This is the mail archive of the gcc-patches@gcc.gnu.org mailing list for the GCC project.
[RFC, PATCH] Fix GC crash related to free PHI nodes
- From: Ulrich Weigand <weigand at i1 dot informatik dot uni-erlangen dot de>
- To: gcc-patches at gcc dot gnu dot org
- Date: Thu, 16 Sep 2004 23:17:45 +0200 (CEST)
- Subject: [RFC, PATCH] Fix GC crash related to free PHI nodes
Hello,
I'm seeing a bootstrap failure on s390x-ibm-linux caused by SIGSEGV
during garbage collection, which appears to be caused by a dangling
reference to a phi-node on the free list. (This would appear to be
related to the PR 17437 issue -- or maybe not ...)
Specifically, the garbage collector walks through the following
chain of references:
- the ssa_names varray
- an SSA_NAME in the array
- a MODIFY_EXPR chained off the SSA_NAME (via TREE_CHAIN)
- a STMT_ANN annotation hanging off the MODIFY_EXPR
- a dataflow structure hanging off the annotation
- a PHI node present as immediate use in the df structure
(note that this PHI node is on the free_phinodes list)
- a whole bunch of other PHI nodes on the free_phinodes list,
chained together via TREE_CHAIN
- one of those PHI nodes contains a pointer to a basic block
data structure which was already freed, and the memory
reused for something else
- following a random pointer obtained from the clobbered basic
block structure
Now, the free_phinodes list is marked as deletable, so it
shouldn't matter that a free PHI node points to a deleted
basic block. However, if the free_phinodes list is reachable
via some *other* reference, this becomes a problem.
So the question is, why is there a dangling reference to a
freed PHI node (I assume this is not supposed to happen)?
This situation is created by add_phi_arg which needs to
reallocate the PHI node structure to resize it. Thus the
old PHI node (which is pointed to by the immediate uses
structure) gets freed, and a new PHI node is allocated.
However, the immediate uses are never updated to point to
the newly allocated PHI node.
The caller of add_phi_arg where this happens is thread_jumps.
I've tried to fix the problem by adding a call to
redirect_immediate_uses to that routine to fix up any references
to reallocated PHI nodes. This change fixes the particular
instance where I was seeing the crash.
I'm not sure if there are potentially any other references to
PHI nodes that would need to be fixed up at this location;
likewise I don't know whether any other users of add_phi_arg
face a similar problem. Maybe someone familiar with the
tree-ssa infrastructure could look into this?
I'm still running bootstrap/regtest on the patch below;
OK to commit if this goes through?
Bye,
Ulrich
ChangeLog:
* tree-cfg.c (thread_jumps): Call redirect_immediate_uses to
account for reallocated PHI nodes.
Index: gcc/tree-cfg.c
===================================================================
RCS file: /cvs/gcc/gcc/gcc/tree-cfg.c,v
retrieving revision 2.50
diff -c -p -r2.50 tree-cfg.c
*** gcc/tree-cfg.c 11 Sep 2004 20:42:03 -0000 2.50
--- gcc/tree-cfg.c 16 Sep 2004 20:40:39 -0000
*************** thread_jumps (void)
*** 3942,3950 ****
--- 3942,3956 ----
Otherwise we would have changed our target block above. */
for (phi = phi_nodes (dest); phi; phi = PHI_CHAIN (phi))
{
+ tree old_phi = phi;
+
arg = phi_arg_from_edge (phi, last);
gcc_assert (arg >= 0);
add_phi_arg (&phi, PHI_ARG_DEF (phi, arg), e);
+
+ /* Update dataflow to use the new PHI node. */
+ if (old_phi != phi)
+ redirect_immediate_uses (old_phi, phi);
}
}
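Review bot: in the added `redirect_immediate_uses (old_phi, phi)` call, `old_phi` is a pointer to a node that `add_phi_arg` has already released to the free list by the time the comparison runs, so the fix is only sound if `redirect_immediate_uses` treats its first argument as an opaque address to match against and never dereferences it; that precondition is worth stating in the comment above the call. Since `add_phi_arg` is the routine that performs the reallocation and free, moving the redirect into `add_phi_arg` itself (or making it report the old node to every caller) would address the other `add_phi_arg` users the cover letter is unsure about, instead of patching this one site in `thread_jumps`.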
--
Dr. Ulrich Weigand
weigand@informatik.uni-erlangen.de