[PR 88214] Check that an argument is pointer before attempting agg jf construction from it

[PR 88214] Check that an argument is pointer before attempting agg jf construction from it

[Martin Jambor]

Hi,

ICE in PR 88214 happens because a type-mismatch in K&R C code makes
IPA-CP analysis call ao_ref_init_from_ptr_and_size on an integer
SSA_NAME, this function in turn constructs a temporary MEM_REF based on
that integer SSA_NAME and then later on call_may_clobber_ref_p_1 treats
the MEM_REF base as a pointer, gets its SSA_NAME_PTR_INFO and tries to
work with bitmaps there.  But because the SSA_NAME is an integer, there
is no SSA_NAME_PTR_INFO, there is range info instead and this leads to a
crash.

On a related note, would people object to adding the following assert,
which would have made this bug much more straightforward to find?

index 85a5de7..66cf2f2 100644
--- a/gcc/tree-ssa-alias.c
+++ b/gcc/tree-ssa-alias.c
@@ -710,6 +710,7 @@ ao_ref_init_from_ptr_and_size (ao_ref *ref, tree ptr, tree size)
     }
   else
     {
+      gcc_assert (POINTER_TYPE_P (TREE_TYPE (ptr)));
       ref->base = build2 (MEM_REF, char_type_node,
                          ptr, null_pointer_node);
       ref->offset = 0;


The bug itself can be fixed with the patch below.  I have verified it
avoids the ICE on powerpc64-linux and did a full bootstrap and test on
an x86_64-linux.  The patch is simple enough that I believe that is good
enough.


2018-12-06  Martin Jambor  <mjambor@suse.cz>

	PR ipa/88214
	* ipa-prop.c (determine_locally_known_aggregate_parts): Make sure
	we check pointers against pointers.

	testsuite/
	* gcc.dg/ipa/pr88214.c: New test.
---
 gcc/ipa-prop.c                     |  3 ++-
 gcc/testsuite/gcc.dg/ipa/pr88214.c | 10 ++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 gcc/testsuite/gcc.dg/ipa/pr88214.c

diff --git a/gcc/ipa-prop.c b/gcc/ipa-prop.c
index 74052350ac1..4dbe26829e3 100644
--- a/gcc/ipa-prop.c
+++ b/gcc/ipa-prop.c
@@ -1569,7 +1569,8 @@ determine_locally_known_aggregate_parts (gcall *call, tree arg,
       if (TREE_CODE (arg) == SSA_NAME)
 	{
 	  tree type_size;
-          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type))))
+          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type)))
+	      || !POINTER_TYPE_P (TREE_TYPE (arg)))
             return;
 	  check_ref = true;
 	  arg_base = arg;
diff --git a/gcc/testsuite/gcc.dg/ipa/pr88214.c b/gcc/testsuite/gcc.dg/ipa/pr88214.c
new file mode 100644
index 00000000000..4daa9829e75
--- /dev/null
+++ b/gcc/testsuite/gcc.dg/ipa/pr88214.c
@@ -0,0 +1,10 @@
+/* { dg-do compile } */
+/* { dg-options "-O2" } */
+
+void i();
+  short a;
+  void b(e) char * e;
+  {
+    i();
+    b(a);
+  }
-- 
2.19.1

Re: [PR 88214] Check that an argument is pointer before attempting agg jf construction from it

[Richard Biener]

On Fri, Dec 7, 2018 at 3:59 PM Martin Jambor <mjambor@suse.cz> wrote:
>
> Hi,
>
> ICE in PR 88214 happens because a type-mismatch in K&R C code makes
> IPA-CP analysis call ao_ref_init_from_ptr_and_size on an integer
> SSA_NAME, this function in turn constructs a temporary MEM_REF based on
> that integer SSA_NAME and then later on call_may_clobber_ref_p_1 treats
> the MEM_REF base as a pointer, gets its SSA_NAME_PTR_INFO and tries to
> work with bitmaps there.  But because the SSA_NAME is an integer, there
> is no SSA_NAME_PTR_INFO, there is range info instead and this leads to a
> crash.
>
> On a related note, would people object to adding the following assert,
> which would have made this bug much more straightforward to find?

