Created attachment 32785
reduced testcase (from g++.old-deja/g++.jason/thunk1.C)

Output:

$ g++ -O3 testcase.C
$ valgrind ./a.out
==21283== Invalid read of size 8
==21283==    at 0x400740: CExample::MixinFunc(int, A) [clone .constprop.0] (testcase.C:3)
==21283==    by 0x40062A: main (testcase.C:27)
==21283==  Address 0x1 is not stack'd, malloc'd or (recently) free'd

Tested revisions:

r210308     - fail
4.9 r210307 - fail
4.8 r210303 - OK
Created attachment 32786
testcase causing ICE

Slightly modified, "struct A" replaced by "void *".

Compiler output:

$ g++ -O3 testcase.C
testcase.C:28:1: error: edge points to wrong declaration:
 }
 ^
main/14 (int main()) @0x7f09e237f7b0
  Type: function definition analyzed
  Visibility: externally_visible public
  References:
  Referring:
  Availability: available
  First run: 0
  Function flags: body only_called_at_startup
  Called by:
  Calls: _ZThn8_N8CExample9MixinFuncEiPv.artificial_thunk.1.artificial_thunk.3/38 (1.00 per call) (can throw external)
testcase.C:28:1: internal compiler error: verify_cgraph_node failed
0x94409f verify_cgraph_node(cgraph_node*)
        /mnt/svn/gcc-trunk/gcc/cgraph.c:2996
0x93f27e verify_symtab_node(symtab_node*)
        /mnt/svn/gcc-trunk/gcc/symtab.c:882
0x93f2b7 verify_symtab()
        /mnt/svn/gcc-trunk/gcc/symtab.c:899
0xb47f9f symtab_remove_unreachable_nodes(bool, _IO_FILE*)
        /mnt/svn/gcc-trunk/gcc/ipa.c:308
0xc1a827 execute_todo
        /mnt/svn/gcc-trunk/gcc/passes.c:1843
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.
Started with r202145 (aka speculative devirtualization addition).
This seems to be IPA-CP related, so I will have a look.
These are in fact two different issues. I proposed the following two patches on the mailing list to address them:

https://gcc.gnu.org/ml/gcc-patches/2014-05/msg02658.html
and
https://gcc.gnu.org/ml/gcc-patches/2014-05/msg02660.html
Author: jamborm
Date: Tue Jun 3 10:09:20 2014
New Revision: 211170

URL: http://gcc.gnu.org/viewcvs?rev=211170&root=gcc&view=rev
Log:
2014-06-03 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * ipa-cp.c (cgraph_edge_brings_value_p): Handle edges leading to
        thunks.

testsuite/
        * g++.dg/ipa/pr61160-1.C: New test.

Added:
    trunk/gcc/testsuite/g++.dg/ipa/pr61160-1.C
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/ipa-cp.c
    trunk/gcc/testsuite/ChangeLog
Author: jamborm
Date: Tue Jun 3 10:13:15 2014
New Revision: 211171

URL: http://gcc.gnu.org/viewcvs?rev=211171&root=gcc&view=rev
Log:
2014-06-03 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * ipa-cp.c (cgraph_edge_brings_value_p): Handle edges leading to
        thunks.

testsuite/
        * g++.dg/ipa/pr61160-1.C: New test.

Added:
    branches/gcc-4_9-branch/gcc/testsuite/g++.dg/ipa/pr61160-1.C
Modified:
    branches/gcc-4_9-branch/gcc/ChangeLog
    branches/gcc-4_9-branch/gcc/ipa-cp.c
    branches/gcc-4_9-branch/gcc/testsuite/ChangeLog
The first patch has been approved and committed, the second one (https://gcc.gnu.org/ml/gcc-patches/2014-05/msg02660.html) is still pending approval.
Author: jamborm
Date: Fri Jun 27 11:32:00 2014
New Revision: 212070

URL: https://gcc.gnu.org/viewcvs?rev=212070&root=gcc&view=rev
Log:
2014-06-27 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * cgraphclones.c (duplicate_thunk_for_node): Removed parameter
        args_to_skip, use those from node instead. Copy args_to_skip and
        combined_args_to_skip from node to the new thunk.
        (redirect_edge_duplicating_thunks): Removed parameter args_to_skip.
        (cgraph_create_virtual_clone): Moved computation of
        combined_args_to_skip...
        (cgraph_clone_node): ...here, simplify it to bitmap_ior..

testsuite/
        * g++.dg/ipa/pr61160-2.C: New test.
        * g++.dg/ipa/pr61160-3.C: Likewise.

