From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: by sourceware.org (Postfix, from userid 48) id 88AD43857C63; Tue, 8 Dec 2020 09:06:18 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 88AD43857C63 From: "marxin at gcc dot gnu.org" To: gcc-bugs@gcc.gnu.org Subject: [Bug tree-optimization/98192] New: Double free in SLP Date: Tue, 08 Dec 2020 09:06:18 +0000 X-Bugzilla-Reason: CC X-Bugzilla-Type: new X-Bugzilla-Watch-Reason: None X-Bugzilla-Product: gcc X-Bugzilla-Component: tree-optimization X-Bugzilla-Version: 11.0 X-Bugzilla-Keywords: ice-on-valid-code X-Bugzilla-Severity: normal X-Bugzilla-Who: marxin at gcc dot gnu.org X-Bugzilla-Status: UNCONFIRMED X-Bugzilla-Resolution: X-Bugzilla-Priority: P3 X-Bugzilla-Assigned-To: unassigned at gcc dot gnu.org X-Bugzilla-Target-Milestone: --- X-Bugzilla-Flags: X-Bugzilla-Changed-Fields: bug_id short_desc product version bug_status keywords bug_severity priority component assigned_to reporter cc target_milestone cf_gcchost cf_gcctarget Message-ID: Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/ Auto-Submitted: auto-generated MIME-Version: 1.0 X-BeenThere: gcc-bugs@gcc.gnu.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Gcc-bugs mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 08 Dec 2020 09:06:18 -0000 https://gcc.gnu.org/bugzilla/show_bug.cgi?id=3D98192 Bug ID: 98192 Summary: Double free in SLP Product: gcc Version: 11.0 Status: UNCONFIRMED Keywords: ice-on-valid-code Severity: normal Priority: P3 Component: tree-optimization Assignee: unassigned at gcc dot gnu.org Reporter: marxin at gcc dot gnu.org CC: rguenth at gcc dot gnu.org Target Milestone: --- Host: x86_64-linux Target: ppc64le-linux-gnu One can see it here: $ valgrind --trace-children=3Dyes ./xgcc -B. /home/marxin/Programming/gcc/gcc/testsuite/gcc.target/powerpc/vsx-extract-7= .c -O2 -ftree-slp-vectorize -c ... =3D=3D14527=3D=3D Invalid read of size 1 =3D=3D14527=3D=3D at 0x132C855: vec<_stmt_vec_info*, va_heap, vl_ptr>::using_auto_storage() const (vec.h:2126) =3D=3D14527=3D=3D by 0x132B313: vec<_stmt_vec_info*, va_heap, vl_ptr>::r= elease() (vec.h:1826) =3D=3D14527=3D=3D by 0x15C2FEA: _bb_vec_info::~_bb_vec_info() (tree-vect= -slp.c:3401) =3D=3D14527=3D=3D by 0x15C6EB7: vect_slp_region(vec, vec, vec*, unsigned int) (tree-vect-slp.c:4575) =3D=3D14527=3D=3D by 0x15C73D9: vect_slp_bbs(vec) (tree-vect-slp.c:4645) =3D=3D14527=3D=3D by 0x15C7884: vect_slp_function(function*) (tree-vect-= slp.c:4731) =3D=3D14527=3D=3D by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436) =3D=3D14527=3D=3D by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:25= 67) =3D=3D14527=3D=3D by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c= :2656) =3D=3D14527=3D=3D by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c= :2657) =3D=3D14527=3D=3D by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c= :2657) =3D=3D14527=3D=3D by 0x10D75C5: execute_pass_list(function*, opt_pass*) (passes.c:2667) =3D=3D14527=3D=3D Address 0x5af0153 is 3 bytes inside a block of size 24 f= ree'd =3D=3D14527=3D=3D at 