Bug 66396 - [6 regression] FAIL: gcc.dg/graphite/run-id-pr47593.c execution test
Summary: [6 regression] FAIL: gcc.dg/graphite/run-id-pr47593.c execution test
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization (show other bugs)
Version: 6.0
: P3 normal
Target Milestone: 6.0
Assignee: Richard Biener
URL:
Keywords: wrong-code
Depends on:
Blocks: 48052
  Show dependency treegraph
 
Reported: 2015-06-03 11:27 UTC by Andreas Schwab
Modified: 2015-06-09 08:22 UTC (History)
0 users

See Also:
Host:
Target: m68k-*-*, x86_64-*-*
Build:
Known to work:
Known to fail:
Last reconfirmed: 2015-06-03 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Schwab 2015-06-03 11:27:10 UTC 
$ gcc/xgcc -Bgcc/ ../gcc/testsuite/gcc.dg/graphite/run-id-pr47593.c   -O2 -fgraphite-identity  -lm    -o ./run-id-pr47593.exe -g
$ ./run-id-pr47593.exe
Segmentation fault

Program received signal SIGSEGV, Segmentation fault.
0x800004e6 in bar () at ../gcc/testsuite/gcc.dg/graphite/run-id-pr47593.c:21
21        return ***(int ***)p;
(gdb) p p
$1 = 0xeffff594 "\200\r\266\b"
(gdb) p {int**}p
$2 = (int **) 0x800db608
(gdb) p *$
Cannot access memory at address 0x800db608
(gdb) i local
f = {p = 0x800db608, q = 0x0}
j = 4
p = 0xeffff5c4 "\200\r\266\b"
x = <synthetic pointer>
y = 0xeffff5c0
(gdb) disass
Dump of assembler code for function bar:
   0x800004d8 <+0>:     linkw %fp,#-12
   0x800004dc <+4>:     moveq #4,%d0
   0x800004de <+6>:     movel %d0,%fp@(-12)
   0x800004e2 <+10>:    moveal %fp@(-4),%a0
=> 0x800004e6 <+14>:    moveal %a0@,%a0
   0x800004e8 <+16>:    movel %a0@,%d0
   0x800004ea <+18>:    unlk %fp
   0x800004ec <+20>:    rts
End of assembler dump.

Before r224020:
(gdb) disass bar
Dump of assembler code for function bar:
   0x800004d8 <+0>:     linkw %fp,#-24
   0x800004dc <+4>:     moveq #1,%d0
   0x800004de <+6>:     unlk %fp
   0x800004e0 <+8>:     rts
End of assembler dump.


05032b10839cf0498c992c819bf2358e86c22bb0 is the first bad commit
commit 05032b10839cf0498c992c819bf2358e86c22bb0
Author: amker <amker@138bc75d-0d04-0410-961f-82ee72b054a4>
Date:   Tue Jun 2 10:19:18 2015 +0000

        PR tree-optimization/48052
...
    git-svn-id: svn+ssh://gcc.gnu.org/svn/gcc/trunk@224020 138bc75d-0d04-0410-961f-82ee72b054a4
Comment 1 Richard Biener 2015-06-03 12:11:53 UTC 
Confirmed.
Comment 2 Richard Biener 2015-06-03 13:04:42 UTC 
on x86_64 with -m32 btw
Comment 3 bin cheng 2015-06-04 04:13:14 UTC 
Interesting case.
I know nothing about graphite, but I guess the case is fixed in patch for PR47653 by skipping graphite transofromation on loops in specific forms.  The skip mechanism is kind of nullified by the overflow change.  But as far as I can see, we shouldn't skip graphite transformation on the case in the first place because it looks good to me.

