Bug 64121 - [5 Regression] ICE: SSA corruption with -O -fsanitize=undefined
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 5.0
Importance: P1 normal
Target Milestone: 5.0
Assignee: Marek Polacek
Keywords: ice-on-valid-code
Reported: 2014-11-30 09:32 UTC by Zdenek Sojka
Modified: 2014-12-01 15:44 UTC
Host: x86_64-pc-linux-gnu
Target: x86_64-pc-linux-gnu
Known to fail: 5.0
Last reconfirmed: 2014-11-30 00:00:00


Attachments
reduced testcase (118 bytes, text/x-csrc)
2014-11-30 09:32 UTC, Zdenek Sojka
Description Zdenek Sojka 2014-11-30 09:32:52 UTC
Created attachment 34145
reduced testcase

Compiler output:
$ gcc -O -fsanitize=undefined testcase.c         

Unable to coalesce ssa_names 1 and 6 which are marked as MUST COALESCE.
xp_1(ab) and  xp_6(ab)
testcase.c: In function 'execute':
testcase.c:4:1: internal compiler error: SSA corruption
 execute (int *ip, int x)
 ^
0xd2c828 fail_abnormal_edge_coalesce
        /mnt/svn/gcc-trunk/gcc/tree-ssa-coalesce.c:921
0xd2c828 coalesce_partitions
        /mnt/svn/gcc-trunk/gcc/tree-ssa-coalesce.c:1219
0xd2c828 coalesce_ssa_name()
        /mnt/svn/gcc-trunk/gcc/tree-ssa-coalesce.c:1364
0xcc27cf remove_ssa_form
        /mnt/svn/gcc-trunk/gcc/tree-outof-ssa.c:999
0xcc27cf rewrite_out_of_ssa(ssaexpand*)
        /mnt/svn/gcc-trunk/gcc/tree-outof-ssa.c:1233
0x7d3c37 execute
        /mnt/svn/gcc-trunk/gcc/cfgexpand.c:5703
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <http://gcc.gnu.org/bugs.html> for instructions.

Tested revisions:
r218181 - ICE
4_9 r218177 - OK
Comment 1 Marek Polacek 2014-11-30 10:04:39 UTC
Confirmed, -O -fsanitize=object-size is enough.
Comment 2 Richard Biener 2014-12-01 10:00:13 UTC
  # xp_1(ab) = PHI <xp_3(2), xp_7(ab)(4)>
base:
  if (x_5(D) != 0)
    goto <bb 5>;
  else
    goto <bb 4>;

  <bb 4>:
  xp.0_6 = xp_1(ab);
  xp_7(ab) = xp.0_6 + 4;
  _15 = __builtin_object_size (ip_8(D), 0);
  _16 = ip_8(D);
  UBSAN_OBJECT_SIZE (_16, 4, _15, 0);
  _9 = *ip_8(D);
  _17 = __builtin_object_size (xp_1(ab), 0);
...
 _13 = &base + _12;
  gotovar.1_14 = _13;
  goto gotovar.1_14;


xp_1 and xp_7 are live at the same time - the above is from 017t.ubsan.

You may not refer to xp_1(ab) but should use xp.0_6 here.
Comment 3 Marek Polacek 2014-12-01 10:13:11 UTC
Thanks.  Let me dig into this.
Comment 4 Jakub Jelinek 2014-12-01 12:45:29 UTC
Maybe you should just add to the instrument_object_size while (TREE_CODE (base) == SSA_NAME) loop
  if (SSA_NAME_OCCURS_IN_ABNORMAL_PHI (base))
    break;
?
Comment 5 Marek Polacek 2014-12-01 12:54:27 UTC
Unfortunately, that doesn't seem to help.
Comment 6 Jakub Jelinek 2014-12-01 13:02:17 UTC
Ah, indeed.  So perhaps better replace the:
1565		base = gimple_assign_rhs1 (def_stmt);
line in the loop with
{
  tree rhs1 = gimple_assign_rhs1 (def_stmt);
  if (TREE_CODE (rhs1) == SSA_NAME && SSA_NAME_OCCURS_IN_ABNORMAL_PHI (rhs1))
    break;
  else
    base = rhs1;
}
or so?
Comment 7 Marek Polacek 2014-12-01 13:11:37 UTC
Yup, that works.  Testing in progress.  Thanks.
Comment 8 Marek Polacek 2014-12-01 15:38:27 UTC
Author: mpolacek
Date: Mon Dec  1 15:37:55 2014
New Revision: 218222

URL: https://gcc.gnu.org/viewcvs?rev=218222&root=gcc&view=rev
Log:
	PR sanitizer/64121
	* ubsan.c (instrument_object_size): Stop searching if the base
	occurs in abnormal phi.

	* c-c++-common/ubsan/pr64121.c: New test.

Added:
    trunk/gcc/testsuite/c-c++-common/ubsan/pr64121.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/ubsan.c
Comment 9 Marek Polacek 2014-12-01 15:44:09 UTC
Fixed.
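
A toy model of the def-chain walk discussed in comments 4 to 6, added here as an illustration; it is not GCC's code and not the committed patch. The struct, enum and function names are hypothetical, and the two names are constructed from the dump in comment 2. In this model, testing `base` leaves the walk on xp_1(ab), while testing `rhs1` stops it at xp.0_6, the name comment 2 says should be used.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for an SSA name; hypothetical type, not GCC's tree. */
struct name {
    const char *id;
    bool abnormal_phi;        /* models SSA_NAME_OCCURS_IN_ABNORMAL_PHI */
    const struct name *rhs1;  /* operand of a look-through def, or NULL
                                 when the def is a PHI or anything else */
};

/* Constructed from the dump in comment 2: xp.0_6 = xp_1(ab); */
static const struct name xp_1  = { "xp_1(ab)", true,  NULL  };
static const struct name xp0_6 = { "xp.0_6",   false, &xp_1 };

enum variant { ORIGINAL, CHECK_BASE, CHECK_RHS1 };

/* Walk the def chain from `base`; return the name the walk ends on. */
const char *find_base(const struct name *base, enum variant v)
{
    for (;;) {
        /* Comment 4: tests the name already held, so one step too late. */
        if (v == CHECK_BASE && base->abnormal_phi)
            break;
        const struct name *rhs1 = base->rhs1;
        if (rhs1 == NULL)
            break;
        /* Comment 6: tests the operand before stepping onto it. */
        if (v == CHECK_RHS1 && rhs1->abnormal_phi)
            break;
        base = rhs1;
    }
    return base->id;
}

int main(void)
{
    printf("original:      %s\n", find_base(&xp0_6, ORIGINAL));
    printf("check on base: %s\n", find_base(&xp0_6, CHECK_BASE));
    printf("check on rhs1: %s\n", find_base(&xp0_6, CHECK_RHS1));
    return 0;
}
```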