From: "slyfox at gcc dot gnu.org"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug gcov-profile/97461] New: allocate_gcov_kvp() deadlocks in firefox LTO+PGO build (overridden malloc() recursion)
Date: Fri, 16 Oct 2020 15:03:23 +0000

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=97461

            Bug ID: 97461
           Summary: allocate_gcov_kvp() deadlocks in firefox LTO+PGO build
                    (overridden malloc() recursion)
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: gcov-profile
          Assignee: unassigned at gcc dot gnu.org
          Reporter: slyfox at gcc dot gnu.org
                CC: marxin at gcc dot gnu.org
  Target Milestone: ---

The single-file example is extracted from a firefox-81 build hangup (LTO+PGO flavour).
Here is the single-file reproducer that converts the hangup into a crash:

// gcc-11.0.0 a.c -o a -fprofile-generate -ggdb3 && ./a
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

static int malloc_depth = 0;
static char memory[128 * 1024];
static size_t memory_p = 0;

void f1(void) {}
void f2(void) {}

typedef void (*fun_t)(void);
static const fun_t funs[2] = { f1, f2, };

static void * malloc_impl(size_t size) {
    void * r = &memory[memory_p];
    memory_p += size;

    // force TOPN profile
    funs[size % 2]();
    return r;
}

// Override default malloc, check whether it gets called recursively
void * malloc(size_t size) {
    // Must not be called recursively. Malloc implementation does not support it.
    if (malloc_depth != 0) __builtin_trap();
    ++malloc_depth;
    void * r = malloc_impl(size);
    --malloc_depth;
    return r;
}

// Called from gcov
void *calloc(size_t nmemb, size_t size) {
    // Must not be called recursively. Malloc implementation does not support it.
    if (malloc_depth != 0) __builtin_trap();
    ++malloc_depth;
    void * r = malloc_impl(size * nmemb);
    memset(r, 0, size * nmemb);
    --malloc_depth;
    return r;
}

void free(void *ptr) {}

int main() {
    void * p = malloc(8);
    return p != 0;
}

How to crash:

$ gcc-11.0.0 a.c -o a -ggdb3 && ./a
$ gcc-11.0.0 a.c -o a -fprofile-generate -ggdb3 && ./a
Illegal instruction (core dumped)

Here we have a malloc recursion of malloc()->malloc_internals()->gcov->calloc()->malloc_internals(). malloc() is re-entered twice:

Program received signal SIGILL, Illegal instruction.
0x00005555555565e7 in calloc (nmemb=1, size=24) at a.c:103
103         if (malloc_depth != 0) __builtin_trap();
(gdb) bt
#0  0x00005555555565e7 in calloc (nmemb=1, size=24) at a.c:103
#1  0x0000555555556cf3 in allocate_gcov_kvp () at /var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov.h:441
#2  gcov_topn_add_value (count=1, increment_total=1, use_atomic=0, value=721827547, counters=0x55555557b660 <__gcov4.malloc_impl>) at /var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov.h:489
#3  __gcov_topn_values_profiler_body (use_atomic=0, value=721827547, counters=0x55555557b660 <__gcov4.malloc_impl>) at /var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov-profiler.c:103
#4  __gcov_indirect_call_profiler_body (use_atomic=0, cur_func=, value=721827547) at /var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov-profiler.c:163
#5  __gcov_indirect_call_profiler_v4 (value=721827547, cur_func=) at /var/tmp/portage/sys-devel/gcc-11.0.0_pre9999/work/gcc-11.0.0_pre9999/libgcc/libgcov-profiler.c:172
#6  0x000055555555631e in f1 () at a.c:74
#7  0x0000555555556482 in malloc_impl (size=8) at a.c:85
#8  0x0000555555556537 in malloc (size=8) at a.c:95
#9  0x0000555555556760 in main () at a.c:115
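As an added example (not from the bug report and not GCC's libgcov code), here is the allocator-side design the backtrace above motivates: a bump allocator that survives re-entry from an instrumentation callback by serving the nested request from a separate reserve arena instead of trapping or deadlocking. `guarded_calloc`, `profiler_like_hook` and the arena sizes are hypothetical stand-ins for the reproducer's `calloc`/`memory[]` and for gcov's TOPN profiler calling back into the allocator.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

static char main_arena[64 * 1024];     // primary arena, like the reproducer's memory[]
static size_t main_p = 0;
static char reserve_arena[4 * 1024];   // small reserve used only for nested calls
static size_t reserve_p = 0;
static int depth = 0;                  // > 0 while inside guarded_calloc
static int nested_calls = 0;           // re-entrant allocations served so far

typedef void (*hook_t)(void);          // stands in for the profiler callback
static hook_t alloc_hook = 0;

// Bump-allocate from one arena with 16-byte alignment; returns 0 when exhausted
static void *bump(char *arena, size_t cap, size_t *p, size_t size) {
    size_t rounded = (size + 15) & ~(size_t)15;
    if (rounded < size || rounded > cap - *p) return 0;
    void *r = arena + *p;
    *p += rounded;
    return r;
}

void *guarded_calloc(size_t nmemb, size_t size) {
    if (size != 0 && nmemb > SIZE_MAX / size) return 0;  // nmemb*size overflow
    size_t total = nmemb * size;
    void *r;
    if (depth > 0) {
        // Re-entered from the hook: serve from the reserve and do not run the hook again
        nested_calls++;
        r = bump(reserve_arena, sizeof reserve_arena, &reserve_p, total);
    } else {
        depth++;
        r = bump(main_arena, sizeof main_arena, &main_p, total);
        if (alloc_hook) alloc_hook();  // instrumentation may call back into us here
        depth--;
    }
    if (r) memset(r, 0, total);
    return r;
}

// Hypothetical hook behaving like gcov's TOPN profiler: it allocates from inside the allocator
static void profiler_like_hook(void) { (void)guarded_calloc(1, 24); }

// Returns 1 if the outer allocation succeeded, exactly one nested call was served, and depth was restored
int run_demo(void) {
    alloc_hook = profiler_like_hook;
    void *p = guarded_calloc(1, 8);
    return p != 0 && nested_calls == 1 && depth == 0;
}
```

With the reproducer's trap-on-reentry policy the same call chain aborts; here the nested request completes and the outer allocation still returns.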