From: "aldyh at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33
Date: Tue, 13 Oct 2020 09:00:02 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

--- Comment #2 from Aldy Hernandez ---
There's a read of a freed block while accessing the default_slot in
calc_switch_ranges.

  default_slot->intersect (def_range);

It seems the default_slot got swiped from under us, and the valgrind dump
indicates the free came from the get_or_insert in the same function:

  irange *&slot = m_edge_table->get_or_insert (e, &existed);

So it looks like the get_or_insert is actually freeing the value of the
previously allocated default_slot.
Looking down the chain from get_or_insert, we see it calls
hash_table<>::expand, which actually does a free while doing a resize of
sorts:

  if (!m_ggc)
    Allocator ::data_free (oentries);
  else
    ggc_free (oentries);

Not keeping a pointer to the default slot across multiple calls to
get_or_insert fixes the problem, though I do see other seemingly unrelated
valgrind errors:

==967361== Conditional jump or move depends on uninitialised value(s)
==967361==    at 0x22BAB24: sparseset_bit_p(sparseset_def*, unsigned long) (sparseset.h:147)
==967361==    by 0x22BABB7: sparseset_set_bit(sparseset_def*, unsigned long) (sparseset.h:166)
==967361==    by 0x22BCCCA: register_active_defs(df_ref_d*) (fwprop.c:943)
==967361==    by 0x22BCD88: update_df_init(rtx_insn*, rtx_insn*) (fwprop.c:961)
==967361==    by 0x22BCFF5: try_fwprop_subst(df_ref_d*, rtx_def**, rtx_def*, rtx_insn*, bool) (fwprop.c:1028)
==967361==    by 0x22BE0DE: forward_propagate_and_simplify(df_ref_d*, rtx_insn*, rtx_def*) (fwprop.c:1427)
==967361==    by 0x22BE349: forward_propagate_into(df_ref_d*, bool) (fwprop.c:1490)
==967361==    by 0x22BE65E: fwprop(bool) (fwprop.c:1580)
==967361==    by 0x22BE6F3: (anonymous namespace)::pass_rtl_fwprop::execute(function*) (fwprop.c:1615)
==967361==    by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361==    by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
==967361==    by 0x11A33A4: execute_pass_list_1(opt_pass*) (passes.c:2598)
==967361==
==967361== Use of uninitialised value of size 8
==967361==    at 0x22BAB38: sparseset_bit_p(sparseset_def*, unsigned long) (sparseset.h:147)
==967361==    by 0x22BABB7: sparseset_set_bit(sparseset_def*, unsigned long) (sparseset.h:166)
==967361==    by 0x22BCCCA: register_active_defs(df_ref_d*) (fwprop.c:943)
==967361==    by 0x22BCD88: update_df_init(rtx_insn*, rtx_insn*) (fwprop.c:961)
==967361==    by 0x22BCFF5: try_fwprop_subst(df_ref_d*, rtx_def**, rtx_def*, rtx_insn*, bool) (fwprop.c:1028)
==967361==    by 0x22BE0DE: forward_propagate_and_simplify(df_ref_d*, rtx_insn*, rtx_def*) (fwprop.c:1427)
==967361==    by 0x22BE349: forward_propagate_into(df_ref_d*, bool) (fwprop.c:1490)
==967361==    by 0x22BE65E: fwprop(bool) (fwprop.c:1580)
==967361==    by 0x22BE6F3: (anonymous namespace)::pass_rtl_fwprop::execute(function*) (fwprop.c:1615)
==967361==    by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361==    by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
==967361==    by 0x11A33A4: execute_pass_list_1(opt_pass*) (passes.c:2598)
==967361==
==967361== Conditional jump or move depends on uninitialised value(s)
==967361==    at 0x101A415: sparseset_bit_p(sparseset_def*, unsigned long) (sparseset.h:147)
==967361==    by 0x101AEE9: mark_pseudo_regno_live(int) (ira-lives.c:326)
==967361==    by 0x101B187: mark_pseudo_reg_live(rtx_def*, unsigned int) (ira-lives.c:410)
==967361==    by 0x101B1F5: mark_ref_live(df_ref_d*) (ira-lives.c:424)
==967361==    by 0x101DCB6: process_bb_node_lives(ira_loop_tree_node*) (ira-lives.c:1425)
==967361==    by 0xFE97D9: ira_traverse_loop_tree(bool, ira_loop_tree_node*, void (*)(ira_loop_tree_node*), void (*)(ira_loop_tree_node*)) (ira-build.c:1801)
==967361==    by 0x101E9E4: ira_create_allocno_live_ranges() (ira-lives.c:1725)
==967361==    by 0xFEDC33: ira_build() (ira-build.c:3428)
==967361==    by 0xFE229F: ira(_IO_FILE*) (ira.c:5359)
==967361==    by 0xFE2B20: (anonymous namespace)::pass_ira::execute(function*) (ira.c:5672)
==967361==    by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361==    by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
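The slot-invalidation pattern described in the comment above, as an added C++ example that is not GCC code: a flat-array table whose growth reallocates its entries (the way hash_table<>::expand frees the old array), the reported shape that holds default_slot across later get_or_insert calls, and the fixed shape that consumes each slot immediately and fetches the default slot last. Range, Cases, EdgeTable, default_slot_dangles and make_cases are constructed for this example, and the default-range computation is a toy stand-in for what calc_switch_ranges actually computes.

```cpp
#include <utility>
#include <vector>
// Toy stand-in for irange: the closed interval [lo, hi].
struct Range {
  long lo, hi;
  void intersect(const Range &o) { lo = o.lo > lo ? o.lo : lo; hi = o.hi < hi ? o.hi : hi; }
};
using Cases = std::vector<std::pair<int, Range>>;  // (edge id, range) per switch case
// Flat-array table in the spirit of hash_table<>: growth reallocates the whole
// entry array, so a reference it hands out is valid only until the next insert.
struct EdgeTable {
  Cases m_entries;
  Range &get_or_insert(int edge, bool *existed) {
    for (auto &e : m_entries)
      if (e.first == edge) { *existed = true; return e.second; }
    *existed = false;
    m_entries.push_back({edge, Range{-1000, 1000}});  // may free the old array
    return m_entries.back().second;
  }
  auto capacity() const { return m_entries.capacity(); }
};
// The reported shape: take default_slot, insert every case, then use default_slot.
// Returns whether the inserts reallocated (so the held reference now dangles)
// instead of dereferencing it, so it runs without the bad read valgrind flagged.
bool default_slot_dangles(const Cases &cases) {
  EdgeTable t; bool existed;
  Range &default_slot = t.get_or_insert(0, &existed);  // edge 0 = default edge
  auto cap_before = t.capacity();
  for (const auto &c : cases) t.get_or_insert(c.first, &existed).intersect(c.second);
  (void)default_slot;  // default_slot->intersect(def_range) here is the bad read
  return t.capacity() != cap_before;
}
// The fix from the comment: never keep a slot across another get_or_insert().
// Each case slot is consumed immediately and the default slot is fetched last.
Range calc_switch_ranges(const Cases &cases) {
  EdgeTable t; bool existed; long max_hi = -1001;
  for (const auto &c : cases) {
    t.get_or_insert(c.first, &existed).intersect(c.second);
    if (c.second.hi > max_hi) max_hi = c.second.hi;
  }
  Range def_range{max_hi + 1, 1000};                   // toy "values no case covered"
  Range &default_slot = t.get_or_insert(0, &existed);  // no insert follows this
  default_slot.intersect(def_range);
  return default_slot;
}
// Constructed input: n cases on edges 1..n, case i covering [10*i, 10*i + 5].
Cases make_cases(int n) {
  Cases c; for (int i = 1; i <= n; ++i) c.push_back({i, Range{10L * i, 10L * i + 5}}); return c;
}
```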