public inbox for gcc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug tree-optimization/98192] New: Double free in SLP
@ 2020-12-08 9:06 marxin at gcc dot gnu.org
2020-12-08 9:06 ` [Bug tree-optimization/98192] " marxin at gcc dot gnu.org
` (5 more replies)
0 siblings, 6 replies; 7+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-12-08 9:06 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
Bug ID: 98192
Summary: Double free in SLP
Product: gcc
Version: 11.0
Status: UNCONFIRMED
Keywords: ice-on-valid-code
Severity: normal
Priority: P3
Component: tree-optimization
Assignee: unassigned at gcc dot gnu.org
Reporter: marxin at gcc dot gnu.org
CC: rguenth at gcc dot gnu.org
Target Milestone: ---
Host: x86_64-linux
Target: ppc64le-linux-gnu
One can see it here:
$ valgrind --trace-children=yes ./xgcc -B.
/home/marxin/Programming/gcc/gcc/testsuite/gcc.target/powerpc/vsx-extract-7.c
-O2 -ftree-slp-vectorize -c
...
==14527== Invalid read of size 1
==14527== at 0x132C855: vec<_stmt_vec_info*, va_heap,
vl_ptr>::using_auto_storage() const (vec.h:2126)
==14527== by 0x132B313: vec<_stmt_vec_info*, va_heap, vl_ptr>::release()
(vec.h:1826)
==14527== by 0x15C2FEA: _bb_vec_info::~_bb_vec_info() (tree-vect-slp.c:3401)
==14527== by 0x15C6EB7: vect_slp_region(vec<basic_block_def*, va_heap,
vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*,
unsigned int) (tree-vect-slp.c:4575)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>)
(tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous
namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== by 0x10D75C5: execute_pass_list(function*, opt_pass*)
(passes.c:2667)
==14527== Address 0x5af0153 is 3 bytes inside a block of size 24 free'd
==14527== at 0x483A9AB: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x132C892: void
va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&)
(vec.h:316)
==14527== by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::release()
(vec.h:1832)
==14527== by 0x15BF974: vect_build_slp_instance(vec_info*,
slp_instance_kind, vec<_stmt_vec_info*, va_heap, vl_ptr>, _stmt_vec_info*,
unsigned int, hash_map<vec<gimple*, va_heap, vl_ptr>, _slp_tree*,
simple_hashmap_traits<bst_traits, _slp_tree*> >*, _stmt_vec_info*)
(tree-vect-slp.c:2370)
==14527== by 0x15C0624: vect_analyze_slp(vec_info*, unsigned int)
(tree-vect-slp.c:2586)
==14527== by 0x15C63CB: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&,
vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4385)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap,
vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*,
unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>)
(tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous
namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== Block was alloc'd at
==14527== at 0x483977F: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x214853F: xrealloc (xmalloc.c:177)
==14527== by 0x132C995: void
va_heap::reserve<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&,
unsigned int, bool) (vec.h:290)
==14527== by 0x132B3E5: vec<_stmt_vec_info*, va_heap,
vl_ptr>::reserve(unsigned int, bool) (vec.h:1778)
==14527== by 0x15CEC18: vec<_stmt_vec_info*, va_heap,
vl_ptr>::reserve_exact(unsigned int) (vec.h:1798)
==14527== by 0x15CCEE2: vec<_stmt_vec_info*, va_heap,
vl_ptr>::create(unsigned int) (vec.h:1813)
==14527== by 0x15C5C54: vect_slp_check_for_constructors(_bb_vec_info*)
(tree-vect-slp.c:4269)
==14527== by 0x15C62E2: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&,
vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4360)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap,
vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*,
unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>)
(tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous
namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527==
==14527== Invalid free() / delete / delete[] / realloc()
==14527== at 0x483A9AB: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x132C892: void
va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&)
(vec.h:316)
==14527== by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::release()
(vec.h:1832)
==14527== by 0x15C2FEA: _bb_vec_info::~_bb_vec_info() (tree-vect-slp.c:3401)
==14527== by 0x15C6EB7: vect_slp_region(vec<basic_block_def*, va_heap,
vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*,
unsigned int) (tree-vect-slp.c:4575)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>)
(tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous
namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c:2657)
==14527== Address 0x5af0150 is 0 bytes inside a block of size 24 free'd
==14527== at 0x483A9AB: free (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x132C892: void
va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&)
(vec.h:316)
==14527== by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::release()
(vec.h:1832)
==14527== by 0x15BF974: vect_build_slp_instance(vec_info*,
slp_instance_kind, vec<_stmt_vec_info*, va_heap, vl_ptr>, _stmt_vec_info*,
unsigned int, hash_map<vec<gimple*, va_heap, vl_ptr>, _slp_tree*,
simple_hashmap_traits<bst_traits, _slp_tree*> >*, _stmt_vec_info*)
(tree-vect-slp.c:2370)
==14527== by 0x15C0624: vect_analyze_slp(vec_info*, unsigned int)
(tree-vect-slp.c:2586)
==14527== by 0x15C63CB: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&,
vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4385)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap,
vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*,
unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>)
(tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous
namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
==14527== by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:2567)
==14527== by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c:2656)
==14527== Block was alloc'd at
==14527== at 0x483977F: malloc (in
/usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==14527== by 0x214853F: xrealloc (xmalloc.c:177)
==14527== by 0x132C995: void
va_heap::reserve<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&,
unsigned int, bool) (vec.h:290)
==14527== by 0x132B3E5: vec<_stmt_vec_info*, va_heap,
vl_ptr>::reserve(unsigned int, bool) (vec.h:1778)
==14527== by 0x15CEC18: vec<_stmt_vec_info*, va_heap,
vl_ptr>::reserve_exact(unsigned int) (vec.h:1798)
==14527== by 0x15CCEE2: vec<_stmt_vec_info*, va_heap,
vl_ptr>::create(unsigned int) (vec.h:1813)
==14527== by 0x15C5C54: vect_slp_check_for_constructors(_bb_vec_info*)
(tree-vect-slp.c:4269)
==14527== by 0x15C62E2: vect_slp_analyze_bb_1(_bb_vec_info*, int, bool&,
vec<int, va_heap, vl_ptr>*) (tree-vect-slp.c:4360)
==14527== by 0x15C692C: vect_slp_region(vec<basic_block_def*, va_heap,
vl_ptr>, vec<data_reference*, va_heap, vl_ptr>, vec<int, va_heap, vl_ptr>*,
unsigned int) (tree-vect-slp.c:4497)
==14527== by 0x15C73D9: vect_slp_bbs(vec<basic_block_def*, va_heap, vl_ptr>)
(tree-vect-slp.c:4645)
==14527== by 0x15C7884: vect_slp_function(function*) (tree-vect-slp.c:4731)
==14527== by 0x15DA4BF: (anonymous
namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug tree-optimization/98192] Double free in SLP
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
@ 2020-12-08 9:06 ` marxin at gcc dot gnu.org
2020-12-08 9:07 ` marxin at gcc dot gnu.org
` (4 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-12-08 9:06 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |NEW
Target Milestone|--- |11.0
Known to fail| |11.0
Ever confirmed|0 |1
Last reconfirmed| |2020-12-08
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug tree-optimization/98192] Double free in SLP
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
2020-12-08 9:06 ` [Bug tree-optimization/98192] " marxin at gcc dot gnu.org
@ 2020-12-08 9:07 ` marxin at gcc dot gnu.org
2020-12-08 9:37 ` rguenth at gcc dot gnu.org
` (3 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-12-08 9:07 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
Martin Liška <marxin at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|P3 |P1
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug tree-optimization/98192] Double free in SLP
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
2020-12-08 9:06 ` [Bug tree-optimization/98192] " marxin at gcc dot gnu.org
2020-12-08 9:07 ` marxin at gcc dot gnu.org
@ 2020-12-08 9:37 ` rguenth at gcc dot gnu.org
2020-12-08 9:59 ` marxin at gcc dot gnu.org
` (2 subsequent siblings)
5 siblings, 0 replies; 7+ messages in thread
From: rguenth at gcc dot gnu.org @ 2020-12-08 9:37 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |ASSIGNED
Assignee|unassigned at gcc dot gnu.org |rguenth at gcc dot gnu.org
--- Comment #1 from Richard Biener <rguenth at gcc dot gnu.org> ---
Mine.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug tree-optimization/98192] Double free in SLP
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
` (2 preceding siblings ...)
