[Bug tree-optimization/97379] New: [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140)

[Bug tree-optimization/97379] New: [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140)

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

            Bug ID: 97379
           Summary: [11 Regression] Invalid read of size 8 at
                    outgoing_range::calc_switch_ranges(gswitch*)
                    (gimple-range-edge.cc:140)
           Product: gcc
           Version: 10.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: tree-optimization
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: aldyh at gcc dot gnu.org, amacleod at redhat dot com
            Blocks: 63426
  Target Milestone: ---

Created attachment 49349
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49349&action=edit
test-case

The following fails:

$ valgrind --trace-children=yes gcc -Os -c ice.i
==2675== Memcheck, a memory error detector
==2675== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2675== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2675== Command: gcc -Os -c ice.i
==2675== 
==2676== Memcheck, a memory error detector
==2676== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==2676== Using Valgrind-3.16.1 and LibVEX; rerun with -h for copyright info
==2676== Command: /home/marxin/bin/gcc/lib/gcc/x86_64-pc-linux-gnu/11.0.0/cc1
-fpreprocessed ice.i -quiet -dumpbase ice.i -dumpbase-ext .i -mtune=generic
-march=x86-64 -Os -o /tmp/ccmBgOCr.s
==2676== 
==2676== Invalid read of size 8
==2676==    at 0x187853C: outgoing_range::calc_switch_ranges(gswitch*)
(gimple-range-edge.cc:140)
==2676==    by 0x1878A70: outgoing_range::get_edge_range(irange&, gimple*,
edge_def*) (gimple-range-edge.cc:91)
==2676==    by 0x1878DB0: outgoing_range::edge_range_p(irange&, edge_def*)
(gimple-range-edge.cc:193)
==2676==    by 0x1868C65: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*) (gimple-range-gori.cc:995)
==2676==    by 0x1864E4E: ranger_cache::iterative_cache_update(tree_node*)
(gimple-range-cache.cc:636)
==2676==    by 0x186533A: ranger_cache::fill_block_cache(tree_node*,
basic_block_def*, basic_block_def*) (gimple-range-cache.cc:808)
==2676==    by 0x1865ADD: ranger_cache::block_range(irange&, basic_block_def*,
tree_node*, bool) (gimple-range-cache.cc:589)
==2676==    by 0x185E941: gimple_ranger::range_on_entry(irange&,
basic_block_def*, tree_node*) (gimple-range.cc:909)
==2676==    by 0x185F057: gimple_ranger::range_of_expr(irange&, tree_node*,
gimple*) (gimple-range.cc:880)
==2676==    by 0x185FB2B:
gimple_ranger::range_of_non_trivial_assignment(irange&, gimple*) [clone
.part.0] (gimple-range.cc:448)
==2676==    by 0x186039D: range_of_non_trivial_assignment (gimple-range.cc:428)
==2676==    by 0x186039D: gimple_ranger::range_of_range_op(irange&, gimple*)
(gimple-range.cc:415)
==2676==    by 0x186253F: gimple_ranger::calc_stmt(irange&, gimple*,
tree_node*) (gimple-range.cc:369)
==2676==  Address 0x5ba5268 is 200 bytes inside a block of size 2,032 free'd
==2676==    at 0x483A9AB: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2676==    by 0x18791DA: hash_table<hash_map<edge_def*, irange*,
simple_hashmap_traits<default_hash_traits<edge_def*>, irange*> >::hash_entry,
false, xcallocator>::find_slot_with_hash(edge_def* const&, unsigned int,
insert_option) (hash-table.h:964)
==2676==    by 0x18785C6: get_or_insert (hash-map.h:195)
==2676==    by 0x18785C6: outgoing_range::calc_switch_ranges(gswitch*)
(gimple-range-edge.cc:145)
==2676==    by 0x1878A70: outgoing_range::get_edge_range(irange&, gimple*,
edge_def*) (gimple-range-edge.cc:91)
==2676==    by 0x1878DB0: outgoing_range::edge_range_p(irange&, edge_def*)
(gimple-range-edge.cc:193)
==2676==    by 0x1868C65: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*) (gimple-range-gori.cc:995)
==2676==    by 0x1864E4E: ranger_cache::iterative_cache_update(tree_node*)
(gimple-range-cache.cc:636)
==2676==    by 0x186533A: ranger_cache::fill_block_cache(tree_node*,
basic_block_def*, basic_block_def*) (gimple-range-cache.cc:808)
==2676==    by 0x1865ADD: ranger_cache::block_range(irange&, basic_block_def*,
tree_node*, bool) (gimple-range-cache.cc:589)
==2676==    by 0x185E941: gimple_ranger::range_on_entry(irange&,
basic_block_def*, tree_node*) (gimple-range.cc:909)
==2676==    by 0x185F057: gimple_ranger::range_of_expr(irange&, tree_node*,
gimple*) (gimple-range.cc:880)
==2676==    by 0x185FB2B:
gimple_ranger::range_of_non_trivial_assignment(irange&, gimple*) [clone
.part.0] (gimple-range.cc:448)
==2676==  Block was alloc'd at
==2676==    at 0x483BB65: calloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==2676==    by 0x1918134: xcalloc (xmalloc.c:162)
==2676==    by 0x1878CE0: data_alloc (hash-table.h:275)
==2676==    by 0x1878CE0: alloc_entries (hash-table.h:711)
==2676==    by 0x1878CE0: hash_table (hash-table.h:628)
==2676==    by 0x1878CE0: hash_map (hash-map.h:139)
==2676==    by 0x1878CE0: outgoing_range::get_edge_range(irange&, gimple*,
edge_def*) (gimple-range-edge.cc:86)
==2676==    by 0x1878DB0: outgoing_range::edge_range_p(irange&, edge_def*)
(gimple-range-edge.cc:193)
==2676==    by 0x1868C65: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*) (gimple-range-gori.cc:995)
==2676==    by 0x1864E4E: ranger_cache::iterative_cache_update(tree_node*)
(gimple-range-cache.cc:636)
==2676==    by 0x186533A: ranger_cache::fill_block_cache(tree_node*,
basic_block_def*, basic_block_def*) (gimple-range-cache.cc:808)
==2676==    by 0x1865ADD: ranger_cache::block_range(irange&, basic_block_def*,
tree_node*, bool) (gimple-range-cache.cc:589)
==2676==    by 0x185E941: gimple_ranger::range_on_entry(irange&,
basic_block_def*, tree_node*) (gimple-range.cc:909)
==2676==    by 0x185F057: gimple_ranger::range_of_expr(irange&, tree_node*,
gimple*) (gimple-range.cc:880)
==2676==    by 0x185FB2B:
gimple_ranger::range_of_non_trivial_assignment(irange&, gimple*) [clone
.part.0] (gimple-range.cc:448)
==2676==    by 0x186039D: range_of_non_trivial_assignment (gimple-range.cc:428)
==2676==    by 0x186039D: gimple_ranger::range_of_range_op(irange&, gimple*)
(gimple-range.cc:415)


