https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105279
Bug ID: 105279
Summary: Using libgccjit produces a null pointer access in GCC's tree-optimization code
Product: gcc
Version: 12.0
Status: UNCONFIRMED
Severity: normal
Priority: P3
Component: jit
Assignee: dmalcolm at gcc dot gnu.org
Reporter: m...@nieper-wisskirchen.de
Target Milestone: ---

Created attachment 52812
--> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52812&action=edit
libgccjit reproducer file

Compiling and running the attached libgccjit reproducer file produces a null pointer access in GCC's tree-optimization path. The error goes away if I comment out the call to gcc_jit_block_add_assignment on line 1181 or if I replace the pointer to the function there ("address_of_program") with a null pointer in the form of gcc_jit_context_new_rvalue_from_ptr (ctxt_0x6fe3ff0, ptr_to_union_value______struct_processor____union_value_, NULL). The error also goes away if I replace both occurrences of "-O3" in reproducer.c with "-O1" or lower.

$ gcc -lgccjit reproducer.c && valgrind ./a.out
==979255== Memcheck, a memory error detector
==979255== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==979255== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==979255== Command: ./a.out
==979255==
==979255== Invalid read of size 8
==979255==    at 0x5D85753: operator_minus::op1_range(irange&, tree_node*, irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255==    by 0x5CAAC75: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255==    by 0x5CAACD9: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255==    by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&, edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255==    by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*, tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255==    by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*, tree_node*) (gimple-range.cc:245)
==979255==    by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*) (value-query.cc:107)
==979255==    by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*) (tree-vrp.cc:4281)
==979255==    by 0x51D419C: substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*) (tree-ssa-propagate.cc:742)
==979255==    by 0x51D4CD7: substitute_and_fold_dom_walker::before_dom_children(basic_block_def*) (tree-ssa-propagate.cc:942)
==979255==    by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255==    by 0x51D3B6E: substitute_and_fold_engine::substitute_and_fold(basic_block_def*) (tree-ssa-propagate.cc:987)
==979255==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==979255==
==979255==
==979255== Process terminating with default action of signal 11 (SIGSEGV)
==979255==  Access not within mapped region at address 0x0
==979255==    at 0x5D85753: operator_minus::op1_range(irange&, tree_node*, irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255==    by 0x5CAAC75: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255==    by 0x5CAACD9: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255==    by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&, edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255==    by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*, tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255==    by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*, tree_node*) (gimple-range.cc:245)
==979255==    by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*) (value-query.cc:107)
==979255==    by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*) (tree-vrp.cc:4281)
==979255==    by 0x51D419C: substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*) (tree-ssa-propagate.cc:742)
==979255==    by 0x51D4CD7: substitute_and_fold_dom_walker::before_dom_children(basic_block_def*) (tree-ssa-propagate.cc:942)
==979255==    by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255==    by 0x51D3B6E: substitute_and_fold_engine::substitute_and_fold(basic_block_def*) (tree-ssa-propagate.cc:987)
==979255==  If you believe this happened as a result of a stack
==979255==  overflow in your program's main thread (unlikely but
==979255==  possible), you can try to increase the size of the
==979255==  main thread stack using the --main-stacksize= flag.
==979255==  The main thread stack size used in this run was 67108864.
==979255==
==979255== HEAP SUMMARY:
==979255==     in use at exit: 1,635,492 bytes in 3,683 blocks
==979255==   total heap usage: 5,493 allocs, 1,810 frees, 2,427,473 bytes allocated
==979255==
==979255== LEAK SUMMARY:
==979255==    definitely lost: 0 bytes in 0 blocks
==979255==    indirectly lost: 0 bytes in 0 blocks
==979255==      possibly lost: 0 bytes in 0 blocks
==979255==    still reachable: 1,635,492 bytes in 3,683 blocks
==979255==         suppressed: 0 bytes in 0 blocks
==979255== Rerun with --leak-check=full to see details of leaked memory
==979255==
==979255== For lists of detected and suppressed errors, rerun with: -s
==979255== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Speicherzugriffsfehler (Speicherabzug geschrieben)