That's fine with me.

> index 85a5de7..66cf2f2 100644
> --- a/gcc/tree-ssa-alias.c
> +++ b/gcc/tree-ssa-alias.c
> @@ -710,6 +710,7 @@ ao_ref_init_from_ptr_and_size (ao_ref *ref, tree ptr, tree size)
>      }
>    else
>      {
> +      gcc_assert (POINTER_TYPE_P (TREE_TYPE (ptr)));
>        ref->base = build2 (MEM_REF, char_type_node,
>                           ptr, null_pointer_node);
>        ref->offset = 0;
>
>
> The bug itself can be fixed with the patch below.  I have verified it
> avoids the ICE on powerpc64-linux and did a full bootstrap and test on
> an x86_64-linux.  The patch is simple enough that I believe that is good
> enough.

OK.

Richard.

>
> 2018-12-06  Martin Jambor  <mjambor@suse.cz>
>
>         PR ipa/88214
>         * ipa-prop.c (determine_locally_known_aggregate_parts): Make sure
>         we check pointers against pointers.
>
>         testsuite/
>         * gcc.dg/ipa/pr88214.c: New test.
> ---
>  gcc/ipa-prop.c                     |  3 ++-
>  gcc/testsuite/gcc.dg/ipa/pr88214.c | 10 ++++++++++
>  2 files changed, 12 insertions(+), 1 deletion(-)
>  create mode 100644 gcc/testsuite/gcc.dg/ipa/pr88214.c
>
> diff --git a/gcc/ipa-prop.c b/gcc/ipa-prop.c
> index 74052350ac1..4dbe26829e3 100644
> --- a/gcc/ipa-prop.c
> +++ b/gcc/ipa-prop.c
> @@ -1569,7 +1569,8 @@ determine_locally_known_aggregate_parts (gcall *call, tree arg,
>        if (TREE_CODE (arg) == SSA_NAME)
>         {
>           tree type_size;
> -          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type))))
> +          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type)))
> +             || !POINTER_TYPE_P (TREE_TYPE (arg)))
>              return;
>           check_ref = true;
>           arg_base = arg;
> diff --git a/gcc/testsuite/gcc.dg/ipa/pr88214.c b/gcc/testsuite/gcc.dg/ipa/pr88214.c
> new file mode 100644
> index 00000000000..4daa9829e75
> --- /dev/null
> +++ b/gcc/testsuite/gcc.dg/ipa/pr88214.c
> @@ -0,0 +1,10 @@
> +/* { dg-do compile } */
> +/* { dg-options "-O2" } */
> +
> +void i();
> +  short a;
> +  void b(e) char * e;
> +  {
> +    i();
> +    b(a);
> +  }
> --
> 2.19.1
>
>
>

Re: [PR 88214] Check that an argument is pointer before attempting agg jf construction from it

[Martin Jambor]

Hi,

On Mon, Dec 10 2018, Richard Biener wrote:
> On Fri, Dec 7, 2018 at 3:59 PM Martin Jambor <mjambor@suse.cz> wrote:
>>

...

>>
>> On a related note, would people object to adding the following assert,
>> which would have made this bug much more straightforward to find?
>
> That's fine with me.

Thanks, I have just committed the following as r267298 after
bootstrapping and testing it on x86_64-linux.

