Bug 83177 - [7/8/9 Regression] ICE with -mmpx -fcheck-pointer-bounds + __builtin___bnd_narrow_ptr_bounds + _setjmp
Status: RESOLVED WONTFIX
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization
Version: 7.2.1
Importance: P4 normal
Target Milestone: 7.4
Assignee: Not yet assigned to anyone
Keywords: needs-reduction
Reported: 2017-11-27 08:41 UTC by Paul Eggert
Modified: 2018-06-22 08:39 UTC
Host: x86-64
Target: x86_64-*-*, i?86-*-*
Known to work: 6.4.1
Known to fail: 7.2.1, 8.0
Last reconfirmed: 2017-11-27 00:00:00


Attachments
Preprocessed source code illustrating the bug. (1.95 KB, text/plain)
2017-11-27 08:41 UTC, Paul Eggert
Compiler output generated for crash on v.i (2.69 KB, text/x-csrc)
2017-11-27 08:45 UTC, Paul Eggert

Description Paul Eggert 2017-11-27 08:41:42 UTC
Created attachment 42726
Preprocessed source code illustrating the bug.

I got this when compiling an experimental version of GNU Emacs. I used GCC 7.2.1 20170915 (Red Hat 7.2.1-2) on x86-64 (Fedora 27). To reproduce, compile the attached program via:

gcc -mmpx -fcheck-pointer-bounds -S v.i

The output is:

Unable to coalesce ssa_names 253 and 236 which are marked as MUST COALESCE.
__bound_tmp.11_253(ab) and  __bound_tmp.11_236(ab)
v.i: In function ‘internal_lisp_condition_case.chkp’:
v.i:143:1: internal compiler error: SSA corruption
 internal_lisp_condition_case (Lisp_Object var, Lisp_Object bodyform,
 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
Please submit a full bug report,
with preprocessed source if appropriate.
See <http://bugzilla.redhat.com/bugzilla> for instructions.
Preprocessed source stored into /tmp/ccZ79fr1.out file, please attach this to your bugreport.

I will attach /tmp/ccZ79fr1.out.
Comment 1 Paul Eggert 2017-11-27 08:45:42 UTC
Created attachment 42727
Compiler output generated for crash on v.i
Comment 2 Richard Biener 2017-11-27 13:44:43 UTC
Confirmed.  Seems to work on the GCC 6 branch and when optimizing.
Comment 3 Jakub Jelinek 2017-12-01 14:36:17 UTC
Reduced testcase below.  Started with r224643.

/* PR tree-optimization/83177 */
/* { dg-do compile } */
/* { dg-options "-mmpx -fcheck-pointer-bounds" } */

extern int setjmp (void *);
void *buf[64];
void bar (void);

int
foo (int *a)
{
  int i, r = 0;
  for (i = 0; i < 64; ++i)
    {
      bar ();
      r += *--a;
      bar ();
    }
  for (i = 0; i < 64; ++i)
    {
      r += *a;
      setjmp (buf);
      bar ();
    }
  return r;
}
Comment 4 Jakub Jelinek 2017-12-01 16:15:31 UTC
Seems chkp_get_bounds_by_definition is called multiple times for the same stmt and we end up with:
  a_24(ab) = a_2(ab) + 18446744073709551612;
  __bound_tmp.1_39 = __bound_tmp.0_35(ab);
  __bound_tmp.0_40(ab) = __bound_tmp.1_39;
  __bound_tmp.1_37 = __bound_tmp.0_35(ab);
  __bound_tmp.0_38 = __bound_tmp.1_37;
where the first pair of __bound_tmp assignments comes from the second invocation and the second pair from the first one.  That is of course invalid, as it has overlapping ranges for (ab) __bound_tmp.0.

Not sure what would be the best fix, maybe if we need bounds across some abnormal edge create a new SSA_NAME for that and assign it near the bottom of the bb that computes that bound.

Anyway, not working on this.
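
The overlap described in comment 4, shown as an added example that is not part of the original bug report and is not GCC code: a small Python checker run over the five quoted statements. It assumes straight-line code and treats a name with no definition in the snippet as live on entry; the function names are hypothetical.

```python
import re

# Constructed input: the five GIMPLE statements quoted in comment 4, in order.
GIMPLE = """\
a_24(ab) = a_2(ab) + 18446744073709551612;
__bound_tmp.1_39 = __bound_tmp.0_35(ab);
__bound_tmp.0_40(ab) = __bound_tmp.1_39;
__bound_tmp.1_37 = __bound_tmp.0_35(ab);
__bound_tmp.0_38 = __bound_tmp.1_37;
"""

# An SSA name is <base>_<version>, optionally tagged (ab) for "abnormal".
NAME = re.compile(r"([A-Za-z_][\w.]*)_(\d+)(\(ab\))?")


def ab_live_ranges(text):
    """Map base -> {version: [def_index, last_use_index]} for (ab) names only.
    -1 means "not defined in this snippet" or "not used in this snippet"."""
    ranges = {}
    stmts = [s.strip() for s in text.splitlines() if s.strip()]
    for idx, stmt in enumerate(stmts):
        lhs, rhs = stmt.rstrip(";").split("=", 1)
        for side, is_def in ((lhs, True), (rhs, False)):
            for base, ver, ab in NAME.findall(side):
                if not ab:
                    continue  # ordinary SSA names carry no coalescing constraint
                rng = ranges.setdefault(base, {}).setdefault(int(ver), [-1, -1])
                if is_def:
                    rng[0] = idx
                else:
                    rng[1] = max(rng[1], idx)
    return ranges


def coalesce_conflicts(text):
    """Return (base, live_version, new_version) wherever a new (ab) version is
    defined while another (ab) version of the same base is still used later."""
    conflicts = []
    for base, versions in sorted(ab_live_ranges(text).items()):
        for new, (new_def, _) in sorted(versions.items()):
            for old, (old_def, old_last_use) in sorted(versions.items()):
                if old != new and old_def < new_def < old_last_use:
                    conflicts.append((base, old, new))
    return conflicts


if __name__ == "__main__":
    for base, old, new in coalesce_conflicts(GIMPLE):
        print(f"{base}_{new}(ab) defined while {base}_{old}(ab) is still live")
```

a_2(ab) and a_24(ab) are not reported because the last use of a_2 is in the same statement that defines a_24, so their ranges do not overlap.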
Comment 5 Jeffrey A. Law 2017-12-08 20:35:47 UTC
Given likely MPX deprecation -> P4.
Comment 6 Richard Biener 2018-01-25 08:22:05 UTC
GCC 7.3 is being released, adjusting target milestone.
Comment 7 Martin Liška 2018-06-22 08:39:34 UTC
MPX is removed, won't fix then.