0x483A9AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) =3D=3D14527=3D=3D by 0x132C892: void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&) (vec.h:316) =3D=3D14527=3D=3D by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::r= elease() (vec.h:1832) =3D=3D14527=3D=3D by 0x15BF974: vect_build_slp_instance(vec_info*, slp_instance_kind, vec<_stmt_vec_info*, va_heap, vl_ptr>, _stmt_vec_info*, unsigned int, hash_map, _slp_tree*, simple_hashmap_traits >*, _stmt_vec_info*) (tree-vect-slp.c:2370) =3D=3D14527=3D=3D by 0x15C0624: vect_analyze_slp(vec_info*, unsigned int) (tree-vect-slp.c:2586) =3D=3D14527=3D=3D by 0x15C63CB: vect_slp_analyze_bb_1(_bb_vec_info*, int= , bool&, vec*) (tree-vect-slp.c:4385) =3D=3D14527=3D=3D by 0x15C692C: vect_slp_region(vec, vec, vec*, unsigned int) (tree-vect-slp.c:4497) =3D=3D14527=3D=3D by 0x15C73D9: vect_slp_bbs(vec) (tree-vect-slp.c:4645) =3D=3D14527=3D=3D by 0x15C7884: vect_slp_function(function*) (tree-vect-= slp.c:4731) =3D=3D14527=3D=3D by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436) =3D=3D14527=3D=3D by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:25= 67) =3D=3D14527=3D=3D by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c= :2656) =3D=3D14527=3D=3D Block was alloc'd at =3D=3D14527=3D=3D at 0x483977F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) =3D=3D14527=3D=3D by 0x214853F: xrealloc (xmalloc.c:177) =3D=3D14527=3D=3D by 0x132C995: void va_heap::reserve<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&, unsigned int, bool) (vec.h:290) =3D=3D14527=3D=3D by 0x132B3E5: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve(unsigned int, bool) (vec.h:1778) =3D=3D14527=3D=3D by 0x15CEC18: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve_exact(unsigned int) (vec.h:1798) =3D=3D14527=3D=3D by 0x15CCEE2: vec<_stmt_vec_info*, va_heap, vl_ptr>::create(unsigned int) (vec.h:1813) =3D=3D14527=3D=3D by 0x15C5C54: vect_slp_check_for_constructors(_bb_vec_= info*) (tree-vect-slp.c:4269) =3D=3D14527=3D=3D by 0x15C62E2: vect_slp_analyze_bb_1(_bb_vec_info*, int= , bool&, vec*) (tree-vect-slp.c:4360) =3D=3D14527=3D=3D by 0x15C692C: vect_slp_region(vec, vec, vec*, unsigned int) (tree-vect-slp.c:4497) =3D=3D14527=3D=3D by 0x15C73D9: vect_slp_bbs(vec) (tree-vect-slp.c:4645) =3D=3D14527=3D=3D by 0x15C7884: vect_slp_function(function*) (tree-vect-= slp.c:4731) =3D=3D14527=3D=3D by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436) =3D=3D14527=3D=3D=20 =3D=3D14527=3D=3D Invalid free() / delete / delete[] / realloc() =3D=3D14527=3D=3D at 0x483A9AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) =3D=3D14527=3D=3D by 0x132C892: void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&) (vec.h:316) =3D=3D14527=3D=3D by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::r= elease() (vec.h:1832) =3D=3D14527=3D=3D by 0x15C2FEA: _bb_vec_info::~_bb_vec_info() (tree-vect= -slp.c:3401) =3D=3D14527=3D=3D by 0x15C6EB7: vect_slp_region(vec, vec, vec*, unsigned int) (tree-vect-slp.c:4575) =3D=3D14527=3D=3D by 0x15C73D9: vect_slp_bbs(vec) (tree-vect-slp.c:4645) =3D=3D14527=3D=3D