User account creation filtered due to spam.

Bug 68853 - [6 Regression] gcc-6 miscompiles Chromium v8 garbage collector
Summary: [6 Regression] gcc-6 miscompiles Chromium v8 garbage collector
Status: RESOLVED INVALID
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization (show other bugs)
Version: 6.0
: P3 normal
Target Milestone: 6.0
Assignee: Not yet assigned to anyone
URL: https://bugs.chromium.org/p/v8/issues...
Keywords:
: 69234 (view as bug list)
Depends on:
Blocks:
 
Reported: 2015-12-11 11:00 UTC by Markus Trippelsdorf
Modified: 2016-12-27 14:43 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed: 2015-12-11 00:00:00


Attachments
unreduced testcase (561.54 KB, application/x-bzip)
2015-12-11 15:01 UTC, Markus Trippelsdorf
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Markus Trippelsdorf 2015-12-11 11:00:10 UTC
Chromium build with gcc-6 crashes almost immediately in the
v8 (javascript) garbage collector.

Program received signal SIGSEGV, Segmentation fault.
0x0000555557830de0 in v8::internal::IncrementalMarking::ActivateIncrementalWriteBarrier() ()
(gdb) bt
#0  0x0000555557830de0 in v8::internal::IncrementalMarking::ActivateIncrementalWriteBarrier() ()
#1  0x0000555557831007 in v8::internal::IncrementalMarking::StartMarking() ()
#2  0x0000555557831163 in v8::internal::IncrementalMarking::Start(char const*) ()
#3  0x0000555557820e86 in v8::internal::Heap::CollectGarbage(v8::internal::GarbageCollector, char const*, char const*, v8::GCCallbackFlags) ()
#4  0x00005555577f0b7d in v8::internal::Factory::NewRawOneByteString(int, v8::internal::PretenureFlag) ()
#5  0x0000555557b86b62 in v8::internal::Runtime_StringToLowerCase(int, v8::internal::Object**, v8::internal::Isolate*) ()

markus@x4 Release % c++ -MMD -MF obj/v8/src/heap/v8_base.incremental-marking.o.d -DV8_DEPRECATION_WARNINGS -DCLD_VERSION=2 -D_FILE_OFFSET_BITS=64 -DDISABLE_NACL -DCHROMIUM_BUILD -DUI_COMPOSITOR_IMAGE_TRANSPORT -DUSE_AURA=1 -DUSE_ASH=1 -DUSE_PANGO=1 -DUSE_CAIRO=1 -DUSE_DEFAULT_RENDER_THEME=1 -DUSE_LIBJPEG_TURBO=1 -DUSE_X11=1 -DUSE_CLIPBOARD_AURAX11=1 -DENABLE_ONE_CLICK_SIGNIN -DENABLE_WEBRTC=1 -DENABLE_MEDIA_ROUTER=1 -DUSE_PROPRIETARY_CODECS -DENABLE_PEPPER_CDMS -DENABLE_CONFIGURATION_POLICY -DENABLE_NOTIFICATIONS -DENABLE_HIDPI=1 -DENABLE_TOPCHROME_MD=1 -DUSE_UDEV -DDONT_EMBED_BUILD_METADATA -DFIELDTRIAL_TESTING_ENABLED -DENABLE_TASK_MANAGER=1 -DENABLE_EXTENSIONS=1 -DENABLE_PDF=1 -DENABLE_PLUGINS=1 -DENABLE_SESSION_SERVICE=1 -DENABLE_THEMES=1 -DENABLE_AUTOFILL_DIALOG=1 -DENABLE_BACKGROUND=1 -DENABLE_PRINTING=1 -DENABLE_BASIC_PRINTING=1 -DENABLE_PRINT_PREVIEW=1 -DENABLE_SPELLCHECK=1 -DENABLE_CAPTIVE_PORTAL_DETECTION=1 -DENABLE_APP_LIST=1 -DENABLE_SETTINGS_APP=1 -DENABLE_SUPERVISED_USERS=1 -DENABLE_MDNS=1 -DENABLE_SERVICE_DISCOVERY=1 -DV8_USE_EXTERNAL_STARTUP_DATA -DFULL_SAFE_BROWSING -DSAFE_BROWSING_CSD -DSAFE_BROWSING_DB_LOCAL -DV8_TARGET_ARCH_X64 -DV8_I18N_SUPPORT -DV8_IMMINENT_DEPRECATION_WARNINGS -DICU_UTIL_DATA_IMPL=ICU_UTIL_DATA_FILE -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DU_STATIC_IMPLEMENTATION -DUSE_LIBPCI=1 -DUSE_OPENSSL=1 -DUSE_GLIB=1 -DUSE_NSS_CERTS=1 -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -DENABLE_HANDLE_ZAPPING -I../../v8 -Igen -I../../third_party/icu/source/i18n -I../../third_party/icu/source/common -fstack-protector --param=ssp-buffer-size=4  -pthread -fno-strict-aliasing -Wno-unused-parameter -Wno-missing-field-initializers -fvisibility=hidden -pipe -fPIC -Wno-unused-local-typedefs -Wno-format -Wno-unused-result -m64 -march=x86-64 -m64 -O3 -fno-ident -fdata-sections -ffunction-sections -funwind-tables -fdata-sections -ffunction-sections -O3 -fno-exceptions -fno-rtti -fno-threadsafe-statics -fvisibility-inlines-hidden -Wno-deprecated -std=gnu++11 -Wno-narrowing -Wno-literal-suffix  -c ../../v8/src/heap/incremental-marking.cc -o obj/v8/src/heap/v8_base.incremental-marking.o

