93134 – [graphite] ICE: Segmentation fault in ISL

Bug 93134 - [graphite] ICE: Segmentation fault in ISL

Summary: [graphite] ICE: Segmentation fault in ISL

Status:	RESOLVED MOVED

Alias:	None

Product:	gcc
Classification:	Unclassified
Component:	tree-optimization (show other bugs)
Version:	9.2.1

Importance:	P3 normal
Target Milestone:	---
Assignee:	Not yet assigned to anyone

URL:
Keywords:

Duplicates (3):	90004 92945 93167 (view as bug list)
Depends on:
Blocks:	graphite
	Show dependency tree / graph

Reported:	2020-01-02 14:39 UTC by Leandro Nini
Modified:	2020-01-09 12:08 UTC (History)
CC List:	4 users (show)

See Also:	93167 90004
Host:
Target:
Build:
Known to work:
Known to fail:
Last reconfirmed:	2020-01-03 00:00:00

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Leandro Nini 2020-01-02 14:39:39 UTC

Getting a crash with snapshots gcc-9-20191221/gcc-8-20191220 and isl-0.22 on x86_64-linux compiling the following reduced code using "-O2 -floop-block" flags:

typedef struct {
  int a[128]
} b;
b c;
d, e, f, g;
h() {
  int i;
  for (; g < e; g++) {
    i = 1;
    for (; i < d; i++)
      c.a[f + i * 16 + g] = c.a[6 + g];
  }
}



root [ /mnt/devel/build/gcc/gcc-9-20191221/build ]# LANG=C gcc/cc1 -O2 -floop-block /usr/src/gcc_ice.c            
/usr/src/gcc_ice.c:3:1: warning: no semicolon at end of struct or union
    3 | } b;
      | ^
/usr/src/gcc_ice.c:5:1: warning: data definition has no type or storage class
    5 | d, e, f, g;
      | ^
/usr/src/gcc_ice.c:5:1: warning: type defaults to 'int' in declaration of 'd' [-Wimplicit-int]
/usr/src/gcc_ice.c:5:4: warning: type defaults to 'int' in declaration of 'e' [-Wimplicit-int]
    5 | d, e, f, g;
      |    ^
/usr/src/gcc_ice.c:5:7: warning: type defaults to 'int' in declaration of 'f' [-Wimplicit-int]
    5 | d, e, f, g;
      |       ^
/usr/src/gcc_ice.c:5:10: warning: type defaults to 'int' in declaration of 'g' [-Wimplicit-int]
    5 | d, e, f, g;
      |          ^
 h
/usr/src/gcc_ice.c:6:1: warning: return type defaults to 'int' [-Wimplicit-int]
    6 | h() {
      | ^

Analyzing compilation unit
Performing interprocedural optimizations
 <*free_lang_data> <visibility> <build_ssa_passes> <opt_local_passes> <remove_symbols> <targetclone> <free-fnsummary>Streaming LTO
 <whole-program> <profile_estimate> <icf> <devirt> <cp> <fnsummary> <inline> <pure-const> <free-fnsummary> <static-var> <single-use> <comdats>Assembling functions:
 <materialize-all-clones> <simdclone> hduring GIMPLE pass: graphite

/usr/src/gcc_ice.c: In function 'h':
/usr/src/gcc_ice.c:6:1: internal compiler error: Segmentation fault
0x1128de4 crash_signal
        ../../gcc/toplev.c:326
0x7f9145e857bf ???
        /mnt/devel/build/glibc/glibc-2.30/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
0x21433a8 isl_basic_map_underlying_set
        ../../isl/isl_map.c:5515
0x20ec8ea equalities_in_underlying_set
        ../../isl/isl_affine_hull.c:860
0x20ecae4 isl_basic_map_detect_equalities
        ../../isl/isl_affine_hull.c:919
0x20ecc9b isl_basic_set_detect_equalities
        ../../isl/isl_affine_hull.c:952
0x21611ff uset_gist
        ../../isl/isl_map_simplify.c:2702
0x2162008 isl_basic_map_gist
        ../../isl/isl_map_simplify.c:3176
0x21622d1 isl_map_gist_basic_map
        ../../isl/isl_map_simplify.c:3234
0x2162dca map_gist
        ../../isl/isl_map_simplify.c:3601
0x2139072 isl_map_align_params_map_map_and
        ../../isl/isl_map.c:1531
0x2162e20 isl_map_gist
        ../../isl/isl_map_simplify.c:3611
0x2162ffe isl_map_gist_domain
        ../../isl/isl_map_simplify.c:3661
0x21ed605 bin_add_pair
        ../../isl/isl_union_map.c:872
0x21ed88e gen_bin_entry
        ../../isl/isl_union_map.c:957
0x2125f7e isl_hash_table_foreach
        ../../isl/isl_hash.c:207
0x21ed985 gen_bin_op
        ../../isl/isl_union_map.c:982
0x21ee560 union_map_gist_domain
        ../../isl/isl_union_map.c:1390
0x21ee5aa isl_union_map_gist_domain
        ../../isl/isl_union_map.c:1403
0x1e77f5a optimize_isl
        ../../gcc/graphite-optimize-isl.c:128
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.