See dumps before graphite pass:

bar ()
{
  _Bool j_lsm.8;
  int j_lsm.7;
  int * y;
  int * x;
  char * p;
  int i;
  int j;
  struct Foo f;
  unsigned int j.2_11;
  int j.1_13;
  int * * _15;
  int * _16;
  int _17;
  int j.0_31;

  <bb 2>:
  i = 1;
  x = &i;
  y = &j;
  f.p = &y;
  f.q = &x;

  <bb 3>:
  # p_27 = PHI <&f(2), p_12(4)>
  # j.0_31 = PHI <0(2), j.1_13(4)>
  p_12 = p_27 + 1;
  j.1_13 = j.0_31 + 1;
  j.2_11 = (unsigned int) j.1_13;
  if (j.2_11 <= 3)
    goto <bb 4>;
  else
    goto <bb 5>;

  <bb 4>:
  goto <bb 3>;

  <bb 5>:
  p_25 = &f + 4;
  j = 4;
  _15 = MEM[(int * * *)p_25];
  _16 = *_15;
  _17 = *_16;
  f ={v} {CLOBBER};
  j ={v} {CLOBBER};
  i ={v} {CLOBBER};
  x ={v} {CLOBBER};
  y ={v} {CLOBBER};
  return _17;

}
graphite transforms it infor below shape:
bar ()
{
  _Bool j_lsm.8;
  int j_lsm.7;
  int * y;
  int * x;
  char * p;
  int i;
  int j;
  struct Foo f;
  int * * _15;
  int * _16;
  int _17;

  <bb 2>:
  i = 1;
  x = &i;
  y = &j;
  f.p = &y;
  f.q = &x;
  p_25 = &f + 4;
  j = 4;
  _15 = MEM[(int * * *)p_25];
  _16 = *_15;
  _17 = *_16;
  f ={v} {CLOBBER};
  j ={v} {CLOBBER};
  i ={v} {CLOBBER};
  x ={v} {CLOBBER};
  y ={v} {CLOBBER};
  return _17;

}

It is dce4 pass that deletes the bounch of initialization code at beginning of bb 2.  dce4.dump is as below:
bar ()
{
  _Bool j_lsm.8;
  int j_lsm.7;
  int * y;
  int * x;
  char * p;
  int i;
  int j;
  struct Foo f;
  int * * _15;
  int * _16;
  int _17;

  <bb 2>:
  p_25 = &f + 4;
  j = 4;
  _15 = MEM[(int * * *)p_25];
  _16 = *_15;
  _17 = *_16;
  f ={v} {CLOBBER};
  j ={v} {CLOBBER};
  i ={v} {CLOBBER};
  x ={v} {CLOBBER};
  y ={v} {CLOBBER};
  return _17;

}

I thought this was a strict-aliasing issue, but specifying "-fno-strict-aliasing" doesn't give any difference.
Comment 4 bin cheng 2015-06-04 04:13:55 UTC 
BTW, it happens on ilp32 platforms I think.
Comment 5 Richard Biener 2015-06-04 11:15:03 UTC 
I will have a look.
Comment 6 Richard Biener 2015-06-08 11:51:12 UTC 
The issue is corrupted VOPs.

  <bb 2>:
  # .MEM_4 = VDEF <.MEM_3(D)>
  iD.1808@ = 1;
  # .MEM_5 = VDEF <.MEM_4>
  xD.1810@ = &iD.1808@;
  # .MEM_6 = VDEF <.MEM_5>
  yD.1811@ = &jD.1807@;
  # .MEM_7 = VDEF <.MEM_6>
  fD.1806@.pD.1801 = &yD.1811@;
  # .MEM_8 = VDEF <.MEM_7>
  fD.1806@.qD.1802 = &xD.1810@;
  # PT = { D.1806 }
  p_25 = &fD.1806@ + 4;
  # .MEM_28 = VDEF <.MEM_3(D)>
  jD.1807@ = 4;

see how that uses the wrong VUSE.
Comment 7 Richard Biener 2015-06-08 12:18:25 UTC 
The code in SESE doesn't deal with virtual operands correctly.  In other places
GRAPHITE tries to paper over this with marking all vops for renaming.  But
that isn't done when no code is generated, thus this breaks.
Comment 8 Richard Biener 2015-06-09 07:51:56 UTC 
Author: rguenth
Date: Tue Jun  9 07:51:24 2015
New Revision: 224266

URL: https://gcc.gnu.org/viewcvs?rev=224266&root=gcc&view=rev
Log:
2015-06-09  Richard Biener  <rguenther@suse.de>

	PR tree-optimization/66396
	* graphite-isl-ast-to-gimple.c (graphite_regenerate_ast_isl):
	Rename virtual operands.

Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/graphite-isl-ast-to-gimple.c
Comment 9 Richard Biener 2015-06-09 08:22:37 UTC 
Fixed.