https://gcc.gnu.org/bugzilla/show_bug.cgi?id=84298

            Bug ID: 84298
           Summary: Shared TYPE_SIZE_UNIT ends up with freed SSA names
           Product: gcc
           Version: unknown
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: c
          Assignee: unassigned at gcc dot gnu.org
          Reporter: rsandifo at gcc dot gnu.org
  Target Milestone: ---

The testcase:

int res, a, b;
void *foo;
static void f2 (int arg) { res = ((int (*)[arg][b]) foo)[0][0][0]; }
void f1 (void) { f2 (a); }

when compiled at -O or above causes:

0xff3baf crash_signal
        /work/richards/shoji/oban/src/gcc/gcc/toplev.c:325
0x12f1b0a make_ssa_name_fn(function*, tree_node*, gimple*, unsigned int)
        /work/richards/shoji/oban/src/gcc/gcc/tree-ssanames.c:266
0x10a4d68 make_ssa_name
        /work/richards/shoji/oban/src/gcc/gcc/tree-ssanames.h:115
0x10a5ed7 remap_ssa_name
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:241
0x10aa672 copy_tree_body_r(tree_node**, int*, void*)
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:1091
0x13d2b8f walk_tree_1(tree_node**, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*, tree_node* (*)(tree_node**, int*, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*))
        /work/richards/shoji/oban/src/gcc/gcc/tree.c:11390
0x13d41b4 walk_tree_1(tree_node**, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*, tree_node* (*)(tree_node**, int*, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*))
        /work/richards/shoji/oban/src/gcc/gcc/tree.c:11706
0x13d41b4 walk_tree_1(tree_node**, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*, tree_node* (*)(tree_node**, int*, tree_node* (*)(tree_node**, int*, void*), void*, hash_set<tree_node*, default_hash_traits<tree_node*> >*))
        /work/richards/shoji/oban/src/gcc/gcc/tree.c:11706
0x10a8760 remap_type_1
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:575
0x10a8818 remap_type(tree_node*, copy_body_data*)
        /work/richards/shoji/oban/src/gcc/gcc/tree-inline.c:603

The problem is that the TYPE_SIZE_UNIT of the outer [arg][b]
array includes a MULT_EXPR that is shared with the pointer
calculation.  The pointer calculation is gimplified and
eventually the original SSA names are freed, but the gimplified
MULT_EXPR is still in TYPE_SIZE_UNIT and still refers to the
freed SSA names.
