public inbox for gcc-bugs@sourceware.org
* [Bug tree-optimization/97379] New: [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140)
@ 2020-10-12 8:40 marxin at gcc dot gnu.org
2020-10-12 8:40 ` [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33 marxin at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-10-12 8:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
Bug ID: 97379
Summary: [11 Regression] Invalid read of size 8 at
outgoing_range::calc_switch_ranges(gswitch*)
(gimple-range-edge.cc:140)
Product: gcc
Version: 10.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: aldyh at gcc dot gnu.org, amacleod at redhat dot com
Blocks: 63426
Target Milestone: ---
Created attachment 49349
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49349&action=edit
test-case
The following fails:
$ valgrind --trace-children=yes gcc -Os -c ice.i
==2675== Memcheck, a memory error detector
==2675== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2675== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2675== Command: gcc -Os -c ice.i
==2675==
==2676== Memcheck, a memory error detector
==2676== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2676== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2676== Command: /home/marxin/bin/gcc/lib/gcc/x86_64-pc-linux-gnu/11.0.0/cc1
-fpreprocessed ice.i -quiet -dumpbase ice.i -dumpbase-ext .i -mtune=generic
-march=x86-64 -Os -o /tmp/ccmBgOCr.s
==2676==
==2676== Invalid read of size 8
==2676== at 0x187853C: outgoing_range::calc_switch_ranges(gswitch*)
(gimple-range-edge.cc:140)
==2676== by 0x1878A70: outgoing_range::get_edge_range(irange&, gimple*,
edge_def*) (gimple-range-edge.cc:91)
==2676== by 0x1878DB0: outgoing_range::edge_range_p(irange&, edge_def*)
(gimple-range-edge.cc:193)
==2676== by 0x1868C65: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*) (gimple-range-gori.cc:995)
==2676== by 0x1864E4E: ranger_cache::iterative_cache_update(tree_node*)
(gimple-range-cache.cc:636)
==2676== by 0x186533A: ranger_cache::fill_block_cache(tree_node*,
basic_block_def*, basic_block_def*) (gimple-range-cache.cc:808)
==2676== by 0x1865ADD: ranger_cache::block_range(irange&, basic_block_def*,
tree_node*, bool) (gimple-range-cache.cc:589)
==2676== by 0x185E941: gimple_ranger::range_on_entry(irange&,
basic_block_def*, tree_node*) (gimple-range.cc:909)
==2676== by 0x185F057: gimple_ranger::range_of_expr(irange&, tree_node*,
gimple*) (gimple-range.cc:880)
==2676== by 0x185FB2B:
gimple_ranger::range_of_non_trivial_assignment(irange&, gimple*) [clone
.part.0] (gimple-range.cc:448)
==2676== by 0x186039D: range_of_non_trivial_assignment (gimple-range.cc:428)
==2676== by 0x186039D: gimple_ranger::range_of_range_op(irange&, gimple*)
(gimple-range.cc:415)
==2676== by 0x186253F: gimple_ranger::calc_stmt(irange&, gimple*,
tree_node*) (gimple-range.cc:369)
==2676== Address 0x5ba5268 is 200 bytes inside a block of size 2,032 free'd
==2676== at 0x483A9AB: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2676== by 0x18791DA: hash_table<hash_map<edge_def*, irange*,
simple_hashmap_traits<default_hash_traits<edge_def*>, irange*> >::hash_entry,
false, xcallocator>::find_slot_with_hash(edge_def* const&, unsigned int,
insert_option) (hash-table.h:964)
==2676== by 0x18785C6: get_or_insert (hash-map.h:195)
==2676== by 0x18785C6: outgoing_range::calc_switch_ranges(gswitch*)
(gimple-range-edge.cc:145)
==2676== by 0x1878A70: outgoing_range::get_edge_range(irange&, gimple*,
edge_def*) (gimple-range-edge.cc:91)
==2676== by 0x1878DB0: outgoing_range::edge_range_p(irange&, edge_def*)
(gimple-range-edge.cc:193)
==2676== by 0x1868C65: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*) (gimple-range-gori.cc:995)
==2676== by 0x1864E4E: ranger_cache::iterative_cache_update(tree_node*)
(gimple-range-cache.cc:636)
==2676== by 0x186533A: ranger_cache::fill_block_cache(tree_node*,
basic_block_def*, basic_block_def*) (gimple-range-cache.cc:808)
==2676== by 0x1865ADD: ranger_cache::block_range(irange&, basic_block_def*,
tree_node*, bool) (gimple-range-cache.cc:589)
==2676== by 0x185E941: gimple_ranger::range_on_entry(irange&,
basic_block_def*, tree_node*) (gimple-range.cc:909)
==2676== by 0x185F057: gimple_ranger::range_of_expr(irange&, tree_node*,
gimple*) (gimple-range.cc:880)
==2676== by 0x185FB2B:
gimple_ranger::range_of_non_trivial_assignment(irange&, gimple*) [clone
.part.0] (gimple-range.cc:448)
==2676== Block was alloc'd at
==2676== at 0x483BB65: calloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2676== by 0x1918134: xcalloc (xmalloc.c:162)
==2676== by 0x1878CE0: data_alloc (hash-table.h:275)
==2676== by 0x1878CE0: alloc_entries (hash-table.h:711)
==2676== by 0x1878CE0: hash_table (hash-table.h:628)
==2676== by 0x1878CE0: hash_map (hash-map.h:139)
==2676== by 0x1878CE0: outgoing_range::get_edge_range(irange&, gimple*,
edge_def*) (gimple-range-edge.cc:86)
==2676== by 0x1878DB0: outgoing_range::edge_range_p(irange&, edge_def*)
(gimple-range-edge.cc:193)
==2676== by 0x1868C65: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*) (gimple-range-gori.cc:995)
==2676== by 0x1864E4E: ranger_cache::iterative_cache_update(tree_node*)
(gimple-range-cache.cc:636)
==2676== by 0x186533A: ranger_cache::fill_block_cache(tree_node*,
basic_block_def*, basic_block_def*) (gimple-range-cache.cc:808)
==2676== by 0x1865ADD: ranger_cache::block_range(irange&, basic_block_def*,
tree_node*, bool) (gimple-range-cache.cc:589)
==2676== by 0x185E941: gimple_ranger::range_on_entry(irange&,
basic_block_def*, tree_node*) (gimple-range.cc:909)
==2676== by 0x185F057: gimple_ranger::range_of_expr(irange&, tree_node*,
gimple*) (gimple-range.cc:880)
==2676== by 0x185FB2B:
gimple_ranger::range_of_non_trivial_assignment(irange&, gimple*) [clone
.part.0] (gimple-range.cc:448)
==2676== by 0x186039D: range_of_non_trivial_assignment (gimple-range.cc:428)
==2676== by 0x186039D: gimple_ranger::range_of_range_op(irange&, gimple*)
(gimple-range.cc:415)
Referenced Bugs:
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63426
[Bug 63426] [meta-bug] Issues found with -fsanitize=undefined
* [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
From: marxin at gcc dot gnu.org @ 2020-10-12 8:40 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
Martin Liška <marxin at gcc dot gnu.org> changed:
What             |Removed                                                      |Added
-----------------|-------------------------------------------------------------|-------------------------------------------------------------
Last reconfirmed |                                                             |2020-10-12
Summary          |[11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) |[11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
Target Milestone |---                                                          |11.0
Ever confirmed   |0                                                            |1
Status           |UNCONFIRMED                                                  |NEW
--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r11-3685-gfcae5121154d1c33.
* [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
From: rguenth at gcc dot gnu.org @ 2020-10-12 11:42 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P1
* [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
From: aldyh at gcc dot gnu.org @ 2020-10-13 9:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
--- Comment #2 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
There's a read of a freed block while accessing the default_slot in
calc_switch_ranges.
default_slot->intersect (def_range);
It seems the default_slot got swiped from under us, and the valgrind
dump indicates the free came from the get_or_insert in the same
function:
irange *&slot = m_edge_table->get_or_insert (e, &existed);
So it looks like the get_or_insert is actually freeing the value of
the previously allocated default_slot. Looking down the chain
from get_or_insert, we see it calls hash_table<>::expand, which
actually does a free while doing a resize of sorts:
  if (!m_ggc)
    Allocator <value_type> ::data_free (oentries);
  else
    ggc_free (oentries);
Not keeping a pointer to the default slot across multiple calls to
get_or_insert fixes the problem, though I do see other seemingly unrelated
valgrind errors:
==967361== Conditional jump or move depends on uninitialised value(s)
==967361== at 0x22BAB24: sparseset_bit_p(sparseset_def*, unsigned long)
(sparseset.h:147)
==967361== by 0x22BABB7: sparseset_set_bit(sparseset_def*, unsigned long)
(sparseset.h:166)
==967361== by 0x22BCCCA: register_active_defs(df_ref_d*) (fwprop.c:943)
==967361== by 0x22BCD88: update_df_init(rtx_insn*, rtx_insn*) (fwprop.c:961)
==967361== by 0x22BCFF5: try_fwprop_subst(df_ref_d*, rtx_def**, rtx_def*,
rtx_insn*, bool) (fwprop.c:1028)
==967361== by 0x22BE0DE: forward_propagate_and_simplify(df_ref_d*,
rtx_insn*, rtx_def*) (fwprop.c:1427)
==967361== by 0x22BE349: forward_propagate_into(df_ref_d*, bool)
(fwprop.c:1490)
==967361== by 0x22BE65E: fwprop(bool) (fwprop.c:1580)
==967361== by 0x22BE6F3: (anonymous
namespace)::pass_rtl_fwprop::execute(function*) (fwprop.c:1615)
==967361== by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361== by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
==967361== by 0x11A33A4: execute_pass_list_1(opt_pass*) (passes.c:2598)
==967361==
==967361== Use of uninitialised value of size 8
==967361== at 0x22BAB38: sparseset_bit_p(sparseset_def*, unsigned long)
(sparseset.h:147)
==967361== by 0x22BABB7: sparseset_set_bit(sparseset_def*, unsigned long)
(sparseset.h:166)
==967361== by 0x22BCCCA: register_active_defs(df_ref_d*) (fwprop.c:943)
==967361== by 0x22BCD88: update_df_init(rtx_insn*, rtx_insn*) (fwprop.c:961)
==967361== by 0x22BCFF5: try_fwprop_subst(df_ref_d*, rtx_def**, rtx_def*,
rtx_insn*, bool) (fwprop.c:1028)
==967361== by 0x22BE0DE: forward_propagate_and_simplify(df_ref_d*,
rtx_insn*, rtx_def*) (fwprop.c:1427)
==967361== by 0x22BE349: forward_propagate_into(df_ref_d*, bool)
(fwprop.c:1490)
==967361== by 0x22BE65E: fwprop(bool) (fwprop.c:1580)
==967361== by 0x22BE6F3: (anonymous
namespace)::pass_rtl_fwprop::execute(function*) (fwprop.c:1615)
==967361== by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361== by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
==967361== by 0x11A33A4: execute_pass_list_1(opt_pass*) (passes.c:2598)
==967361==
==967361== Conditional jump or move depends on uninitialised value(s)
==967361== at 0x101A415: sparseset_bit_p(sparseset_def*, unsigned long)
(sparseset.h:147)
==967361== by 0x101AEE9: mark_pseudo_regno_live(int) (ira-lives.c:326)
==967361== by 0x101B187: mark_pseudo_reg_live(rtx_def*, unsigned int)
(ira-lives.c:410)
==967361== by 0x101B1F5: mark_ref_live(df_ref_d*) (ira-lives.c:424)
==967361== by 0x101DCB6: process_bb_node_lives(ira_loop_tree_node*)
(ira-lives.c:1425)
==967361== by 0xFE97D9: ira_traverse_loop_tree(bool, ira_loop_tree_node*,
void (*)(ira_loop_tree_node*), void (*)(ira_loop_tree_node*))
(ira-build.c:1801)
==967361== by 0x101E9E4: ira_create_allocno_live_ranges() (ira-lives.c:1725)
==967361== by 0xFEDC33: ira_build() (ira-build.c:3428)
==967361== by 0xFE229F: ira(_IO_FILE*) (ira.c:5359)
==967361== by 0xFE2B20: (anonymous namespace)::pass_ira::execute(function*)
(ira.c:5672)
==967361== by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361== by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
* [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
From: aldyh at gcc dot gnu.org @ 2020-10-13 9:00 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
--- Comment #3 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
Created attachment 49361
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49361&action=edit
proposed patch in testing
* [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
From: cvs-commit at gcc dot gnu.org @ 2020-10-13 15:03 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Aldy Hernandez <aldyh@gcc.gnu.org>:
https://gcc.gnu.org/g:739526a19deaeac19c2429cc7567052834d3098e
commit r11-3852-g739526a19deaeac19c2429cc7567052834d3098e
Author: Aldy Hernandez <aldyh@redhat.com>
Date: Tue Oct 13 04:40:20 2020 -0400
Do not save hash slots across calls to hash_table::get_or_insert.
There's a read of a freed block while accessing the default_slot in
calc_switch_ranges.
default_slot->intersect (def_range);
It seems the default_slot got swiped from under us, and the valgrind
dump indicates the free came from the get_or_insert in the same
function:
irange *&slot = m_edge_table->get_or_insert (e, &existed);
So it looks like the get_or_insert is actually freeing the value of
the previously allocated default_slot. Looking down the chain
from get_or_insert, we see it calls hash_table<>::expand, which
actually does a free while doing a resize of sorts:
  if (!m_ggc)
    Allocator <value_type> ::data_free (oentries);
  else
    ggc_free (oentries);
This patch avoids keeping a pointer to the default_slot across multiple
calls to get_or_insert in the loop.
gcc/ChangeLog:
PR tree-optimization/97379
* gimple-range-edge.cc (outgoing_range::calc_switch_ranges): Do
not save hash slot across calls to hash_table<>::get_or_insert.
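The slot invalidation that Comment #2 and the commit message above describe, as an added example that is not GCC's code: a minimal open-addressing hash map whose get_or_insert() grows and frees its entry array the way hash_table<>::expand does, a function that shows a reference to the default slot taken before the loop going stale as soon as the case inserts trigger a resize, and a safe shape for the same loop (accumulate the default's range in a local, look the default slot up once after the last insert). SlotMap, DEFAULT_KEY, saved_slot_goes_stale and calc_switch_ranges_fixed are hypothetical names; ranges are modelled as 32-bit bitmasks rather than irange, and the safe variant is one correct shape for the loop, not a description of the committed patch.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <functional>
#include <vector>

// Hypothetical stand-in for hash_map<edge_def*, irange*>: int keys, 32-bit
// bitmask values, where bit v set means "value v is possible" (a toy irange).
class SlotMap {
  struct Entry { int key; std::uint32_t value; bool used; };
  Entry *m_entries;
  std::size_t m_size;   // bucket count
  std::size_t m_count;  // used buckets

  // Linear probing: first bucket that is empty or holds `key`.
  std::size_t probe(int key) const {
    std::size_t h = std::hash<int>{}(key) % m_size;
    while (m_entries[h].used && m_entries[h].key != key) h = (h + 1) % m_size;
    return h;
  }

  // Mirrors hash_table<>::expand: allocate a larger array, rehash into it,
  // then free the old one. Every reference handed out before this now dangles.
  void expand() {
    Entry *oentries = m_entries;
    std::size_t osize = m_size;
    m_size *= 2;
    m_entries = static_cast<Entry *>(std::calloc(m_size, sizeof(Entry)));
    for (std::size_t i = 0; i < osize; ++i)
      if (oentries[i].used) m_entries[probe(oentries[i].key)] = oentries[i];
    std::free(oentries);
  }

public:
  explicit SlotMap(std::size_t buckets = 4)
      : m_entries(static_cast<Entry *>(std::calloc(buckets, sizeof(Entry)))),
        m_size(buckets), m_count(0) {}
  ~SlotMap() { std::free(m_entries); }
  SlotMap(const SlotMap &) = delete;
  SlotMap &operator=(const SlotMap &) = delete;

  // Like hash_map::get_or_insert: returns a reference into the entry array.
  // The reference is valid only until the next insert that calls expand().
  std::uint32_t &get_or_insert(int key, bool *existed) {
    std::size_t h = probe(key);
    if (m_entries[h].used) { *existed = true; return m_entries[h].value; }
    if ((m_count + 1) * 4 > m_size * 3) { expand(); h = probe(key); }  // keep load < 3/4
    *existed = false;
    m_entries[h] = Entry{key, 0, true};
    ++m_count;
    return m_entries[h].value;
  }
};

static const int DEFAULT_KEY = 0;  // stand-in for the switch's default edge

// The pattern from the report: a reference to the default slot is taken before
// the loop and used after it. Returns true when the case inserts moved the
// table, i.e. the saved reference now points into freed memory. Only addresses
// are compared here; the stale reference is never dereferenced.
bool saved_slot_goes_stale(int ncases) {
  SlotMap map;
  bool existed;
  auto saved = reinterpret_cast<std::uintptr_t>(&map.get_or_insert(DEFAULT_KEY, &existed));
  for (int k = 1; k <= ncases; ++k) map.get_or_insert(k, &existed);  // may expand()
  auto live = reinterpret_cast<std::uintptr_t>(&map.get_or_insert(DEFAULT_KEY, &existed));
  return saved != live;
}

// A safe shape for the same loop: keep the default's range in a local while
// inserting the case edges, then look the default slot up once, after the
// last insert. Returns the default's final bitmask.
std::uint32_t calc_switch_ranges_fixed(const std::vector<int> &case_keys) {
  SlotMap map;
  bool existed;
  std::uint32_t def_range = ~0u;  // default starts as "varying": every value possible
  for (int k : case_keys) {
    std::uint32_t &slot = map.get_or_insert(k, &existed);  // may expand(); use only here
    slot = 1u << (k % 32);       // this case's range: exactly its label value
    def_range &= ~slot;          // remove the case's range from the default
  }
  std::uint32_t &default_slot = map.get_or_insert(DEFAULT_KEY, &existed);  // fresh lookup
  default_slot = def_range;
  return default_slot;
}

int main() {
  std::printf("saved slot stale after 2 cases: %d, after 3 cases: %d\n",
              saved_slot_goes_stale(2), saved_slot_goes_stale(3));
  std::printf("default range with cases {1,2,3}: 0x%08x\n",
              static_cast<unsigned>(calc_switch_ranges_fixed({1, 2, 3})));
  return 0;
}
```

With four initial buckets the third case insert crosses the 3/4 load threshold, so the address comparison flips from equal to different at exactly that point; in the real bug the same resize is what Valgrind reports as the free() inside find_slot_with_hash. Under Valgrind or AddressSanitizer, dereferencing the saved reference after the resize is flagged as a read of freed memory; the fixed variant never holds a reference across an insert, so no tool is needed to keep it correct.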
* [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
From: aldyh at gcc dot gnu.org @ 2020-10-13 15:08 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379
Aldy Hernandez <aldyh at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #5 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
fixed