https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105279

            Bug ID: 105279
           Summary: Using libgccjit produces a null pointer access in
                    GCC's tree-optimization code
           Product: gcc
           Version: 12.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: jit
          Assignee: dmalcolm at gcc dot gnu.org
          Reporter: m...@nieper-wisskirchen.de
  Target Milestone: ---

Created attachment 52812
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=52812&action=edit
libgccjit reproducer file

Compiling and running the attached libgccjit reproducer file produces a null
pointer access in GCC's tree-optimization path.  The error goes away if I
comment out the call to gcc_jit_block_add_assignment on line 1181 or if I
replace the pointer to the function there ("address_of_program") with a null
pointer in the form of gcc_jit_context_new_rvalue_from_ptr (ctxt_0x6fe3ff0,
ptr_to_union_value______struct_processor____union_value_, NULL).

The error also goes away if I replace both occurrences of "-O3" in reproducer.c
with "-O1" or lower.

$ gcc -lgccjit reproducer.c && valgrind ./a.out 
==979255== Memcheck, a memory error detector
==979255== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==979255== Using Valgrind-3.17.0 and LibVEX; rerun with -h for copyright info
==979255== Command: ./a.out
==979255== 
==979255== Invalid read of size 8
==979255==    at 0x5D85753: operator_minus::op1_range(irange&, tree_node*, irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255==    by 0x5CAAC75: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255==    by 0x5CAACD9: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255==    by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&, edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255==    by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*, tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255==    by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*, tree_node*) (gimple-range.cc:245)
==979255==    by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*) (value-query.cc:107)
==979255==    by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*) (tree-vrp.cc:4281)
==979255==    by 0x51D419C: substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*) (tree-ssa-propagate.cc:742)
==979255==    by 0x51D4CD7: substitute_and_fold_dom_walker::before_dom_children(basic_block_def*) (tree-ssa-propagate.cc:942)
==979255==    by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255==    by 0x51D3B6E: substitute_and_fold_engine::substitute_and_fold(basic_block_def*) (tree-ssa-propagate.cc:987)
==979255==  Address 0x0 is not stack'd, malloc'd or (recently) free'd
==979255== 
==979255== 
==979255== Process terminating with default action of signal 11 (SIGSEGV)
==979255==  Access not within mapped region at address 0x0
==979255==    at 0x5D85753: operator_minus::op1_range(irange&, tree_node*, irange const&, irange const&, tree_code) const (range-op.cc:1460)
==979255==    by 0x5CAAC75: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1024)
==979255==    by 0x5CAACD9: gori_compute::compute_operand1_range(irange&, gimple*, irange const&, tree_node*, fur_source&) (gimple-range-gori.cc:1077)
==979255==    by 0x5CAC775: gori_compute::outgoing_edge_range_p(irange&, edge_def*, tree_node*, range_query&) (gimple-range-gori.cc:1271)
==979255==    by 0x5CA0FDC: ranger_cache::range_on_edge(irange&, edge_def*, tree_node*) [clone .part.0] (gimple-range-cache.cc:1083)
==979255==    by 0x5C9DFE1: gimple_ranger::range_on_edge(irange&, edge_def*, tree_node*) (gimple-range.cc:245)
==979255==    by 0x52DB39E: range_query::value_on_edge(edge_def*, tree_node*) (value-query.cc:107)
==979255==    by 0x52BDDE7: rvrp_folder::value_on_edge(edge_def*, tree_node*) (tree-vrp.cc:4281)
==979255==    by 0x51D419C: substitute_and_fold_engine::propagate_into_phi_args(basic_block_def*) (tree-ssa-propagate.cc:742)
==979255==    by 0x51D4CD7: substitute_and_fold_dom_walker::before_dom_children(basic_block_def*) (tree-ssa-propagate.cc:942)
==979255==    by 0x5C70125: dom_walker::walk(basic_block_def*) (domwalk.cc:309)
==979255==    by 0x51D3B6E: substitute_and_fold_engine::substitute_and_fold(basic_block_def*) (tree-ssa-propagate.cc:987)
==979255==  If you believe this happened as a result of a stack
==979255==  overflow in your program's main thread (unlikely but
==979255==  possible), you can try to increase the size of the
==979255==  main thread stack using the --main-stacksize= flag.
==979255==  The main thread stack size used in this run was 67108864.
==979255== 
==979255== HEAP SUMMARY:
==979255==     in use at exit: 1,635,492 bytes in 3,683 blocks
==979255==   total heap usage: 5,493 allocs, 1,810 frees, 2,427,473 bytes allocated
==979255== 
==979255== LEAK SUMMARY:
==979255==    definitely lost: 0 bytes in 0 blocks
==979255==    indirectly lost: 0 bytes in 0 blocks
==979255==      possibly lost: 0 bytes in 0 blocks
==979255==    still reachable: 1,635,492 bytes in 3,683 blocks
==979255==         suppressed: 0 bytes in 0 blocks
==979255== Rerun with --leak-check=full to see details of leaked memory
==979255== 
==979255== For lists of detected and suppressed errors, rerun with: -s
==979255== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
Speicherzugriffsfehler (Speicherabzug geschrieben)