[Bug gcov-profile/97461] New: allocate_gcov_kvp() deadlocks in firefox LTO+PGO build (overridden malloc() recursion)

public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed

From: "slyfox at gcc dot gnu.org" <gcc-bugzilla@gcc.gnu.org>
To: gcc-bugs@gcc.gnu.org
Subject: [Bug gcov-profile/97461] New: allocate_gcov_kvp() deadlocks in firefox LTO+PGO build (overridden malloc() recursion)
Date: Fri, 16 Oct 2020 15:03:23 +0000	[thread overview]
Message-ID: <bug-97461-4@http.gcc.gnu.org/bugzilla/> (raw)

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97461

            Bug ID: 97461
           Summary: allocate_gcov_kvp() deadlocks in firefox LTO+PGO build
                    (overridden malloc() recursion)
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: gcov-profile
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
                CC: marxin at gcc dot gnu.org
  Target Milestone: ---

Single-file example is extracted from firefox-81 build hangup (LTO+PGO
flavour).

Here is the single-file reproducer that converts hangup to a crash:

// gcc-11.0.0 a.c -o a -fprofile-generate -ggdb3 && ./a

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static int malloc_depth = 0;

static char memory[128* 1024];
static size_t memory_p = 0;

void f1(void) {}
void f2(void) {}

typedef void (*fun_t)(void);
static const fun_t funs[2] = { f1, f2, };

static void * malloc_impl(size_t size) {
    void * r = &memory[memory_p];
    memory_p += size;

    // force TOPN profile
    funs[size % 2]();
    return r;
}

// Override default malloc, check it it get s called recursively
void * malloc(size_t size) {
    // Must not be called recursively. Malloc implementation does not support
it.
    if (malloc_depth != 0) __builtin_trap();

    ++malloc_depth;
      void * r = malloc_impl(size);
    --malloc_depth;
    return r;
}

// Called from gcov
void *calloc(size_t nmemb, size_t size) {
    // Must not be called recursively.  Malloc implementation does not support
it.
    if (malloc_depth != 0) __builtin_trap();

    ++malloc_depth;
      void * r = malloc_impl(size * nmemb);
      memset(r, 0, size * nmemb);
    --malloc_depth;
    return r;
}

void free(void *ptr){}

int main() {
    void * p = malloc(8);
    return p != 0;
}

How to crash:

$ gcc-11.0.0 a.c -o a -ggdb3 && ./a
$ gcc-11.0.0 a.c -o a -fprofile-generate -ggdb3 && ./a
Illegal instruction (core dumped)

Here we have a malloc recursion of
    malloc()->malloc_internals()->gcov->calloc()->malloc_internals().

malloc() is re-entered twice:

Program received signal SIGILL, Illegal instruction.
0x00005555555565e7 in calloc (nmemb=1, size=24) at a.c:103
103         if (malloc_depth != 0) __builtin_trap();
(gdb) bt
#0  0x00005555555565e7 in calloc (nmemb=1, size=24) at a.c:103
#1  0x0000555555556cf3 in allocate_gcov_kvp () at
/var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov.h:441
#2  gcov_topn_add_value (count=1, increment_total=1, use_atomic=0,
value=721827547, counters=0x55555557b660 <__gcov4.malloc_impl>) at
/var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov.h:489
#3  __gcov_topn_values_profiler_body (use_atomic=0, value=721827547,
counters=0x55555557b660 <__gcov4.malloc_impl>) at
/var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov-profiler.c:103
#4  __gcov_indirect_call_profiler_body (use_atomic=0, cur_func=<optimized out>,
value=721827547) at
/var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov-profiler.c:163
#5  __gcov_indirect_call_profiler_v4 (value=721827547, cur_func=<optimized
out>) at
/var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov-profiler.c:172
#6  0x000055555555631e in f1 () at a.c:74
#7  0x0000555555556482 in malloc_impl (size=8) at a.c:85
#8  0x0000555555556537 in malloc (size=8) at a.c:95
#9  0x0000555555556760 in main () at a.c:115

next             reply	other threads:[~2020-10-16 15:03 UTC|newest]

Thread overview: 37+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-10-16 15:03 slyfox at gcc dot gnu.org [this message]
2020-10-16 15:05 ` [Bug gcov-profile/97461] " slyfox at gcc dot gnu.org
2020-10-16 15:09 ` slyfox at gcc dot gnu.org
2020-10-16 15:16 ` slyfox at gcc dot gnu.org
2020-10-19  7:12 ` [Bug gcov-profile/97461] [11 Regression] " marxin at gcc dot gnu.org
2020-10-19  7:15 ` rguenth at gcc dot gnu.org
2020-10-19 13:42 ` marxin at gcc dot gnu.org
2020-10-19 13:46   ` Jan Hubicka
2020-10-19 13:46 ` hubicka at ucw dot cz
2020-10-19 14:15 ` marxin at gcc dot gnu.org
2020-10-19 14:51   ` Jan Hubicka
2020-10-19 14:52 ` hubicka at ucw dot cz
2020-10-19 14:58 ` marxin at gcc dot gnu.org
2020-10-27 10:50 ` cvs-commit at gcc dot gnu.org
2020-10-27 10:50 ` marxin at gcc dot gnu.org
2020-10-27 22:18 ` slyfox at gcc dot gnu.org
2020-10-29 10:19 ` marxin at gcc dot gnu.org
2020-10-29 14:53 ` slyfox at gcc dot gnu.org
2020-10-29 15:00 ` marxin at gcc dot gnu.org
2020-10-29 15:05 ` marxin at gcc dot gnu.org
2020-10-29 18:54 ` marxin at gcc dot gnu.org
2020-10-29 19:11 ` jakub at gcc dot gnu.org
2020-10-30  8:45 ` slyfox at gcc dot gnu.org
2020-10-30 23:37 ` slyfox at gcc dot gnu.org
2020-11-06 13:47 ` cvs-commit at gcc dot gnu.org
2020-11-06 13:49 ` marxin at gcc dot gnu.org
2020-11-09  9:57 ` marxin at gcc dot gnu.org
2020-12-04  7:01 ` marxin at gcc dot gnu.org
2021-01-21  9:26 ` rguenth at gcc dot gnu.org
2021-01-26 11:51 ` marxin at gcc dot gnu.org
2021-03-03 13:22 ` cvs-commit at gcc dot gnu.org
2021-03-03 13:27 ` marxin at gcc dot gnu.org
2021-03-03 13:31 ` jakub at gcc dot gnu.org
2021-03-03 14:49 ` marxin at gcc dot gnu.org
2021-03-03 15:14 ` lh_mouse at 126 dot com
2021-03-05 18:11 ` slyfox at gcc dot gnu.org
2021-03-06  8:19 ` marxin at gcc dot gnu.org

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=bug-97461-4@http.gcc.gnu.org/bugzilla/ \
    --to=gcc-bugzilla@gcc.gnu.org \
    --cc=gcc-bugs@gcc.gnu.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).