[Bug ipa/98078] New: ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[Bug ipa/98078] New: ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

            Bug ID: 98078
           Summary: ICE in cgraph_add_edge_to_call_site_hash, at
                    cgraph.c:698 since r6-1705-gd88511aec7338a93
           Product: gcc
           Version: 11.0
            Status: UNCONFIRMED
          Keywords: ice-on-valid-code
          Severity: normal
          Priority: P3
         Component: ipa
          Assignee: unassigned at gcc dot gnu.org
          Reporter: marxin at gcc dot gnu.org
                CC: jason at redhat dot com, marxin at gcc dot gnu.org
  Target Milestone: ---

Created attachment 49657
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49657&action=edit
test-case

Reduced from dhewm3 package:

$ g++ [12].ii -O2 -flto
1.ii:71:8: warning: ‘void<unnamed class>::FindModel(char*)’ used but never
defined
   71 |   void FindModel(char *);
      |        ^~~~~~~~~
2.ii:10:7: warning: type ‘struct idDeclFX’ violates the C++ One Definition Rule
[-Wodr]
   10 | class idDeclFX : idDecl {
      |       ^
1.ii:78:7: note: a type with the same name but different number of polymorphic
bases is defined in another translation unit
   78 | class idDeclFX {
      |       ^
2.ii:2:7: note: the extra base is defined here
    2 | class idDecl {
      |       ^
during IPA pass: inline
1.ii: In member function ‘ParseSingleFXAction.constprop’:
1.ii:165:24: internal compiler error: in cgraph_add_edge_to_call_site_hash, at
cgraph.c:724
  165 |     ParseSingleFXAction(src, action);
      |                        ^
0x6099ff cgraph_add_edge_to_call_site_hash
        /home/marxin/Programming/gcc/gcc/cgraph.c:724
0x60a7c9 cgraph_add_edge_to_call_site_hash
        /home/marxin/Programming/gcc/gcc/tree.h:3331
0x60a7c9 cgraph_edge::set_call_stmt(cgraph_edge*, gcall*, bool)
        /home/marxin/Programming/gcc/gcc/cgraph.c:855
0x87c0af cgraph_edge::set_call_stmt(cgraph_edge*, gcall*, bool)
        /home/marxin/Programming/gcc/gcc/cgraph.c:820
0x87c39a cgraph_update_edges_for_call_stmt(gimple*, tree_node*, gimple*)
        /home/marxin/Programming/gcc/gcc/cgraph.c:1710
0xd35c4c fold_marked_statements
        /home/marxin/Programming/gcc/gcc/tree-inline.c:5380
0xd476f7 tree_function_versioning(tree_node*, tree_node*, vec<ipa_replace_map*,
va_gc, vl_embed>*, ipa_param_adjustments*, bool, bitmap_head*,
basic_block_def*)
        /home/marxin/Programming/gcc/gcc/tree-inline.c:6412
0x88aeb8 cgraph_node::materialize_clone()
        /home/marxin/Programming/gcc/gcc/cgraphclones.c:1131
0x879485 cgraph_node::get_untransformed_body()
        /home/marxin/Programming/gcc/gcc/cgraph.c:3899
0xd43e57 expand_call_inline
        /home/marxin/Programming/gcc/gcc/tree-inline.c:4842
0xd467f1 gimple_expand_calls_inline
        /home/marxin/Programming/gcc/gcc/tree-inline.c:5280
0xd467f1 optimize_inline_calls(tree_node*)
        /home/marxin/Programming/gcc/gcc/tree-inline.c:5453
0xaa32eb inline_transform(cgraph_node*)
        /home/marxin/Programming/gcc/gcc/ipa-inline-transform.c:790
0xbeaeef execute_one_ipa_transform_pass
        /home/marxin/Programming/gcc/gcc/passes.c:2287
0xbeaeef execute_all_ipa_transforms(bool)
        /home/marxin/Programming/gcc/gcc/passes.c:2334
0x8854ad cgraph_node::expand()
        /home/marxin/Programming/gcc/gcc/cgraphunit.c:1822
0x886a0f expand_all_functions
        /home/marxin/Programming/gcc/gcc/cgraphunit.c:1997
0x886a0f symbol_table::compile()
        /home/marxin/Programming/gcc/gcc/cgraphunit.c:2361
0x7d9e75 lto_main()
        /home/marxin/Programming/gcc/gcc/lto/lto.c:653
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
lto-wrapper: fatal error: g++ returned 1 exit status
compilation terminated.
/usr/bin/ld: error: lto-wrapper failed
collect2: error: ld returned 1 exit status

