Bug 44937

Summary: [4.6 Regression] IPA-split causes crash due to null pointer deref
Product: gcc
Reporter: John Regehr <regehr>
Component: tree-optimization
Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED
Severity: normal
CC: alexey, chenyang, gcc-bugs, hubicka
Priority: P1
Version: 4.6.0
Target Milestone: 4.6.0
Host: x86_64-unknown-linux-gnu
Target: x86_64-unknown-linux-gnu
Build: x86_64-unknown-linux-gnu
Known to work:
Known to fail:
Last reconfirmed: 2010-07-15 08:21:55

Description John Regehr 2010-07-14 18:34:07 UTC
[regehr@gamow tmp420]$ current-gcc -v
Using built-in specs.
COLLECT_GCC=current-gcc
COLLECT_LTO_WRAPPER=/uusoc/exports/scratch/regehr/z/compiler-install/gcc-r162143-install/bin/../libexec/gcc/x86_64-unknown-linux-gnu/4.6.0/lto-wrapper
Target: x86_64-unknown-linux-gnu
Configured with: ../configure --with-libelf=/usr/local --enable-lto --prefix=/home/regehr/z/compiler-install/gcc-r162143-install --program-prefix=r162143- --enable-languages=c,c++
Thread model: posix
gcc version 4.6.0 20100713 (experimental) (GCC) 

[regehr@gamow tmp420]$ valgrind -q --trace-children=yes current-gcc -O2 small.c -w

==30337== Invalid read of size 2
==30337==    at 0x697485: walk_stmt_load_store_addr_ops (gimple.c:4776)
==30337==    by 0x9B3512: rebuild_cgraph_edges (cgraphbuild.c:471)
==30337==    by 0x72D5CD: execute_one_pass (passes.c:1565)
==30337==    by 0x72D864: execute_pass_list (passes.c:1620)
==30337==    by 0x72CACB: do_per_function_toporder (passes.c:1158)
==30337==    by 0x72DC85: execute_ipa_pass_list (passes.c:1920)
==30337==    by 0x9B8BF0: cgraph_optimize (cgraphunit.c:1851)
==30337==    by 0x9B8E4A: cgraph_finalize_compilation_unit (cgraphunit.c:1171)
==30337==    by 0x4A7C32: c_write_global_declarations (c-decl.c:9698)
==30337==    by 0x7CED29: toplev_main (toplev.c:990)
==30337==    by 0x5935ABC: (below main) (libc-start.c:220)
==30337==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==30337== 
small.c: In function 'func_4':
small.c:29:1: internal compiler error: Segmentation fault
Please submit a full bug report,
with preprocessed source if appropriate.
See <http://gcc.gnu.org/bugs.html> for instructions.

[regehr@gamow tmp420]$ cat small.c

int g_19;
int *g_42;
int **volatile g = &g_42;
int g_67[5][9][2][1] = {
};

int
func_4 (int p_5, unsigned char p_6, unsigned char p_7)
{
  unsigned char l_8[1];
  if (p_6)
    goto lbl_13;
  for (p_6 = 0; p_6; p_6 = (p_6, 0))
    if (0)
      {
      }
    else
    lbl_13:for (p_6 = 0; p_6 < 1; p_6 += 1)
	l_8[p_6] = 0;
  return 0;
}

int *
func_45 (unsigned long p_46, unsigned char p_47)
{
  int *l_56 = &g_19;
  &l_56 != &g | !1 == func_4 (0, g_67[2][6][1][0], 0) ^ func_4 (1, 0, 0);
  return 0;
}
Comment 1 Richard Biener 2010-07-15 08:21:55 UTC
Confirmed.

(gdb) call debug_gimple_stmt (stmt)
.MEM_12 = PHI <.MEM_13(D)(2), (3)>

we miss a PHI arg here after splitting the function.

func_4 (int p_5, unsigned char p_6, unsigned char p_7)
{
<bb 2>:
  if (p_6_3(D) != 0)
    goto <bb 3>;
  else
    goto <bb 4>;

<bb 3>:
  # p_6_10 = PHI <0(2)>
  func_4.part.0 ();

<bb 4>:
  # .MEM_12 = PHI <.MEM_13(D)(2), (3)>
  return 0;
Comment 2 Jan Hubicka 2010-07-15 09:37:04 UTC
Subject: Re:  [4.6 Regression] IPA-split causes crash due to null pointer deref

> (gdb) call debug_gimple_stmt (stmt)
> .MEM_12 = PHI <.MEM_13(D)(2), (3)>
Hmm, I make no attempts to update alias info.  Why return has VOP?

Honza
Comment 3 Richard Biener 2010-07-15 09:58:48 UTC
It doesn't.  It's a PHI node.  So I suppose there was a CFG confluence
point here.
Comment 4 Richard Biener 2010-07-15 10:00:45 UTC
CDDCE removes the single store in the loop but doesn't remove the virtual
PHI nodes.  But you still have to deal with them I guess.
Comment 5 Jan Hubicka 2010-07-15 11:31:28 UTC
Subject: Re:  [4.6 Regression] IPA-split causes crash due to null pointer deref

> CDDCE removes the single store in the loop but doesn't remove the virtual
> PHI nodes.  But you still have to deal with them I guess.
OK, how I deal with those then?

Honza
Comment 6 Richard Biener 2010-07-23 12:40:34 UTC
(In reply to comment #5)
> Subject: Re:  [4.6 Regression] IPA-split causes crash due to null pointer deref
> 
> > CDDCE removes the single store in the loop but doesn't remove the virtual
> > PHI nodes.  But you still have to deal with them I guess.
> OK, how I deal with those then?

Well, you have to either delete it, update it or avoid splitting.

As I said earlier splitting the edge to the split part if there are PHI
nodes would avoid most of the issues.

> Honza
> 

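The three options listed in comment 6 (delete the PHI argument, update it, or avoid splitting a block that still feeds a PHI), modelled on a tiny stand-in for an SSA PHI node. This is an added illustration and not GCC's ipa-split.c or its gimple data structures; the struct layout, the SSA versions .MEM_14 and .MEM_15, and the idea that the call replacing the outlined region supplies a fresh virtual definition are all constructed assumptions. The walker returns an error on a NULL operand so that the dangling "(3)" slot from comment 1 can be observed instead of segfaulting:

```c
#include <stdio.h>

#define MAX_ARGS 4

/* An SSA name such as .MEM_13; only its version number matters here (toy model). */
typedef struct ssa_name { int version; } ssa_name;

/* A PHI node: result = PHI <arg[0](pred_bb[0]), arg[1](pred_bb[1]), ...>.
 * A NULL arg models the empty "(3)" operand seen in the gdb dump. */
typedef struct phi {
    ssa_name *result;
    int nargs;
    int pred_bb[MAX_ARGS];
    ssa_name *arg[MAX_ARGS];
} phi;

/* Constructed sample: the PHI from comment 1 as it looked before the split,
 * .MEM_12 = PHI <.MEM_13(D)(2), .MEM_14(3)>, with .MEM_14 standing for the
 * (later DCE-removed) store in bb 3; .MEM_15 is the assumed def of the new call. */
static ssa_name mem12 = {12}, mem13 = {13}, mem14 = {14}, mem15 = {15};

phi make_sample_phi(void)
{
    phi p = {0};
    p.result = &mem12;
    p.nargs = 2;
    p.pred_bb[0] = 2; p.arg[0] = &mem13;
    p.pred_bb[1] = 3; p.arg[1] = &mem14;
    return p;
}

/* Operand walk over the PHI, the kind of traversal that crashed in the report.
 * Returns 0 on a NULL operand instead of dereferencing it, and counts valid ones. */
int walk_phi_operands(const phi *p, int *count)
{
    *count = 0;
    for (int i = 0; i < p->nargs; i++) {
        if (p->arg[i] == NULL)
            return 0;                 /* a real walker would read through NULL here */
        (*count)++;
    }
    return 1;
}

/* The bug's shape: definitions in the outlined block are moved to the new function,
 * but the PHI slots fed by that block are left dangling. */
void split_naive(phi *p, int outlined_bb)
{
    for (int i = 0; i < p->nargs; i++)
        if (p->pred_bb[i] == outlined_bb)
            p->arg[i] = NULL;
}

/* "Update": the outlined region is replaced by a call; the call's own virtual
 * definition (a fresh SSA version, assumed) now flows along that edge. */
void split_update(phi *p, int outlined_bb, ssa_name *call_def)
{
    for (int i = 0; i < p->nargs; i++)
        if (p->pred_bb[i] == outlined_bb)
            p->arg[i] = call_def;
}

/* "Delete": remove the argument slot for the outlined edge; returns remaining count.
 * A PHI left with one argument is just a copy and can be dropped by the caller. */
int split_remove_arg(phi *p, int outlined_bb)
{
    int j = 0;
    for (int i = 0; i < p->nargs; i++) {
        if (p->pred_bb[i] == outlined_bb)
            continue;
        p->pred_bb[j] = p->pred_bb[i];
        p->arg[j] = p->arg[i];
        j++;
    }
    p->nargs = j;
    return j;
}

/* "Avoid splitting": a predicate the splitter can consult before outlining a block
 * that still feeds a PHI in the remaining function. */
int phi_has_arg_from(const phi *p, int bb)
{
    for (int i = 0; i < p->nargs; i++)
        if (p->pred_bb[i] == bb)
            return 1;
    return 0;
}

int main(void)
{
    int n;
    phi p = make_sample_phi();
    split_naive(&p, 3);
    printf("naive split: walk %s\n", walk_phi_operands(&p, &n) ? "ok" : "hit NULL operand");
    p = make_sample_phi();
    split_update(&p, 3, &mem15);
    printf("update: walk ok=%d, %d operands\n", walk_phi_operands(&p, &n), n);
    p = make_sample_phi();
    printf("delete: %d operand(s) left\n", split_remove_arg(&p, 3));
    return 0;
}
```

The point of the walker returning an error code rather than crashing is the same one an IR verifier serves: an invariant violated by one pass (here, a PHI operand left empty after outlining) should be caught where it is introduced, not in an unrelated consumer several passes later.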
Comment 7 Richard Biener 2010-09-02 13:42:51 UTC
Subject: Bug 44937

Author: rguenth
Date: Thu Sep  2 13:42:25 2010
New Revision: 163775

URL: http://gcc.gnu.org/viewcvs?root=gcc&view=rev&rev=163775
Log:
2010-09-02  Richard Guenther  <rguenther@suse.de>

	PR tree-optimization/44937
	PR tree-optimization/45412
	* ipa-split.c (split_function): Properly remove PHI nodes.

	* g++.dg/opt/pr45412.C: New testcase.
	* gcc.c-torture/compile/pr45412.c: Likewise.
	* gcc.c-torture/compile/pr44937.c: Likewise.

Added:
    trunk/gcc/testsuite/g++.dg/opt/pr45412.C
    trunk/gcc/testsuite/gcc.c-torture/compile/pr44937.c
    trunk/gcc/testsuite/gcc.c-torture/compile/pr45412.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/ipa-split.c
    trunk/gcc/testsuite/ChangeLog

Comment 8 Richard Biener 2010-09-02 13:43:06 UTC
Fixed.
Comment 9 Richard Biener 2010-09-06 13:53:11 UTC
*** Bug 45557 has been marked as a duplicate of this bug. ***