[Bug rtl-optimization/50068] New: Invalid memory access in incr_ticks_for_insn
uwe at netbsd dot org
gcc-bugzilla@gcc.gnu.org
Sat Aug 13 01:18:00 GMT 2011
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=50068
Bug #: 50068
Summary: Invalid memory access in incr_ticks_for_insn
Classification: Unclassified
Product: gcc
Version: unknown
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: rtl-optimization
AssignedTo: unassigned@gcc.gnu.org
ReportedBy: uwe@netbsd.org
I'm not sure about a good short description for this, so please bear with me.
NetBSD is currently in a process of switching to gcc-4.5.3 as its system
compiler. I have built a NetBSD release with the new gcc and, as a test, I
decided to build NetBSD/landisk (SuperH) on a landisk machine itself (with the
newly compiled system) to verify bootstrap/self-hosting. While it takes
several days, it's an interesting exercise and last time I did it I actually
found a sequence point bug in out lint... But I digressed.
The build failed with:
# compile libstdc++-v3/fstream-inst.o
/usr/nb/tools/bin/shle--netbsdelf-c++ -frandom-seed=4cd80fc7 -Os
-freorder-blocks -Werror -fno-implicit-templates
-fdiagnostics-show-location=once --sysroot=/usr/nb/distrib/landisk
-I/usr/src/external/gpl3/gcc/dist/gcc -I/usr/src/external/gpl3/gcc/dist/include
-I/usr/src/external/gpl3/gcc/dist/libstdc++-v3/libsupc++
-I/usr/src/external/gpl3/gcc/lib/libstdc++-v3/../libstdc++-v3_4/arch/sh3el -I.
-DHAVE_STDLIB_H -DHAVE_STRING_H
-I/usr/src/external/gpl3/gcc/dist/libstdc++-v3/include
-I/usr/src/external/gpl3/gcc/lib/libstdc++-v3/arch/sh3el -c
-Wno-stack-protector -std=gnu++0x
/usr/src/external/gpl3/gcc/dist/libstdc++-v3/src/fstream-inst.cc -o
fstream-inst.o
/usr/src/external/gpl3/gcc/dist/libstdc++-v3/src/fstream-inst.cc: In member
function 'void
std::basic_fstream<char>::_ZTv0_n12_NSt13basic_fstreamIcSt11char_traitsIcEED1Ev()':
/usr/src/external/gpl3/gcc/dist/libstdc++-v3/src/fstream-inst.cc:46:1: internal
compiler error: Bus error
That SIGBUS happens in incr_ticks_for_insn at resource.c:1275 doing
bb_ticks[b]++;
and bb_ticks is an address aligned as x*4+2. Since it's not properly aligned
for int*, there's SIGBUS triggered.
bb_ticks is allocated at resource.c:1201 as:
bb_ticks = XCNEWVEC (int, last_basic_block);
and for the faulty allocation the last_basic_block is 0. Now, xcalloc in
libiberty checks that
if (nelem == 0 || elsize == 0)
nelem = elsize = 1;
and so it ends up with calloc(1, 1). NetBSD's jemalloc rounds allocation
size=1 up to 2 and allocates memory at x*4+2 that IS properly aligned for
size=2, but IS NOT properly aligned for int *bb_ticks. Since SuperH is strict
about alignment, eventual invalid access in incr_ticks_for_insn causes SIGBUS
and exposes the bug.
The compiler under investigation in the above was build on SuperH to run on
SuperH targeting SuperH.
To verify this bug I did a cross-build of NetBSD/landisk on an amd64 RedHat
machine. Then I manually ran the command that failed in my landisk build using
valgrind. So in this verification I used compiler built on amd64, running on
amd64 targeting SuperH. Valgrind complained about:
==12675== Invalid read of size 4
==12675== at 0x743398: incr_ticks_for_insn (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x741636: fill_simple_delay_slots (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x741FA9: dbr_schedule (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8D9BC7: sh_output_mi_thunk (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8DF98E: cgraph_expand_function (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8E11A4: cgraph_optimize (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8E1A54: cgraph_finalize_compilation_unit (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x4D2BF4: cp_write_global_declarations (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x78D905: do_compile (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x78E04D: toplev_main (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x35C801D973: (below main) (in /lib64/libc-2.5.so)
==12675== Address 0x4f22524 is 3 bytes after a block of size 1 alloc'd
==12675== at 0x4A0516B: calloc (vg_replace_malloc.c:418)
==12675== by 0xA2C628: xcalloc (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x74412B: init_resource_info (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x741F62: dbr_schedule (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8D9BC7: sh_output_mi_thunk (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8DF98E: cgraph_expand_function (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3a/cc1plus)
==12675== by 0x8E11A4: cgraph_optimize (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x8E1A54: cgraph_finalize_compilation_unit (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x4D2BF4: cp_write_global_declarations (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x78D905: do_compile (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x78E04D: toplev_main (in
netbsd/tools/libexec/gcc/shle--netbsdelf/4.5.3/cc1plus)
==12675== by 0x35C801D973: (below main) (in /lib64/libc-2.5.so)
thus confirming the bug.
More information about the Gcc-bugs
mailing list