 5 is UBSAN):

      Node: foo/0:
        param [0]: 5 [loc_time: 4, loc_size: 2, prop_time: 0, prop_size: 0]
                   3 [loc_time: 3, loc_size: 3, prop_time: 0, prop_size: 0]
             ctxs: VARIABLE
             Bits: value = 0x5, mask = 0x6

    in LTRANS we have the following VRP info:

      # RANGE [3, 3] NONZERO 3

    when we AND masks in get_default_value we end up with 6 & 3 = 2 (0x010).
    That means the only second (least significant bit) is unknown and
    value (5 = 0x101) & ~mask gives us either 7 (0x111) or 5 (0x101).

    That's why if (arg_2(D) == 3) gets optimized to false.

    gcc/ChangeLog:

            PR ipa/96482
            * ipa-cp.c (ipcp_bits_lattice::meet_with_1): Drop value bits
            for bits that are unknown.
            (ipcp_bits_lattice::set_to_constant): Likewise.
            * tree-ssa-ccp.c (get_default_value): Add sanity check that
            IPA CP bit info has all bits set to zero in bits that
            are unknown.

    gcc/testsuite/ChangeLog:

            PR ipa/96482
            * gcc.dg/ipa/pr96482.c: New test.

[Bug ipa/96482] [10 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Known to fail|                            |10.2.1
      Known to work|                            |11.0
            Summary|[10/11 Regression]          |[10 Regression] Combination
                   |Combination of              |of -finline-small-functions
                   |-finline-small-functions    |and ipa-cp optimisations
                   |and ipa-cp optimisations    |causes incorrect values
                   |causes incorrect values     |being passed to a function
                   |being passed to a function  |since r279523
                   |since r279523               |

--- Comment #19 from Martin Liška <marxin at gcc dot gnu.org> ---
Fixed on master so far.

[Bug ipa/96482] [10 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #20 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Martin Liska
<marxin@gcc.gnu.org>:

https://gcc.gnu.org/g:66780083a0e79e5cb7c3acc8665aa47be4084a67

commit r10-8614-g66780083a0e79e5cb7c3acc8665aa47be4084a67
Author: Martin Liska <mliska@suse.cz>
Date:   Wed Aug 12 09:21:51 2020 +0200

    ipa: fix bit CPP when combined with IPA bit CP

    As mentioned in the PR, let's consider the following example:

    int
    __attribute__((noinline))
    foo(int arg)
    {
      if (arg == 3)
        return 1;
      if (arg == 4)
        return 123;

      __builtin_unreachable ();
    }

    during WPA we find all calls of the function
    (yes the call with value 5 is UBSAN):

      Node: foo/0:
        param [0]: 5 [loc_time: 4, loc_size: 2, prop_time: 0, prop_size: 0]
                   3 [loc_time: 3, loc_size: 3, prop_time: 0, prop_size: 0]
             ctxs: VARIABLE
             Bits: value = 0x5, mask = 0x6

    in LTRANS we have the following VRP info:

      # RANGE [3, 3] NONZERO 3

    when we AND masks in get_default_value we end up with 6 & 3 = 2 (0x010).
    That means the only second (least significant bit) is unknown and
    value (5 = 0x101) & ~mask gives us either 7 (0x111) or 5 (0x101).

    That's why if (arg_2(D) == 3) gets optimized to false.

    gcc/ChangeLog:

            PR ipa/96482
            * ipa-cp.c (ipcp_bits_lattice::meet_with_1): Drop value bits
            for bits that are unknown.
            (ipcp_bits_lattice::set_to_constant): Likewise.
            * tree-ssa-ccp.c (get_default_value): Add sanity check that
            IPA CP bit info has all bits set to zero in bits that
            are unknown.

    gcc/testsuite/ChangeLog:

            PR ipa/96482
            * gcc.dg/ipa/pr96482.c: New test.

    (cherry picked from commit d58f078ce2d53e5dab6b3d0d5f960504268e1894)

[Bug ipa/96482] [10 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #21 from Martin Liška <marxin at gcc dot gnu.org> ---
Fixed on all branches.

[Bug ipa/96482] [10 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #22 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Liska <marxin@gcc.gnu.org>:

https://gcc.gnu.org/g:f91770216eade83f068528c1e4f00e2ac3b23044

commit r11-2686-gf91770216eade83f068528c1e4f00e2ac3b23044
Author: Martin Liska <mliska@suse.cz>
Date:   Thu Aug 13 09:38:41 2020 +0200

    ipa: fix ICE in get_default_value

    The patch aligns code with ipcp_bits_lattice::set_to_constant
    where we properly mask m_value with m_mask. The same should
    be done here.

    gcc/ChangeLog:

            PR ipa/96482
            * ipa-cp.c (ipcp_bits_lattice::meet_with_1): Mask m_value
            with m_mask.

    gcc/testsuite/ChangeLog:

            PR ipa/96482
            * gcc.dg/ipa/pr96482-2.c: New test.

[Bug ipa/96482] [10 Regression] Combination of -finline-small-functions and ipa-cp optimisations causes incorrect values being passed to a function since r279523

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=96482

--- Comment #23 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Martin Liska
<marxin@gcc.gnu.org>:

https://gcc.gnu.org/g:4a2371497e9bed64aa4f46169127f3ea8e32e726

commit r10-8618-g4a2371497e9bed64aa4f46169127f3ea8e32e726
Author: Martin Liska <mliska@suse.cz>
Date:   Thu Aug 13 09:38:41 2020 +0200

    ipa: fix ICE in get_default_value

    The patch aligns code with ipcp_bits_lattice::set_to_constant
    where we properly mask m_value with m_mask. The same should
    be done here.

    gcc/ChangeLog:

            PR ipa/96482
            * ipa-cp.c (ipcp_bits_lattice::meet_with_1): Mask m_value
            with m_mask.

    gcc/testsuite/ChangeLog:

            PR ipa/96482
            * gcc.dg/ipa/pr96482-2.c: New test.

    (cherry picked from commit f91770216eade83f068528c1e4f00e2ac3b23044)