ICE (segfault) in gsi_for_stmt

not seen with FSF 4.6.3, but with 4.6 Linaro

Thank you for the bug report. I've confirmed this with gcc-linaro-4.6-2012.03+bzr106882 on x86_64:

michaelh@crucis:~/linaro/gcc/build/native-4.6/gcc$ PATH=$PWD:$PATH ./xgcc -O3 ~/linaro/bugs/sparsmat.ii
sparsmat.cc: In function ‘long int smExpBound(ideal, int, int, int)’:
sparsmat.cc:216:37: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
sparsmat.cc:217:37: warning: cast to pointer from integer of different size [-Wint-to-pointer-cast]
sparsmat.cc: In function ‘BOOLEAN _ZL11smIsNegQuotP8spolyrecS0_S0_.part.12(poly, poly, poly)’:
sparsmat.cc:1948:16: internal compiler error: Segmentation fault

The fault is exposed by the tree vectoriser. The work-around is to compile with -fno-tree-vectorize or to drop down to -O2. I'll try to reproduce it in the upstream branches.

I've set it to medium priority as it is a ftbfs, has a work around, and occurs at high optimisation levels.

Backtrace:

Program received signal SIGSEGV, Segmentation fault.
gsi_for_stmt (stmt=0x7ffff462d5f0) at ../../../4.6/gcc/gimple-iterator.c:552
552 i = gsi_start_phis (bb);
(gdb) back
#0 gsi_for_stmt (stmt=0x7ffff462d5f0) at ../../../4.6/gcc/gimple-iterator.c:552
#1 0x00000000004935be in cond_if_else_store_replacement_1 (else_assign=0x7ffff462d5f0,
    then_assign=0x7ffff462d370, join_bb=0x7ffff462b0d0, then_bb=<optimized out>,
    else_bb=<optimized out>) at ../../../4.6/gcc/tree-ssa-phiopt.c:1337
#2 cond_if_else_store_replacement_1 (join_bb=0x7ffff462b0d0, then_assign=0x7ffff462d370,
    else_assign=0x7ffff462d5f0, then_bb=<optimized out>, else_bb=<optimized out>)
    at ../../../4.6/gcc/tree-ssa-phiopt.c:1300
#3 0x000000000086b013 in cond_if_else_store_replacement (join_bb=0x7ffff462b0d0,
    else_bb=0x7ffff462b068, then_bb=<optimized out>) at ../../../4.6/gcc/tree-ssa-phiopt.c:1542
#4 tree_ssa_phiopt_worker (do_store_elim=1 '\001') at ../../../4.6/gcc/tree-ssa-phiopt.c:283
#5 0x0000000000737329 in execute_one_pass (pass=0x11a5da0) at ../../../4.6/gcc/passes.c:1556
#6 0x00000000007375e5 in execute_pass_list (pass=0x11a5da0) at ../../../4.6/gcc/passes.c:1611
#7 0x00000000007375f7 in execute_pass_list (pass=0x11a4e40) at ../../../4.6/gcc/passes.c:1612
#8 0x0000000000804e21 in tree_rest_of_compilation (fndecl=0x7ffff4614600)
    at ../../../4.6/gcc/tree-optimize.c:422
#9 0x0000000000949f2f in cgraph_expand_function (node=0x7ffff7ebadc0)
    at ../../../4.6/gcc/cgraphunit.c:1576
#10 0x000000000094bbda in cgraph_expand_all_functions () at ../../../4.6/gcc/cgraphunit.c:1635
#11 cgraph_optimize () at ../../../4.6/gcc/cgraphunit.c:1899
#12 0x000000000094bfda in cgraph_finalize_compilation_unit () at ../../../4.6/gcc/cgraphunit.c:1096
#13 0x00000000004faf21 in cp_write_global_declarations () at ../../../4.6/gcc/cp/decl2.c:4000
#14 0x00000000007c94a2 in compile_file () at ../../../4.6/gcc/toplev.c:591
#15 do_compile () at ../../../4.6/gcc/toplev.c:1900
#16 toplev_main (argc=3, argv=0x7fffffffe118) at ../../../4.6/gcc/toplev.c:1963

FWIW, also doesn't happen with FSF 4.7.0.

I can send you further similar examples in case you need them:

Starting program: /usr/lib/gcc/x86_64-linux-gnu/4.6/cc1plus -quiet -I . -I .. -I /mnt/linux-data-on-win7/Sage/sage-5.0.beta11-gcc-4.6.3-1ubuntu3/local -I /mnt/linux-data-on-win7/Sage/sage-5.0.beta11-gcc-4.6.3-1ubuntu3/local/include -I /mnt/linux-data-on-win7/Sage/sage-5.0.beta11-gcc-4.6.3-1ubuntu3/local/include -I /mnt/linux-data-on-win7/Sage/sage-5.0.beta11-gcc-4.6.3-1ubuntu3/local/include -imultilib . -imultiarch x86_64-linux-gnu -D_GNU_SOURCE -D HONORS_CXXFLAGS -D HONORS_CPPFLAGS -D NDEBUG -D OM_NDEBUG -D x86_64_Linux -D HAVE_CONFIG_H /data/tmp/kspoly.ii -march=corei7-avx -mcx16 -msahf -mno-movbe -maes -mpclmul -mpopcnt -mno-abm -mno-lwp -mno-fma -mno-fma4 -mno-xop -mno-bmi -mno-tbm -mavx -msse4.2 -msse4.1 --param l1-cache-size=32 --param l1-cache-line-size=64 --param l2-cache-size=3072 -mtune=corei7-avx -quiet -dumpbase kspoly.cc -auxbase kspoly -g -g -g -O3 -O2 -O3 -fno-strict-aliasing -fPIC -fno-implicit-templates -fstack-protector -o /data/tmp/kspoly.s -frandom-seed=0

