Command line: $ g++ -O2 -fipa-cp-clone -ftracer testcase.C Valgrind output: $ valgrind -q --trace-children=yes /mnt/svn/gcc-trunk/binary-163468-lto-fortran-checking-yes-rtl-df/bin/g++ -O2 -fipa-cp-clone -ftracer testcase.C ==31083== Invalid read of size 8 ==31083== at 0x112BDF0: search_line_sse2 (lex.c:384) ==31083== by 0x112BFD9: _cpp_clean_line (lex.c:649) ==31083== by 0x112C9D7: _cpp_get_fresh_line (lex.c:1862) ==31083== by 0x112E161: _cpp_lex_direct (lex.c:1927) ==31083== by 0x112EF56: _cpp_lex_token (lex.c:1801) ==31083== by 0x1131697: cpp_get_token (macro.c:1240) ==31083== by 0x113194F: cpp_get_token_with_location (macro.c:1352) ==31083== by 0x687E5C: c_lex_with_flags (c-lex.c:302) ==31083== by 0x59ADAF: cp_lexer_get_preprocessor_token (parser.c:525) ==31083== by 0x5C19BA: c_parse_file (parser.c:425) ==31083== by 0x68D4EA: c_common_parse_file (c-opts.c:1206) ==31083== by 0x9E7518: toplev_main (toplev.c:971) ==31083== Address 0x71085b8 is 216 bytes inside a block of size 217 alloc'd ==31083== at 0x4C261DF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==31083== by 0x115545C: xrealloc (xmalloc.c:179) ==31083== by 0x1120BAF: _cpp_convert_input (charset.c:1734) ==31083== by 0x1129542: read_file (files.c:648) ==31083== by 0x1129F6A: _cpp_stack_file (files.c:723) ==31083== by 0x112B850: cpp_read_main_file (init.c:570) ==31083== by 0x68CB9A: c_common_post_options (c-opts.c:1124) ==31083== by 0x9E6A14: toplev_main (toplev.c:1743) ==31083== by 0x6589BBC: (below main) (in /lib64/libc-2.11.2.so) ==31083== ==31083== Invalid read of size 8 ==31083== at 0x112BDE3: search_line_sse2 (lex.c:372) ==31083== by 0x112BFD9: _cpp_clean_line (lex.c:649) ==31083== by 0x112C9D7: _cpp_get_fresh_line (lex.c:1862) ==31083== by 0x112E161: _cpp_lex_direct (lex.c:1927) ==31083== by 0x112EF56: _cpp_lex_token (lex.c:1801) ==31083== by 0x1131697: cpp_get_token (macro.c:1240) ==31083== by 0x113194F: cpp_get_token_with_location (macro.c:1352) ==31083== by 0x687E5C: c_lex_with_flags (c-lex.c:302) ==31083== by 0x59ADAF: cp_lexer_get_preprocessor_token (parser.c:525) ==31083== by 0x5C19BA: c_parse_file (parser.c:425) ==31083== by 0x68D4EA: c_common_parse_file (c-opts.c:1206) ==31083== by 0x9E7518: toplev_main (toplev.c:971) ==31083== Address 0x71085b8 is 216 bytes inside a block of size 217 alloc'd ==31083== at 0x4C261DF: realloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so) ==31083== by 0x115545C: xrealloc (xmalloc.c:179) ==31083== by 0x1120BAF: _cpp_convert_input (charset.c:1734) ==31083== by 0x1129542: read_file (files.c:648) ==31083== by 0x1129F6A: _cpp_stack_file (files.c:723) ==31083== by 0x112B850: cpp_read_main_file (init.c:570) ==31083== by 0x68CB9A: c_common_post_options (c-opts.c:1124) ==31083== by 0x9E6A14: toplev_main (toplev.c:1743) ==31083== by 0x6589BBC: (below main) (in /lib64/libc-2.11.2.so) ==31083== ==31083== Invalid read of size 8 ==31083== at 0xA2CDE5: update_ssa (tree-flow-inline.h:479) ==31083== by 0x8F95D7: execute_function_todo (passes.c:1206) ==31083== by 0x8F9BEE: execute_todo (passes.c:1283) ==31083== by 0x8FC2B9: execute_one_pass (passes.c:1591) ==31083== by 0x8FC4E4: execute_pass_list (passes.c:1623) ==31083== by 0x8FC4F6: execute_pass_list (passes.c:1624) ==31083== by 0xA3EE65: tree_rest_of_compilation (tree-optimize.c:452) ==31083== by 0xBFB595: cgraph_expand_function (cgraphunit.c:1469) ==31083== by 0xBFDF99: cgraph_optimize (cgraphunit.c:1548) ==31083== by 0xBFE4E9: cgraph_finalize_compilation_unit (cgraphunit.c:1012) ==31083== by 0x58BD9C: cp_write_global_declarations (decl2.c:3924) ==31083== by 0x9E7554: toplev_main (toplev.c:983) ==31083== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==31083== testcase.C: In member function 'virtual int S::vm()': testcase.C:11:1: internal compiler error: Segmentation fault Please submit a full bug report, with preprocessed source if appropriate. See <http://gcc.gnu.org/bugs.html> for instructions. Tested revisions: r163468 - crash r162940 - crash r161659 - OK