Added:
    branches/gcc-4_9-branch/gcc/testsuite/g++.dg/ipa/pr61160-2.C
    branches/gcc-4_9-branch/gcc/testsuite/g++.dg/ipa/pr61160-3.C
Modified:
    branches/gcc-4_9-branch/gcc/ChangeLog
    branches/gcc-4_9-branch/gcc/cgraphclones.c
    branches/gcc-4_9-branch/gcc/testsuite/ChangeLog
Author: jamborm
Date: Fri Jun 27 13:29:09 2014
New Revision: 212071

URL: https://gcc.gnu.org/viewcvs?rev=212071&root=gcc&view=rev
Log:
2014-06-27 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * cgraphclones.c (duplicate_thunk_for_node): Removed parameter
        args_to_skip, use those from node instead. Copy args_to_skip and
        combined_args_to_skip from node to the new thunk.
        (redirect_edge_duplicating_thunks): Removed parameter args_to_skip.
        (cgraph_create_virtual_clone): Moved computation of
        combined_args_to_skip...
        (cgraph_clone_node): ...here, simplify it to bitmap_ior..

testsuite/
        * g++.dg/ipa/pr61160-2.C: New test.
        * g++.dg/ipa/pr61160-3.C: Likewise.

Added:
    trunk/gcc/testsuite/g++.dg/ipa/pr61160-2.C
    trunk/gcc/testsuite/g++.dg/ipa/pr61160-3.C
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/cgraphclones.c
    trunk/gcc/testsuite/ChangeLog
Fixed.
I've noticed that pr61160-2.C crashes at execution (under qemu) when:
* GCC configured as: --target=arm-none-linux-gnueabi --with-cpu=cortex-a9 --with-fpu=neon
* pr61160-2.C compiled with: -O3 --param ipa-cp-eval-threshold=1 -lm -march=armv5t -mthumb

Removing -mthumb makes the execution succeed.
I'm seeing
FAIL: g++.dg/ipa/pr61160-3.C -std=gnu++98 execution test
FAIL: g++.dg/ipa/pr61160-3.C -std=gnu++11 execution test
FAIL: g++.dg/ipa/pr61160-3.C -std=gnu++1y execution test
on x86_64-linux -m32, both on the trunk and 4.9 branch.
make check-g++ RUNTESTFLAGS='--target_board=unix\{-m32,-m64\} dg.exp=pr61160-3.C'
Mea culpa, I did not check what main was returning. It should just return zero, I have just verified it would still test the bug with that change. I will fix the testcase in svn tomorrow.
Author: jamborm
Date: Tue Jul 22 16:20:25 2014
New Revision: 212915

URL: https://gcc.gnu.org/viewcvs?rev=212915&root=gcc&view=rev
Log:
2014-07-22 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * g++.dg/ipa/pr61160-3.C (main): Return zero.

Modified:
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/g++.dg/ipa/pr61160-3.C
Author: jamborm
Date: Thu Jul 24 13:03:22 2014
New Revision: 212987

URL: https://gcc.gnu.org/viewcvs?rev=212987&root=gcc&view=rev
Log:
2014-07-24 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * g++.dg/ipa/pr61160-2.C (main): Always return zero.

Modified:
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/testsuite/g++.dg/ipa/pr61160-2.C
Author: jamborm
Date: Thu Jul 24 13:20:33 2014
New Revision: 212988

URL: https://gcc.gnu.org/viewcvs?rev=212988&root=gcc&view=rev
Log:
2014-07-24 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * g++.dg/ipa/pr61160-2.C (main): Return zero.
        * g++.dg/ipa/pr61160-3.C (main): Likewise.

Modified:
    branches/gcc-4_9-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_9-branch/gcc/testsuite/g++.dg/ipa/pr61160-1.C
    branches/gcc-4_9-branch/gcc/testsuite/g++.dg/ipa/pr61160-2.C
I'm seeing segfaults from pr61160-2.C and pr61160-3.C on arm-none-linux-gnueabi with -mthumb -- probably the same trouble reported by Christophe earlier. I believe this is a binutils issue. I reported the details here: https://sourceware.org/bugzilla/show_bug.cgi?id=17444
Author: jamborm
Date: Wed Jul 8 11:24:38 2015
New Revision: 225543

URL: https://gcc.gnu.org/viewcvs?rev=225543&root=gcc&view=rev
Log:
Make gcc/testsuite/g++.dg/ipa/pr61160-3.C main return zero.

2015-07-08 Martin Jambor <mjambor@suse.cz>

        PR ipa/61820
        Backport from mainline r212915
        2014-07-22 Martin Jambor <mjambor@suse.cz>

        PR ipa/61160
        * g++.dg/ipa/pr61160-3.C (main): Return zero.

Modified:
    branches/gcc-4_9-branch/gcc/testsuite/ChangeLog
    branches/gcc-4_9-branch/gcc/testsuite/g++.dg/ipa/pr61160-3.C