[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-05-11 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #16 from mcccs at gmx dot com ---
Created attachment 61401
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=61401&action=edit
innocent gimple code failing with trunk with -O3 -fno-dce -fno-tree-dce
-fno-dse -fno-tree-dse or with -O0

no patches needed, this well-formed gimple file fails with trunk "-O3 -fno-dce
-fno-tree-dce -fno-dse -fno-tree-dse" or "-O0"

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-05-11 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #15 from mcccs at gmx dot com ---
There's indeed a miscompilation and I've confirmed it's still present in the
current trunk. With -fno-dce -fno-ipa-cp -fno-tree-dce the issue was visible
until r12-248 which made the issue latent. So I added -fno-tree-dse and then it
was made latent by r12-1848. So I added:

sed -i -e 's/mark_dead_statements (m_oparms\[i\]/(void)3;\/\//g' ./gcc/gcc/ipa-param-manipulation.cc

which replaced "mark_dead_statements(blahblah)" with a no-op but then it was
made latent by r15-5336 so I replaced in ipa-fnsummary.cc if (!gimple_plf
(stmt, STMT_NECESSARY)) with if (!gimple_plf (stmt, STMT_NECESSARY) && 0) and
the issue can be reproduced.

**Summary for reproducing the issue from trunk:**

Download the minimized testcase from
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282#c14

-O3 -fno-dce -fno-ipa-cp -fno-tree-dce -fno-dse -fno-tree-dse

sed -i -e 's/mark_dead_statements (m_oparms\[i\]/(void)3;\/\//g' ./gcc/gcc/ipa-param-manipulation.cc

in ipa-fnsummary.cc, add && 0 after the condition of "!gimple_plf (stmt,
STMT_NECESSARY)"

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-16 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #14 from mcccs at gmx dot com ---
Minimized testcase:

int a[], d[];
long b, c, e, g;
int f, h, i;
short j, k, l;
int *m = a;
static int *n(int *o) {
  int p = l == *o | k <= j;
  p = *d;
  h = c;
  g = 0 == e;
  f = *m;
  b = 0;
  return &i;
}
int main() { n(a); }

-O3 -fno-dce -fno-ipa-cp -fno-tree-dce 

works on 9.5.0

I bisected it before I reduced it the previous time so as I said it's
introduced by:

Bad commit:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ff6686d2e5f797d6c6a36ad14a7084bc1dc350e4

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-15 Thread sjames at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #13 from Sam James  ---
No problem -- you may want to do -Werror=return-type -Werror=uninitialized
-Werror=sequence-point as well to reduce the chance of reducing to something
bogus. (-Werror=return-type would catch that issue I mention above; the other
issue with it not building on trunk is a C23 thing, but that ends up being
useful for catching UB too.)

I usually then test with Clang as well and GCC with some optimisation level
known not to trigger it or before the bisection result or whatever. Of course,
that makes the process slower ;)
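
The checks suggested in comment #13, written as an interestingness test for a test-case reducer such as C-Vise or C-Reduce. This is an added example, not part of the thread or of GCC. The file names interesting.sh and testcase.c, the variables CC_BAD, CC_REF and RUN, and the -O2/-O0 levels for the guard and reference builds are assumptions.

```shell
#!/bin/sh
# Interestingness test: succeed only if the candidate still shows the crash
# and is not rejected by the UB guard. Constructed example; names are assumptions.
: "${CC_BAD:=gcc}"      # compiler under test (e.g. a trunk build)
: "${CC_REF:=clang}"    # reference compiler expected to produce working code
: "${RUN:=}"            # optional wrapper for cross targets (e.g. an emulator)
BAD_FLAGS="-O3 -fno-dce -fno-ipa-cp -fno-tree-dce"    # flags from comment #14
UB_GUARD="-Werror=return-type -Werror=uninitialized -Werror=sequence-point"

interesting() {
    src=$1
    tmp=$(mktemp -d) || return 1
    rc=1
    # 1. The compiler under test must accept the file with the UB guard on,
    #    so the reducer cannot drift to a candidate like the one in comment #10.
    # 2. The reference build must run cleanly, so a crash is not the program's own.
    # 3. The build with the bug's flags must still compile.
    if $CC_BAD -O2 $UB_GUARD -c "$src" -o "$tmp/guard.o" 2>/dev/null &&
       $CC_REF -O0 "$src" -o "$tmp/ref" 2>/dev/null &&
       $RUN "$tmp/ref" >/dev/null 2>&1 &&
       $CC_BAD $BAD_FLAGS "$src" -o "$tmp/bad" 2>/dev/null
    then
        # 4. ...and its output must die with SIGSEGV (shell status 128 + 11).
        st=0
        $RUN "$tmp/bad" >/dev/null 2>&1 || st=$?
        [ "$st" -eq 139 ] && rc=0
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Reducers run the script with no arguments in a directory holding the candidate.
case "${0##*/}" in interesting.sh) interesting testcase.c ;; esac
```
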

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-15 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #12 from mcccs at gmx dot com ---
Thanks Sam, I'm restarting reduction this time checking if it compiles with
trunk GCC as well

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-15 Thread sjames at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #11 from Sam James  ---
(In reply to mcccs from comment #10)

Using the return value of e() when it didn't return anything is undefined.

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-15 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #10 from mcccs at gmx dot com ---
Bad commit:
https://gcc.gnu.org/git/?p=gcc.git;a=commit;h=ff6686d2e5f797d6c6a36ad14a7084bc1dc350e4

Minimal testcase:

int a[];
short b, c;
long d;
__attribute__((noipa)) long(e)() {}
static  int f(int *g) { char h = b < *g | c <= e(d); }
int main() { f(a); }

-O3 -fno-dce -fno-ipa-cp -fno-tree-dce -fno-tree-sink

Reproducible on arm as well - different "optimized" pass output

Known to work 9.5.0 as well

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-15 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #9 from mcccs at gmx dot com ---
Sorry never mind I understand, it should still be bisected and reduced so that
any hidden bugs would be uncovered. I'll bisect it

[Bug middle-end/110282] Segmentation fault with specific optimizations

2025-04-15 Thread mcccs at gmx dot com via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

mcccs at gmx dot com changed:

   What|Removed |Added

 CC||mcccs at gmx dot com

--- Comment #8 from mcccs at gmx dot com ---
GCC 11 branch was closed so this can be closed?

[Bug middle-end/110282] Segmentation fault with specific optimizations

2023-06-30 Thread xry111 at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #7 from Xi Ruoyao  ---
(In reply to CTC from comment #6)
> Another related and smaller reproducer:
> 
> # cat tmp.i
> main() {
>   int *a = 0;
>   int b = *a;
> }

No, this is an undefined behavior and the compiler is allowed to generate code
to crash.

[Bug middle-end/110282] Segmentation fault with specific optimizations

2023-06-30 Thread 19373742 at buaa dot edu.cn via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #6 from CTC <19373742 at buaa dot edu.cn> ---
Another related and smaller reproducer:

# cat tmp.i
main() {
  int *a = 0;
  int b = *a;
}

[Bug middle-end/110282] Segmentation fault with specific optimizations

2023-06-19 Thread pinskia at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #5 from Andrew Pinski  ---
Note I suspect r12-248-gb58dc0b803057c0e6032e0d9b made the problem latent in
GCC 12+. But turning off DSE in GCC 12.1.0 does not reproduce the bug 

[Bug middle-end/110282] Segmentation fault with specific optimizations

2023-06-19 Thread 19373742 at buaa dot edu.cn via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

--- Comment #4 from CTC <19373742 at buaa dot edu.cn> ---
(In reply to Richard Biener from comment #3)
> Confirmed behavior also with GCC 10, with -fno-bit-tests -fbit-tests
> -fno-ipa-modref -fipa-modref removed.
> 
> Can you please adjust your script to not pointlessly increase the command
> line
> by adding both positive and negative variants of an option?  Can you please
> try to reduce the set of arbitrary options that reproduce the issue?
> 
> 25kB garbage testcases are painful enough to even look at.  Other fuzzing
> people manage to file bugs with < 100 lines of code and a command line that
> remotely makes sense.

Sorry for the long command lines. This issue can be reproduced with -O3
-fno-dce -fno-ipa-cp -fno-tree-dce -fno-tree-sink.

[Bug middle-end/110282] Segmentation fault with specific optimizations

2023-06-18 Thread rguenth at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

Richard Biener  changed:

   What|Removed |Added

  Known to fail||10.4.0, 11.1.0, 11.3.0
  Known to work||12.3.0, 13.1.0

--- Comment #3 from Richard Biener  ---
Confirmed behavior also with GCC 10, with -fno-bit-tests -fbit-tests
-fno-ipa-modref -fipa-modref removed.

Can you please adjust your script to not pointlessly increase the command line
by adding both positive and negative variants of an option?  Can you please try
to reduce the set of arbitrary options that reproduce the issue?

25kB garbage testcases are painful enough to even look at.  Other fuzzing
people manage to file bugs with < 100 lines of code and a command line that
remotely makes sense.

[Bug middle-end/110282] Segmentation fault with specific optimizations

2023-06-16 Thread xry111 at gcc dot gnu.org via Gcc-bugs
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110282

Xi Ruoyao  changed:

   What|Removed |Added

 CC||xry111 at gcc dot gnu.org

--- Comment #2 from Xi Ruoyao  ---
Not reproducible with GCC 13.1 too.