https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105279
Bug ID: 105279
Summary: Using libgccjit produces a null pointer access in
GCC's tree-optimization code
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: jit
Assignee: dmalcolm at gcc dot gnu.org
Reporter: m...@nieper-wisskirchen.de
Target Milestone: ---
Created attachment 52812
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52812&action=edit
libgccjit reproducer file
Compiling and running the attached libgccjit reproducer file produces a null
pointer access in GCC's tree-optimization path. The error goes away if I
comment out the call to gcc_jit_block_add_assignment on line 1181 or if I
replace the pointer to the function there ("address_of_program") with a null
pointer in the form of gcc_jit_context_new_rvalue_from_ptr (ctxt_0x6fe3ff0,
ptr_to_union_value______struct_processor____union_value_, NULL).
The error also goes away if I replace both occurrences of "-O3" in reproducer.c
with "-O1" or lower.
$ gcc -lgccjit reproducer.c && valgrind ./a.out
==979255== Memcheck, a memory error detector
==979255== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==979255== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==979255== Command: ./a.out
==979255==
==979255== Invalid read of size 8
==979255== at 0x5D85753: operator_minus::op1_range(irange&, tree_node*,
irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255== by 0x5CAAC75: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255== by 0x5CAACD9: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255== by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255== by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*,
tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255== by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*,
tree_node*) (gimple-range.cc:245)
==979255== by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*)
(value-query.cc:107)
==979255== by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*)
(tree-vrp.cc:4281)
==979255== by 0x51D419C:
substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*)
(tree-ssa-propagate.cc:742)
==979255== by 0x51D4CD7:
substitute_and_fold_dom_walker::before_dom_children(basic_block_def*)
(tree-ssa-propagate.cc:942)
==979255== by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255== by 0x51D3B6E:
substitute_and_fold_engine::substitute_and_fold(basic_block_def*)
(tree-ssa-propagate.cc:987)
==979255== Address 0x0 is not stack'd, malloc'd or (recently) free'd
==979255==
==979255==
==979255== Process terminating with default action of signal 11 (SIGSEGV)
==979255== Access not within mapped region at address 0x0
==979255== at 0x5D85753: operator_minus::op1_range(irange&, tree_node*,
irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255== by 0x5CAAC75: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255== by 0x5CAACD9: gori_compute::compute_operand1_range(irange&,
gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255== by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&,
edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255== by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*,
tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255== by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*,
tree_node*) (gimple-range.cc:245)
==979255== by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*)
(value-query.cc:107)
==979255== by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*)
(tree-vrp.cc:4281)
==979255== by 0x51D419C:
substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*)
(tree-ssa-propagate.cc:742)
==979255== by 0x51D4CD7:
substitute_and_fold_dom_walker::before_dom_children(basic_block_def*)
(tree-ssa-propagate.cc:942)
==979255== by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255== by 0x51D3B6E:
substitute_and_fold_engine::substitute_and_fold(basic_block_def*)
(tree-ssa-propagate.cc:987)
==979255== If you believe this happened as a result of a stack
==979255== overflow in your program's main thread (unlikely but
==979255== possible), you can try to increase the size of the
==979255== main thread stack using the --main-stacksize= flag.
==979255== The main thread stack size used in this run was 67108864.
==979255==
==979255== HEAP SUMMARY:
==979255== in use at exit: 1,635,492 bytes in 3,683 blocks
==979255== total heap usage: 5,493 allocs, 1,810 frees, 2,427,473 bytes
allocated
==979255==
==979255== LEAK SUMMARY:
==979255== definitely lost: 0 bytes in 0 blocks
==979255== indirectly lost: 0 bytes in 0 blocks
==979255== possibly lost: 0 bytes in 0 blocks
==979255== still reachable: 1,635,492 bytes in 3,683 blocks
==979255== suppressed: 0 bytes in 0 blocks
==979255== Rerun with --leak-check=full to see details of leaked memory
==979255==
==979255== For lists of detected and suppressed errors, rerun with: -s
==979255== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Speicherzugriffsfehler (Speicherabzug geschrieben)
