Bug 88214 - ICE in bitmap_intersect_p() on 32-bit BE platforms
Status: RESOLVED FIXED
Alias: None
Product: gcc
Classification: Unclassified
Component: ipa
Version: 7.3.0
Importance: P3 normal
Target Milestone: ---
Assignee: Martin Jambor
Keywords: ice-on-valid-code
 
Reported: 2018-11-27 09:12 UTC by Sergei Trofimovich
Modified: 2019-01-16 15:41 UTC
Host: powerpc-*-linux sparc-*-*
Known to fail: 9.0
Last reconfirmed: 2018-11-27 00:00:00


Description Sergei Trofimovich 2018-11-27 09:12:04 UTC
Note: this ICE happens on 32-bit BE-hosts and does not happen on i686 host or x86_64 host.

Originally reported at:
    https://bugs.gentoo.org/672032

Minimal reproducer:

  $ cat nc.c
  void i();
  short a;
  void b(e) char * e;
  {
    i();
    b(a);
  }


  $ LANG=C sparc-unknown-linux-gnu-gcc-7.3.0 -Wall -O2 -pipe -o nc.o -c nc.c
  nc.c: In function 'b':
  nc.c:7:1: internal compiler error: Segmentation fault

  $ LANG=C powerpc-unknown-linux-gnu-gcc -Wall -O2 -pipe -o nc.o -c nc.c
  nc.c: In function 'b':
  nc.c:7:1: internal compiler error: Segmentation fault

Note: it seems to be triggered by K&R-style function declarations.

Short backtrace from powerpc-unknown-linux-gnu-gcc-7.3.0:

$ gdb --args /usr/libexec/gcc/powerpc-unknown-linux-gnu/7.3.0/cc1 -quiet -v -D__unix__ -D__gnu_linux__ -D__linux__ -Dunix -D__unix -Dlinux -D__linux -Asystem=linux -Asystem=unix -Asystem=posix nc.c -msecure-plt -quiet -dumpbase nc.c -auxbase-strip nc.o -O2 -Wall -version -o /tmp/ccYGzVuI.s

Program received signal SIGSEGV, Segmentation fault.
0x1020a4ec in bitmap_intersect_p(bitmap_head const*, bitmap_head const*) ()
(gdb) bt
#0  0x1020a4ec in bitmap_intersect_p(bitmap_head const*, bitmap_head const*) ()
#1  0x107ed1ec in pt_solutions_intersect(pt_solution*, pt_solution*) ()
#2  0x10726524 in call_may_clobber_ref_p_1(gcall*, ao_ref*) ()
#3  0x10726bf0 in stmt_may_clobber_ref_p_1(gimple*, ao_ref*) ()
#4  0x1046c2e4 in ?? ()
#5  0x10471a50 in ?? ()
#6  0x10472878 in analysis_dom_walker::before_dom_children(basic_block_def*) ()
#7  0x10c00160 in dom_walker::walk(basic_block_def*) ()
#8  0x104708f8 in ipa_analyze_node(cgraph_node*) ()
#9  0x10c52378 in ?? ()
#10 0x1056a14c in execute_ipa_summary_passes(ipa_opt_pass_d*) ()
#11 0x10278a20 in ?? ()
#12 0x1027a9f0 in symbol_table::finalize_compilation_unit() ()
#13 0x10648bd8 in ?? ()
#14 0x1011dfd4 in toplev::main(int, char**) ()
#15 0x1011f570 in main ()
Comment 1 Sergei Trofimovich 2018-11-27 10:44:49 UTC
Also reproduced on current gcc-master. Got a nicer backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x102ae880 in bitmap_intersect_p (a=0xf7b73e88, b=0x101afaf) at ../../gcc/gcc/bitmap.c:2184
2184      gcc_checking_assert (!a->tree_form && !b->tree_form);
(gdb) bt
#0  0x102ae880 in bitmap_intersect_p (a=0xf7b73e88, b=0x101afaf) at ../../gcc/gcc/bitmap.c:2184
#1  0x10b2ae68 in pt_solutions_intersect_1 (pt1=pt1@entry=0xf7a992b8, pt2=<optimized out>) at ../../gcc/gcc/tree-ssa-structalias.c:6841
#2  0x10b2b0e8 in pt_solutions_intersect (pt1=pt1@entry=0xf7a992b8, pt2=<optimized out>) at ../../gcc/gcc/tree-ssa-structalias.c:6849
#3  0x10a13e48 in call_may_clobber_ref_p_1 (ref=<optimized out>, call=0xf7a99288) at ../../gcc/gcc/gimple.h:3425
#4  call_may_clobber_ref_p_1 (call=0xf7a99288, ref=<optimized out>) at ../../gcc/gcc/tree-ssa-alias.c:1953
#5  0x10a14b9c in stmt_may_clobber_ref_p_1 (tbaa_p=<optimized out>, ref=0xffffd828, stmt=0xf7a99288) at ../../gcc/gcc/tree-ssa-alias.c:2271
#6  stmt_may_clobber_ref_p_1 (stmt=stmt@entry=0xf7a99288, ref=ref@entry=0xffffd828, tbaa_p=tbaa_p@entry=true) at ../../gcc/gcc/tree-ssa-alias.c:2266
#7  0x1063ef14 in determine_locally_known_aggregate_parts (call=call@entry=0xf7b6e730, arg=<optimized out>, arg@entry=0xf7b4e6e0, arg_type=arg_type@entry=0xf7aa5480, 
    jfunc=jfunc@entry=0xf7b774e8) at ../../gcc/gcc/ipa-prop.c:1631
#8  0x10645ee4 in ipa_compute_jump_functions_for_edge (fbi=fbi@entry=0xffffdb3c, cs=cs@entry=0xf7b6d300) at ../../gcc/gcc/ipa-prop.c:1988
#9  0x106472b4 in ipa_compute_jump_functions_for_bb (bb=<optimized out>, fbi=0xffffdb3c) at ../../gcc/gcc/ipa-prop.c:2016
#10 analysis_dom_walker::before_dom_children (this=<optimized out>, bb=<optimized out>) at ../../gcc/gcc/ipa-prop.c:2534
#11 0x1118990c in dom_walker::walk (this=0xffffdb28, bb=0xf7b6d280) at ../../gcc/gcc/domwalk.c:405
#12 0x106433b8 in ipa_analyze_node (node=node@entry=0xf7a94798) at ../../gcc/gcc/ipa-prop.c:2604
#13 0x11214fd8 in ipcp_generate_summary () at ../../gcc/gcc/ipa-cp.c:5091
#14 0x10797984 in execute_ipa_summary_passes (ipa_pass=0x11ba4f10) at ../../gcc/gcc/passes.c:2183
#15 0x10359cb0 in ipa_passes () at ../../gcc/gcc/cgraphunit.c:2506
#16 symbol_table::compile (this=this@entry=0xf7a940d8) at ../../gcc/gcc/cgraphunit.c:2618
#17 0x1035c9c4 in symbol_table::compile (this=0xf7a940d8) at ../../gcc/gcc/cgraphunit.c:2863
#18 symbol_table::finalize_compilation_unit (this=0xf7a940d8) at ../../gcc/gcc/cgraphunit.c:2863
#19 0x108b5868 in compile_file () at ../../gcc/gcc/toplev.c:481
#20 0x101372a8 in do_compile () at ../../gcc/gcc/toplev.c:2176
#21 toplev::main (this=this@entry=0xffffdcb8, argc=<optimized out>, argc@entry=23, argv=<optimized out>, argv@entry=0xffffdf34) at ../../gcc/gcc/toplev.c:2311
#22 0x10138a00 in main (argc=23, argv=0xffffdf34) at ../../gcc/gcc/main.c:39

# ./gcc/xgcc -v
Using built-in specs.
COLLECT_GCC=./gcc/xgcc
Target: powerpc-unknown-linux-gnu
Configured with: ../gcc/configure --enable-languages=c CC=/usr/lib/ccache/bin/gcc CXX=/usr/lib/ccache/bin/g++ CFLAGS='-O1 -ggdb' CXXFLAGS='-O1 -ggdb'
Thread model: posix
gcc version 9.0.0 20181127 (experimental) (GCC)
Comment 2 Martin Liška 2018-11-27 13:43:03 UTC
I can confirm that on a compile farm machine (gcc110.fsffrance.org) with:

$ ./xgcc -B. /tmp/pr.c -m32 -c -Wall -O2
during IPA pass: cp
/tmp/pr.c: In function ‘b’:
/tmp/pr.c:7:3: internal compiler error: Segmentation fault
7 |   }
  |   ^
0x10933cab crash_signal
	../../gcc/toplev.c:325
0x102d23e4 bitmap_intersect_p(bitmap_head const*, bitmap_head const*)
	../../gcc/bitmap.c:1808
0x10bd1c8f pt_solutions_intersect_1
	../../gcc/tree-ssa-structalias.c:6847
0x10bd1f7f pt_solutions_intersect(pt_solution*, pt_solution*)
	../../gcc/tree-ssa-structalias.c:6853
0x10aac207 call_may_clobber_ref_p_1(gcall*, ao_ref*)
	../../gcc/tree-ssa-alias.c:2238
0x10aad38b stmt_may_clobber_ref_p_1(gimple*, ao_ref*, bool)
	../../gcc/tree-ssa-alias.c:2280
0x1069cecb determine_locally_known_aggregate_parts
	../../gcc/ipa-prop.c:1632
0x106a44d3 ipa_compute_jump_functions_for_edge
	../../gcc/ipa-prop.c:1996
0x106a59d3 ipa_compute_jump_functions_for_bb
	../../gcc/ipa-prop.c:2024
0x106a59d3 analysis_dom_walker::before_dom_children(basic_block_def*)
	../../gcc/ipa-prop.c:2542
0x11332657 dom_walker::walk(basic_block_def*)
	../../gcc/domwalk.c:353
0x106a157b ipa_analyze_node(cgraph_node*)
	../../gcc/ipa-prop.c:2612
0x113c27f7 ipcp_generate_summary
	../../gcc/ipa-cp.c:5112
0x10805fa7 execute_ipa_summary_passes(ipa_opt_pass_d*)
	../../gcc/passes.c:2149
0x1038742f ipa_passes
	../../gcc/cgraphunit.c:2432
0x1038742f symbol_table::compile()
	../../gcc/cgraphunit.c:2543
0x1038a66f symbol_table::compile()
	../../gcc/cgraphunit.c:2522
0x1038a66f symbol_table::finalize_compilation_unit()
	../../gcc/cgraphunit.c:2788

Martin, can you please take a look?
Comment 3 Martin Jambor 2018-11-27 14:13:55 UTC
OK
Comment 4 Martin Jambor 2018-12-06 17:22:24 UTC
I don't think this has much to do with IPA-CP per se.  What is
happening is that call_may_clobber_ref_p_1 extracts SSA_NAME_PTR_INFO
of an SSA_NAME that is a base of a MEM_REF and runs
pt_solutions_intersect on it, but the SSA_NAME_PTR_INFO just has an
invalid pt.vars bitmap address 0xffffffffffff8000 in it (before IPA-CP
changed anything).

When I set a watch in gdb to find out how the value got there, it
turned out to be from a rather unexpected context:

Watchpoint 5: ((ptr_info_def *) 0x3fffaf246e20)->pt.vars

Old value = (bitmap) 0xafafafafafafafaf
New value = (bitmap) 0xffffffffffff8000
wi::copy<trailing_wide_int_storage, generic_wide_int<wide_int_ref_storage<false, true> > > (x=..., y=...)
    at /home/jamborm/gcc/mine/src/gcc/wide-int.h:1776
1776      do
(gdb) bt
#0  wi::copy<trailing_wide_int_storage, generic_wide_int<wide_int_ref_storage<false, true> > > (x=..., y=...)
    at /home/jamborm/gcc/mine/src/gcc/wide-int.h:1776
#1  0x00000000112eea1c in trailing_wide_int_storage::operator=<generic_wide_int<wide_int_ref_storage<false, true> > > (this=0x3fffffffd920, x=...) at /home/jamborm/gcc/mine/src/gcc/wide-int.h:1432
#2  0x00000000112edff8 in generic_wide_int<trailing_wide_int_storage>::operator=<generic_wide_int<wide_int_ref_storage<false, true> > > (this=0x3fffffffd920, x=...) at /home/jamborm/gcc/mine/src/gcc/wide-int.h:916
#3  0x00000000112ed96c in range_info_def::set_min<generic_wide_int<wide_int_ref_storage<false, true> > > (
    this=0x3fffaf246e20, x=...) at /home/jamborm/gcc/mine/src/gcc/tree-ssanames.h:52
#4  0x00000000112ea434 in set_range_info_raw (name=<ssa_name 0x3fffaf2e0990>, range_type=VR_RANGE, min=..., 
    max=...) at /home/jamborm/gcc/mine/src/gcc/tree-ssanames.c:360
#5  0x00000000112ea91c in set_range_info (name=<ssa_name 0x3fffaf2e0990>, range_type=VR_RANGE, min=..., 
    max=...) at /home/jamborm/gcc/mine/src/gcc/tree-ssanames.c:398
#6  0x0000000011c25b44 in evrp_range_analyzer::set_ssa_range_info (this=0x3fffffffe0f8, 
    lhs=<ssa_name 0x3fffaf2e0990>, vr=0x3fffffffddb0)
    at /home/jamborm/gcc/mine/src/gcc/gimple-ssa-evrp-analyze.c:116
#7  0x0000000011c26a18 in evrp_range_analyzer::record_ranges_from_stmt (this=0x3fffffffe0f8, 
    stmt=0x3fffaf43e290, temporary=false) at /home/jamborm/gcc/mine/src/gcc/gimple-ssa-evrp-analyze.c:312
#8  0x0000000011c22ab4 in evrp_dom_walker::before_dom_children (this=0x3fffffffe0c0, bb=0x3fffaf450138)
    at /home/jamborm/gcc/mine/src/gcc/gimple-ssa-evrp.c:139
#9  0x0000000011bdc634 in dom_walker::walk (this=0x3fffffffe0c0, bb=0x3fffaf450138)
    at /home/jamborm/gcc/mine/src/gcc/domwalk.c:353
#10 0x0000000011c23448 in execute_early_vrp () at /home/jamborm/gcc/mine/src/gcc/gimple-ssa-evrp.c:311
#11 0x0000000011c235f0 in (anonymous namespace)::pass_early_vrp::execute (this=0x1282aed0)
    at /home/jamborm/gcc/mine/src/gcc/gimple-ssa-evrp.c:348

That looks like some memory corruption or unwanted memory sharing...?
Comment 5 Martin Jambor 2018-12-06 17:37:47 UTC
OK, I take it all back.  SSA_NAME_RANGE_INFO and SSA_NAME_PTR_INFO
share storage by design, the latter should not be accessed because the
SSA_NAME is an integer but it still happens to be a base in a MEM_REF
constructed as a part of ao_ref_init_from_ptr_and_size done during
ipa-prop's function scan.  So hopefully all that is missing is a
POINTER_TYPE_P somewhere.
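
The storage sharing described in this comment, as an added example that is not part of the original report or GCC's code: a value range and a points-to record occupy one slot, and only the name's type says which of the two is stored there. All struct and function names are hypothetical simplifications, and -32768 is a constructed value chosen because its 64-bit pattern matches the 0xffffffffffff8000 in the watchpoint output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified stand-ins for GCC's structures. */
struct bitmap_head { unsigned first; };
struct ptr_info   { struct bitmap_head *vars; };  /* points-to set */
struct range_info { int64_t min, max; };          /* value range */
enum kind { KIND_INTEGER, KIND_POINTER };

struct ssa_name {
  enum kind kind;              /* stands in for the SSA_NAME's type */
  union {                      /* one slot with two meanings */
    struct ptr_info ptr;
    struct range_info range;
  } info;
};

/* Constructed sample: an integer name with a recorded value range. */
static struct ssa_name make_integer_name(int64_t min, int64_t max)
{
  struct ssa_name n = { .kind = KIND_INTEGER };
  n.info.range.min = min;
  n.info.range.max = max;
  return n;
}

/* Unchecked view: the bits a caller gets when it reads the slot as
   ptr_info without looking at the kind. Never dereferenced here. */
static uintptr_t unchecked_vars_bits(const struct ssa_name *n)
{
  uintptr_t bits;
  memcpy(&bits, &n->info, sizeof bits);
  return bits;
}

/* Checked view, the analogue of the POINTER_TYPE_P test: NULL tells the
   caller to give up instead of walking a bitmap that is not there. */
static const struct bitmap_head *checked_vars(const struct ssa_name *n)
{
  return n->kind == KIND_POINTER ? n->info.ptr.vars : NULL;
}

int main(void)
{
  struct ssa_name n = make_integer_name(-32768, 32767); /* range of short */
  printf("unchecked: %#jx\n", (uintmax_t)unchecked_vars_bits(&n));
  printf("checked:   %s\n", checked_vars(&n) ? "bitmap" : "not a pointer");
  return 0;
}
```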
Comment 6 Martin Jambor 2018-12-06 18:11:13 UTC
I'm going to test the following fix:

diff --git a/gcc/ipa-prop.c b/gcc/ipa-prop.c
index 7405235..4dbe268 100644
--- a/gcc/ipa-prop.c
+++ b/gcc/ipa-prop.c
@@ -1569,7 +1569,8 @@ determine_locally_known_aggregate_parts (gcall *call, tree arg,
       if (TREE_CODE (arg) == SSA_NAME)
        {
          tree type_size;
-          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type))))
+          if (!tree_fits_uhwi_p (TYPE_SIZE (TREE_TYPE (arg_type)))
+             || !POINTER_TYPE_P (TREE_TYPE (arg)))
             return;
          check_ref = true;
          arg_base = arg;
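Review bot: the added `|| !POINTER_TYPE_P (TREE_TYPE (arg))` test in the SSA_NAME branch needs a comment, because the line above it already treats arg_type as a pointer type (it takes TYPE_SIZE (TREE_TYPE (arg_type))) and a reader will not see why arg itself can be a non-pointer. A short comment above the condition saying that the actual argument's type can disagree with arg_type, and that the early return then skips the aggregate analysis for it, would do. The diff as posted also touches only ipa-prop.c; the nc.c reproducer from the description would make a suitable regression test to go with it.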
Comment 7 Martin Jambor 2018-12-07 15:01:22 UTC
I have posted the patch to the mailing list for review:

https://gcc.gnu.org/ml/gcc-patches/2018-12/msg00460.html
Comment 8 Martin Jambor 2018-12-10 12:46:25 UTC
Author: jamborm
Date: Mon Dec 10 12:45:47 2018
New Revision: 266953

URL: https://gcc.gnu.org/viewcvs?rev=266953&root=gcc&view=rev
Log:
[PR 88214] Check that an argument is a pointer

2018-12-10  Martin Jambor  <mjambor@suse.cz>

	PR ipa/88214
	* ipa-prop.c (determine_locally_known_aggregate_parts): Make sure
	we check pointers against pointers.

	testsuite/
	* gcc.dg/ipa/pr88214.c: New test.


Added:
    trunk/gcc/testsuite/gcc.dg/ipa/pr88214.c
Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/ipa-prop.c
    trunk/gcc/testsuite/ChangeLog
Comment 9 Martin Jambor 2018-12-10 12:53:23 UTC
Fixed.
Comment 10 Martin Jambor 2018-12-20 14:14:54 UTC
Author: jamborm
Date: Thu Dec 20 14:14:22 2018
New Revision: 267298

URL: https://gcc.gnu.org/viewcvs?rev=267298&root=gcc&view=rev
Log:
[PR 88214] Assert that ptr is a pointer

2018-12-20  Martin Jambor  <mjambor@suse.cz>

	PR ipa/88214
	* tree-ssa-alias.c (ao_ref_init_from_ptr_and_size): Assert that
	ptr is a pointer.


Modified:
    trunk/gcc/ChangeLog
    trunk/gcc/tree-ssa-alias.c
Comment 11 Martin Jambor 2019-01-16 15:38:05 UTC
Author: jamborm
Date: Wed Jan 16 15:37:33 2019
New Revision: 267974

URL: https://gcc.gnu.org/viewcvs?rev=267974&root=gcc&view=rev
Log:
[PR 88214] Check that an argument is a pointer

2019-01-16  Martin Jambor  <mjambor@suse.cz>

	Backported from mainline
	2018-12-10  Martin Jambor  <mjambor@suse.cz>

	PR ipa/88214
	* ipa-prop.c (determine_locally_known_aggregate_parts): Make sure
	we check pointers against pointers.

	testsuite/
	* gcc.dg/ipa/pr88214.c: New test.


Added:
    branches/gcc-8-branch/gcc/testsuite/gcc.dg/ipa/pr88214.c
Modified:
    branches/gcc-8-branch/gcc/ChangeLog
    branches/gcc-8-branch/gcc/ipa-prop.c
    branches/gcc-8-branch/gcc/testsuite/ChangeLog
Comment 12 Martin Jambor 2019-01-16 15:41:39 UTC
Author: jamborm
Date: Wed Jan 16 15:41:07 2019
New Revision: 267975

URL: https://gcc.gnu.org/viewcvs?rev=267975&root=gcc&view=rev
Log:
[PR 88214] Check that an argument is a pointer

2019-01-16  Martin Jambor  <mjambor@suse.cz>

	Backported from mainline
	2018-12-10  Martin Jambor  <mjambor@suse.cz>

	PR ipa/88214
	* ipa-prop.c (determine_locally_known_aggregate_parts): Make sure
	we check pointers against pointers.

	testsuite/
	* gcc.dg/ipa/pr88214.c: New test.


Added:
    branches/gcc-7-branch/gcc/testsuite/gcc.dg/ipa/pr88214.c
Modified:
    branches/gcc-7-branch/gcc/ChangeLog
    branches/gcc-7-branch/gcc/ipa-prop.c
    branches/gcc-7-branch/gcc/testsuite/ChangeLog