Bug 84746 - [7 Regression] ICE on valid code at -O2 and -O3: Segmentation fault
Summary: [7 Regression] ICE on valid code at -O2 and -O3: Segmentation fault
Status: ASSIGNED
Alias: None
Product: gcc
Classification: Unclassified
Component: tree-optimization (show other bugs)
Version: 8.0
: P2 normal
Target Milestone: 7.5
Assignee: Richard Biener
URL:
Keywords: ice-on-valid-code
Depends on:
Blocks:
 
Reported: 2018-03-07 07:57 UTC by Zhendong Su
Modified: 2018-12-06 10:06 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Known to work: 8.0
Known to fail:
Last reconfirmed: 2018-03-07 00:00:00


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Zhendong Su 2018-03-07 07:57:38 UTC
$ gcctk -v
Using built-in specs.
COLLECT_GCC=gcctk
COLLECT_LTO_WRAPPER=/home/su/software/tmp/gcc/gcc-trunk/libexec/gcc/x86_64-pc-linux-gnu/8.0.1/lto-wrapper
Target: x86_64-pc-linux-gnu
Configured with: ../gcc-source-trunk/configure --enable-languages=c,c++,lto --prefix=/home/su/software/tmp/gcc/gcc-trunk --disable-bootstrap
Thread model: posix
gcc version 8.0.1 20180307 (experimental) [trunk revision 258312] (GCC) 
$ 
$ gcctk -Os -c small.c
$ gcc-7.2.0 -O2 -c small.c
$ 
$ gcctk -O2 -c small.c
during GIMPLE pass: pre
small.c: In function ‘fn1’:
small.c:4:6: internal compiler error: Segmentation fault
 void fn1 ()
      ^~~
0xca7f6f crash_signal
	../../gcc-source-trunk/gcc/toplev.c:325
0xedd700 update_dep_bb
	../../gcc-source-trunk/gcc/tree-ssa-tail-merge.c:402
0xedfbf9 same_succ_hash
	../../gcc-source-trunk/gcc/tree-ssa-tail-merge.c:506
0xedfbf9 find_same_succ_bb
	../../gcc-source-trunk/gcc/tree-ssa-tail-merge.c:717
0xee00ff find_same_succ
	../../gcc-source-trunk/gcc/tree-ssa-tail-merge.c:748
0xee00ff init_worklist
	../../gcc-source-trunk/gcc/tree-ssa-tail-merge.c:767
0xee00ff tail_merge_optimize(unsigned int)
	../../gcc-source-trunk/gcc/tree-ssa-tail-merge.c:1733
0xe7c6b6 execute
	../../gcc-source-trunk/gcc/tree-ssa-pre.c:4196
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.
$ 


--------------------------------------------------


int a, b, c, d, e;
char f, g;

void fn1 ()
{
  while (1)
    {
      if (d)
        goto L1;
      if (e)
        goto L3;
      int q = (c && a) % (f * (d || a)) && b;
      e = q;
      if (b)
        break;
    L1:
    L2:
      c = f;
    L3:
      f = g;
      while (a)
        goto L2;
    }
}
Comment 1 Marek Polacek 2018-03-07 08:07:00 UTC
Confirmed.
Comment 2 Marek Polacek 2018-03-07 08:08:32 UTC
Started with r258124.
Comment 3 Jakub Jelinek 2018-03-07 08:57:40 UTC
We are calling update_dep_bb on a in-freelist SSA_NAME.
Comment 4 Jakub Jelinek 2018-03-07 09:02:23 UTC
The SSA_NAME has been freed in:
#1  0x0000000001291cfd in release_ssa_name_fn (fn=0x7fffefd9b000, var=<error_mark 0x7fffefda75a0>) at ../../gcc/tree-ssanames.c:579
#2  0x00000000010b76eb in release_ssa_name (name=<error_mark 0x7fffefda75a0>) at ../../gcc/tree-ssanames.h:141
#3  0x00000000010b8590 in remove_phi_node (gsi=0x7fffffffdb50, release_lhs_p=true) at ../../gcc/tree-phinodes.c:449
#4  0x0000000001221501 in vn_eliminate (inserted_exprs=0x2b51008) at ../../gcc/tree-ssa-sccvn.c:5928
#5  0x00000000011e94a2 in (anonymous namespace)::pass_pre::execute (this=0x2ae9720, fun=0x7fffefd9b000) at ../../gcc/tree-ssa-pre.c:4173
#6  0x0000000000e735c5 in execute_one_pass (pass=<opt_pass* 0x2ae9720 "pre"(139)>) at ../../gcc/passes.c:2497
Comment 5 Richard Biener 2018-03-07 09:10:43 UTC
Mine.
Comment 6 Richard Biener 2018-03-07 10:18:54 UTC
The issue is PRE inserted a PHI with a SSA name argument that is not available
there.  The reason is that

            constant = fully_constant_expression (expr);
...
                if (constant->kind != CONSTANT)
                  {
...
                        unsigned value_id = get_expr_value_id (constant);
                        constant = find_leader_in_sets (value_id, set1, set2,
                                                        AVAIL_OUT (pred));

is wrong in using the ANTIC sets to find a leader.  See the original fix I
pasted into PR84670.  This fix regresses some testcase(s) though
(gcc.dg/tree-ssa/pr35287.c at least).  Trying to recover with sth more clever
regressed sth else.  As the other fix (for the assert) fixed all testcases
I had I didn't pursue this further.

Looking again.
Comment 7 Richard Biener 2018-03-07 11:28:01 UTC
This is also latent on the GCC 7 branch.
Comment 8 Richard Biener 2018-03-08 09:24:23 UTC
Fixed on trunk, I'm eventually going to backport a variant of this.
Comment 9 Richard Biener 2018-03-08 09:24:25 UTC
Author: rguenth
Date: Thu Mar  8 09:23:44 2018
New Revision: 258361

URL: https://gcc.gnu.org/viewcvs?rev=258361&root=gcc&view=rev
Log:
2018-03-08  Richard Biener  <rguenther@suse.de>

	PR tree-optimization/84746
	* tree-ssa-pre.c (find_leader_in_sets): Deal with SET1 being NULL.
	(phi_translate): Pass in destination ANTIC_OUT set.
	(phi_translate_1): Likewise.  For a simplified result lookup
	a leader in ANTIC_OUT and AVAIL_OUT, not the ANTIC_IN sets.
	(phi_translate_set): Adjust.
	(do_pre_regular_insertion): Likewise.
	(do_pre_partial_partial_insertion): Likewise.

	* gcc.dg/torture/pr84746.c: New testcase.

Added:
    trunk/gcc/testsuite/gcc.dg/torture/pr84746.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/testsuite/ChangeLog
    trunk/gcc/tree-ssa-pre.c
Comment 10 Richard Biener 2018-03-08 10:49:43 UTC
Fixed on trunk, I'm eventually going to backport a variant of this.