Program received signal SIGSEGV, Segmentation fault.
0x00000000006b903e in gsi_for_stmt ()
(gdb) bt
#0 0x00000000006b903e in gsi_for_stmt ()
#1 0x00000000004904ef in ?? ()
#2 0x0000000000865c73 in ?? ()
#3 0x0000000000732779 in execute_one_pass ()
#4 0x0000000000732a35 in execute_pass_list ()
#5 0x0000000000732a47 in execute_pass_list ()
#6 0x00000000007ffc11 in tree_rest_of_compilation ()
#7 0x000000000094440f in ?? ()
#8 0x00000000009460ba in cgraph_optimize ()
#9 0x00000000009464ba in cgraph_finalize_compilation_unit ()
#10 0x00000000004f7af1 in cp_write_global_declarations ()
#11 0x00000000007c447e in toplev_main ()
#12 0x00007ffff6f4376d in __libc_start_main ()
   from /lib/x86_64-linux-gnu/libc.so.6
#13 0x000000000049f889 in _start ()
(gdb)

(This one is also from Singular 3-1-3-3.)

I can confirm this behavior on 32-bit Precise. I get the same errors with sparsmat.ii, and the workaround...uh, works around the problem successfully. My gcc is "4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu3)".

Yes, the latter (kspoly.cc) also compiles with '-O3 -fno-tree-vectorize'. These two files seem to be the only ones (of Singular) Ubuntu's GCC 4.6.3 / cc1plus crashes on.

A minimal (C) test case (with "-O -ftree-vectorize") for me is:

struct test
{
  unsigned long exp[0];
};

void test (struct test *a, long b, unsigned long bitmask)
{
  if (b > 0)
    {
      a->exp[0] &= ~bitmask;
      a->exp[0] |= b;
    }
  else
    {
      a->exp[0] &= ~bitmask;
    }
}

The problem here is a bug in the data dependency detection when zero-sized arrays are involved in an access.

This bug was latent, and got exposed by Ira's patch to improve conditional store sinking:
http://gcc.gnu.org/ml/gcc-patches/2011-03/msg01393.html

The bug was later fixed (inadvertently) by Richard Guenther's data-dependency fix series, in particular this patch:
http://gcc.gnu.org/ml/gcc-patches/2011-08/msg01878.html

Since both of these patches are in mainline (and FSF 4.7, and Linaro 4.7), the bug is not appear there.
Since FSF 4.6 contains neither of those, the bug is latent (without visible effect) there.

The bug does appear in Linaro 4.6, since we backported Ira's patch but not Richard's data-dependency fix.

I'll try testing a backport of that fix.

I've checked in a backport of Richard's fix to Linaro GCC 4.6. Other series are not affected.

This bug was fixed in the package gcc-4.6 - 4.6.3-4ubuntu1

---------------
gcc-4.6 (4.6.3-4ubuntu1) quantal; urgency=low

  * Update to SVN 20120425 (r186817) from the gcc-4_6-branch.
    - Fix PR middle-end/53084, PR lto/48246.
  * Default to armv5t, soft float on armel.

gcc-4.6 (4.6.3-4) unstable; urgency=low

  [ Matthias Klose ]
  * Update to SVN 20120416 (r186492) from the gcc-4_6-branch.
    - Fix PR middle-end/52894, PR target/52717, PR target/52775,
      PR target/52775.
  * Update the Linaro support to the 4.6-2012.04 release.
  * Fix PR middle-end/52870, taken from the trunk (Ulrich Weigand).
    Linaro only. LP: #968766.
  * Fix ICE (regression) in Linaro gcc-4.6 (Ulrich Weigand).
    LP: #972648.
  * Don't build ARM biarch runtime libraries, now built from the
    gcc-4.7 sources.
  * Set the ARM hard-float linker path according to the consensus:
    http://lists.linaro.org/pipermail/cross-distro/2012-April/000261.html

  [ Samuel Thibault ]
  * ada-s-osinte-gnu.adb.diff, ada-s-osinte-gnu.ads.diff,
    ada-s-taprop-gnu.adb.diff, gcc_ada_gcc-interface_Makefile.in.diff:
    Add ada support for GNU/Hurd, thanks Svante Signell for the patches
    and bootstrap! (Closes: #668425).
 -- Matthias Klose <email address hidden> Wed, 25 Apr 2012 16:26:46 +0200

The change that has been uploaded to precise-proposed looks appropriate for an SRU, but this bug is missing required SRU information in the bug description. In particular, the test case needs to be spelled out in clearer detail so that we can follow it. (The patch is only applied to the linaro branch. Does that mean the regression test needs to be done on arm? Does it matter if we test on armel or armhf?)

The patch to the package doesn't include an addition to the test suite, which in itself is ok as long as we have clear step-by-step instructions for validating this fix.

FWIW, uweigand's test case still fails with

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.6/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu/Linaro 4.6.3-1ubuntu5' --with-bugurl=file:///usr/share/doc/gcc-4.6/README.Bugs --enable-languages=c,c++,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.6 --enable-shared --enable-linker-build-id --with-system-zlib --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.6 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --enable-plugin --enable-objc-gc --disable-werror --with-arch-32=i686 --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.6.3 (Ubuntu/Linaro 4.6.3-1ubuntu5)

$ cat /etc/issue
Ubuntu 12.04.1 LTS \n \l

I mean I don't understand why Precise (12.04.1) still ships with this partially broken compiler, although apparently a fix is available since quite a while.

The Precise Pangolin has reached end of life, so this bug will not be fixed for that release