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #1 from Martin Liška <marxin at gcc dot gnu.org> ---
Created attachment 49658
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=49658&action=edit
test-case 2

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[marxin at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

Martin Liška <marxin at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hubicka at gcc dot gnu.org,
                   |                            |jamborm at gcc dot gnu.org
             Status|UNCONFIRMED                 |NEW
     Ever confirmed|0                           |1
   Last reconfirmed|                            |2020-12-01

--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
Started with Jason's commit, but it would be related to an inlining change I
guess.

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[jamborm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #3 from Martin Jambor <jamborm at gcc dot gnu.org> ---
Here is what happens.  An IPA-CP clone for a particular
devirtualziation context is created but all devirtualziations based on
it are speculative.  Then the clone is inlined at one of its call
sites and the devirtualization turns out to be exactly right.  The
following goes on in cgraph_edge::set_call_stmt which gets a direct
call as the statement.

We end up in the update_speculative condition, which calls itself on
all the corresponding speculative edges.  First at the direct, which
then is removed and inserted into the call hash.  Then at the
indirect, which is not removed from the has because it is not the one
in there.  At this point, we figure out we have a direct call
statement at our hands and so we call make_direct at the edge, which
in turn simply resolves the speculation and returns the direct
branch, which we store to e.

And then we try to add e to call_site_hash, which is already there and
the assert condition does not take that possibility into account.

  (gdb) p/r *slot
  $42 = (cgraph_edge *) 0x7ffff74d6478
  (gdb) p/r e
  $43 = (cgraph_edge *) 0x7ffff74d6478


So the simplest fix is probably just adding
  if (*slot == e)
    return;
before the assert.

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[jamborm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #4 from Martin Jambor <jamborm at gcc dot gnu.org> ---
Actually no, that would be papering over a bigger problem.  After looking at
the issue a bit more, I proposed a patch on the mailing list:
https://gcc.gnu.org/pipermail/gcc-patches/2021-January/563962.html

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #5 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Martin Jambor <jamborm@gcc.gnu.org>:

https://gcc.gnu.org/g:b8188b7d7382e4a74af5dd6a125e76e8d43a68a5

commit r11-7525-gb8188b7d7382e4a74af5dd6a125e76e8d43a68a5
Author: Martin Jambor <mjambor@suse.cz>
Date:   Fri Mar 5 17:25:20 2021 +0100

    ipa: Fix resolving speculations through cgraph_edge::set_call_stmt

    In the PR 98078 testcase, speculative call-graph edges which were
    created by IPA-CP are confirmed during inlining but
    cgraph_edge::set_call_stmt does not take it very well.

    The function enters the update_speculative branch and updates the
    edges in the speculation bundle separately (by a recursive call), but
    when it processes the first direct edge, most of the bundle actually
    ceases to exist because it is devirtualized.  It nevertheless goes on
    to attempt to update the indirect edge (that has just been removed),
    which surprisingly gets as far as adding the edge to the
    call_site_hash, the same devirtualized edge for the second time, and
    that triggers an assert.

    Fixed by this patch which makes the function aware that it is about to
    resolve a speculation and do so instead of updating components of
    speculation.  Also, it does so before dealing with the hash because
    the speculation resolution code needs the hash to point to the first
    speculative direct edge and also cleans the hash up by calling
    update_call_stmt_hash_for_removing_direct_edge.

    Bootstrapped and tested on x86_64-linux, also profile-LTO-bootstrapped
    on the same system.

    gcc/ChangeLog:

    2021-01-20  Martin Jambor  <mjambor@suse.cz>

            PR ipa/98078
            * cgraph.c (cgraph_edge::set_call_stmt): Do not update all
            corresponding speculative edges if we are about to resolve
            sepculation.  Make edge direct (and so resolve speculations) before
            removing it from call_site_hash.
            (cgraph_edge::make_direct): Relax the initial assert to allow
calling
            the function on speculative direct edges.

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[jamborm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #6 from Martin Jambor <jamborm at gcc dot gnu.org> ---
Fixed on master so far (both gcc-10 and gcc-9 branches remain affected).

