[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-03-25 Thread bouanto at zoho dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #9 from Antoni  ---
Created attachment 57810
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57810&action=edit
Patch to fix the issue

I was unable to create a reproducer in C for the tests.
It seems the problem was actually in libgccjit because it was not setting
BLOCK_SUPERCONTEXT.

I'm not sure how best to test it, though.
The only idea I have would be to attempt to create a libgccjit test that adds
-fanalyzer to its arguments.
Do you have a better idea?

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-16 Thread bouanto at zoho dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #8 from Antoni  ---
(In reply to David Malcolm from comment #2)
> inlined_call_event's ctor should probably assert that params
> tree apparent_callee_fndecl,
> tree apparent_caller_fndecl,
> are both non-NULL, which might catch the issue slightly early.

I added an assert and here's the stacktrace:

during IPA pass: analyzer
libgccjit.so: internal compiler error: : in inlined_call_event, at analyzer/checker-event.h:578
0x73d4eafbf076 ana::inlined_call_event::inlined_call_event(unsigned int, tree_node*, tree_node*, int, int)
        ../../../gcc/gcc/analyzer/checker-event.h:578
0x73d4eafbe7dd ana::checker_path::inject_any_inlined_call_events(ana::logger*)
        ../../../gcc/gcc/analyzer/checker-path.cc:319
0x73d4eafd415f ana::diagnostic_manager::emit_saved_diagnostic(ana::exploded_graph const&, ana::saved_diagnostic&)
        ../../../gcc/gcc/analyzer/diagnostic-manager.cc:1599
0x73d4eafd981d ana::dedupe_winners::emit_best(ana::diagnostic_manager*, ana::exploded_graph const&)
        ../../../gcc/gcc/analyzer/diagnostic-manager.cc:1472
0x73d4eafd3dcb ana::diagnostic_manager::emit_saved_diagnostics(ana::exploded_graph const&)
        ../../../gcc/gcc/analyzer/diagnostic-manager.cc:1524
0x73d4e9a0327a ana::impl_run_checkers(ana::logger*)
        ../../../gcc/gcc/analyzer/engine.cc:6226
0x73d4e9a03613 ana::run_checkers()
        ../../../gcc/gcc/analyzer/engine.cc:6300
0x73d4e99f484c execute
        ../../../gcc/gcc/analyzer/analyzer-pass.cc:87


I can also confirm that this is related to always_inline as there are no
segfaults when removing the #[inline(always)] in the following example (see
comment):

#![no_std]

#![allow(internal_features)]
#![feature(core_intrinsics, lang_items, start)]
#![feature(transparent_unions)]
use core::mem::ManuallyDrop;

#[panic_handler]
fn panic_handler(_: &core::panic::PanicInfo<'_>) -> ! {
    core::intrinsics::abort();
}

#[lang = "eh_personality"]
fn eh_personality() {}

// Minimal stand-in for core::mem::MaybeUninit<T> (same layout: a
// #[repr(transparent)] union over () and ManuallyDrop<T>).
#[derive(Clone, Copy)]
#[repr(transparent)]
pub union MaybeUninit<T> {
    uninit: (),
    value: ManuallyDrop<T>,
}

impl<T> MaybeUninit<T> {
    // NOTE: there are no segfaults when removing the next line.
    #[inline(always)]
    pub const fn uninit() -> MaybeUninit<T> {
        MaybeUninit { uninit: () }
    }
}

#[start]
fn main(_argc: isize, _argv: *const *const u8) -> isize {
    // The uninitialized value is the thing the analyzer diagnoses; the
    // always_inline frame above it is what the crash depends on.
    let mut x = MaybeUninit::<&i32>::uninit();
    0
}

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-16 Thread bouanto at zoho dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #7 from Antoni  ---
I don't know if this helps, but I added a small Rust reproducer that can
trigger the segfault when compiled with rustc_codegen_gcc and the corresponding
GIMPLE for this Rust reproducer.

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-16 Thread bouanto at zoho dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #6 from Antoni  ---
Created attachment 57439
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57439&action=edit
Rust reproducer

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-16 Thread bouanto at zoho dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #5 from Antoni  ---
Created attachment 57438
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=57438&action=edit
GIMPLE for the Rust reproducer

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-15 Thread bouanto at zoho dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #4 from Antoni  ---
I might be able to soon create a reproducer, but for now, I can say it might be
related to __attribute__  ((always_inline)).

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-14 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #3 from David Malcolm  ---
(In reply to David Malcolm from comment #2)
> are both non-NULL, which might catch the issue slightly early.
                                                          ^
                                                          earlier

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-14 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #2 from David Malcolm  ---
inlined_call_event's ctor should probably assert that params
  tree apparent_callee_fndecl,
  tree apparent_caller_fndecl,
are both non-NULL, which might catch the issue slightly early.

[Bug analyzer/113923] Segfault in gcc/gcc/tree-diagnostic.cc:265

2024-02-14 Thread dmalcolm at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=113923

--- Comment #1 from David Malcolm  ---
Reproducing that is going to be a challenge.

FWIW you can probably work around it via -fno-analyzer-undo-inlining.

For an inlined_call_event's m_apparent_caller_fndecl to be NULL, then when it
was created in checker_path::inject_any_inlined_call_events, ce.m_fndecl would
have to be NULL here:

   310	    const chain_element &ce = elements[element_idx];
   311	    int stack_depth_adjustment
   312	      = (blocks_in_curr_event.elements () - element_idx) - 1;
   313	    if (location_t callsite = BLOCK_SOURCE_LOCATION (ce.m_block))
   314	      updated_events.safe_push
   315	        (new inlined_call_event (callsite,
   316	                                 elements[element_idx - 1].m_fndecl,
   317	                                 ce.m_fndecl,
   318	                                 orig_stack_depth,
   319	                                 stack_depth_adjustment));

which comes from iter.get_fndecl () earlier in that function:

   292	    for (inlining_iterator iter (curr_loc); !iter.done_p (); iter.next ())
   293	      {
   294	        chain_element ce;
   295	        ce.m_block = iter.get_block ();
   296	        ce.m_fndecl = iter.get_fndecl ();
   297	
   298	        if (!blocks_in_prev_event.contains (ce.m_block))
   299	          elements.safe_push (ce);
   300	        blocks_in_curr_event.add (ce.m_block);
   301	      }

inlining-iterator.h looks at FUNCTION_DECL, so maybe if you're using a
different code that could confuse it.  But this is from libgccjit, so I'm not
sure.