[Bug target/97054] New: [r10-3559 Regression] Runtime segfault with attached test code

[Bug target/97054] New: [r10-3559 Regression] Runtime segfault with attached test code

[skpgkp2 at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97054

            Bug ID: 97054
           Summary: [r10-3559 Regression] Runtime segfault with attached
                    test code
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: skpgkp2 at gmail dot com
                CC: crazylht at gmail dot com, hjl.tools at gmail dot com
  Target Milestone: ---

Created attachment 49218
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49218&action=edit
reproducer test case.

Test case attached.

How to reproduce:

$g++ -fno-strict-aliasing -msse4.2 -mfpmath=sse  -gdwarf-2 -Wall
-Wwrite-strings -fPIC -Wformat-security -fstack-protector-strong -O2
-Wfatal-errors  -Wformat -Werror -Wundef  repro.cc && ./a.out
Segmentation fault (core dumped)

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /local/skpandey/gccwork/toolwork/a.out 

Program received signal SIGSEGV, Segmentation fault.
0x00000000004011b0 in p2_ep_REBIND_IPC () at repro.cc:55
55              cur_pro->pc_RIP.i64 = code_lin_to_log(cur_pro,
int2linaddr(cur_pro, ipc));
(gdb) disass
Dump of assembler code for function p2_ep_REBIND_IPC():
   0x0000000000401180 <+0>:     push   %r15
   0x0000000000401182 <+2>:     push   %r12
   0x0000000000401184 <+4>:     mov    %rbp,%r12
   0x0000000000401187 <+7>:     mov    %r12,%rdi
   0x000000000040118a <+10>:    sub    $0x18,%rsp
   0x000000000040118e <+14>:    mov    $0x4040a0,%r15
   0x0000000000401195 <+21>:    mov    0x10(%rbp),%rbp
   0x0000000000401199 <+25>:    mov    (%r15),%rsi
   0x000000000040119c <+28>:    mov    %rbp,0x8(%rsp)
   0x00000000004011a1 <+33>:    mov    %rsi,0x30(%r12)
   0x00000000004011a6 <+38>:    mov    %rsi,0x8(%r12)
   0x00000000004011ab <+43>:    callq  0x401150 <int2linaddr(processor_t*,
p2_icode_t const*)>
=> 0x00000000004011b0 <+48>:    movq   $0x0,0x10(%rbp)
   0x00000000004011b8 <+56>:    mov    %rbp,%rdi
   0x00000000004011bb <+59>:    callq  0x401160 <turbo_clear(processor*)>
   0x00000000004011c0 <+64>:    mov    %rbp,%rdi
   0x00000000004011c3 <+67>:    mov    0x8(%rsp),%rbp
   0x00000000004011c8 <+72>:    mov    %rbp,%rsi
   0x00000000004011cb <+75>:    callq  0x401170
<x86_log_to_icode_exec(processor_t*, la_t)>
   0x00000000004011d0 <+80>:    addq   $0x4,(%r15)
   0x00000000004011d4 <+84>:    xor    %edx,%edx
   0x00000000004011d6 <+86>:    mov    %rax,0x30(%r12)
   0x00000000004011db <+91>:    subl   $0x1,0x4(%rbp)
   0x00000000004011df <+95>:    mov    0x4(%rbp),%eax
   0x00000000004011e2 <+98>:    test   %eax,%eax
   0x00000000004011e4 <+100>:   movsbl 0x0(%rbp),%eax
   0x00000000004011e8 <+104>:   setle  %dl
   0x00000000004011eb <+107>:   or     %eax,%edx
   0x00000000004011ed <+109>:   jne    0x4011f5 <p2_ep_REBIND_IPC()+117>
   0x00000000004011ef <+111>:   mov    (%r15),%rax
   0x00000000004011f2 <+114>:   mov    (%rax),%r13d
   0x00000000004011f5 <+117>:   add    $0x18,%rsp
   0x00000000004011f9 <+121>:   xor    %eax,%eax
   0x00000000004011fb <+123>:   pop    %r12
   0x00000000004011fd <+125>:   pop    %r15
   0x00000000004011ff <+127>:   retq   
End of assembler dump.



