Created attachment 57884 [details]
reduced testcase

Compiler output:

$ x86_64-pc-linux-gnu-gcc -O2 -fcondition-coverage testcase.c -wrapper valgrind,-q
==26792== Invalid write of size 4
==26792==    at 0xF3D16E: bitmap_set_bit(bitmap_head*, int) (bitmap.cc:975)
==26792==    by 0xFB61F3: symtab_node::check_ifunc_callee_symtab_nodes() (symtab.cc:1449)
==26792==    by 0xFCF454: symbol_table::compile() [clone .part.0] (cgraphunit.cc:2320)
==26792==    by 0xFD2797: compile (cgraphunit.cc:2315)
==26792==    by 0xFD2797: symbol_table::finalize_compilation_unit() (cgraphunit.cc:2589)
==26792==    by 0x1513631: compile_file() (toplev.cc:476)
==26792==    by 0xDE845B: do_compile (toplev.cc:2154)
==26792==    by 0xDE845B: toplev::main(int, char**) (toplev.cc:2310)
==26792==    by 0xDE9C3A: main (main.cc:39)
==26792==  Address 0x527a330 is 32 bytes inside a block of size 65,536 alloc'd
==26792==    at 0x483E804: malloc (vg_replace_malloc.c:442)
==26792==    by 0x2AA5B4B: xmalloc (xmalloc.c:149)
==26792==    by 0x2AA2384: call_chunkfun (obstack.c:94)
==26792==    by 0x2AA2384: _obstack_begin_worker (obstack.c:141)
==26792==    by 0xFD0EDE: analyze_functions(bool) (cgraphunit.cc:1172)
==26792==    by 0xFD272D: symbol_table::finalize_compilation_unit() (cgraphunit.cc:2560)
==26792==    by 0x1513631: compile_file() (toplev.cc:476)
==26792==    by 0xDE845B: do_compile (toplev.cc:2154)
==26792==    by 0xDE845B: toplev::main(int, char**) (toplev.cc:2310)
==26792==    by 0xDE9C3A: main (main.cc:39)
...
during IPA pass: profile
testcase.c: In function 'do_all_fn_LHASH_DOALL_ARG_arg2':
testcase.c:16:1: internal compiler error: Segmentation fault
   16 | }
      | ^
0x151314f crash_signal
	/repo/gcc-trunk/gcc/toplev.cc:319
0x15fba9a hash_table_mod1(unsigned int, unsigned int)
	/repo/gcc-trunk/gcc/hash-table.h:344
0x15fba9a hash_table<hash_map<gcond*, unsigned int, simple_hashmap_traits<default_hash_traits<gcond*>, unsigned int> >::hash_entry, false, xcallocator>::find_with_hash(gcond* const&, unsigned int)
	/repo/gcc-trunk/gcc/hash-table.h:985
0x15f9c9b hash_map<gcond*, unsigned int, simple_hashmap_traits<default_hash_traits<gcond*>, unsigned int> >::get(gcond* const&)
	/repo/gcc-trunk/gcc/hash-map.h:191
0x15f9c9b condition_uid
	/repo/gcc-trunk/gcc/tree-profile.cc:370
0x15f9c9b find_conditions(function*)
	/repo/gcc-trunk/gcc/tree-profile.cc:877
0x140dc23 branch_prob(bool)
	/repo/gcc-trunk/gcc/profile.cc:1549
0x15f92f4 tree_profiling
	/repo/gcc-trunk/gcc/tree-profile.cc:1917
0x15f92f4 execute
	/repo/gcc-trunk/gcc/tree-profile.cc:2046
Please submit a full bug report, with preprocessed source (by using -freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

$ x86_64-pc-linux-gnu-gcc -v
Using built-in specs.
COLLECT_GCC=/repo/gcc-trunk/binary-latest-amd64/bin/x86_64-pc-linux-gnu-gcc
COLLECT_LTO_WRAPPER=/repo/gcc-trunk/binary-trunk-r14-9799-20240405035546-g4c8b3600c48-checking-yes-rtl-df-extra-nobootstrap-amd64/bin/../libexec/gcc/x86_64-pc-linux-gnu/14.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: /repo/gcc-trunk//configure --enable-languages=c,c++ --enable-valgrind-annotations --disable-nls --enable-checking=yes,rtl,df,extra --disable-bootstrap --with-cloog --with-ppl --with-isl --build=x86_64-pc-linux-gnu --host=x86_64-pc-linux-gnu --target=x86_64-pc-linux-gnu --with-ld=/usr/bin/x86_64-pc-linux-gnu-ld --with-as=/usr/bin/x86_64-pc-linux-gnu-as --enable-libsanitizer --disable-libstdcxx-pch --prefix=/repo/gcc-trunk//binary-trunk-r14-9799-20240405035546-g4c8b3600c48-checking-yes-rtl-df-extra-nobootstrap-amd64
Thread model: posix
Supported LTO compression algorithms: zlib zstd
gcc version 14.0.1 20240405 (experimental) (GCC)
static auto_bitmap ifunc_ref_map;

doesn't work - this gets allocated from the bitmap obstack which gets
repeatedly cleared.  It looks like you may want to use a GC allocated bitmap

static GTY(()) bitmap ifunc_ref_map;

and GC allocate it when the property is computed.
Or even non-GC, it seems the bitmap is short-lived. Just use BITMAP_ALLOC (). I'll fix it.
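The failure mode discussed in the two comments above (a static bitmap whose storage is carved out of an obstack that is released between passes, so a later bitmap_set_bit lands inside whatever the obstack handed out next, which is exactly what the valgrind "Invalid write ... inside a block ... alloc'd ... _obstack_begin_worker" trace shows) can be reproduced in isolation. The following is an added example written for this page, not GCC's code: a toy arena stands in for the bitmap obstack, the bitmap and pass-data types are made up, and the generation counter is a debug check of my own, not something GCC's bitmaps carry. It shows the stale write corrupting per-pass data, a liveness check that would have caught it, and the fix of giving the bitmap the lifetime of its single use.

```c
/* Added example, not GCC's code: a toy arena standing in for the bitmap
   obstack and a bitmap whose words are carved out of it.  Shows why a
   static bitmap backed by an arena that is cleared between passes writes
   into whatever the arena hands out next, and the fix of allocating the
   bitmap only for the duration of its use.  All names are made up. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_BYTES 256
#define BITMAP_WORDS 2

struct arena {
    _Alignas(16) unsigned char mem[ARENA_BYTES];
    size_t used;
    unsigned gen;        /* bumped on every clear, for the liveness check */
};

/* Bump allocator; 256 bytes is enough for everything below. */
static void *arena_alloc(struct arena *a, size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (a->used + n > ARENA_BYTES) return NULL;
    void *p = a->mem + a->used;
    a->used += n;
    return p;
}

/* Like releasing the obstack between passes: everything handed out is gone. */
static void arena_clear(struct arena *a) { a->used = 0; a->gen++; }

struct bitmap { uint64_t *words; unsigned gen; };

static void bitmap_init(struct bitmap *b, struct arena *a) {
    b->words = arena_alloc(a, BITMAP_WORDS * sizeof(uint64_t));
    b->gen = a->gen;
    memset(b->words, 0, BITMAP_WORDS * sizeof(uint64_t));
}

static void bitmap_set_bit(struct bitmap *b, int bit) {
    b->words[bit / 64] |= (uint64_t)1 << (bit % 64);
}

/* Debug check (not in GCC): a bitmap is usable only while its arena
   generation is still current. */
static int bitmap_is_live(const struct bitmap *b, const struct arena *a) {
    return b->gen == a->gen;
}

/* Per-pass data that reuses the bytes the stale bitmap still points at. */
struct pass_data { uint64_t node_count; uint64_t edge_count; };

/* Buggy: a static bitmap initialised once, then used after the arena was
   cleared and its bytes handed out again. */
static struct bitmap g_ifunc_ref_map;

static uint64_t buggy_run(void) {
    struct arena a = {0};
    bitmap_init(&g_ifunc_ref_map, &a);     /* storage comes from the arena */
    arena_clear(&a);                       /* arena reset between passes */
    struct pass_data *pd = arena_alloc(&a, sizeof *pd);
    pd->node_count = 7;
    pd->edge_count = 9;
    bitmap_set_bit(&g_ifunc_ref_map, 3);   /* stale pointer: lands in pd */
    return pd->node_count;                 /* 7 | (1 << 3) == 15 */
}

/* Same sequence, but the liveness check catches the stale bitmap first. */
static int stale_detected(void) {
    struct arena a = {0};
    bitmap_init(&g_ifunc_ref_map, &a);
    arena_clear(&a);
    return !bitmap_is_live(&g_ifunc_ref_map, &a);
}

/* Fixed: the bitmap is allocated when the pass needs it and dies with it,
   so it can never alias a later allocation. */
static uint64_t fixed_run(void) {
    struct arena a = {0};
    arena_clear(&a);
    struct pass_data *pd = arena_alloc(&a, sizeof *pd);
    pd->node_count = 7;
    pd->edge_count = 9;
    struct bitmap ifunc_ref_map;
    bitmap_init(&ifunc_ref_map, &a);       /* allocated after the clear */
    bitmap_set_bit(&ifunc_ref_map, 3);
    return pd->node_count;                 /* 7 */
}

int main(void) {
    printf("buggy: node_count = %llu\n", (unsigned long long)buggy_run());
    printf("stale detected: %d\n", stale_detected());
    printf("fixed: node_count = %llu\n", (unsigned long long)fixed_run());
    return 0;
}
```

Compile with any C11 compiler and run; the buggy path reports 15 where 7 was stored, the fixed path reports 7. Running the buggy binary under valgrind will not flag the write, because the toy arena is one plain array, which is the general caveat with arena allocators: lifetime mistakes inside them are invisible to heap checkers unless the arena itself is instrumented, which is why a generation check like bitmap_is_live, or GCC's own --enable-valgrind-annotations build used in the report, is worth having.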
The master branch has been updated by Richard Biener <rguenth@gcc.gnu.org>:

https://gcc.gnu.org/g:9ab8fdfeef5b1a47b358e08a98177b2fad65fed9

commit r14-9803-g9ab8fdfeef5b1a47b358e08a98177b2fad65fed9
Author: Richard Biener <rguenther@suse.de>
Date:   Fri Apr 5 10:16:41 2024 +0200

    middle-end/114599 - fix bitmap allocation for check_ifunc_callee_symtab_nodes

    There's no default bitmap obstack during global CTORs, so allocate
    the bitmap locally.

            PR middle-end/114599
            PR gcov-profile/114115
            * symtab.cc (ifunc_ref_map): Do not use auto_bitmap.
            (is_caller_ifunc_resolver): Optimize bitmap_bit_p/bitmap_set_bit
            pair.
            (symtab_node::check_ifunc_callee_symtab_nodes): Properly allocate
            ifunc_ref_map here.
Fixed.
Created attachment 57888 [details]
A testcase

The bug isn't fixed:

[hjl@gnu-tgl-3 gcc]$ /export/build/gnu/tools-build/gcc-debug/build-x86_64-linux/gcc/xgcc -B/export/build/gnu/tools-build/gcc-debug/build-x86_64-linux/gcc/ /export/gnu/import/git/sources/gcc/gcc/testsuite/gcc.misc-tests/gcov-24.c -fdiagnostics-plain-output -O2 -fcondition-coverage -S -o gcov-24.s
during IPA pass: profile
/export/gnu/import/git/sources/gcc/gcc/testsuite/gcc.misc-tests/gcov-24.c: In function ‘do_all_fn_LHASH_DOALL_ARG_arg2’:
/export/gnu/import/git/sources/gcc/gcc/testsuite/gcc.misc-tests/gcov-24.c:20:1: internal compiler error: Segmentation fault
0x16ccfa6 crash_signal
	/export/gnu/import/git/sources/gcc/gcc/toplev.cc:319
0x180579d hash_table<hash_map<gcond*, unsigned int, simple_hashmap_traits<default_hash_traits<gcond*>, unsigned int> >::hash_entry, false, xcallocator>::find_with_hash(gcond* const&, unsigned int)
	/export/gnu/import/git/sources/gcc/gcc/hash-table.h:983
0x1804c87 hash_map<gcond*, unsigned int, simple_hashmap_traits<default_hash_traits<gcond*>, unsigned int> >::get(gcond* const&)
	/export/gnu/import/git/sources/gcc/gcc/hash-map.h:191
0x17fdbf8 condition_uid
	/export/gnu/import/git/sources/gcc/gcc/tree-profile.cc:370
0x17ff420 find_conditions(function*)
	/export/gnu/import/git/sources/gcc/gcc/tree-profile.cc:877
0x158b963 branch_prob(bool)
	/export/gnu/import/git/sources/gcc/gcc/profile.cc:1549
0x1802b86 tree_profiling
	/export/gnu/import/git/sources/gcc/gcc/tree-profile.cc:1917
0x1803210 execute
	/export/gnu/import/git/sources/gcc/gcc/tree-profile.cc:2046
Please submit a full bug report, with preprocessed source (by using -freport-bug).
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
[hjl@gnu-tgl-3 gcc]$
Not fixed.
The master branch has been updated by Jørgen Kvalsvik <jkv@gcc.gnu.org>:

https://gcc.gnu.org/g:c6892a430a9752aea167265621c3ae7a3e11159f

commit r14-9819-gc6892a430a9752aea167265621c3ae7a3e11159f
Author: Jørgen Kvalsvik <j@lambda.is>
Date:   Fri Apr 5 21:42:07 2024 +0200

    Copy condition->expr map when inlining [PR114599]

    When a function is tree-inlined, copy the condition -> expression mapping
    from the inlined function into the caller, shifted so uids are not mixed.
    Tree inlining was always problematic under condition coverage - either
    through a nullptr dereference (triggered by the test case), or through
    quietly mixing caller conditions with the callee conditions.

            PR middle-end/114599

    gcc/ChangeLog:

            * tree-inline.cc (add_local_variables): Copy cond_uids mappings.

    gcc/testsuite/ChangeLog:

            * gcc.misc-tests/gcov-pr114599.c: New test.
The master branch has been updated by Jørgen Kvalsvik <jkv@gcc.gnu.org>:

https://gcc.gnu.org/g:2daeb89d6f025d6daf7e560575863b3280120be8

commit r14-9863-g2daeb89d6f025d6daf7e560575863b3280120be8
Author: Jørgen Kvalsvik <j@lambda.is>
Date:   Mon Apr 8 09:28:27 2024 +0200

    Add tree-inlined gconds to caller cond->expr map

    Properly add the condition -> expression mapping of inlined gconds from
    the caller into the callee map.  This is a fix for PR114599 that works
    beyond fixing the segfault, as the previous fix copied references to the
    source gconds, not the deep copied ones that end up in the callee body.
    The new tests check this, both in the case of a callee without
    conditions (which triggered the segfault), and a test that shows that
    conditions are properly mapped, and not mixed.

            PR middle-end/114599

    gcc/ChangeLog:

            * tree-inline.cc (copy_bb): Copy cond_uids into callee.
            (prepend_lexical_block): Remove outdated comment.
            (add_local_variables): Remove bad cond_uids copy.

    gcc/testsuite/ChangeLog:

            * gcc.misc-tests/gcov-19.c: New test.
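The two commits above describe a side table (the condition -> uid map, keyed by gcond pointer) going stale across inlining in two different ways: no entries at all for the inlined body, so the lookup in condition_uid returns nothing and is dereferenced (the segfault in the report), and then, after the first fix, entries keyed by the callee's original statements rather than the deep copies that actually end up in the caller, with the further risk of caller and callee uids colliding. The following is an added example written for this page, not GCC's code: a minimal pointer-keyed map and a made-up statement type model the problem, copy_body stands in for tree-inline's deep copy, and inline_wrong/inline_right are my own illustrations of the first fix's mistake and the shape of the second fix (rebuild entries on the copied statements, shifted past the caller's own uids), not the actual tree-inline.cc logic.

```c
/* Added example, not GCC's code: a side table keyed by statement address
   (like hash_map<gcond*, unsigned>) must be rebuilt on the *copied*
   statements when a body is deep-copied into another function, with uids
   shifted so the two functions' conditions cannot collide.  Names made up. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_STMTS 16

struct stmt { int is_cond; int line; };     /* is_cond stands in for "is a gcond" */

struct cond_map {
    const struct stmt *key[MAX_STMTS];
    unsigned uid[MAX_STMTS];
    size_t n;
};

struct function {
    struct stmt body[MAX_STMTS];
    size_t n;
    struct cond_map cond_uids;
};

static void map_put(struct cond_map *m, const struct stmt *s, unsigned uid) {
    if (m->n < MAX_STMTS) { m->key[m->n] = s; m->uid[m->n] = uid; m->n++; }
}

/* NULL when the statement has no entry; code that dereferences this
   unconditionally is the segfault in the report. */
static const unsigned *map_get(const struct cond_map *m, const struct stmt *s) {
    for (size_t i = 0; i < m->n; i++)
        if (m->key[i] == s) return &m->uid[i];
    return NULL;
}

static unsigned map_max_uid(const struct cond_map *m) {
    unsigned mx = 0;
    for (size_t i = 0; i < m->n; i++) if (m->uid[i] > mx) mx = m->uid[i];
    return mx;
}

/* Number a function's own conditions 1..k, keyed by its own statements. */
static void number_conditions(struct function *f) {
    unsigned next = 1;
    f->cond_uids.n = 0;
    for (size_t i = 0; i < f->n; i++)
        if (f->body[i].is_cond) map_put(&f->cond_uids, &f->body[i], next++);
}

/* Deep-copy the callee body after the caller's; returns index of first copy. */
static size_t copy_body(struct function *caller, const struct function *callee) {
    size_t base = caller->n;
    for (size_t i = 0; i < callee->n && caller->n < MAX_STMTS; i++)
        caller->body[caller->n++] = callee->body[i];
    return base;
}

/* Wrong: entries keyed by the callee's original statements, which never
   appear in the caller body, so lookups on the inlined copies miss. */
static void inline_wrong(struct function *caller, const struct function *callee) {
    copy_body(caller, callee);
    for (size_t i = 0; i < callee->cond_uids.n; i++)
        map_put(&caller->cond_uids, callee->cond_uids.key[i], callee->cond_uids.uid[i]);
}

/* Right: walk the original/copy pairs, key by the copy, shift the uid past
   the caller's largest so caller and callee conditions stay distinct. */
static void inline_right(struct function *caller, const struct function *callee) {
    size_t base = copy_body(caller, callee);
    unsigned shift = map_max_uid(&caller->cond_uids);
    for (size_t i = 0; i < callee->n; i++) {
        const unsigned *uid = map_get(&callee->cond_uids, &callee->body[i]);
        if (uid) map_put(&caller->cond_uids, &caller->body[base + i], *uid + shift);
    }
}

/* Constructed input: caller {cond, plain}, callee {plain, cond}. */
static void build(struct function *caller, struct function *callee) {
    memset(caller, 0, sizeof *caller);
    memset(callee, 0, sizeof *callee);
    caller->body[0] = (struct stmt){1, 10}; caller->body[1] = (struct stmt){0, 11}; caller->n = 2;
    callee->body[0] = (struct stmt){0, 20}; callee->body[1] = (struct stmt){1, 21}; callee->n = 2;
    number_conditions(caller);
    number_conditions(callee);
}

/* 1 if the inlined condition (caller->body[3]) has no entry after the wrong copy. */
static int wrong_copy_misses(void) {
    struct function caller, callee;
    build(&caller, &callee);
    inline_wrong(&caller, &callee);
    return map_get(&caller.cond_uids, &caller.body[3]) == NULL;
}

/* uid of the inlined condition after the right copy: callee uid 1 + shift 1 = 2. */
static unsigned right_copy_uid(void) {
    struct function caller, callee;
    build(&caller, &callee);
    inline_right(&caller, &callee);
    const unsigned *uid = map_get(&caller.cond_uids, &caller.body[3]);
    return uid ? *uid : 0;
}

int main(void) {
    printf("wrong copy: inlined cond missing = %d\n", wrong_copy_misses());
    printf("right copy: inlined cond uid = %u\n", right_copy_uid());
    return 0;
}
```

The general point, beyond this bug: any table keyed by object address has to be remapped through the old-to-new correspondence whenever the objects are cloned, and a lookup on such a table should treat a miss as a real possibility rather than dereferencing the result, since a stale key is indistinguishable from a statement that legitimately has no entry.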