Martin


2018-12-20  Martin Jambor  <mjambor@suse.cz>

	PR ipa/88214
	* tree-ssa-alias.c (ao_ref_init_from_ptr_and_size): Assert that
	ptr is a pointer.
---
 gcc/tree-ssa-alias.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/gcc/tree-ssa-alias.c b/gcc/tree-ssa-alias.c
index 85a5de7ce05..66cf2f2c669 100644
--- a/gcc/tree-ssa-alias.c
+++ b/gcc/tree-ssa-alias.c
@@ -710,6 +710,7 @@ ao_ref_init_from_ptr_and_size (ao_ref *ref, tree ptr, tree size)
     }
   else
     {
+      gcc_assert (POINTER_TYPE_P (TREE_TYPE (ptr)));
       ref->base = build2 (MEM_REF, char_type_node,
 			  ptr, null_pointer_node);
       ref->offset = 0;
-- 
2.19.2

Re: [PR 88214] Check that an argument is pointer before attempting agg jf construction from it

[Martin Jambor]

Hi,

On Mon, Dec 10 2018, Richard Biener wrote:
> On Fri, Dec 7, 2018 at 3:59 PM Martin Jambor <mjambor@suse.cz> wrote:
>>
>> Hi,
>>
>> ICE in PR 88214 happens because a type-mismatch in K&R C code makes
>> IPA-CP analysis call ao_ref_init_from_ptr_and_size on an integer
>> SSA_NAME, this function in turn constructs a temporary MEM_REF based on
>> that integer SSA_NAME and then later on call_may_clobber_ref_p_1 treats
>> the MEM_REF base as a pointer, gets its SSA_NAME_PTR_INFO and tries to
>> work with bitmaps there.  But because the SSA_NAME is an integer, there
>> is no SSA_NAME_PTR_INFO, there is range info instead and this leads to a
>> crash.
>>

...

>> The bug itself can be fixed with the patch below.  I have verified it
>> avoids the ICE on powerpc64-linux and did a full bootstrap and test on
>> an x86_64-linux.  The patch is simple enough that I believe that is good
>> enough.
>
> OK.
>
> Richard.

I have bootstrapped the patch on gcc-8 an gcc-7 branches too and will
commit it there in a few moments too.

Thanks,

Martin


>
>>
>> 2018-12-06  Martin Jambor  <mjambor@suse.cz>
>>
>>         PR ipa/88214
>>         * ipa-prop.c (determine_locally_known_aggregate_parts): Make sure
>>         we check pointers against pointers.
>>
>>         testsuite/
>>         * gcc.dg/ipa/pr88214.c: New test.
>> ---
>>  gcc/ipa-prop.c                     |  3 ++-
>>  gcc/testsuite/gcc.dg/ipa/pr88214.c | 10 ++++++++++
>>  2 files changed, 12 insertions(+), 1 deletion(-)
>>  create mode 100644 gcc/testsuite/gcc.dg/ipa/pr88214.c
>>
>> diff --git a/gcc/ipa-prop.c b/gcc/ipa-prop.c
>> index 74052350ac1..4dbe26829e3 100644
>> --- a/gcc/ipa-prop.c
>> +++ b/gcc/ipa-prop.c
>> @@ -1569,7 +1569,8 @@ determine_locally_known_aggregate_parts (gcall *call, tree arg,
>>        if (TREE_CODE (arg) == SSA_NAME)
>>         {
>>           tree type_size;
>> -          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type))))
>> +          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type)))
>> +             || !POINTER_TYPE_P (TREE_TYPE (arg)))
>>              return;
>>           check_ref = true;
>>           arg_base = arg;
>> diff --git a/gcc/testsuite/gcc.dg/ipa/pr88214.c b/gcc/testsuite/gcc.dg/ipa/pr88214.c
>> new file mode 100644
>> index 00000000000..4daa9829e75
>> --- /dev/null
>> +++ b/gcc/testsuite/gcc.dg/ipa/pr88214.c
>> @@ -0,0 +1,10 @@
>> +/* { dg-do compile } */
>> +/* { dg-options "-O2" } */
>> +
>> +void i();
>> +  short a;
>> +  void b(e) char * e;
>> +  {
>> +    i();
>> +    b(a);
>> +  }
>> --
>> 2.19.1
>>
>>
>>