Compiling this file with gcc-5 fixes the issue.
I will try to narrow this further down to a single function.
Comment 1 Markus Trippelsdorf 2015-12-11 11:30:00 UTC
-fno-tree-fre "fixes" the issue.
Comment 2 Markus Trippelsdorf 2015-12-11 12:22:27 UTC
g++ -MMD -MF obj/third_party/WebKit/Source/core/layout/webcore_rendering.LayoutObject.o.d -DV8_DEPRECATION_WARNINGS -DCLD_VERSION=2 -D_FILE_OFFSET_BITS=64 -DDISABLE_NACL -DCHROMIUM_BUILD -DUI_COMPOSITOR_IMAGE_TRANSPORT -DUSE_AURA=1 -DUSE_ASH=1 -DUSE_PANGO=1 -DUSE_CAIRO=1 -DUSE_DEFAULT_RENDER_THEME=1 -DUSE_LIBJPEG_TURBO=1 -DUSE_X11=1 -DUSE_CLIPBOARD_AURAX11=1 -DENABLE_ONE_CLICK_SIGNIN -DENABLE_WEBRTC=1 -DENABLE_MEDIA_ROUTER=1 -DUSE_PROPRIETARY_CODECS -DENABLE_PEPPER_CDMS -DENABLE_CONFIGURATION_POLICY -DENABLE_NOTIFICATIONS -DENABLE_HIDPI=1 -DENABLE_TOPCHROME_MD=1 -DUSE_UDEV -DDONT_EMBED_BUILD_METADATA -DFIELDTRIAL_TESTING_ENABLED -DENABLE_TASK_MANAGER=1 -DENABLE_EXTENSIONS=1 -DENABLE_PDF=1 -DENABLE_PLUGINS=1 -DENABLE_SESSION_SERVICE=1 -DENABLE_THEMES=1 -DENABLE_AUTOFILL_DIALOG=1 -DENABLE_BACKGROUND=1 -DENABLE_PRINTING=1 -DENABLE_BASIC_PRINTING=1 -DENABLE_PRINT_PREVIEW=1 -DENABLE_SPELLCHECK=1 -DENABLE_CAPTIVE_PORTAL_DETECTION=1 -DENABLE_APP_LIST=1 -DENABLE_SETTINGS_APP=1 -DENABLE_SUPERVISED_USERS=1 -DENABLE_MDNS=1 -DENABLE_SERVICE_DISCOVERY=1 -DV8_USE_EXTERNAL_STARTUP_DATA -DFULL_SAFE_BROWSING -DSAFE_BROWSING_CSD -DSAFE_BROWSING_DB_LOCAL -DGL_GLEXT_PROTOTYPES -DBLINK_IMPLEMENTATION=1 -DINSIDE_BLINK -DENABLE_LAYOUT_UNIT_IN_INLINE_BOXES=0 -DWTF_USE_CONCATENATED_IMPULSE_RESPONSES=1 -DENABLE_INPUT_MULTIPLE_FIELDS_UI=1 -DENABLE_WEB_AUDIO=1 -DWTF_USE_WEBAUDIO_FFMPEG=1 -DWTF_USE_DEFAULT_RENDER_THEME=1 -DU_USING_ICU_NAMESPACE=0 -DU_ENABLE_DYLOAD=0 -DU_STATIC_IMPLEMENTATION -DSK_SUPPORT_GPU=1 -DSK_IGNORE_LINEONLY_AA_CONVEX_PATH_OPTS -DCHROME_PNG_WRITE_SUPPORT -DPNG_USER_CONFIG -DLIBXML_STATIC -DLIBXSLT_STATIC -DUSE_LIBPCI=1 -DUSE_OPENSSL=1 -DUSE_GLIB=1 -DUSE_NSS_CERTS=1 -D__STDC_CONSTANT_MACROS -D__STDC_FORMAT_MACROS -DNDEBUG -DNVALGRIND -DDYNAMIC_ANNOTATIONS_ENABLED=0 -D_FORTIFY_SOURCE=2 -Igen -I../.. -I../../skia/config -I../../third_party/WebKit/Source -I../../third_party/khronos -I../../gpu -Igen/angle -Igen/blink -I../../third_party/angle/include -I../../third_party/ffmpeg -I../../third_party/icu/source/i18n -I../../third_party/icu/source/common -I../../third_party/WebKit -I../../third_party/skia/include/core -I../../third_party/skia/include/effects -I../../third_party/skia/include/pdf -I../../third_party/skia/include/gpu -I../../third_party/skia/include/lazy -I../../third_party/skia/include/pathops -I../../third_party/skia/include/pipe -I../../third_party/skia/include/ports -I../../third_party/skia/include/utils -I../../skia/ext -I../../third_party/iccjpeg -I../../third_party/libpng -I../../third_party/libwebp -I../../third_party/libxml/linux/include -I../../third_party/libxml/src/include -I../../third_party/libxslt -I../../third_party/npapi -I../../third_party/npapi/bindings -I../../third_party/ots/include -I../../third_party/qcms/src -I../../third_party/zlib -I../../v8/include -fstack-protector --param=ssp-buffer-size=4 -pthread -fno-strict-aliasing -Wall -Wno-unused-parameter -Wno-missing-field-initializers -fvisibility=hidden -pipe -fPIC -Wno-unused-local-typedefs -fno-strict-aliasing -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/harfbuzz -I/usr/include/freetype2 -I/usr/include/libpng16 -I/usr/include/harfbuzz -I/usr/include/glib-2.0 -I/usr/lib64/glib-2.0/include -m64 -march=x86-64 -O3 -fno-ident -fdata-sections -ffunction-sections -funwind-tables -fno-exceptions -fno-rtti -fno-threadsafe-statics -fvisibility-inlines-hidden -Wsign-compare -Wno-c++0x-compat -std=gnu++11 -Wno-narrowing -Wno-literal-suffix -c ../../third_party/WebKit/Source/core/layout/LayoutObject.cpp -o obj/third_party/WebKit/Source/core/layout/webcore_rendering.LayoutObject.o 