Referenced Bugs:

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=63426
[Bug 63426] [meta-bug] Issues found with -fsanitize=undefined

[Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Last reconfirmed|                            |2020-10-12
            Summary|[11 Regression] Invalid     |[11 Regression] Invalid
                   |read of size 8 at           |read of size 8 at
                   |outgoing_range::calc_switch |outgoing_range::calc_switch
                   |_ranges(gswitch*)           |_ranges(gswitch*)
                   |(gimple-range-edge.cc:140)  |(gimple-range-edge.cc:140)
                   |                            |since
                   |                            |r11-3685-gfcae5121154d1c33
   Target Milestone|---                         |11.0
     Ever confirmed|0                           |1
             Status|UNCONFIRMED                 |NEW

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with r11-3685-gfcae5121154d1c33.

[Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33

[rguenth at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1

[Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

--- Comment #2 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
There's a read of a freed block while accessing the default_slot in
calc_switch_ranges.

      default_slot->intersect (def_range);

It seems the default_slot got swiped from under us, and the valgrind
dump indicates the free came from the get_or_insert in the same
function:

      irange *&slot = m_edge_table->get_or_insert (e, &existed);

So it looks like the get_or_insert is actually freeing the value of
the previously allocated default_slot.  Looking down the chain
from get_or_insert, we see it calls hash_table<>::expand, which
actually does a free while doing a resize of sorts:

  if (!m_ggc)
    Allocator <value_type> ::data_free (oentries);
  else
    ggc_free (oentries);

Not keeping a pointer to the default slot across multiple calls to
get_or_insert fixes the problem, though I do see other seemingly unrelated
valgrind errors:

