Bug 58598

Summary: ICE: SIGSEGV (write after free) with -O -flto -fno-fat-lto-objects -fvtable-verify=std
Product: gcc Reporter: Zdenek Sojka <zsojka>
Component: middle-end Assignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED FIXED    
Severity: normal Keywords: ice-on-valid-code, lto
Priority: P3    
Version: 4.9.0   
Target Milestone: ---   
Host: x86_64-pc-linux-gnu Target: x86_64-pc-linux-gnu
Build: Known to work: 6.4.0, 7.2.0
Known to fail: 4.9.0, 5.4.0 Last reconfirmed:
Attachments: reduced testcase

Description Zdenek Sojka 2013-10-02 20:47:59 UTC
Created attachment 30949
reduced testcase

Compiler output:
gcc -O -flto -fno-fat-lto-objects -fvtable-verify=std -wrapper valgrind,-q testcase.C 
==3463== Invalid write of size 8
==3463==    at 0x7F05C1: bitmap_obstack_alloc_stat(bitmap_obstack*) (bitmap.h:277)
==3463==    by 0xC5C141: (anonymous namespace)::pass_build_ssa::execute() (tree-into-ssa.c:2242)
==3463==    by 0xB05269: execute_one_pass(opt_pass*) (passes.c:2201)
==3463==    by 0xB05445: execute_pass_list(opt_pass*) (passes.c:2253)
==3463==    by 0x86D76D: cgraph_process_new_functions() (cgraphunit.c:324)
==3463==    by 0x780316: vtv_generate_init_routine() (vtable-class-hierarchy.c:1187)
==3463==    by 0x670815: cp_write_global_declarations() (decl2.c:4369)
==3463==    by 0xBF7DCC: compile_file() (toplev.c:560)
==3463==    by 0xBF9CB9: toplev_main(int, char**) (toplev.c:1893)
==3463==    by 0x5A3C60C: (below main) (in /lib64/libc-2.15.so)
==3463==  Address 0x6159070 is 96 bytes inside a block of size 4,064 free'd
==3463==    at 0x4C2B3EC: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3463==    by 0x5A9CFD4: obstack_free (in /lib64/libc-2.15.so)
==3463==    by 0x86CE82: analyze_function(cgraph_node*) (cgraphunit.c:652)
==3463==    by 0x86D72F: cgraph_process_new_functions() (cgraphunit.c:320)
==3463==    by 0x780316: vtv_generate_init_routine() (vtable-class-hierarchy.c:1187)
==3463==    by 0x670815: cp_write_global_declarations() (decl2.c:4369)
==3463==    by 0xBF7DCC: compile_file() (toplev.c:560)
==3463==    by 0xBF9CB9: toplev_main(int, char**) (toplev.c:1893)
==3463==    by 0x5A3C60C: (below main) (in /lib64/libc-2.15.so)
==3463== 
==3463== Invalid write of size 8
==3463==    at 0x7F05C9: bitmap_obstack_alloc_stat(bitmap_obstack*) (bitmap.h:277)
==3463==    by 0xC5C141: (anonymous namespace)::pass_build_ssa::execute() (tree-into-ssa.c:2242)
==3463==    by 0xB05269: execute_one_pass(opt_pass*) (passes.c:2201)
==3463==    by 0xB05445: execute_pass_list(opt_pass*) (passes.c:2253)
==3463==    by 0x86D76D: cgraph_process_new_functions() (cgraphunit.c:324)
==3463==    by 0x780316: vtv_generate_init_routine() (vtable-class-hierarchy.c:1187)
==3463==    by 0x670815: cp_write_global_declarations() (decl2.c:4369)
==3463==    by 0xBF7DCC: compile_file() (toplev.c:560)
==3463==    by 0xBF9CB9: toplev_main(int, char**) (toplev.c:1893)
==3463==    by 0x5A3C60C: (below main) (in /lib64/libc-2.15.so)
==3463==  Address 0x6159068 is 88 bytes inside a block of size 4,064 free'd
==3463==    at 0x4C2B3EC: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==3463==    by 0x5A9CFD4: obstack_free (in /lib64/libc-2.15.so)
==3463==    by 0x86CE82: analyze_function(cgraph_node*) (cgraphunit.c:652)
==3463==    by 0x86D72F: cgraph_process_new_functions() (cgraphunit.c:320)
==3463==    by 0x780316: vtv_generate_init_routine() (vtable-class-hierarchy.c:1187)
==3463==    by 0x670815: cp_write_global_declarations() (decl2.c:4369)
==3463==    by 0xBF7DCC: compile_file() (toplev.c:560)
==3463==    by 0xBF9CB9: toplev_main(int, char**) (toplev.c:1893)
==3463==    by 0x5A3C60C: (below main) (in /lib64/libc-2.15.so)
==3463==
....

Crashes randomly.

Tested revisions:
r203053 - crash

Comment 1 Andrew Pinski 2016-08-13 05:59:21 UTC
Does this work now?

Comment 2 Zdenek Sojka 2017-12-20 10:01:50 UTC
No longer crashing in 6.4.0+

Comment 3 Eric Gallager 2017-12-20 13:58:11 UTC
(In reply to Zdenek Sojka from comment #2)
> No longer crashing in 6.4.0+

So... that's FIXED then, since the "Known to fail" branches are both closed