Bug in edge redirection code

Daniel Berlin dan@cgsoftware.com
Thu Jul 26 09:34:00 GMT 2001


Okay, i found why my malloc debugger hates the following code
(crashing on first->count -= e->count)

3136          else if (redirect_edge_and_branch (e, target))
3137            {
3138              /* We successfully forwarded the edge.  Now update profile
3139                 data: for each edge we traversed in the chain, remove
3140                 the original edge's execution count.  */
3141              do
3142                {
3143                  first->count -= e->count;
3144                  first->succ->count -= e->count;
3145                  first->frequency -= ((e->probability * b->frequency

What happens is that redirect_edge_and_branch calls
redirect_edge_succ_nodup which sees the edge is already 
present, so it remove_edge's it.
However, what it just remove_edge'd was "e", so when we get back to
the above code, having succeeded in forwarding, and try to access e->count,
we're screwed.

Once you'd redirected e to target, you can't count on e still being
the edge you redirected, or even valid,  because we'll remove it if it was a
duplicate.

This bug also exists in the slightly older version of
try_forward_edges on the new-regalloc-branch.

I'm not quite sure how you want to fix this.


--Dan

-- 
"They say we're 98% water.  We're that close to drowning...
(Picks up his glass of water from the stool...)  I like to live
on the edge...
"-Steven Wright



More information about the Gcc-bugs mailing list