Also gets miscompiled:

Program received signal SIGSEGV, Segmentation fault.
0x0000555558ad00a5 in blink::LayoutObject::isDescendantOf(blink::LayoutObject const*) const ()
(gdb) bt
#0  0x0000555558ad00a5 in blink::LayoutObject::isDescendantOf(blink::LayoutObject const*) const ()
#1  0x0000555558b60790 in blink::CompositedLayerMapping::containingSquashedLayer(blink::LayoutObject const*, unsigned int) ()
#2  0x0000555558be0bf6 in blink::CompositingLayerAssigner::assignLayersToBackingsInternal(blink::PaintLayer*, blink::CompositingLayerAssigner::SquashingState&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#3  0x0000555558be0769 in blink::CompositingLayerAssigner::assignLayersToBackingsInternal(blink::PaintLayer*, blink::CompositingLayerAssigner::SquashingState&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#4  0x0000555558be0769 in blink::CompositingLayerAssigner::assignLayersToBackingsInternal(blink::PaintLayer*, blink::CompositingLayerAssigner::SquashingState&, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#5  0x0000555558be0e11 in blink::CompositingLayerAssigner::assign(blink::PaintLayer*, WTF::Vector<blink::PaintLayer*, 0ul, WTF::PartitionAllocator>&) ()
#6  0x0000555558b66758 in blink::PaintLayerCompositor::updateIfNeeded() ()
#7  0x0000555558b680a6 in blink::PaintLayerCompositor::updateIfNeededRecursive() ()