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #7 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-10 branch has been updated by Martin Jambor
<jamborm@gcc.gnu.org>:

https://gcc.gnu.org/g:27dca33bc5c52971c00d1657560aeabae8f35d18

commit r10-9449-g27dca33bc5c52971c00d1657560aeabae8f35d18
Author: Martin Jambor <mjambor@suse.cz>
Date:   Tue Mar 16 16:42:41 2021 +0100

    ipa: Fix resolving speculations through cgraph_edge::set_call_stmt

    In the PR 98078 testcase, speculative call-graph edges which were
    created by IPA-CP are confirmed during inlining but
    cgraph_edge::set_call_stmt does not take it very well.

    The function enters the update_speculative branch and updates the
    edges in the speculation bundle separately (by a recursive call), but
    when it processes the first direct edge, most of the bundle actually
    ceases to exist because it is devirtualized.  It nevertheless goes on
    to attempt to update the indirect edge (that has just been removed),
    which surprisingly gets as far as adding the edge to the
    call_site_hash, the same devirtualized edge for the second time, and
    that triggers an assert.

    Fixed by this patch which makes the function aware that it is about to
    resolve a speculation and do so instead of updating components of
    speculation.  Also, it does so before dealing with the hash because
    the speculation resolution code needs the hash to point to the first
    speculative direct edge and also cleans the hash up by calling
    update_call_stmt_hash_for_removing_direct_edge.

    Bootstrapped and tested on x86_64-linux, also profile-LTO-bootstrapped
    on the same system.

    gcc/ChangeLog:

    2021-01-20  Martin Jambor  <mjambor@suse.cz>

            PR ipa/98078
            * cgraph.c (cgraph_edge::set_call_stmt): Do not update all
            corresponding speculative edges if we are about to resolve
            sepculation.  Make edge direct (and so resolve speculations) before
            removing it from call_site_hash.
            (cgraph_edge::make_direct): Relax the initial assert to allow
calling
            the function on speculative direct edges.

    (cherry picked from commit b8188b7d7382e4a74af5dd6a125e76e8d43a68a5)

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[cvs-commit at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

--- Comment #8 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The releases/gcc-9 branch has been updated by Martin Jambor
<jamborm@gcc.gnu.org>:

https://gcc.gnu.org/g:25fc4cb3ff7bb86d31ac886e04bbe5dd69db832e

commit r9-9291-g25fc4cb3ff7bb86d31ac886e04bbe5dd69db832e
Author: Martin Jambor <mjambor@suse.cz>
Date:   Wed Mar 17 11:32:50 2021 +0100

    ipa: Fix resolving speculations through cgraph_edge::set_call_stmt

    In the PR 98078 testcase, speculative call-graph edges which were
    created by IPA-CP are confirmed during inlining but
    cgraph_edge::set_call_stmt does not take it very well.

    The function enters the update_speculative branch and updates the
    edges in the speculation bundle separately (by a recursive call), but
    when it processes the first direct edge, most of the bundle actually
    ceases to exist because it is devirtualized.  It nevertheless goes on
    to attempt to update the indirect edge (that has just been removed),
    which surprisingly gets as far as adding the edge to the
    call_site_hash, the same devirtualized edge for the second time, and
    that triggers an assert.

    Fixed by this patch which makes the function aware that it is about to
    resolve a speculation and do so instead of updating components of
    speculation.  Also, it does so before dealing with the hash because
    the speculation resolution code needs the hash to point to the first
    speculative direct edge and also cleans the hash up by calling
    update_call_stmt_hash_for_removing_direct_edge.

    Bootstrapped and tested on x86_64-linux, also profile-LTO-bootstrapped
    on the same system.

    gcc/ChangeLog:

    2021-01-20  Martin Jambor  <mjambor@suse.cz>

            PR ipa/98078
            * cgraph.c (cgraph_edge::set_call_stmt): Do not update all
            corresponding speculative edges if we are about to resolve
            speculation.  Make edge direct (and so resolve speculations) before
            removing it from call_site_hash.
            (cgraph_edge::make_direct): Relax the initial assert to allow
calling
            the function on speculative direct edges.

    (cherry picked from commit b8188b7d7382e4a74af5dd6a125e76e8d43a68a5)

[Bug ipa/98078] ICE in cgraph_add_edge_to_call_site_hash, at cgraph.c:698 since r6-1705-gd88511aec7338a93

[jamborm at gcc dot gnu.org]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98078

Martin Jambor <jamborm at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #9 from Martin Jambor <jamborm at gcc dot gnu.org> ---
Fixed on master and both opened released branches.