[Bug ipa/111960] [14 Regression] ICE: during GIMPLE pass: rebuild_frequencies: SIGSEGV (Invalid read of size 4) with -fdump-tree-rebuild_frequencies-all

[jakub at gcc dot gnu.org via Gcc-bugs]

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=111960

--- Comment #9 from Jakub Jelinek <jakub at gcc dot gnu.org> ---
Ok, so what I see is a buffer overflow during
97          sprintf (buffer, "%" PRId64 " (%s, freq %.4f)", m_val,
98                   profile_quality_display_names[m_quality],
99                   to_sreal_scale (ENTRY_BLOCK_PTR_FOR_FN
(fun)->count).to_double ());
in
#0  profile_count::dump (this=0x7fffe9f37a18, buffer=0x7fffffffd7a0
"\300\327\377\377\377\177", fun=0x7fffea3020b8) at
../../gcc/profile-count.cc:97
#1  0x0000000000c92609 in profile_count::dump (this=0x7fffe9f37a18,
f=0x3ab2930, fun=0x7fffea3020b8) at ../../gcc/profile-count.cc:111
#2  0x000000000065fefc in dump_bb_info (outf=0x3ab2930, bb=<basic_block
0x7fffe9f379c0 (3)>, indent=2, flags=266692985, do_header=true,
do_footer=false) at ../../gcc/cfg.cc:812
#3  0x000000000068f3eb in dump_bb (outf=0x3ab2930, bb=<basic_block
0x7fffe9f379c0 (3)>, indent=2, flags=266692985) at ../../gcc/cfghooks.cc:302
#4  0x0000000000e31800 in dump_function_to_file (fndecl=<function_decl
0x7fffea2dd800 Compile>, file=0x3ab2930, flags=266692985) at
../../gcc/tree-cfg.cc:8458
#5  0x0000000000c4e038 in execute_function_dump (fn=0x7fffea3020b8,
data=0x3a156d0) at ../../gcc/passes.cc:1797
#6  0x0000000000c4dbd9 in do_per_function (callback=0xc4dfd0
<execute_function_dump(function*, void*)>, data=0x3a156d0) at
../../gcc/passes.cc:1687
#7  0x0000000000c503e1 in execute_one_pass (pass=<opt_pass* 0x3a156d0
"rebuild_frequencies"(116)>) at ../../gcc/passes.cc:2722
buffer points to
107     void
108     profile_count::dump (FILE *f, struct function *fun) const
109     {
110       char buffer[64];
variable and the values I see are:
(gdb) p m_val
$18 = 2305843009213693950
(gdb) p profile_quality_display_names[m_quality]
$19 = 0x2ba5722 "estimated locally"
(gdb) p to_sreal_scale (((basic_block)0x7fffea2df600)->count, (bool *)
0).to_double ()
$20 = 1.4411518807585587e+17
So, that is 19 chars for m_val, 17 chars for the name and printing
144115188075855872.0000 double value, 23 chars, plus 11 chars on top of that.
That is 70 chars, overflow by 6 bytes.
Whether the above comes from some badly initialized values or what, no idea.

That said, generally %PRId64 can print at most 20 chars, %s 38 chars and %.4f
can print
at most 309 digits before the decimal dot, then 1 char for the decimal dot and
4 digits after the dot.
That is already 69 chars without the double at all, plus 314 for the double.
Are you sure you want to print %.4f and not say %.4g so that there is a
reasonable upper bound for the size of the double printing?  Or use %.4f or
%.4e conditionally depending on if the double is larger than some limit.