Bug 60667 - Undefined behavior in Java FE
Summary: Undefined behavior in Java FE
Status: RESOLVED WONTFIX
Alias: None
Product: gcc
Classification: Unclassified
Component: java
Version: 4.9.0
: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-03-26 08:45 UTC by Jakub Jelinek
Modified: 2016-09-30 22:50 UTC

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:


Attachments
gcc49-ubsan.patch (1.77 KB, patch)
2014-03-26 10:47 UTC, Jakub Jelinek

Description Jakub Jelinek 2014-03-26 08:45:41 UTC
Undefined behavior in java FE.

In --with-build-config=bootstrap-ubsan i686 trunk bootstrap I'm getting several:
../../gcc/double-int.c:1064:33: runtime error: shift exponent -65 is negative
errors (and similar), e.g. on:
/usr/src/gcc/obj985a/./gcc/gcj -B/usr/src/gcc/obj985a/i686-pc-linux-gnu/libjava/ -B/usr/src/gcc/obj985a/./gcc/ -B/usr/local/i686-pc-linux-gnu/bin/ -B/usr/local/i686-pc-linux-gnu/lib/ -isystem /usr/local/i686-pc-linux-gnu/include -isystem /usr/local/i686-pc-linux-gnu/sys-include -ffloat-store -fomit-frame-pointer -Usun -fclasspath= -fbootclasspath=../../../libjava/classpath/lib --encoding=UTF-8 -Wno-deprecated -fbootstrap-classes -g -O2 -c -fsource-filename=/usr/src/gcc/obj985a/i686-pc-linux-gnu/libjava/classpath/lib/classes -MT gnu/java/awt.lo -MD -MP -MF gnu/java/awt.deps @gnu/java/awt.list -fPIC -o gnu/java/.libs/awt.o

This happens on:
#0  double_int::set_bit (this=0xffffc920, bitpos=4294967295) at ../../gcc/double-int.c:1064
#1  0x08258b8a in mark_reference_fields (field=0xf79c1844, mask=<optimized out>, pointer_after_end=0xffffc920, all_bits_set=0x8258e06, 
    last_set_index=0xffffc90c, last_view_index=0xffffc910, ubit=32) at ../../gcc/java/boehm.c:110

p int_byte_position (field)
$12 = 128
p ubit
$13 = 32
p int_size_in_bytes (field->typed.type)
$17 = 4
Thus count is 32, ubit 32, size_words 1 and ubit - count - i - 1 is -1,
thus
*mask = (*mask).set_bit (ubit - count - i - 1);
is set_bit (0xffffffff) and attempts to shift up by (int) (0xffffffff - 64).

p debug_tree (field)
 <field_decl 0xf79c1844 focusListener
    type <pointer_type 0xf79b1c00
        type <record_type 0xf79b1ba0 java.awt.event.FocusListener type_2 type_4 SI
            size <integer_cst 0xf78e3540 constant 32>
            unit size <integer_cst 0xf78e3e54 constant 4>
            align 32 symtab 0 alias set -1 canonical type 0xf79b1ba0 fields <field_decl 0xf7a0c958 D.1856>
            pointer_to_this <pointer_type 0xf79b1c00> chain <type_decl 0xf79a5ca8 java.awt.event.FocusListener>>
        unsigned SI size <integer_cst 0xf78e3540 32>
        unit size <integer_cst 0xf78e355c constant 4>
        align 32 symtab 0 alias set -1 canonical type 0xf79b1c00
        pointer_to_this <pointer_type 0xf79b1d80>>
    unsigned decl_5 SI file /usr/src/gcc/libjava/classpath/java/awt/Component.java line 0 col 0 size <integer_cst 0xf78e3540 32> unit size <integer_cst 0xf78e355c 4>
    align 32 offset_align 128
    offset <integer_cst 0xf78fe1c0 type <integer_type 0xf78f4000 sizetype> constant 128>
    bit offset <integer_cst 0xf78e35e8 type <integer_type 0xf78f4060 bitsizetype> constant 0> context <record_type 0xf7908720 java.awt.Component> chain <field_decl 0xf79c18a0 keyListener>>
$18 = void


Can you please fix this, I have no idea what this code tries to do and why.
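The arithmetic in the description, as an added C example that is not part of this bug report or of GCC: a two-word set_bit in the shape of GCC 4.9's double_int::set_bit, the mask index computed in int the way the boehm.c frame shows (ubit == count == 32, i == 0), and a checked variant that rejects the wrapped value instead of shifting by it. The struct, the function names, the 64-bit HOST_WIDE_INT width and the constructed inputs are assumptions chosen to mirror the names in the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants named after GCC's, for a 64-bit HOST_WIDE_INT (assumption). */
#define HOST_BITS_PER_WIDE_INT   64u
#define HOST_BITS_PER_DOUBLE_INT 128u

/* Two-word integer in the shape of GCC 4.9's double_int (hypothetical). */
struct dint { uint64_t low; uint64_t high; };

/* The index expression from boehm.c, evaluated in int as the report shows:
   with ubit == count == 32 and i == 0 it yields -1. */
int mask_index(int ubit, int count, int i)
{
    return ubit - count - i - 1;
}

/* The shift exponent the unchecked high-word branch would use: bitpos is
   unsigned, so -1 arrives as 0xffffffff, (0xffffffff - 64) wraps, and the
   conversion back to int (implementation-defined; gcc: modulo 2^32) gives
   the -65 that ubsan reported. Returned as long long for easy comparison. */
long long unchecked_shift_exponent(unsigned bitpos)
{
    return (int)(bitpos - HOST_BITS_PER_WIDE_INT);
}

/* Hardened set_bit: rejects positions outside the 128-bit value instead of
   shifting by an out-of-range amount (undefined behavior). Returns 0 on
   success, -1 if bitpos was rejected; the value is untouched on rejection. */
int set_bit_checked(struct dint *a, unsigned bitpos)
{
    if (bitpos >= HOST_BITS_PER_DOUBLE_INT)
        return -1;
    if (bitpos < HOST_BITS_PER_WIDE_INT)
        a->low |= (uint64_t)1 << bitpos;
    else
        a->high |= (uint64_t)1 << (bitpos - HOST_BITS_PER_WIDE_INT);
    return 0;
}

/* Apply set_bit_checked to a zero value and return the requested word
   (which == 0: low, otherwise high); UINT64_MAX signals a rejected bitpos. */
uint64_t word_after_set(unsigned bitpos, int which)
{
    struct dint a = { 0, 0 };
    if (set_bit_checked(&a, bitpos) != 0)
        return UINT64_MAX;
    return which == 0 ? a.low : a.high;
}

int main(void)
{
    struct dint m = { 0, 0 };
    int idx = mask_index(32, 32, 0);
    /* The implicit int -> unsigned conversion at the set_bit call site. */
    unsigned bitpos = (unsigned)idx;

    printf("index = %d, as unsigned = %u, unchecked shift exponent = %lld\n",
           idx, bitpos, unchecked_shift_exponent(bitpos));
    printf("set_bit_checked(%u) -> %d (rejected, value untouched)\n",
           bitpos, set_bit_checked(&m, bitpos));
    printf("set_bit_checked(127): high word = 0x%016llx\n",
           (unsigned long long)word_after_set(127, 1));
    return 0;
}
```

The checked variant is the shape of guard a caller of set_bit needs; the real defect is upstream, where the index goes negative, so a range check in the callee only turns silent undefined behavior into a diagnosable failure.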
Comment 1 Jakub Jelinek 2014-03-26 08:47:25 UTC
CCing also Tom as he is listed as author.
Comment 2 Andrew Haley 2014-03-26 09:27:01 UTC
I can't investigate this with today's trunk, because it does not build with ubsan:

i386 /scratch/gcc/configure --with-build-config=bootstrap-ubsan --enable-languages=java


/scratch/gcc/obj-i686-pc-linux-gnu/./prev-gcc/xg++ -B/scratch/gcc/obj-i686-pc-linux-gnu/./prev-gcc/ -B/usr/local/i686-pc-linux-gnu/bin/ -nostdinc++ -B/scratch/gcc/obj-i686-pc-linux-gnu/prev-i686-pc-linux-gnu/libstdc++-v3/src/.libs -B/scratch/gcc/obj-i686-pc-linux-gnu/prev-i686-pc-linux-gnu/libstdc++-v3/libsupc++/.libs  -I/scratch/gcc/obj-i686-pc-linux-gnu/prev-i686-pc-linux-gnu/libstdc++-v3/include/i686-pc-linux-gnu  -I/scratch/gcc/obj-i686-pc-linux-gnu/prev-i686-pc-linux-gnu/libstdc++-v3/include  -I/scratch/gcc/libstdc++-v3/libsupc++ -L/scratch/gcc/obj-i686-pc-linux-gnu/prev-i686-pc-linux-gnu/libstdc++-v3/src/.libs -L/scratch/gcc/obj-i686-pc-linux-gnu/prev-i686-pc-linux-gnu/libstdc++-v3/libsupc++/.libs -c   -g -O2 -fsanitize=undefined -DIN_GCC    -fno-exceptions -fno-rtti -fasynchronous-unwind-tables -W -Wall -Wno-narrowing -Wwrite-strings -Wcast-qual -Wmissing-format-attribute -pedantic -Wno-long-long -Wno-variadic-macros -Wno-overlength-strings -Werror -fno-common  -DHAVE_CONFIG_H -DGENERATOR_FILE -I. -Ibuild -I/scratch/gcc/gcc -I/scratch/gcc/gcc/build -I/scratch/gcc/gcc/../include  -I/scratch/gcc/gcc/../libcpp/include  \
	-o build/read-rtl.o /scratch/gcc/gcc/read-rtl.c
/scratch/gcc/gcc/read-rtl.c: In function 'bool read_rtx(const char*, rtx_def**)':
/scratch/gcc/gcc/read-rtl.c:1031:1: internal compiler error: Segmentation fault
 read_rtx (const char *rtx_name, rtx *x)
 ^
0xda18f2 crash_signal
	/scratch/gcc/gcc/toplev.c:337
0x5ea774 contains_struct_check(tree_node*, tree_node_structure_enum, char const*, int, char const*)
	/scratch/gcc/gcc/tree.h:2826
0xd9282f place_field(record_layout_info_s*, tree_node*)
	/scratch/gcc/gcc/stor-layout.c:1076
0xd98085 layout_type(tree_node*)
	/scratch/gcc/gcc/stor-layout.c:2292
0xdc4480 ubsan_create_data(char const*, unsigned int, ubsan_mismatch_data const*, ...)
	/scratch/gcc/gcc/ubsan.c:465
0xdc4829 ubsan_instrument_unreachable(unsigned int)
	/scratch/gcc/gcc/ubsan.c:517
0x92d8cb fold_builtin_0
	/scratch/gcc/gcc/builtins.c:10306
0x93022c fold_builtin_n
	/scratch/gcc/gcc/builtins.c:11111
0x93a145 fold_call_stmt(gimple_statement_base*, bool)
	/scratch/gcc/gcc/builtins.c:14251
0xb2690b gimple_fold_builtin(gimple_statement_base*)
	/scratch/gcc/gcc/gimple-fold.c:888
0xb27967 gimple_fold_call
	/scratch/gcc/gcc/gimple-fold.c:1179
0xb27d6d fold_stmt_1
	/scratch/gcc/gcc/gimple-fold.c:1258
0xb282fb fold_stmt(gimple_stmt_iterator*)
	/scratch/gcc/gcc/gimple-fold.c:1366
0xe2140c fold_marked_statements
	/scratch/gcc/gcc/tree-inline.c:4497
0xe2188e optimize_inline_calls(tree_node*)
	/scratch/gcc/gcc/tree-inline.c:4622
0x1492868 inline_transform(cgraph_node*)
	/scratch/gcc/gcc/ipa-inline-transform.c:453
0xcb73f0 execute_one_ipa_transform_pass
	/scratch/gcc/gcc/passes.c:2066
0xcb7557 execute_all_ipa_transforms()
	/scratch/gcc/gcc/passes.c:2107
0x9951c4 expand_function
	/scratch/gcc/gcc/cgraphunit.c:1767
0x9957e1 expand_all_functions
	/scratch/gcc/gcc/cgraphunit.c:1908
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.
make[3]: *** [build/read-rtl.o] Error 1
make[3]: Leaving directory `/scratch/gcc/obj-i686-pc-linux-gnu/gcc'
make[2]: *** [all-stage2-gcc] Error 2
make[2]: Leaving directory `/scratch/gcc/obj-i686-pc-linux-gnu'
make[1]: *** [stage2-bubble] Error 2
make[1]: Leaving directory `/scratch/gcc/obj-i686-pc-linux-gnu'
make: *** [all] Error 2
Comment 3 Jakub Jelinek 2014-03-26 10:47:50 UTC
Created attachment 32458
gcc49-ubsan.patch

Ah, sounds like a very recent regression, most likely Honza's r208831.
Now, this patch makes ubsan more robust, so that it handles even stmts with UNKNOWN_LOCATION properly, but the question remains if it is ok to change a call to _ZN3vecIP7mapping7va_heap6vl_ptrE8truncateEj.part.3 (inserted during fnsplit pass and why it doesn't set gimple_location for that call?) into __builtin_unreachable ().
Comment 4 Andrew Haley 2014-03-28 15:11:51 UTC
Still no luck with ubsan, which seems to be broken:

/usr/local/i686-pc-linux-gnu/sys-include    -O2  -g -O2 -DIN_GCC    -W -Wall -Wno-narrowing -Wwrite-strings -Wcast-qual -Wstrict-prototypes -Wmissing-prototypes -Wold-style-definition  -isystem ./include   -fpic -mlong-double-80 -g -DIN_LIBGCC2 -fbuilding-libgcc -fno-stack-protector  -shared -nodefaultlibs -Wl,--soname=libgcc_s.so.1 -Wl,--version-script=libgcc.map -o ./libgcc_s.so.1.tmp -g -O2 -B./ _muldi3_s.o _negdi2_s.o _lshrdi3_s.o _ashldi3_s.o _ashrdi3_s.o _cmpdi2_s.o _ucmpdi2_s.o _clear_cache_s.o _trampoline_s.o __main_s.o _absvsi2_s.o _absvdi2_s.o _addvsi3_s.o _addvdi3_s.o _subvsi3_s.o _subvdi3_s.o _mulvsi3_s.o _mulvdi3_s.o _negvsi2_s.o _negvdi2_s.o _ctors_s.o _ffssi2_s.o _ffsdi2_s.o _clz_s.o _clzsi2_s.o _clzdi2_s.o _ctzsi2_s.o _ctzdi2_s.o _popcount_tab_s.o _popcountsi2_s.o _popcountdi2_s.o _paritysi2_s.o _paritydi2_s.o _powisf2_s.o _powidf2_s.o _powixf2_s.o _powitf2_s.o _mulsc3_s.o _muldc3_s.o _mulxc3_s.o _multc3_s.o _divsc3_s.o _divdc3_s.o _divxc3_s.o _divtc3_s.o _bswapsi2_s.o _bswapdi2_s.o _clrsbsi2_s.o _clrsbdi2_s.o _fixunssfsi_s.o _fixunsdfsi_s.o _fixunsxfsi_s.o _fixsfdi_s.o _fixdfdi_s.o _fixxfdi_s.o _fixunssfdi_s.o _fixunsdfdi_s.o _fixunsxfdi_s.o _floatdisf_s.o _floatdidf_s.o _floatdixf_s.o _floatundisf_s.o _floatundidf_s.o _floatundixf_s.o _divdi3_s.o _moddi3_s.o _udivdi3_s.o _umoddi3_s.o _udiv_w_sdiv_s.o _udivmoddi4_s.o cpuinfo_s.o tf-signs_s.o sfp-exceptions_s.o addtf3_s.o divtf3_s.o eqtf2_s.o getf2_s.o letf2_s.o multf3_s.o negtf2_s.o subtf3_s.o unordtf2_s.o fixtfsi_s.o fixunstfsi_s.o floatsitf_s.o floatunsitf_s.o fixtfdi_s.o fixunstfdi_s.o floatditf_s.o floatunditf_s.o extendsftf2_s.o extenddftf2_s.o extendxftf2_s.o trunctfsf2_s.o trunctfdf2_s.o trunctfxf2_s.o enable-execute-stack_s.o unwind-dw2_s.o unwind-dw2-fde-dip_s.o unwind-sjlj_s.o unwind-c_s.o emutls_s.o libgcc.a -lc && rm -f ./libgcc_s.so && if [ -f ./libgcc_s.so.1 ]; then mv -f ./libgcc_s.so.1 ./libgcc_s.so.1.backup; else true; fi && mv ./libgcc_s.so.1.tmp ./libgcc_s.so.1 && ln -s 
libgcc_s.so.1 ./libgcc_s.so
/usr/bin/ld: /gcc/obj-i686-pc-linux-gnu/./gcc/liblto_plugin.so: error loading plugin: /gcc/obj-i686-pc-linux-gnu/./gcc/liblto_plugin.so: undefined symbol: __ubsan_handle_type_mismatch
collect2: error: ld returned 1 exit status
make[3]: *** [libgcc_s.so] Error 1
make[3]: Leaving directory `/gcc/obj-i686-pc-linux-gnu/i686-pc-linux-gnu/libgcc'
make[2]: *** [all-stage2-target-libgcc] Error 2
make[2]: Leaving directory `/gcc/obj-i686-pc-linux-gnu'
make[1]: *** [stage2-bubble] Error 2
make[1]: Leaving directory `/gcc/obj-i686-pc-linux-gnu'
make: *** [all] Error 2

If you can tell me how you do a build I'll be grateful.
Comment 5 Jakub Jelinek 2014-03-28 15:35:10 UTC
The http://gcc.gnu.org/ml/gcc-patches/2014-03/msg01370.html
fix is still waiting for review, you need that for both --with-build-config=bootstrap-ubsan
and --with-build-config=bootstrap-asan.
For --with-build-config=bootstrap-asan also the
http://gcc.gnu.org/ml/gcc-patches/2014-03/msg01433.html
patch is needed, plus --with-build-config=bootstrap-asan will only work with --disable-werror for now (fix for that expected only in stage1).
Comment 6 Andrew Haley 2014-03-28 15:36:05 UTC
OK, please ping me when the tree is stable and I'll fix the Java FE.
Comment 7 Jakub Jelinek 2014-03-28 16:06:18 UTC
Supposedly you could just try to configure with --disable-lto to workaround it.
Not to mention that you really don't need to do bootstrap-ubsan for this, just add
--- gcc/double-int.c	2014-01-03 11:40:46.102383481 +0100
+++ gcc/double-int.c	2014-03-28 17:05:37.237498526 +0100
@@ -1060,9 +1060,11 @@ double_int::set_bit (unsigned bitpos) co
   double_int a = *this;
   if (bitpos < HOST_BITS_PER_WIDE_INT)
     a.low |= (unsigned HOST_WIDE_INT) 1 << bitpos;
-  else
+  else if (bitpos < HOST_BITS_PER_DOUBLE_INT)
     a.high |= (HOST_WIDE_INT) 1 <<  (bitpos - HOST_BITS_PER_WIDE_INT);
- 
+  else
+    gcc_unreachable ();
+
   return a;
 }
 
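Review bot: the new `else` arm makes an out-of-range bitpos abort via gcc_unreachable (), which is the right tool for reproducing this report without bootstrap-ubsan but is not a fix for it: the caller in boehm.c still computes `ubit - count - i - 1` as a negative int that wraps to 0xffffffff on conversion to the `unsigned bitpos` parameter, and this diff only makes that wrap fail loudly in the callee. If it were committed rather than used as a local reproducer, it should be a gcc_checking_assert (or the abort on bitpos >= HOST_BITS_PER_DOUBLE_INT documented as part of set_bit's contract) and the index computation fixed at the call site. Also note the removed `- ` line is whitespace-only, so the hunk mixes a trailing-whitespace cleanup with the logic change.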
and you should be able to reproduce it with normal bootstrap/regtest.
Comment 8 Andrew Pinski 2016-09-30 22:50:58 UTC
Closing as won't fix as the Java front-end has been removed from the trunk.