2020-12-08 9:37 ` rguenth at gcc dot gnu.org
@ 2020-12-08 9:59 ` marxin at gcc dot gnu.org
2020-12-08 11:57 ` cvs-commit at gcc dot gnu.org
2020-12-08 11:57 ` rguenth at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: marxin at gcc dot gnu.org @ 2020-12-08 9:59 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
--- Comment #2 from Martin Liška <marxin at gcc dot gnu.org> ---
One more reduced test-case for x86_64-linux-gnu:
$ cat skcms.ii
template <int N, typename T> struct VecHelper {
typedef T __attribute__((vector_size(N * sizeof(int)))) V;
};
template <int N, typename T> using Vec = typename VecHelper<N, T>::V;
template <typename T> using V = Vec<4, T>;
using Color = float;
using F = V<Color>;
using U32 = V<unsigned>;
template <typename T, typename P> void store(P, T);
template <typename D, typename S> D cast(S v) {
D d;
for (int i = 0; i < 4; i++)
d[i] = v[i];
return d;
}
F to_fixed_f;
U32 exec_ops_dst___trans_tmp_3;
void exec_ops_dst() {
exec_ops_dst___trans_tmp_3 = U32(to_fixed_f);
__attribute__((__vector_size__(4 * sizeof(int)))) unsigned __trans_tmp_1 =
cast<U32>(exec_ops_dst___trans_tmp_3);
store(exec_ops_dst, __trans_tmp_1);
}
$ g++ skcms.ii -c -O3
free(): double free detected in tcache 2
during GIMPLE pass: slp
skcms.ii: In function ‘void exec_ops_dst()’:
skcms.ii:18:6: internal compiler error: Aborted
18 | void exec_ops_dst() {
| ^~~~~~~~~~~~
0x10539ef crash_signal
/home/marxin/Programming/gcc/gcc/toplev.c:327
0x12e26cb void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap,
vl_embed>*&)
/home/marxin/Programming/gcc/gcc/vec.h:316
0x12e26cb vec<_stmt_vec_info*, va_heap, vl_ptr>::release()
/home/marxin/Programming/gcc/gcc/vec.h:1832
0x12e26cb _bb_vec_info::~_bb_vec_info()
/home/marxin/Programming/gcc/gcc/tree-vect-slp.c:3401
0x12f13c0 vect_slp_region
/home/marxin/Programming/gcc/gcc/tree-vect-slp.c:4575
0x12f13c0 vect_slp_bbs
/home/marxin/Programming/gcc/gcc/tree-vect-slp.c:4645
0x12f3a64 vect_slp_function(function*)
/home/marxin/Programming/gcc/gcc/tree-vect-slp.c:4731
0x12f5732 execute
/home/marxin/Programming/gcc/gcc/tree-vectorizer.c:1436
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug tree-optimization/98192] Double free in SLP
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
` (3 preceding siblings ...)
2020-12-08 9:59 ` marxin at gcc dot gnu.org
@ 2020-12-08 11:57 ` cvs-commit at gcc dot gnu.org
2020-12-08 11:57 ` rguenth at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2020-12-08 11:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
--- Comment #3 from CVS Commits <cvs-commit at gcc dot gnu.org> ---
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:
https://gcc.gnu.org/g:1746681c3c167adafb7c0a30978dc2ca96144121
commit r11-5847-g1746681c3c167adafb7c0a30978dc2ca96144121
Author: Richard Biener <rguenther@suse.de>
Date: Tue Dec 8 12:54:48 2020 +0100
tree-optimization/98192 - fix double free in SLP
This makes sure to clear the vector pointer on release.
2020-12-08 Richard Biener <rguenther@suse.de>
PR tree-optimization/98192
* tree-vect-slp.c (vect_build_slp_instance): Get scalar_stmts
by reference.
^ permalink raw reply [flat|nested] 7+ messages in thread* [Bug tree-optimization/98192] Double free in SLP
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
` (4 preceding siblings ...)
2020-12-08 11:57 ` cvs-commit at gcc dot gnu.org
@ 2020-12-08 11:57 ` rguenth at gcc dot gnu.org
5 siblings, 0 replies; 7+ messages in thread
From: rguenth at gcc dot gnu.org @ 2020-12-08 11:57 UTC (permalink / raw)
To: gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=98192
Richard Biener <rguenth at gcc dot gnu.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|ASSIGNED |RESOLVED
--- Comment #4 from Richard Biener <rguenth at gcc dot gnu.org> ---
Fixed.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2020-12-08 11:57 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-12-08 9:06 [Bug tree-optimization/98192] New: Double free in SLP marxin at gcc dot gnu.org
2020-12-08 9:06 ` [Bug tree-optimization/98192] " marxin at gcc dot gnu.org
2020-12-08 9:07 ` marxin at gcc dot gnu.org
2020-12-08 9:37 ` rguenth at gcc dot gnu.org
2020-12-08 9:59 ` marxin at gcc dot gnu.org
2020-12-08 11:57 ` cvs-commit at gcc dot gnu.org
2020-12-08 11:57 ` rguenth at gcc dot gnu.org
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).