However this is a different issue, because -O1 "fixes" it.
Comment 3 Richard Biener 2015-12-11 13:07:11 UTC
Can you bisect it to the alias changes from Honza or is this older?  Is this part of chromium single-threaded?
Comment 4 Markus Trippelsdorf 2015-12-11 13:16:26 UTC
(In reply to Richard Biener from comment #3)
> Can you bisect it to the alias changes from Honza or is this older?

The first issue is older. At least a few weeks.
I don't have a powerful enough machine to bisect this and the 
compile farm machines cannot build Chromium, because of missing
libraries. 
(I've seen the second issue for the first time today.)

> Is this  part of chromium single-threaded?

If you start chromium with:
 google-chrome --no-sandbox --renderer-cmd-prefix='xterm -title renderer -e gdb -ex run --args'
it will attach a debugger to every started thread.
The segfault happens in one of them.
Comment 5 Markus Trippelsdorf 2015-12-11 13:21:05 UTC
(In reply to Markus Trippelsdorf from comment #4)
> (In reply to Richard Biener from comment #3)
> > Can you bisect it to the alias changes from Honza or is this older?
> 
> The first issue is older. At least a few weeks.
> I don't have a powerful enough machine to bisect this and the 
> compile farm machines cannot build Chromium, because of missing
> libraries. 

OK. I will run a bisection just on that one object file...
Comment 6 Markus Trippelsdorf 2015-12-11 15:01:50 UTC
Created attachment 36995 [details]
unreduced testcase

Started with r226861.
Comment 7 Markus Trippelsdorf 2015-12-11 15:27:01 UTC
The while loop in:

 421 void IncrementalMarking::ActivateIncrementalWriteBarrier() {
 422   ActivateIncrementalWriteBarrier(heap_->old_space());
 423   ActivateIncrementalWriteBarrier(heap_->map_space());
 424   ActivateIncrementalWriteBarrier(heap_->code_space());
 425   ActivateIncrementalWriteBarrier(heap_->new_space());
 426
 427   LargePage* lop = heap_->lo_space()->first_page();
 428   while (lop->is_valid()) {
 429     SetOldSpacePageFlags(lop, true, is_compacting_);
 430     lop = lop->next_page();
 431   }
 432 }


Good:                          Bad:     
    .p2align 4,,10                 .p2align 4,,10
    .p2align 3                     .p2align 3
.L2183:                        .L2176:
    orq $12, 8(%rax)               orq $12, 8(%rax)
    movq    176(%rax), %rax        movq    176(%rax), %rax
    testq   %rax, %rax             jmp .L2176
    jne .L2183                 
    rep ret                    
.L2192:                        
    rep ret
Comment 8 Andrew Pinski 2015-12-11 18:21:52 UTC
Calling a NULL object is undefined.  


  Address address() { return reinterpret_cast<Address>(this); }

  bool is_valid() { return address() !=
# 475 "../../v8/src/heap/spaces.h" 3 4
                                       __null
# 475 "../../v8/src/heap/spaces.h"
                                           ; }


That will always be true.  That is this can never be NULL.
Comment 9 Markus Trippelsdorf 2015-12-11 18:41:10 UTC
Thanks Andrew.
Turned out the issue from comment 2 is similar.
Both issues are solved with -fno-delete-null-pointer-checks.
Maybe the chromium devs should add that flag to their default gcc flags...
Comment 10 Markus Trippelsdorf 2016-01-11 23:21:50 UTC
*** Bug 69234 has been marked as a duplicate of this bug. ***
Comment 11 Andrew Pinski 2016-01-11 23:55:22 UTC
*** Bug 69234 has been marked as a duplicate of this bug. ***