https://gcc.gnu.org/bugzilla/show_bug.cgi?id=87134

Richard Biener <rguenth at gcc dot gnu.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
           Assignee|unassigned at gcc dot gnu.org      |rguenth at gcc dot gnu.org

--- Comment #19 from Richard Biener <rguenth at gcc dot gnu.org> ---
So I have now, with FreeBSD 10.4, bootstrap with host GCC 6.4.0, a libc built
with -g -O0 (eh...):

Starting program: /root/obj/gcc/cc1 -quiet -fpreprocessed cp-demangle.i -quiet
-dumpbase cp-demangle.c -mtune=pentium -march=pentium -auxbase-strip
cp-demangle.o -g -O2 -Wno-error -version -fPIC -o cp-demangle.s
GNU C17 (GCC) version 9.0.0 20180913 (experimental) (i586-unknown-freebsd10.4)
        compiled by GNU C version 6.4.0, GMP version 6.1.2, MPFR version 4.0.1,
MPC version 1.1.0, isl version none
GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
GNU C17 (GCC) version 9.0.0 20180913 (experimental) (i586-unknown-freebsd10.4)
        compiled by GNU C version 6.4.0, GMP version 6.1.2, MPFR version 4.0.1,
MPC version 1.1.0, isl version none
GGC heuristics: --param ggc-min-expand=30 --param ggc-min-heapsize=4096
Compiler executable checksum: 7de01f066f6d84094dfef092696e3ed8

Program received signal SIGSEGV, Segmentation fault.
0x2a5bbb3f in __jemalloc_arena_dalloc_bin_locked (arena=0x2a8000c0, 
    chunk=0x2ac00000, ptr=0x2aed9000, mapelm=0x2ac02220)
    at jemalloc_arena.c:1717
1717                    bin->stats.allocated -= size;
(gdb) bt
#0  0x2a5bbb3f in __jemalloc_arena_dalloc_bin_locked (arena=0x2a8000c0, 
    chunk=0x2ac00000, ptr=0x2aed9000, mapelm=0x2ac02220)
    at jemalloc_arena.c:1717
#1  0x2a5bc2d6 in __jemalloc_arena_dalloc_bin (arena=0x2a8000c0, 
    chunk=0x2ac00000, ptr=0x2aed9000, pageind=729, mapelm=0x2ac02220)
    at jemalloc_arena.c:1733
#2  0x2a5bc371 in __jemalloc_arena_dalloc_small (arena=0x2a8000c0, 
    chunk=0x2ac00000, ptr=0x2aed9000, pageind=729) at jemalloc_arena.c:1749
#3  0x2a5d3913 in __jemalloc_arena_dalloc (arena=0x2a8000c0, chunk=0x2ac00000, 
    ptr=0x2aed9000, try_tcache=true)
    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/arena.h:1005
#4  __jemalloc_idallocx (ptr=<optimized out>, try_tcache=<optimized out>, 
    ptr=<optimized out>, try_tcache=<optimized out>)
    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:913
#5  __jemalloc_iqallocx (ptr=0x2aed9000, try_tcache=true)
    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:932
#6  __jemalloc_iqalloc (ptr=0x2aed9000)
    at /usr/src/lib/libc/../../contrib/jemalloc/include/jemalloc/internal/jemalloc_internal.h:939
#7  __free (ptr=0x2aed9000) at jemalloc_jemalloc.c:1277
#8  0x097d59d5 in dom_walker::dom_walker (this=0xbfbfe6b4, 
    direction=CDI_DOMINATORS, reachability=dom_walker::ALL_BLOCKS)
    at ../../trunk/gcc/domwalk.c:236
#9  0x08e7cf6b in eliminate_dom_walker::eliminate_dom_walker (this=0xbfbfe6b4, 
    direction=CDI_DOMINATORS, inserted_exprs_=0x0)
    at ../../trunk/gcc/tree-ssa-sccvn.c:4693
#10 0x08e80199 in eliminate_with_rpo_vn (inserted_exprs=0x0)
    at ../../trunk/gcc/tree-ssa-sccvn.c:5546
#11 0x08e839b4 in do_rpo_vn (fn=0x2b197680, 
    entry=<edge 0x2b2afa00 (ENTRY -> 2)>, exit_bbs=0x0, iterate=true, 
    eliminate=true) at ../../trunk/gcc/tree-ssa-sccvn.c:6613
#12 0x08e83b1f in (anonymous namespace)::pass_fre::execute (this=0x2ac5b8c0, 
    fun=0x2b197680) at ../../trunk/gcc/tree-ssa-sccvn.c:6681
#13 0x08ab9021 in execute_one_pass (pass=<opt_pass* 0x2ac5b8c0 "fre"(102)>)
    at ../../trunk/gcc/passes.c:2446

This is just

      int *postorder = XNEWVEC (int, n_basic_blocks_for_fn (cfun));
      int postorder_num = pre_and_rev_post_order_compute (NULL, postorder,
                                                          true);
      m_bb_to_rpo = XNEWVEC (int, last_basic_block_for_fn (cfun));
      for (int i = 0; i < postorder_num; ++i)
        m_bb_to_rpo[postorder[i]] = i;
      free (postorder);
^^^

#0  0x2a5bbb3f in __jemalloc_arena_dalloc_bin_locked (arena=0x2a8000c0, 
    chunk=0x2ac00000, ptr=0x2aed9000, mapelm=0x2ac02220)
    at jemalloc_arena.c:1717
1717                    bin->stats.allocated -= size;
(gdb) p bin
$1 = (arena_bin_t *) 0x1

where bin is computed as

1697            pageind = ((uintptr_t)ptr - (uintptr_t)chunk) >> LG_PAGE;
1698            run = (arena_run_t *)((uintptr_t)chunk + (uintptr_t)((pageind -
1699                arena_mapbits_small_runind_get(chunk, pageind)) << LG_PAGE));
1700            bin = run->bin;

just watching run->bin luckily(?) shows up

Hardware watchpoint 5: *$6

Old value = (arena_bin_t *) 0x2a800abc
New value = (arena_bin_t *) 0x1
vn_nary_op_insert_pieces_predicated (length=2, code=GT_EXPR, type=
    <boolean_type 0x2a3a66c0 _Bool>, ops=0xbfbfe628, 
    result=<integer_cst 0x2b005c58>, value_id=0, 
    pred_e=<edge 0x2b166120 (442 -> 443)>)
    at ../../trunk/gcc/tree-ssa-sccvn.c:3220
3220      return vn_nary_op_insert_into (vno1, valid_info->nary, true);
(gdb) l
3215      vno1->u.values->next = NULL;
3216      vno1->u.values->result = result;
3217      vno1->u.values->n = 1;
3218      vno1->u.values->valid_dominated_by_p[0] = pred_e->dest->index;
3219      vno1->u.values->valid_dominated_by_p[1] = EXIT_BLOCK;
3220      return vn_nary_op_insert_into (vno1, valid_info->nary, true);
3221    }

(gdb) p &vno1->u.values->valid_dominated_by_p[1]
$15 = (int *) 0x2aed3000
(gdb) p $6
$13 = (arena_bin_t **) 0x2aed3000

valid_dominated_by_p was allocated via

  vno1->u.values = (vn_pval *) obstack_alloc (&vn_tables_obstack,
                                              sizeof (vn_pval));

Looks like I left a stray assign from EXIT_BLOCK in the array when I made
it dynamically allocated... :/

Testing patch.

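The overrun traced in this comment, modelled as an added example that is not from the bug report or from GCC: a record allocated with `sizeof` of a struct whose trailing array declares one slot, a store to index 1, and the adjacent word that store lands on. `struct pval_model`, the helper names, the byte arena and the sample values are assumptions made for illustration; the real `vn_pval` layout is not shown on the page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a record whose trailing array declares one slot. */
struct pval_model {
    struct pval_model *next;
    void *result;
    unsigned n;
    int valid_dominated_by_p[1];
};

/* Bytes needed for a record with `slots` trailing entries (slots >= 1). */
static size_t pval_size(size_t slots) {
    return offsetof(struct pval_model, valid_dominated_by_p) + slots * sizeof(int);
}

/* 1 if a store to valid_dominated_by_p[idx] stays inside alloc_bytes. */
static int store_in_bounds(size_t alloc_bytes, size_t idx) {
    return offsetof(struct pval_model, valid_dominated_by_p)
           + (idx + 1) * sizeof(int) <= alloc_bytes;
}

/* Lay the record at offset 0 of a byte arena with an unrelated word
   (standing in for allocator metadata) directly behind it, do the store
   to index idx via memcpy, and return the neighbouring word afterwards. */
static uintptr_t neighbour_after_store(size_t alloc_bytes, size_t idx) {
    unsigned char arena[128] = {0};
    uintptr_t meta = 0x2a800abc;   /* sample value for the neighbouring word */
    int v = 1;                     /* sample value being stored */
    size_t off = offsetof(struct pval_model, valid_dominated_by_p) + idx * sizeof(int);
    memcpy(arena + alloc_bytes, &meta, sizeof meta);
    memcpy(arena + off, &v, sizeof v);
    memcpy(&meta, arena + alloc_bytes, sizeof meta);
    return meta;
}

int main(void) {
    size_t one = sizeof(struct pval_model), two = pval_size(2);
    printf("alloc=%zu idx=1 in bounds: %d, neighbour=%#lx\n", one,
           store_in_bounds(one, 1), (unsigned long)neighbour_after_store(one, 1));
    printf("alloc=%zu idx=1 in bounds: %d, neighbour=%#lx\n", two,
           store_in_bounds(two, 1), (unsigned long)neighbour_after_store(two, 1));
    return 0;
}
```

Building the real code with AddressSanitizer does not flag this class of bug when both objects come from the same obstack chunk, which is why the hardware watchpoint on the corrupted word was the effective tool here.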