Created attachment 21569 [details] reduced testcase $ g++ -O2 -fipa-cp-clone -ftracer pr45412.C
Confirmed. The tracer seriously messes up virtual operands. I'm not sure the copy tables work like the author thought they would. After duplicating we have virtual int S::vm() (struct S * const this) { int state; int D.2129; int retval.0; <bb 2>: # .MEM_8 = VDEF <.MEM_7(D)> retval.0_1 = foo (&state); switch (retval.0_1) <default: <L3>, case 0: <L0>, case 1: <L1>> <L0>: # .MEM_9 = VDEF <.MEM_8> bar (); <bb 7>: # .MEM_14 = PHI <.MEM_9(3)> if (this_3(D) != 0B) goto <bb 8>; else goto <bb 6> (<L3>); <bb 8>: # .MEM_15 = VDEF <.MEM_5> S::~S (this_3(D)); # .MEM_16 = VDEF <.MEM_12> operator delete (this_3(D)); <bb 9>: # .MEM_17 = PHI <.MEM_13(8)> # VUSE <.MEM_10> D.2129_18 = state; return D.2129_4; # .MEM_5 = PHI <.MEM_8(2)> <L1>: if (this_3(D) != 0B) goto <bb 5>; else goto <bb 6> (<L3>); <bb 5>: # .MEM_12 = VDEF <.MEM_5> S::~S (this_3(D)); # .MEM_13 = VDEF <.MEM_12> operator delete (this_3(D)); # .MEM_10 = PHI <.MEM_8(2), .MEM_5(4), .MEM_13(5), .MEM_5(7)> <L3>: # VUSE <.MEM_10> D.2129_4 = state; return D.2129_4; } see how virtual SSA form is messed up (and no symbol is marked for renaming).
It is caused by revision 162842: http://gcc.gnu.org/ml/gcc-cvs/2010-08/msg00053.html
Created attachment 21612 [details] different testcase, probably better This one needs only -O2 to reproduce: $ valgrind -q --trace-children=yes gcc -O2 pr45412-2.c ... ==32673== Invalid read of size 8 ==32673== at 0x8F1D95: update_ssa (tree-flow-inline.h:479) ==32673== by 0x7BDA67: execute_function_todo (passes.c:1206) ==32673== by 0x7BE07E: execute_todo (passes.c:1283) ==32673== by 0x7C0739: execute_one_pass (passes.c:1591) ==32673== by 0x7C0964: execute_pass_list (passes.c:1623) ==32673== by 0x7C0976: execute_pass_list (passes.c:1624) ==32673== by 0x903E45: tree_rest_of_compilation (tree-optimize.c:452) ==32673== by 0xAC0C05: cgraph_expand_function (cgraphunit.c:1469) ==32673== by 0xAC3609: cgraph_optimize (cgraphunit.c:1548) ==32673== by 0xAC3B59: cgraph_finalize_compilation_unit (cgraphunit.c:1012) ==32673== by 0x4E0E4E: c_write_global_declarations (c-decl.c:9735) ==32673== by 0x8ABAD4: toplev_main (toplev.c:983) ==32673== Address 0x0 is not stack'd, malloc'd or (recently) free'd ==32673== pr45412-2.c: In function 'bar': pr45412-2.c:6:1: internal compiler error: Segmentation fault Please submit a full bug report, with preprocessed source if appropriate. See <http://gcc.gnu.org/bugs.html> for instructions.
Maybe a similar issue, but this one is after DOM where we have stuff like <bb 7>: # .MEM_8 = PHI <.MEM_7(D)(2)> # VUSE <.MEM_5> j.0_12 = j; goto <bb 6>; after jump-threading supposedly, so indeed a quite similar case.
This fixes the 2nd testcase for me: Index: ipa-split.c =================================================================== --- ipa-split.c (revision 163772) +++ ipa-split.c (working copy) @@ -993,8 +993,8 @@ split_function (struct split_point *spli { gimple stmt = gsi_stmt (gsi); gcc_assert (!is_gimple_reg (gimple_phi_result (stmt))); - mark_sym_for_renaming (SSA_NAME_VAR (PHI_RESULT (stmt))); - gsi_remove (&gsi, false); + mark_virtual_phi_result_for_renaming (stmt); + remove_phi_node (&gsi, true); } } /* When we pass aorund the value, use existing return block. */
And the first one. Mine.
Subject: Bug 45412 Author: rguenth Date: Thu Sep 2 13:42:25 2010 New Revision: 163775 URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=163775 Log: 2010-09-02 Richard Guenther <rguenther@suse.de> PR tree-optimization/44937 PR tree-optimization/45412 * ipa-split.c (split_function): Properly remove PHI nodes. * g++.dg/opt/pr45412.C: New testcase. * gcc.c-torture/compile/pr45412.c: Likewise. * gcc.c-torture/compile/pr44937.c: Likewise. Added: trunk/gcc/testsuite/g++.dg/opt/pr45412.C trunk/gcc/testsuite/gcc.c-torture/compile/pr44937.c trunk/gcc/testsuite/gcc.c-torture/compile/pr45412.c Modified: trunk/gcc/ChangeLog trunk/gcc/ipa-split.c trunk/gcc/testsuite/ChangeLog
Fixed.