by 0x15C7884: vect_slp_function(function*) (tree-vect-= slp.c:4731) =3D=3D14527=3D=3D by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436) =3D=3D14527=3D=3D by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:25= 67) =3D=3D14527=3D=3D by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c= :2656) =3D=3D14527=3D=3D by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c= :2657) =3D=3D14527=3D=3D by 0x10D756D: execute_pass_list_1(opt_pass*) (passes.c= :2657) =3D=3D14527=3D=3D Address 0x5af0150 is 0 bytes inside a block of size 24 f= ree'd =3D=3D14527=3D=3D at 0x483A9AB: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) =3D=3D14527=3D=3D by 0x132C892: void va_heap::release<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&) (vec.h:316) =3D=3D14527=3D=3D by 0x132B333: vec<_stmt_vec_info*, va_heap, vl_ptr>::r= elease() (vec.h:1832) =3D=3D14527=3D=3D by 0x15BF974: vect_build_slp_instance(vec_info*, slp_instance_kind, vec<_stmt_vec_info*, va_heap, vl_ptr>, _stmt_vec_info*, unsigned int, hash_map, _slp_tree*, simple_hashmap_traits >*, _stmt_vec_info*) (tree-vect-slp.c:2370) =3D=3D14527=3D=3D by 0x15C0624: vect_analyze_slp(vec_info*, unsigned int) (tree-vect-slp.c:2586) =3D=3D14527=3D=3D by 0x15C63CB: vect_slp_analyze_bb_1(_bb_vec_info*, int= , bool&, vec*) (tree-vect-slp.c:4385) =3D=3D14527=3D=3D by 0x15C692C: vect_slp_region(vec, vec, vec*, unsigned int) (tree-vect-slp.c:4497) =3D=3D14527=3D=3D by 0x15C73D9: vect_slp_bbs(vec) (tree-vect-slp.c:4645) =3D=3D14527=3D=3D by 0x15C7884: vect_slp_function(function*) (tree-vect-= slp.c:4731) =3D=3D14527=3D=3D by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436) =3D=3D14527=3D=3D by 0x10D7207: execute_one_pass(opt_pass*) (passes.c:25= 67) =3D=3D14527=3D=3D by 0x10D753C: execute_pass_list_1(opt_pass*) (passes.c= :2656) =3D=3D14527=3D=3D Block was alloc'd at =3D=3D14527=3D=3D at 0x483977F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) =3D=3D14527=3D=3D by 0x214853F: xrealloc (xmalloc.c:177) =3D=3D14527=3D=3D by 0x132C995: void va_heap::reserve<_stmt_vec_info*>(vec<_stmt_vec_info*, va_heap, vl_embed>*&, unsigned int, bool) (vec.h:290) =3D=3D14527=3D=3D by 0x132B3E5: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve(unsigned int, bool) (vec.h:1778) =3D=3D14527=3D=3D by 0x15CEC18: vec<_stmt_vec_info*, va_heap, vl_ptr>::reserve_exact(unsigned int) (vec.h:1798) =3D=3D14527=3D=3D by 0x15CCEE2: vec<_stmt_vec_info*, va_heap, vl_ptr>::create(unsigned int) (vec.h:1813) =3D=3D14527=3D=3D by 0x15C5C54: vect_slp_check_for_constructors(_bb_vec_= info*) (tree-vect-slp.c:4269) =3D=3D14527=3D=3D by 0x15C62E2: vect_slp_analyze_bb_1(_bb_vec_info*, int= , bool&, vec*) (tree-vect-slp.c:4360) =3D=3D14527=3D=3D by 0x15C692C: vect_slp_region(vec, vec, vec*, unsigned int) (tree-vect-slp.c:4497) =3D=3D14527=3D=3D by 0x15C73D9: vect_slp_bbs(vec) (tree-vect-slp.c:4645) =3D=3D14527=3D=3D by 0x15C7884: vect_slp_function(function*) (tree-vect-= slp.c:4731) =3D=3D14527=3D=3D by 0x15DA4BF: (anonymous namespace)::pass_slp_vectorize::execute(function*) (tree-vectorizer.c:1436)=