Configured with: ../../gcc/configure
--prefix=/local/skpandey/gccwork/toolwork/gcc-bisect-master/master/r10-3559/usr
--enable-clocale=gnu --with-system-zlib --with-demangler-in-ld
--with-fpmath=sse --disable-libsanitizer --enable-languages=c,c++,fortran
--enable-cet --without-isl --enable-libmpx --disable-bootstrap

1bcb4c4faa4bd6b1c917c75b100d618faf9e628c is the first bad commit
commit 1bcb4c4faa4bd6b1c917c75b100d618faf9e628c
Author: Richard Sandiford <richard.sandiford@arm.com>
Date:   Wed Oct 2 07:37:10 2019 +0000

    [LRA] Don't make eliminable registers live (PR91957)

    One effect of https://gcc.gnu.org/ml/gcc-patches/2019-09/msg00802.html
    was to strengthen the sanity check in lra_assigns so that it checks
    whether reg_renumber is consistent with the whole conflict set.
    This duly tripped on csky for a pseudo that had been allocated
    to the eliminated frame pointer.  (csky doesn't have a separate
    hard frame pointer.)

    lra-lives uses:

    /* Set of hard regs (except eliminable ones) currently live.  */
    static HARD_REG_SET hard_regs_live;

    to track the set of live directly-referenced hard registers, and it
    correctly implements the exclusion when setting up the initial set:

      hard_regs_live &= ~eliminable_regset;

    But later calls to make_hard_regno_live and make_hard_regno_dead
    would process eliminable registers like other registers, recording
    conflicts for them and potentially making them live.  (Note that
    after r266086, make_hard_regno_dead adds conflicts for registers
    that are already marked dead.)  I think this would have had the
    effect of pessimising targets without a separate hard frame pointer.

    2019-10-02  Richard Sandiford  <richard.sandiford@arm.com>

    gcc/
            PR middle-end/91957
            * lra-lives.c (make_hard_regno_dead): Don't record conflicts for
            eliminable registers.
            (make_hard_regno_live): Likewise, and don't make them live.

    From-SVN: r276440

 gcc/ChangeLog   | 7 +++++++
 gcc/lra-lives.c | 6 +++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

[Bug target/97054] [r10-3559 Regression] Runtime segfault with attached test code

[hjl.tools at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97054

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |NEW
                 CC|                            |richard.sandiford at arm dot com
     Ever confirmed|0                           |1
            Version|11.0                        |10.2.0
   Last reconfirmed|                            |2020-09-15
   Target Milestone|---                         |10.3

[Bug middle-end/97054] [10/11 Regression] Runtime segfault with attached test code since r10-3559

[hjl.tools at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97054

--- Comment #1 from H.J. Lu <hjl.tools at gmail dot com> ---
Created attachment 49220
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49220&action=edit
A patch

I am testing this.

[Bug middle-end/97054] [10/11 Regression] Runtime segfault with attached test code since r10-3559

[hjl.tools at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97054

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vmakarov at redhat dot com
           Keywords|                            |patch

--- Comment #2 from H.J. Lu <hjl.tools at gmail dot com> ---
A patch is posted at

https://gcc.gnu.org/pipermail/gcc-patches/2020-September/553968.html

[Bug middle-end/97054] [10/11 Regression] Runtime segfault with attached test code since r10-3559

[hjl.tools at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97054

--- Comment #3 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed in GCC 11 by

commit 3c7c5f1d4a4b8328fb4c07483cdbfe4ea7762155
Author: Richard Sandiford <richard.sandiford@arm.com>
Date:   Fri Sep 18 16:55:45 2020 +0100

    ira: Fix elimination for global hard FPs [PR91957]

[Bug middle-end/97054] [10/11 Regression] Runtime segfault with attached test code since r10-3559

[hjl.tools at gmail dot com]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97054

H.J. Lu <hjl.tools at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #4 from H.J. Lu <hjl.tools at gmail dot com> ---
Fixed for GCC 10.3 by

commit 6959f60cb276ad530917c2d039d9edc19fefa216
Author: Richard Sandiford <richard.sandiford@arm.com>
Date:   Fri Sep 18 16:55:45 2020 +0100

    ira: Fix elimination for global hard FPs [PR97054]

    If the hard frame pointer is being used as a global register,
    we should skip the usual handling for eliminations.  As the
    comment says, the register cannot in that case be eliminated
    (or eliminated to) and is already marked live where appropriate.

    Doing this removes the duplicate error for gcc.target/i386/pr82673.c.
    The “cannot be used in 'asm' here” message is meant to be for asm
    statements rather than register asms, and the function that the
    error is reported against doesn't use asm.

    gcc/
    2020-09-18  Richard Sandiford  <richard.sandiford@arm.com>

            PR middle-end/97054
            * ira.c (ira_setup_eliminable_regset): Skip the special elimination
            handling of the hard frame pointer if the hard frame pointer is
fixed.

    gcc/testsuite/
    2020-09-18  H.J. Lu  <hjl.tools@gmail.com>
                Richard Sandiford  <richard.sandiford@arm.com>

            PR middle-end/97054
            * g++.target/i386/pr97054.C: New test.
            * gcc.target/i386/pr82673.c: Remove redundant extra message.

    (cherry picked from commit 3c7c5f1d4a4b8328fb4c07483cdbfe4ea7762155)