==967361== Conditional jump or move depends on uninitialised value(s)
==967361==    at 0x22BAB24: sparseset_bit_p(sparseset_def*, unsigned long)
(sparseset.h:147)
==967361==    by 0x22BABB7: sparseset_set_bit(sparseset_def*, unsigned long)
(sparseset.h:166)
==967361==    by 0x22BCCCA: register_active_defs(df_ref_d*) (fwprop.c:943)
==967361==    by 0x22BCD88: update_df_init(rtx_insn*, rtx_insn*) (fwprop.c:961)
==967361==    by 0x22BCFF5: try_fwprop_subst(df_ref_d*, rtx_def**, rtx_def*,
rtx_insn*, bool) (fwprop.c:1028)
==967361==    by 0x22BE0DE: forward_propagate_and_simplify(df_ref_d*,
rtx_insn*, rtx_def*) (fwprop.c:1427)
==967361==    by 0x22BE349: forward_propagate_into(df_ref_d*, bool)
(fwprop.c:1490)
==967361==    by 0x22BE65E: fwprop(bool) (fwprop.c:1580)
==967361==    by 0x22BE6F3: (anonymous
namespace)::pass_rtl_fwprop::execute(function*) (fwprop.c:1615)
==967361==    by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361==    by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
==967361==    by 0x11A33A4: execute_pass_list_1(opt_pass*) (passes.c:2598)
==967361==
==967361== Use of uninitialised value of size 8
==967361==    at 0x22BAB38: sparseset_bit_p(sparseset_def*, unsigned long)
(sparseset.h:147)
==967361==    by 0x22BABB7: sparseset_set_bit(sparseset_def*, unsigned long)
(sparseset.h:166)
==967361==    by 0x22BCCCA: register_active_defs(df_ref_d*) (fwprop.c:943)
==967361==    by 0x22BCD88: update_df_init(rtx_insn*, rtx_insn*) (fwprop.c:961)
==967361==    by 0x22BCFF5: try_fwprop_subst(df_ref_d*, rtx_def**, rtx_def*,
rtx_insn*, bool) (fwprop.c:1028)
==967361==    by 0x22BE0DE: forward_propagate_and_simplify(df_ref_d*,
rtx_insn*, rtx_def*) (fwprop.c:1427)
==967361==    by 0x22BE349: forward_propagate_into(df_ref_d*, bool)
(fwprop.c:1490)
==967361==    by 0x22BE65E: fwprop(bool) (fwprop.c:1580)
==967361==    by 0x22BE6F3: (anonymous
namespace)::pass_rtl_fwprop::execute(function*) (fwprop.c:1615)
==967361==    by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361==    by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)
==967361==    by 0x11A33A4: execute_pass_list_1(opt_pass*) (passes.c:2598)
==967361==
==967361== Conditional jump or move depends on uninitialised value(s)
==967361==    at 0x101A415: sparseset_bit_p(sparseset_def*, unsigned long)
(sparseset.h:147)
==967361==    by 0x101AEE9: mark_pseudo_regno_live(int) (ira-lives.c:326)
==967361==    by 0x101B187: mark_pseudo_reg_live(rtx_def*, unsigned int)
(ira-lives.c:410)
==967361==    by 0x101B1F5: mark_ref_live(df_ref_d*) (ira-lives.c:424)
==967361==    by 0x101DCB6: process_bb_node_lives(ira_loop_tree_node*)
(ira-lives.c:1425)
==967361==    by 0xFE97D9: ira_traverse_loop_tree(bool, ira_loop_tree_node*,
void (*)(ira_loop_tree_node*), void (*)(ira_loop_tree_node*))
(ira-build.c:1801)
==967361==    by 0x101E9E4: ira_create_allocno_live_ranges() (ira-lives.c:1725)
==967361==    by 0xFEDC33: ira_build() (ira-build.c:3428)
==967361==    by 0xFE229F: ira(_IO_FILE*) (ira.c:5359)
==967361==    by 0xFE2B20: (anonymous namespace)::pass_ira::execute(function*)
(ira.c:5672)
==967361==    by 0x11A304E: execute_one_pass(opt_pass*) (passes.c:2509)
==967361==    by 0x11A3373: execute_pass_list_1(opt_pass*) (passes.c:2597)

[Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

--- Comment #3 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
Created attachment 49361
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49361&action=edit
proposed patch in testing

[Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

--- Comment #4 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Aldy Hernandez <aldyh@gcc.gnu.org>:

https://gcc.gnu.org/g:739526a19deaeac19c2429cc7567052834d3098e

commit r11-3852-g739526a19deaeac19c2429cc7567052834d3098e
Author: Aldy Hernandez <aldyh@redhat.com>
Date:   Tue Oct 13 04:40:20 2020 -0400

    Do not save hash slots across calls to hash_table::get_or_insert.

    There's a read of a freed block while accessing the default_slot in
    calc_switch_ranges.

          default_slot->intersect (def_range);

    It seems the default_slot got swiped from under us, and the valgrind
    dump indicates the free came from the get_or_insert in the same
    function:

          irange *&slot = m_edge_table->get_or_insert (e, &existed);

    So it looks like the get_or_insert is actually freeing the value of
    the previously allocated default_slot.  Looking down the chain
    from get_or_insert, we see it calls hash_table<>::expand, which
    actually does a free while doing a resize of sorts:

      if (!m_ggc)
        Allocator <value_type> ::data_free (oentries);
      else
        ggc_free (oentries);

    This patch avoids keeping a pointer to the default_slot across multiple
    calls to get_or_insert in the loop.

    gcc/ChangeLog:

            PR tree-optimization/97379
            * gimple-range-edge.cc (outgoing_range::calc_switch_ranges): Do
            not save hash slot across calls to hash_table<>::get_or_insert.

[Bug tree-optimization/97379] [11 Regression] Invalid read of size 8 at outgoing_range::calc_switch_ranges(gswitch*) (gimple-range-edge.cc:140) since r11-3685-gfcae5121154d1c33

[aldyh at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97379

Aldy Hernandez <aldyh at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #5 from Aldy Hernandez <aldyh at gcc dot gnu.org> ---
fixed