The original non-reduced code crashes only on gcc 9 with the same backtrace and not on gcc 8, can add the preprocessed source if required.
Maybe related to bug 90004

Comment 1 Martin Liška 2020-01-03 11:01:26 UTC

Confirmed with current trunk and isl-0.22. Apparently, isl-0.20 is fine.
@Richi: Can you please take a look? There's updated isl:
https://build.opensuse.org/package/show/home:marxin:branches:devel:libraries:c_c++/isl

Comment 2 Martin Liška 2020-01-06 08:20:47 UTC

One another ICE for existing test-suite:

$ gfortran /home/marxin/Programming/gcc/gcc/testsuite/gfortran.dg/dependency_58.f90 -O3 -fwrapv -floop-nest-optimize
during GIMPLE pass: graphite
/home/marxin/Programming/gcc/gcc/testsuite/gfortran.dg/dependency_58.f90:4:0:

    4 | program main
      | 
internal compiler error: Segmentation fault
0xe5fa6f crash_signal
	/home/marxin/Programming/gcc/gcc/toplev.c:328
0x7f6551d1a14f ???
	/usr/src/debug/glibc-2.30-2.1.x86_64/signal/../sysdeps/unix/sysv/linux/x86_64/sigaction.c:0
0x173e44e scop_get_dependences(scop*)
	/home/marxin/Programming/gcc/gcc/graphite-dependences.c:316
0x173e937 optimize_isl
	/home/marxin/Programming/gcc/gcc/graphite-optimize-isl.c:125
0x173e937 apply_poly_transforms(scop*)
	/home/marxin/Programming/gcc/gcc/graphite-optimize-isl.c:211
0x1739140 graphite_transform_loops()
	/home/marxin/Programming/gcc/gcc/graphite.c:467
0x1739670 graphite_transforms
	/home/marxin/Programming/gcc/gcc/graphite.c:537
0x1739670 execute
	/home/marxin/Programming/gcc/gcc/graphite.c:614
Please submit a full bug report,
with preprocessed source if appropriate.
Please include the complete backtrace with any bug report.
See <https://gcc.gnu.org/bugs/> for instructions.

Comment 3 Arseny Solokha 2020-01-06 17:12:36 UTC

(In reply to Martin Liška from comment #1)
> Confirmed with current trunk and isl-0.22. Apparently, isl-0.20 is fine.

Please at least add PR90004 to the See Also section.

Comment 4 Richard Biener 2020-01-07 08:29:50 UTC

Crashes in ISL are not easy to track down for me - we might present it with
garbage of course.

Comment 5 Richard Biener 2020-01-07 08:53:42 UTC

But, confirmed.  With in-tree ISL:

rogram received signal SIGSEGV, Segmentation fault.
0x0000000002447d44 in isl_basic_map_underlying_set (bmap=0x0)
    at /tmp/trunk/isl/isl_map.c:5515
5515            space = isl_space_underlying(space, bmap->n_div);
(gdb) bt
#0  0x0000000002447d44 in isl_basic_map_underlying_set (bmap=0x0)
    at /tmp/trunk/isl/isl_map.c:5515
#1  0x00000000023f0fc0 in equalities_in_underlying_set (bmap=0x3779510)
    at /tmp/trunk/isl/isl_affine_hull.c:860
#2  0x00000000023f11ba in isl_basic_map_detect_equalities (bmap=0x3779510)
    at /tmp/trunk/isl/isl_affine_hull.c:919
#3  0x00000000023f1374 in isl_basic_set_detect_equalities (bset=0x3779510)
    at /tmp/trunk/isl/isl_affine_hull.c:952
#4  0x0000000002465c0a in uset_gist (bset=0x0, context=0x3779510)
    at /tmp/trunk/isl/isl_map_simplify.c:2702
#5  0x0000000002466a13 in isl_basic_map_gist (bmap=0x3836370, 
    context=0x38242f0) at /tmp/trunk/isl/isl_map_simplify.c:3176
#6  0x0000000002466cd9 in isl_map_gist_basic_map (map=0x37f56e0, 
    context=0x3929240) at /tmp/trunk/isl/isl_map_simplify.c:3234
#7  0x00000000024677d5 in map_gist (map=0x38118f0, context=0x38dc310)
    at /tmp/trunk/isl/isl_map_simplify.c:3601
#8  0x000000000243d9b7 in isl_map_align_params_map_map_and (map1=0x38118f0, 
    map2=0x38dc310, fn=0x24675f3 <map_gist>) at /tmp/trunk/isl/isl_map.c:1531
#9  0x000000000246782b in isl_map_gist (map=0x38118f0, context=0x38dc310)
    at /tmp/trunk/isl/isl_map_simplify.c:3611
#10 0x0000000002467a09 in isl_map_gist_domain (map=0x38118f0, 
    context=0x377ec30) at /tmp/trunk/isl/isl_map_simplify.c:3661
#11 0x00000000024f256b in bin_add_pair (res=0x37b2cc0, map1=0x38118f0, 
#12 0x00000000024f27f7 in gen_bin_entry (entry=0x377f478, user=0x7fffffffd5c0)
    at /tmp/trunk/isl/isl_union_map.c:957
#13 0x000000000242a86a in isl_hash_table_foreach (ctx=0x37597e0, 
    table=0x3780a90, fn=0x24f2742 <gen_bin_entry>, user=0x7fffffffd5c0)
    at /tmp/trunk/isl/isl_hash.c:207
#14 0x00000000024f28f1 in gen_bin_op (umap1=0x3780a80, umap2=0x378cc60, 
    control=0x7fffffffd610) at /tmp/trunk/isl/isl_union_map.c:982
#15 0x00000000024f34d5 in union_map_gist_domain (umap=0x3780a80, 
    uset=0x378cc60) at /tmp/trunk/isl/isl_union_map.c:1390
#16 0x00000000024f351f in isl_union_map_gist_domain (umap=0x3780a80, 
    uset=0x378cc60) at /tmp/trunk/isl/isl_union_map.c:1403
#17 0x0000000002142e2b in optimize_isl (scop=0x36458d0)
    at /tmp/trunk/gcc/graphite-optimize-isl.c:128
#18 0x0000000002143307 in apply_poly_transforms (scop=0x36458d0)
    at /tmp/trunk/gcc/graphite-optimize-isl.c:211

looks like isl_basic_map_cow can return NULL but the code doesn't check that:

Breakpoint 5, isl_basic_map_underlying_set (bmap=0x376f1b0)
    at /tmp/trunk/isl/isl_map.c:5513
5513            bmap = isl_basic_map_cow(bmap);
(gdb) l
5508            if (bmap->dim->nparam == 0 && bmap->dim->n_in == 0 &&
5509                bmap->n_div == 0 &&
5510                !isl_space_is_named_or_nested(bmap->dim, isl_dim_in) &&
5511                !isl_space_is_named_or_nested(bmap->dim, isl_dim_out))
5512                    return bset_from_bmap(bmap);
5513            bmap = isl_basic_map_cow(bmap);
5514            space = isl_basic_map_take_space(bmap);
5515            space = isl_space_underlying(space, bmap->n_div);
5516            bmap = isl_basic_map_restore_space(bmap, space);
5517            if (!bmap)

it can return NULL via isl_basic_map_dup ending up with a NULL
dup from isl_basic_map_alloc_space.  We do

isl_basic_map_alloc_space (space=0x3a29240, extra=0, n_eq=0, n_ineq=22)

and isl_calloc_type fails via

101             if (isl_ctx_next_operation(ctx) < 0)
102                     return NULL;

because ctx->max_operations && ctx->operations >= ctx->max_operations

so the segfault is clearly an ISL bug.

Comment 6 Richard Biener 2020-01-07 09:02:11 UTC

I've tried to notify ISL folks via the isl-development google group,
bugzilla doesn't like the URL though, https://groups.google.com/forum/#!topic/isl-development/kgt5RxawS_Q

Comment 7 Richard Biener 2020-01-07 09:22:00 UTC

Looking at ISL 0.2[01] they did

__isl_give isl_basic_set *isl_basic_map_underlying_set(
        __isl_take isl_basic_map *bmap)
{
        if (!bmap)
                goto error;
        if (bmap->dim->nparam == 0 && bmap->dim->n_in == 0 &&
            bmap->n_div == 0 &&
            !isl_space_is_named_or_nested(bmap->dim, isl_dim_in) &&
            !isl_space_is_named_or_nested(bmap->dim, isl_dim_out))
                return bset_from_bmap(bmap);
        bmap = isl_basic_map_cow(bmap);
        if (!bmap)
                goto error;

Comment 8 Richard Biener 2020-01-08 07:51:44 UTC

So this one is confirmed an ISL issue.

Comment 9 Richard Biener 2020-01-08 13:16:44 UTC

*** Bug 92945 has been marked as a duplicate of this bug. ***

Comment 10 Martin Liška 2020-01-09 11:27:41 UTC

*** Bug 93167 has been marked as a duplicate of this bug. ***

Comment 11 Arseny Solokha 2020-01-09 12:08:01 UTC

*** Bug 90004 has been marked as a duplicate of this bug. ***